I routinely come across a problem with Windows 7 and the standard way of creating firewall rules using GPOs. Firewall exceptions were usually set through Computer Configuration->Administrative Templates->Network Connections->Windows Firewall, where you select the profile you want to edit and add the exceptions there. However, with Windows 7 and the new Windows Firewall with Advanced Security, setting the exceptions here seemed to create quite a few problems, especially with Remote Administration (RPC) and Remote Desktop.
The best place to define these exceptions is in Computer Configuration->Windows Settings->Security Settings->Windows Firewall with Advanced Security. Here you can turn the firewall on or off and add policies, including program exceptions and port exceptions. In my opinion it makes configuring Windows Firewall much easier, something which in the past was a pain.
A simple example is to set an exception in Windows Firewall for RDP (Remote Desktop). Right-click Inbound Rules and click New Rule.
Click Next. Now select the Remote Desktop rule and click Next. Select Allow Connection and click Finish. You will now see the rule in the Inbound Rules section:
Now all computers this GPO is applied to will allow Remote Desktop from any IP address. If this is what you want, then you are finished. I tend to go a bit further and only allow RDP from the system administration and server subnet, and only on the Domain profile. To do this, right-click the rule and click Properties. In the Properties window click the Advanced tab and then untick “Private” and “Public”:
To define IP addresses, click the Scope tab. In the Remote IP address section select These IP addresses, then click Add. Here's an example: if my IP address is 192.168.10.3 and I have a subnet mask of 255.255.255.0, then in the “This IP address or subnet” field I would type 192.168.10.0/24; this allows the entire network I am currently on to RDP to the machine(s) in question. Click OK, and if you want to add another, just click Add again.
That's it: you have just set up a rule to allow RDP connections from the 192.168.10.0/24 network, as long as the machines are connected to the Domain network. Setting firewall rules up per profile is especially useful for laptops. Workstations are more than likely always connected to the internal Domain network, but laptops most of the time probably won't be, so you want to make sure they are secure even when not connected to your own network. There are lots of useful predefined applications for you to use, or you can even specify your own ports or program to allow.
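As an added example (not from the original post), the same rule built with the NetSecurity PowerShell cmdlets, which exist on Windows 8 / Server 2012 and later rather than on Windows 7 itself: it writes the rule into a GPO and then reads it back to confirm that the profile and remote scope actually took effect, rather than trusting that the rule merely exists. The domain and GPO name "example.local\Workstation Firewall" and the rule name are placeholders.

```powershell
# Added example, not code from the original post. Creates the RDP rule described above
# (inbound TCP/3389, Domain profile only, remote scope 192.168.10.0/24) in a GPO and
# then verifies the stored profile and scope. Requires the RSAT Group Policy tools and
# the NetSecurity module (Windows 8 / Server 2012 or later).
# "example.local\Workstation Firewall" is a placeholder: use your own domain and GPO name.
$PolicyStore = 'example.local\Workstation Firewall'
$RuleName    = 'Allow RDP from admin subnet (Domain profile)'
$AdminSubnet = '192.168.10.0/24'

# Open a GPO session so the change is written to the GPO in one save.
$gpo = Open-NetGPO -PolicyStore $PolicyStore

# Equivalent of: New Rule -> Predefined: Remote Desktop -> Allow,
# then Advanced tab: only Domain ticked; Scope tab: remote IP = 192.168.10.0/24.
New-NetFirewallRule -GPOSession $gpo `
    -DisplayName   $RuleName `
    -Description   'RDP allowed only from the admin/server subnet while on the domain network' `
    -Direction     Inbound `
    -Protocol      TCP `
    -LocalPort     3389 `
    -RemoteAddress $AdminSubnet `
    -Profile       Domain `
    -Action        Allow | Out-Null

Save-NetGPO -GPOSession $gpo

# Read the rule back from the GPO and check the parts that limit exposure:
# the profile and the remote address scope, not just that the rule is present.
$rule = Get-NetFirewallRule -PolicyStore $PolicyStore -DisplayName $RuleName
$addr = $rule | Get-NetFirewallAddressFilter
$port = $rule | Get-NetFirewallPortFilter

if ("$($rule.Profile)" -ne 'Domain') {
    throw "Rule applies to profile(s) '$($rule.Profile)', expected Domain only"
}
if (@($addr.RemoteAddress) -notcontains $AdminSubnet) {
    throw "Remote scope is '$($addr.RemoteAddress)', expected $AdminSubnet"
}
if ("$($port.LocalPort)" -ne '3389') {
    throw "Local port is '$($port.LocalPort)', expected 3389"
}

"OK: '$RuleName' allows TCP/3389 inbound from $AdminSubnet on the Domain profile only."
```

On a client that has applied the GPO, the same three Get-* cmdlets with `-PolicyStore ActiveStore` show the rule as it is actually enforced, which is the quicker check when a laptop is reported as reachable from a network it should not be.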
The post GPO’s and Windows Firewall with Advanced Security appeared first on Tom's Blog.