
I have just enabled Remote Desktop on a Windows 10 computer, and in fact when I telnet to port 3389 from any other computer I can reach that service, but what I want is to deny the connection from any computer but a specific one (192.168.0.12), so I have issued the commands below:

netsh advfirewall firewall add rule name="RDP_regla_bloquea_entrada_IN"    dir=in action=block  protocol=tcp localport=3389 remoteip=any description="Deniega RDP IN"
netsh advfirewall firewall add rule name="RDP_regla_bloquea_entrada_OUT"   dir=out action=block protocol=tcp localport=3389 remoteip=any description="Deniega RDP OUT"

netsh advfirewall firewall add rule name="RDP_regla_permite_guacamole_IN"  dir=in action=allow  protocol=tcp localport=3389 remoteip=192.168.0.12 description="Permite RDP guacamole IN"
netsh advfirewall firewall add rule name="RDP_regla_permite_guacamole_OUT" dir=out action=allow protocol=tcp localport=3389 remoteip=192.168.0.12 description="Permite RDP guacamole OUT"

but all connections get blocked, even if I swap the rules:

netsh advfirewall firewall add rule name="RDP_regla_permite_guacamole_IN"  dir=in action=allow  protocol=tcp localport=3389 remoteip=192.168.0.12 description="Permite RDP guacamole IN"
netsh advfirewall firewall add rule name="RDP_regla_permite_guacamole_OUT" dir=out action=allow protocol=tcp localport=3389 remoteip=192.168.0.12 description="Permite RDP guacamole OUT"

netsh advfirewall firewall add rule name="RDP_regla_bloquea_entrada_IN"    dir=in action=block  protocol=tcp localport=3389 remoteip=any description="Deniega RDP IN"
netsh advfirewall firewall add rule name="RDP_regla_bloquea_entrada_OUT"   dir=out action=block protocol=tcp localport=3389 remoteip=any description="Deniega RDP OUT"

Thank you in advance, any help will be appreciated.

  • Why are you adding a deny rule? That's what firewalls do, deny by default. You should only need the allow rule. – Greg Askew Jun 12 '20 at 13:36
  • Because, as I said, the firewall is open for 3389 as soon as I enable the RDP service; I mean, anyone is able to connect. – user3227400 Jun 12 '20 at 15:31
  • Uncheck the "Network Level Authentication (NLA)" Option in RDP settings. – bjoster Jun 13 '20 at 12:06
  • Still the same, bjoster, no change; it seems the rule with IP 192.168.0.12 has no effect, only the 'remoteip=any' one applies; I thought that netsh would behave similarly to iptables. – user3227400 Jun 15 '20 at 07:30

2 Answers


Use New-NetFirewallRule with allow action and remoteaddress switch. https://docs.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=win10-ps

– IshRaj
  • Thank you IshRaj, but I think I will have the same issues, because I think that New-NetFirewallRule is the PowerShell version of netsh (netsh being the 'command version'); anyway, I will check it. – user3227400 Jun 12 '20 at 15:36

In the end, the solution I have adopted (because it worked for me!) is the one given in:

https://security.stackexchange.com/questions/34709/enable-rdp-for-internal-network-only

"In order to restrict RDP to specific IP addresses,

  • Go to the control panel->Administrative Tools
  • Windows Firewall with Advanced Settings
  • Inbound Rules
  • Remote Desktop (TCP-In)
  • Go to the Properties->Scope tab
  • Add the IP (or IP range) in the Remote IP addresses section"

I would have preferred a command line solution (i.e., with netsh), but it was not possible.
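The reason the netsh pair in the question blocks everything, in whichever order the rules are created, is that Windows Firewall with Advanced Security does not evaluate rules top-to-bottom like iptables: explicit block rules are always applied before allow rules, so a block rule with remoteip=any wins over an allow rule scoped to 192.168.0.12. The GUI procedure in the accepted answer works because it never adds a block rule; it narrows the scope of the built-in Remote Desktop allow rule that Windows enables together with the RDP service. The same thing can be done from the command line. The script below is an added example, not code from the question or either answer; it uses the NetSecurity cmdlets (Get-NetFirewallRule, Set-NetFirewallRule, Get-NetFirewallAddressFilter) that ship with Windows 10, and assumes an elevated PowerShell session, that the built-in RDP rules belong to the "Remote Desktop" display group, and that 192.168.0.12 is the only client that should be allowed. The four rule display names match the ones created in the question.

```powershell
# Added example: scope the built-in inbound Remote Desktop rules to one client
# instead of pairing a block-any rule with an allow rule.
# Assumptions: elevated PowerShell on Windows 10, NetSecurity module present,
# built-in RDP rules in the "Remote Desktop" display group.

$TrustedClient = '192.168.0.12'

# 1. Remove the custom rules from the question if they exist. The block rule
#    with remoteip=any would otherwise override any allow rule, because block
#    rules are evaluated before allow rules regardless of creation order.
$CustomRules = @(
    'RDP_regla_bloquea_entrada_IN',
    'RDP_regla_bloquea_entrada_OUT',
    'RDP_regla_permite_guacamole_IN',
    'RDP_regla_permite_guacamole_OUT'
)
foreach ($DisplayName in $CustomRules) {
    Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

# 2. Narrow the scope of the built-in inbound Remote Desktop rules to the
#    trusted client. This is the command-line equivalent of editing the
#    Scope tab of "Remote Desktop (TCP-In)" in the firewall console.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
    Set-NetFirewallRule -RemoteAddress $TrustedClient

# 3. Verify: every enabled inbound rule in the group should now list only
#    the trusted client as its remote address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
    Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress |
    Format-Table -AutoSize
```

Two caveats worth checking after running it: the outbound rules in the question are unnecessary for an inbound service (the firewall allows outbound traffic by default, and the RDP server's replies belong to an already-allowed inbound connection), and if the machine receives firewall rules from Group Policy, a domain-delivered "Remote Desktop" rule keeps its own scope and would still admit other clients, so confirm the result with a connection attempt from a second host, not only with the listing above.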