Here we show how to set up firewall rules in Windows, both locally and via GPO.
There are two solutions to stop this attack.
1- If you don't need RDP enabled on this device, turn it off.
2- If you do need RDP enabled on this device, limit it to UIC campus networks, including the Virtual Private Network (VPN).
Note: Option 3, Group Policy, is the preferred method.
Option 1: GUI method - requires admin rights.
On the machine where you need to set up the rule, go to:
Control Panel / Administrative Tools / Windows Defender Firewall with Advanced Security
Inbound Rules
Remote Desktop (TCP-In)
Properties -> Scope tab
Add the IP (or IP range) in the Remote IP addresses section.
The UIC IP ranges are:
131.193.0.0/16
128.248.0.0/16
10.0.0.0/8
Option 2: Via Command Line.
You can run these commands remotely to close the RDP port to the outside world:
netsh firewall set opmode enable <== Makes sure the firewall is turned on first.
netsh firewall set service type = REMOTEDESKTOP mode = ENABLE profile = ALL scope = CUSTOM addresses = 128.248.0.0/16,131.193.0.0/16,10.0.0.0/8,x.x.x.0/24 <== Insert your unit-specific AnyConnect VPN range here
Option 3: Group Policy
This is the preferred method as it can be widely deployed and survives reboots and random Windows patches that reset the local firewall rules.
1. Open up GPMC or Group Policy Management app.
2. Navigate to Depts and then to your department. You can either create a new GPO or edit an existing one.
3. Move to Computer Configuration/Policies/Windows Settings/Security Settings/Windows Defender Firewall with Advanced Security.
4. Right-click on Inbound rules and select New Rule. Select Port, then hit Next >.
5. Under Specific local ports, enter: 3389. Make sure TCP is checked and hit Next >.
6. Make sure Allow the connection is checked and hit Next >.
7. Make sure only Domain and Private are checked. Hit Next >.
8. Give this a name like RDP - TCP 3389 and hit Finish.
9. Now open up this rule and select the Scope tab.
10. Under Remote IP address, check These IP addresses: and click Add.
Add these three ranges:
131.193.0.0/16
128.248.0.0/16
10.0.0.0/8
If you're curious and want to see the IP address of the attacker making the requests, you'll need to look at the local logs on the workstation:
Start > right-click Computer > Manage > Event Viewer > Applications and Services Logs > Microsoft > Windows
The entries will be under either “RemoteDesktopServices-RdpCoreTS” or “TerminalServices-RemoteConnectionManager” (look in the Operational log of each).
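As an added example (not part of the original page), the same scoping done with the NetSecurity PowerShell cmdlets, which are the supported replacement for the deprecated `netsh firewall` syntax used in Option 2, followed by a query of the RdpCoreTS log for the client addresses the last section refers to. It assumes a Windows 10 / Server 2016 or later host and an elevated session; the VPN range is a placeholder, not a real UIC range.

```powershell
# Added example, not part of the original page: scope the built-in RDP inbound
# rules with the NetSecurity cmdlets and then list the remote IPs seen in the
# RDP logs. Run in an elevated PowerShell session on the workstation.

# Ranges from the page. The VPN entry is a placeholder (RFC 5737 TEST-NET-2);
# replace it with your unit-specific AnyConnect VPN range.
$UicRanges = @('131.193.0.0/16', '128.248.0.0/16', '10.0.0.0/8')
$VpnRange  = '198.51.100.0/24'   # placeholder, not a real UIC range
$Allowed   = $UicRanges + $VpnRange

# Equivalent of "netsh firewall set opmode enable": make sure the firewall is on.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# The built-in rules live in the "Remote Desktop" display group (TCP-In, UDP-In
# and the shadow rule on newer builds). Restrict every inbound one to the allowed
# ranges and, as in the GPO steps, apply them only to the Domain and Private profiles.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
$rdpRules | Set-NetFirewallRule -Enabled True -Profile Domain,Private -RemoteAddress $Allowed

# Verify the scope actually took: the same view as Properties -> Scope in the GUI.
foreach ($rule in $rdpRules) {
    $filter = $rule | Get-NetFirewallAddressFilter
    '{0}: RemoteAddress = {1}' -f $rule.DisplayName, ($filter.RemoteAddress -join ', ')
}

# Who has been connecting? Event 131 in RdpCoreTS/Operational is written for every
# incoming TCP/UDP connection and names the client address, so it also shows scanners
# that never got as far as a logon. Count the distinct sources, most active first.
$log = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 131 } -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Message reads "... accepted a new TCP connection from client <addr>:<port>."
        if ($_.Message -match 'from client (\S+):\d+') { $Matches[1] }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'ClientAddress'; Expression = { $_.Name } } -First 20
```

If the workstation is under the Option 3 GPO, the GPO-delivered rule wins and local changes are overwritten on the next policy refresh, so use this on machines that are not covered by the GPO or to verify what the GPO has applied.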