• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2453

Force Windows firewall GPO to override existing, predefined Remote Desktop rule?

Hello all,

I have a Remote Desktop TCP GPO for Windows Firewall that only allows clients with specific IP ranges to connect.  When I apply the GPO, it is being overridden by the pre-existing Remote Desktop rule.  When I disable the existing rule locally, my GPO works fine.

I don't want to have to manually disable the existing, default rule on all the servers I deploy for this purpose.  I want to set up a GPO once in Active Directory that:

1. Restricts RD access to the IP ranges I specify.
2. Overrides the existing, more relaxed local firewall policy for remote desktop.

Having trouble getting good search results on this one so I thought someone could help.

Thanks.
Asked by yccdadmins
1 Solution
Will Szymkowski (Senior Solution Architect) commented:
Local policies will also get applied with the domain policies. What you could do is, in your GPO, disable the local policies, which will then apply your domain policies.

Will.

yccdadmins (Author) commented:
Hey Will,

I've been trying to figure out how to use GPO to disable that local Remote Desktop policy but haven't been able to figure out how to do it.  I was able to create the new rule I need for Remote Desktop but it is not overriding the existing.  I'm not seeing how to disable the existing local one.

Will Szymkowski (Senior Solution Architect) commented:
The link below illustrates how to disable merging on the local firewall policy via GPO, which should do the trick.
https://technet.microsoft.com/en-us/library/cc732770%28v=ws.10%29.aspx

Will.

McKnife commented:
Though Will has a solution, it is a dangerous one. If we disable local fw policies, all the exceptions that programs have set (believe me, there will be many) will become inactive, which might break many things.

I recommend using a domain startup script instead that deletes or modifies some rules using netsh.exe.

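As an added illustration (not code from anyone in this thread), here are the two approaches side by side in PowerShell: a check of which locally defined rules would stop applying if local-rule merging is disabled, and a startup-script alternative that leaves merging on, disables the predefined Remote Desktop group and adds one inbound rule scoped to allowed ranges. The IP ranges and rule name are placeholders; the NetSecurity module (Windows Server 2012 / Windows 8 or later) and an elevated session are assumed.

```powershell
# Added example, not from the thread. Run elevated; needs the NetSecurity module.
# The ranges and rule name below are constructed placeholders.

# 1. Before turning off local-rule merging (Set-NetFirewallProfile -AllowLocalFirewallRules False,
#    the policy Will's link describes), list enabled rules that were defined locally:
#    these are exactly the rules that stop applying once only GPO rules are honoured.
function Get-LocalOnlyFirewallRules {
    Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True |
        Where-Object { $_.PolicyStoreSourceType -eq 'Local' } |
        Select-Object DisplayName, DisplayGroup, Direction, Profile
}

# 2. McKnife's alternative as a startup script: keep merging on, disable only the
#    built-in "Remote Desktop" group, and add a single allow rule scoped to your ranges.
#    (netsh equivalent of the first step:
#     netsh advfirewall firewall set rule group="Remote Desktop" new enable=no)
function Set-RestrictedRdpRules {
    param(
        [string[]]$AllowedRanges = @('10.10.0.0/24', '192.168.50.0/24'),  # placeholders
        [string]$RuleName = 'RDP - allowed subnets only'
    )
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule

    # Idempotent: re-running at every boot replaces the scoped rule instead of duplicating it
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $RuleName
    }
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $AllowedRanges -Action Allow -Profile Domain,Private
}

# 3. Verification: any enabled inbound rule still allowing 3389 from 'Any' is a gap
function Test-RdpScope {
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($addr -join ',') }
        }
}
```

Running Get-LocalOnlyFirewallRules first shows what the merge-disable approach would silently switch off; Test-RdpScope after the startup script should list only the scoped rule.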
yccdadmins (Author) commented:
I found a solution the other day.  I'm going back to it to see if it matches any of these....

Ken.

yccdadmins (Author) commented:
Forgot to get back to this but that worked.  Thanks!!

McKnife commented:
I wonder why you don't comment on my advice. That way of solving it is very dangerous.

yccdadmins (Author) commented:
Actually, I believe I solved it myself and thought that solution was basically the same.  It isn't completely but it was close.  

I did not use any start scripts at all, so I selected the other solution.

McKnife commented:
Say, did you understand what I was saying about the danger?