3

On a fresh domain-joined Server 2012 R2 install I see a peculiarity where an enabled "Remote Desktop" rule is set to Block in the Domain profile:

firewall.cpl screenshot

As block rules take precedence over allow rules, I seem unable to effectively insert a firewall exception allowing RDP traffic to this machine. I cannot edit this rule as "This rule has been applied by the system administrator and cannot be modified". I also cannot override it by the "Remote Desktop" predefined rule in a Group Policy as this does not update the "Remote Desktop" rule but is introducing a new "Remote Desktop (TCP-In)" rule, with the "Remote Desktop" block rule still in place and taking precedence.

Contrary to what the Rule Source column (the first column in the screenshot above) is telling me, the rule is not defined in the machine's local policy:

enter image description here

Folks seem to have encountered this problem on older (Windows 7 / 2008 R2) installs as well, yet there seems to be no effective resolution documented in these cases.

So where does this come from and how to disable this block rule?

the-wabbit
  • 40,737
  • 13
  • 111
  • 174

3 Answers3

3

I had the same issue and found it was due to a space in the GPO comma delimited list. I documented this on my blog:

TLDR: Don’t put any spaces in the IP address list for the GPO setting for Computer/Admin Templates/Network/Network Connections/Windows Firewall/Domain Profile/Windows Firewall: Allow inbound Remote Desktop exceptions.

the-wabbit
  • 40,737
  • 13
  • 111
  • 174
security_chief
  • 31
  • 3
1

Try using the initial configuration tasks wizard to enable RDP access. It should the eighth option down. I believe Microsoft designed this to override Group Policy or any other settings so the system wouldn't automatically expose any ports/services (i.e. from GP rules) until all updates had a chance to be applied following a new install.

Initial Configuration Tasks

tfrederick74656
  • 1,452
  • 1
  • 13
  • 29
  • I have not seen this in Server 2012 R2. The "Server Manager" is listing Remote Desktop (and Remote Management) as "Enabled" in the "Local Server" section. I am going to try running through an update cycle to see if this is to change things. – the-wabbit Sep 30 '14 at 16:02
  • So the update cycle seems to have helped. Thank you for pointing me into the right direction. – the-wabbit Sep 30 '14 at 16:08
  • No problem, glad it's working for you! – tfrederick74656 Sep 30 '14 at 16:08
  • Mh, but it only helped in terms that the rule is hard-coded to "allow" now. I am still looking for a way to disable it so I could craft my own rules (basically I aim to restrict the remote desktop access to a number of hosts and networks) – the-wabbit Sep 30 '14 at 16:13
  • I don't think you can disable it, only override it. I believe that rule always exists - but remember that a deny takes precedence over an allow. So if it's set locally to deny, adding a GP rule to allow it won't work. But if it's set to allow locally, a GP rule to deny it WILL work. At least that's how I imagine it should work. We have it enabled everywhere in my environment, so I can't say for certain without testing. – tfrederick74656 Sep 30 '14 at 16:15
0

Have you tried looking in the network connections folder on your local gpo editor? It sounds like you might have have the remote desktop disabled from there...

Go to Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall and make sure the "Allow inbound Remote Desktop" is set to "not configured"

Kai
  • 1
  • 1