Force Windows firewall GPO to override existing, predefined Remote Desktop rule?

Hello all,

I have a Remote Desktop TCP GPO for Windows Firewall that only allows clients with specific IP ranges to connect.  When I apply the GPO, it is being overridden by the pre-existing Remote Desktop rule.  When I disable the existing rule locally, my GPO works fine.

I don't want to have to manually disable the existing, default rule on all the servers I deploy for this purpose.  I want to set up a GPO once in Active Directory that:

1.  Restricts RD access to the IP ranges I specify.
2. Overrides the existing, more relaxed local firewall policy for remote desktop.

Having trouble getting good search results on this one so I thought someone could help.

Thanks.
yccdadminsAsked:
Will SzymkowskiSenior Solution ArchitectCommented:
Local policies will also get applied with the domain policies. What you could do is in your GPO disable the local policies, which will then apply your domain policies.

Will.
0
yccdadminsAuthor Commented:
Hey Will,

I've been trying to figure out how to use GPO to disable that local Remote Desktop policy but haven't been able to figure out how to do it.  I was able to create the new rule I need for Remote Desktop but it is not overriding the existing.  I'm not seeing how to disable the existing local one.
0
Will SzymkowskiSenior Solution ArchitectCommented:
The link below illustrates how to disable merging on the local firewall policy via GPO, which should do the trick.
https://technet.microsoft.com/en-us/library/cc732770%28v=ws.10%29.aspx

Will.
0

McKnifeCommented:
Though Will has a solution, it is a dangerous one. If we disable local fw policies, all the exceptions that programs have set (believe me, there will be many) will become inactive, which might break many things.

I recommend using a domain start script instead that deletes or modifies some rules using netsh.exe.
0
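
The start-script approach suggested above, sketched as an added example (not code posted by anyone in this thread): it disables only the predefined local Remote Desktop rule group with netsh.exe, and only after confirming that a GPO rule for TCP 3389 with a remote-address restriction has reached the machine. The function names, the English group name "Remote Desktop", PowerShell 2.0 or later, and the rule-string field names are assumptions.

```powershell
# Added example: computer startup script (assumes PowerShell 2.0+, English OS).
# Registry key where GPO-delivered Windows Firewall rules are stored.
$PolicyRules = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'
$LocalGroup  = 'Remote Desktop'   # predefined local rule group (English name, assumption)

# True if any rule string is an active inbound allow for TCP 3389 that is limited
# to specific remote addresses (carries an RA4= field). Field names follow the
# pipe-delimited strings Windows stores under the key above; confirm them against
# a rule delivered by your own GPO.
function Test-ScopedRdpRule {
    param([string[]]$RuleStrings)
    foreach ($rule in $RuleStrings) {
        $f = $rule -split '\|'
        if (($f -contains 'Action=Allow') -and ($f -contains 'Active=TRUE') -and
            ($f -contains 'Dir=In') -and ($f -contains 'Protocol=6') -and
            ($f -contains 'LPort=3389') -and (@($f -like 'RA4=*').Count -gt 0)) {
            return $true
        }
    }
    return $false
}

# Read every rule string the GPO has written on this machine.
function Get-PolicyRuleStrings {
    if (-not (Test-Path $PolicyRules)) { return @() }
    $key = Get-Item $PolicyRules
    return @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}

function Disable-LocalRdpGroup {
    # Safety check: remove the local allow only once the GPO rule has arrived,
    # otherwise a boot before the first policy refresh would cut off RDP entirely.
    if (-not (Test-ScopedRdpRule (Get-PolicyRuleStrings))) {
        Write-Host 'No scoped GPO rule for TCP 3389 found; local rules left unchanged.'
        return 1
    }
    # Disables the predefined group only; exceptions other programs created stay active.
    & netsh advfirewall firewall set rule group="$LocalGroup" new enable=no | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Host "netsh failed with exit code $LASTEXITCODE."
        return $LASTEXITCODE
    }
    Write-Host "Local '$LocalGroup' rules disabled; other local rules untouched."
    return 0
}

exit (Disable-LocalRdpGroup)
```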
yccdadminsAuthor Commented:
I found a solution the other day.  I'm going back to it to see if it matches any of these....

Ken.
0
yccdadminsAuthor Commented:
Forgot to get back to this but that worked.  Thanks!!
0
McKnifeCommented:
I wonder why you don't comment on my advice. That way of solving it is very dangerous.
0
yccdadminsAuthor Commented:
Actually, I believe I solved it myself and thought that solution was basically the same.  It isn't completely but it was close.  

I did not use any start scripts at all, so I selected the other solution.
0
McKnifeCommented:
Say, did you understand what I was saying about the danger?
0