3

Is it possible to disable/overwrite Windows TCP/IP filtering settings via a Group Policy object?

I have a server running 2012 R2 which I was setting up RRAS on, and I inadvertently cut myself off from remote access by allowing the wizard to secure the network connection (the server has a single NIC).

Chris McKeown

1 Answer

5

Locked the keys in the car, eh?

I don't believe that one is configurable via Group Policy. Periodic policy refresh isn't going to help you run a script or install software on the machine since both of those operations only occur on a synchronous policy refresh (i.e. a reboot).

I think you're going to be stuck laying hands on the machine.

I've forgotten what the static packet filter that gets added by that wizard contains. Something in the back of my mind says it's fairly restrictive and might even limit the machine's ability to contact AD for a Group Policy refresh.

Assuming it can access AD for Group Policy, and if you can get somebody to reboot it, you can assign a PowerShell startup script with the commands Get-RemoteAccessIpFilter | Remove-RemoteAccessIpFilter that will probably do the trick (though I don't have a test box spun up right now to verify with).

Evan Anderson
  • I thought that would be the case. I can get to the server tomorrow, I was just hoping to get some more done on it tonight. Thanks for the reply! – Chris McKeown Jan 06 '14 at 21:18
  • I took a look this morning before disabling RRAS - the wizard applies a set of pretty restrictive IP filters (both inbound and outbound) that would definitely prevent the machine refreshing its policy. – Chris McKeown Jan 07 '14 at 08:29
  • I kinda thought so. If memory serves it locks things down to PPTP, SSTP, and IPSEC in and just about nothing else. Definitely not a box you want to tick when remotely configuring a box on an oil derrick in the middle of the North Sea, or on the moon. >smile – Evan Anderson Jan 07 '14 at 08:59
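
The cleanup pipeline from the answer, wrapped so that the filters are saved and the outcome is logged before anything is deleted. This is an added example, not code from the original thread; it can be run elevated at the console or assigned as a computer startup script. The log directory is an assumption, and so is the use of the standard -Confirm:$false switch to suppress prompts on Remove-RemoteAccessIpFilter.

```powershell
# Added example: record, then remove, the RRAS static packet filters.
# $LogDir is an assumed location; change it to suit the server.
$LogDir = 'C:\RrasFilterCleanup'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Start-Transcript -Path (Join-Path $LogDir "cleanup-$stamp.log") | Out-Null

try {
    Import-Module RemoteAccess -ErrorAction Stop

    # Keep a copy of what the wizard applied, for later review.
    $filters = @(Get-RemoteAccessIpFilter -ErrorAction Stop)
    Write-Output 'Filters before cleanup:'
    Write-Output ($filters | Format-List | Out-String)

    if ($filters.Count -gt 0) {
        $filters | Export-Clixml -Path (Join-Path $LogDir "filters-$stamp.xml")

        # Same pipeline as in the answer. -Confirm:$false is assumed to be
        # accepted here, so that a non-interactive run does not stall.
        $filters | Remove-RemoteAccessIpFilter -Confirm:$false -ErrorAction Stop
    }

    # Query again so the transcript shows what, if anything, is left.
    Write-Output 'Filters after cleanup:'
    Write-Output (Get-RemoteAccessIpFilter -ErrorAction Stop | Format-List | Out-String)
}
catch {
    # A failure is written to the transcript rather than lost at boot time.
    Write-Output "Cleanup failed: $($_.Exception.Message)"
}
finally {
    Stop-Transcript | Out-Null
}
```

The exported XML can be read back with Import-Clixml to review the rules the wizard created.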