
Windows Firewall – Remote Desktop Exemption


Now that CST is scanning for systems whose Remote Desktop port (TCP 3389) is reachable from offsite, it is important to ensure your firewall rules block or restrict the ‘Remote Desktop’ port. For most systems this rule comes from a GPO applied in our domains.

There have been reports of systems that have the setting defined but are still being flagged by our scanner. In most cases, we have found that these systems are using the override for firewall rules that can be applied to an individual network interface. For example, if you look at your firewall settings using the standard GUI from the Control Panel:


You will notice there is an exemption defined for ‘Remote desktop’. If you look at the details on that exemption, you might see something like this:


And if you look at the ‘scope’ you might have:


Now check the ‘Advanced’ tab in the Windows Firewall GUI. You will see a list of network interfaces for your system (most systems have only one). Looking at the settings for an individual interface shows whether that interface has any additional or overriding settings.


For example, you might see:


In this case, the remote desktop setting was changed. If you look at the details, you might see something like this:


Notice there is no ‘scope’ setting. In this system’s case, even though the firewall rules limited TCP port 3389 to on-site addresses, this per-interface setting overrode them for the main network interface, and since a scope cannot be defined on the override, the port is opened to the entire network.
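As an added example (not part of this advisory), the following PowerShell script performs the same check from the command line: it lists every enabled inbound rule that allows TCP 3389 and flags those whose remote-address scope is ‘Any’, i.e. open to the entire network. It assumes Windows 8 / Server 2012 or later, where the NetSecurity module is available; the per-interface override shown above has no direct equivalent there, so the script reports each rule’s interface binding and scope instead. The on-site range is a placeholder to replace with your own.

```powershell
# Added audit script, not part of the original advisory.
# Assumes the NetSecurity module (Windows 8 / Server 2012 or later).
$onsite = @('192.0.2.0/24')   # placeholder; replace with your real on-site address ranges

# Every enabled inbound Allow rule that opens TCP 3389, whatever it is named.
$rdpRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $ports = @($pf.LocalPort)
        $pf.Protocol -eq 'TCP' -and ($ports -contains '3389' -or $ports -contains 'Any')
    }

$report = foreach ($rule in $rdpRules) {
    $addr  = $rule | Get-NetFirewallAddressFilter
    $iface = $rule | Get-NetFirewallInterfaceFilter
    $scope = @($addr.RemoteAddress)
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Profile       = $rule.Profile
        Interface     = (@($iface.InterfaceAlias) -join ',')   # 'Any' unless bound to one adapter
        RemoteScope   = ($scope -join ',')
        OpenToNetwork = ($scope -contains 'Any')                # no remote-address restriction
    }
}

$report | Format-Table -AutoSize

# Rules flagged OpenToNetwork are the ones the scanner will detect. To restrict
# one of them to the on-site ranges (run deliberately, one rule at a time):
#   Set-NetFirewallRule -Name <rule Name> -RemoteAddress $onsite
```

Run it in an elevated PowerShell session; a rule that is bound to a single interface and shows a RemoteScope of ‘Any’ is the modern counterpart of the override described above.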


last modified 9-26-2008
email fidler@fnal.gov


Fermi National Accelerator Laboratory