Why is my Windows Firewall allowing connections from IP addresses other than those I specified?

2

I created a Windows Firewall rule restricting access to port 3389 (RDP) to only one Remote IP. However, I'm still able to Remote Desktop from other machines... Why would this be? Even if I disable the rule for port 3389 entirely I'm still able to connect. I've also confirmed that all 3 profiles (Domain, Public and Private) are set so that "inbound connections that do not match a rule are blocked".

Here are my firewall rules for incoming connections which I exported from Windows Firewall with Advanced Security.

I replaced actual IPs in the list with "Trusted IP", "Trusted IPs", "Public IP" and "Public IP".

I'm using Windows Server 2008 R2 and Windows Firewall with Advanced Security 6.1.

David

Posted 2011-04-19T05:48:55.547

Reputation: 525

Answers

1

You're explicitly allowing one IP, but are you blocking the rest of them? Since you note that disabling the rule allows you to connect, I'd suggest that by default there's nothing blocking the port, so making an 'allow' whitelist exception is liable to not accomplish anything. I'd suggest you try blocking it first, then give priority to the allow.

Rushyo

Posted 2011-04-19T05:48:55.547

Reputation: 249

All 3 profiles (Domain, Private and Public) are set so that "Inbound connections that do not match a rule are blocked". So yes, the rest are blocked. There must be a rule in my list which is allowing TCP connections to port 3389, but I can't tell which... Unless there is something else I haven't thought of. Any other suggestions? – David – 2011-04-20T01:31:46.400
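An added example, not part of the original thread: Windows Firewall has no rule ordering, so with the default inbound action set to block, a connection is still admitted if any enabled allow rule matches it and no block rule does. The sketch below parses the text printed by `netsh advfirewall firewall show rule name=all dir=in` and lists every enabled inbound allow rule that covers TCP 3389, with its remote-address scope. The field labels assume English-locale output, and the sample rules and addresses are constructed.

```python
import re

def parse_rules(text):
    """Split netsh 'show rule' output into one dict per rule."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"([A-Za-z ]+):\s*(.*)$", line)
        if not m:
            continue  # separator or blank line
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":
            rules.append({})
        if rules:
            rules[-1][key] = value
    return rules

def covers_port(spec, port):
    """True if a LocalPort value such as 'Any', '80,443' or '5000-5010' includes port."""
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if lo.lower() == "any":
            return True
        hi = hi or lo
        if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
            return True
    return False  # keywords such as 'RPC' never match a fixed port here

def allow_rules_for(text, port=3389, proto="TCP"):
    """Enabled inbound allow rules that reach proto/port, as (name, RemoteIP)."""
    return [(r["Rule Name"], r.get("RemoteIP", "Any"))
            for r in parse_rules(text)
            if r.get("Enabled") == "Yes" and r.get("Direction") == "In"
            and r.get("Action") == "Allow"
            and r.get("Protocol", "Any") in (proto, "Any")
            and covers_port(r.get("LocalPort", "Any"), port)]

def _sample_rule(name, enabled, remote, port):
    # One constructed rule in the assumed English-locale netsh layout.
    return (f"Rule Name:  {name}\n{'-' * 70}\nEnabled:  {enabled}\n"
            f"Direction:  In\nRemoteIP:  {remote}\nProtocol:  TCP\n"
            f"LocalPort:  {port}\nAction:  Allow\n\n")

# Constructed sample data; rule names and addresses are illustrative.
SAMPLE = (_sample_rule("RDP from trusted host", "Yes", "203.0.113.10/32", "3389")
          + _sample_rule("Second RDP rule", "Yes", "Any", "3389")
          + _sample_rule("Disabled RDP rule", "No", "Any", "3389")
          + _sample_rule("Web", "Yes", "Any", "80,443"))

if __name__ == "__main__":
    for name, remote in allow_rules_for(SAMPLE):
        flag = "  <-- not restricted by remote address" if remote == "Any" else ""
        print(f"{name}: RemoteIP={remote}{flag}")
```

A rule listed with RemoteIP `Any` admits every source no matter how tightly another allow rule is scoped. Rules tied to a specific program or service apply only to that listener, so check those fields in the verbose output before disabling a candidate.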

0

I've had the same/similar problem. I have one IP (mine) that I want to use to access my database ports, (not a dozen Chinese IPs that connect every 10 seconds and bloat my log files to 100MB every day). My default is set to allow (lots of services running, and don't want to accidentally turn off something, I know, it's bad) but I want to limit malicious activity on the 1433 port, so I set up a block rule with a range that excludes my IP as shown below. This (sample) would allow anything from 170.181.. (with the exception of 170.181.0.0)

limit IP

You could also adjust to a tighter (single IP) rule.

Daniel

Posted 2011-04-19T05:48:55.547

Reputation: 430