Should I set up Remote Desktop Protocol Firewall rule in Windows?

Here we show how to set up firewall rules in Windows, both locally and via GPO.

There are two ways to stop this kind of attack (RDP connections reaching the device from outside the campus network):

1- If you don't need RDP enabled on this device, turn it off.

2- If you do need RDP enabled on this device, limit it to UIC campus networks, including the Virtual Private Network (VPN).

Note: Option 3 (Group Policy) is the preferred method.


Option 1: GUI method (requires admin rights).

On the machine where you need to set up the rule, go to:

Control Panel / Administrative Tools / Windows Defender Firewall with Advanced Security

Inbound Rules

Remote Desktop (TCP-In)

Properties -> Scope tab

Add the IP (or IP range) in the Remote IP addresses section

The UIC IP ranges are:

131.193.0.0/16

128.248.0.0/16

10.0.0.0/8

Option 2: Via Command Line.

You can run these commands remotely to close the RDP port to the outside world. The first makes sure the firewall is turned on; the second scopes Remote Desktop to the listed ranges (replace x.x.x.0/24 with your unit-specific AnyConnect VPN range):

netsh firewall set opmode enable

netsh firewall set service type = REMOTEDESKTOP mode = ENABLE profile = ALL scope = CUSTOM addresses = 128.248.0.0/16,131.193.0.0/16,10.0.0.0/8,x.x.x.0/24
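A PowerShell equivalent of the two netsh commands above, added here as an example and not part of the original article (the legacy "netsh firewall" context is deprecated on current Windows in favour of "netsh advfirewall"). It scopes the built-in Remote Desktop rules to the campus ranges and then checks that no other enabled rule still allows TCP 3389 from Any; the VPN range is a parameter because the article gives only a placeholder for it, and the "Remote Desktop" display group name assumes an English Windows UI.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): PowerShell equivalent of the
# two netsh commands above, using the NetSecurity cmdlets shipped with
# Windows 8 / Server 2012 and later. Run in an elevated PowerShell session.
param(
    # Unit-specific AnyConnect VPN range in CIDR form. The article does not
    # give one, so it is passed in rather than hard-coded.
    [string]$VpnRange
)

# Campus ranges listed in the article.
$Allowed = @('131.193.0.0/16', '128.248.0.0/16', '10.0.0.0/8')
if ($VpnRange) { $Allowed += $VpnRange }

function Get-UnscopedRdpRule {
    # Returns every enabled inbound Allow rule that would still admit TCP 3389
    # from any remote address. Windows unions its allow rules, so one such
    # rule re-opens RDP to the world no matter how tightly another is scoped.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            ($port.Protocol -in 'TCP', 'Any') -and
            (@($port.LocalPort) -contains '3389' -or @($port.LocalPort) -contains 'Any') -and
            (@($addr.RemoteAddress) -contains 'Any')
        }
}

# 1. Equivalent of "netsh firewall set opmode enable": turn every profile on.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# 2. Equivalent of the "scope = CUSTOM addresses = ..." line: restrict the
#    built-in Remote Desktop rules (the ones Option 1 edits in the GUI) to the
#    campus and VPN ranges. Display group name assumes an English Windows UI.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $Allowed

# 3. Verify nothing else still leaves 3389 open to the world (for example a
#    rule added by a third-party installer). Expect no output on a clean host.
$leaks = @(Get-UnscopedRdpRule)
if ($leaks.Count -eq 0) {
    Write-Host 'OK: no enabled inbound rule allows TCP 3389 from Any.'
} else {
    Write-Warning "RDP still reachable from Any via $($leaks.Count) rule(s):"
    $leaks | Select-Object DisplayName, Profile, PolicyStoreSource | Format-Table -AutoSize
}
```

Step 3 is the check worth repeating after patches or software installs, since a new broad allow rule silently undoes the scoping done in step 2.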

Option 3: Group Policy

This is the preferred method: it can be deployed widely, and it survives reboots and Windows patches that reset the local firewall rules.

1. Open up GPMC or Group Policy Management app.

2. Move to Depts, then to your department. You can either create a new GPO or edit an existing one.

3. Move to Computer Configuration/Policies/Windows Settings/Security Settings/Windows Defender Firewall with Advanced Security.

4. Right-click Inbound Rules and select New Rule. Select Port, then hit Next >.

5. Under Specific local ports, enter: 3389. Make sure TCP is checked and hit Next >.

6. Make sure Allow the connection is checked and hit Next >.

7. Make sure only Domain and Private are checked. Hit Next >.

8. Give the rule a name like "RDP - TCP 3389" and hit Finish.

9. Now open up this rule and select the Scope tab.

10. Under Remote IP address, check These IP addresses: and click Add.

Add these three ranges:

131.193.0.0/16

128.248.0.0/16

10.0.0.0/8


If you're curious and want to see the IP address of the attacker making the requests, you'll need to look at the local logs on the workstation:

Start > right-click Computer > Manage > Event Viewer > Applications and Services Logs > Microsoft > Windows

The relevant events are under "RemoteDesktopServices-RdpCoreTS" and/or "TerminalServices-RemoteConnectionManager".

Details

Article ID: 873
Created: Fri 1/15/21 6:12 PM
Modified: Mon 8/21/23 4:22 PM