Sonntag, 13. Januar 2013 00:04
This question might partially belong to security forum but I think anyone using RDS services comes across this. I would like to TOTALLY block all internet access including "updates" to any software, windows updates, anti-virus updates, TCP, UDP, or ANY other protocol out of the server. I would like to only allow traffic both ways for established traffic (e.g. accessing the remote apps).
How can I achieve this without involving a third party firewall software?
Sonntag, 13. Januar 2013 15:24
In our visitor center, we setup a computer with fake proxy server and add our website to the exception so that the visitors access our website only and no other website. If this RDS is for internal use only, you may disable default gateway. This link may give you more options.How to restrict Internet Access. You may have many options to disable a user or
computer to access the Internet. Some options can be adopted for many users ...
Bob Lin, MVP, MCSE & CNE Networking, Internet, Routing, VPN Troubleshooting on
Sonntag, 13. Januar 2013 15:59Moderator
You may use Windows Firewall with Advanced Security (wf.msc) to control what network traffic is allowed to/from your RDSH server. For example, you may change the setting for Outbound connections to Block (it is Allow by default), and then enable Inbound and Outbound rules as needed to control precisely what is permitted. If you wanted you could configure the rules so that the only traffic that is allowed in or out of the server is RDP.
- Als Antwort vorgeschlagen Bob Lin (MCSE) Mittwoch, 13. Februar 2013 04:47
Sonntag, 13. Januar 2013 17:08
Thanks for the tips. I don't think fake proxy would do it for me as I want ALL outbound traffic blocked and not only TCP. Am I getting that right?
I tried Windows Firewall and assigned it the update manager program for a software and it sets on top of the list as DENY but it doesn't work. Where can I put one DENY rule for any and all traffic in the outbound list and how can I do it?
Sonntag, 13. Januar 2013 17:54Moderator
Please consider this as a potential starting point for you:
- Log on to the server console as an administrator, open wf.msc.
- In the left pane, right-click on Windows Firewall with Advanced Security, and choose Properties.
- On the each of the three profile tabs (Domain, Private, Public), set Outbound connections to Block.
- Examine each Enabled Inbound and Outbound rule to see if it is appropriate for your needs. If you choose to Disable a rule, make a note of it in case you are unhappy with the results of your changes.
- Thoroughly test the server to make sure that everything you need works properly and that the things that you do not want to permit are in fact blocked. Make sure you can still log on remotely, run RemoteApps, etc., any/all features you need to work or not work should be tested to the degree you can. Check Event Viewer for any new errors/warnings that may be result of your firewall changes.
- Based on your tests, consider creating new inbound/outbound rule(s) and/or Disabling/Enabling existing rules.
- Als Antwort vorgeschlagen Bob Lin (MCSE) Mittwoch, 13. Februar 2013 04:48
Sonntag, 13. Januar 2013 21:50
TP, thanks. I tried that. I have a block rule for all outbound on the very top but QuickBooks still able to update itself when run as a RemoteApp. As Administrator I tried to ping Google.com but I can't because of the block rule so it seems to be working for local users but not for remote users. Should firewall restrictions be tied to DC somehow?
I have Windows 2008 R2 Server (standalone but DC mode).
Montag, 14. Januar 2013 09:11Moderator
You should not need to create a Block rule for quickbooks if you have the default Outbound connections set to Block.
Please make a note of all Inbound/Outbound rules that are enabled, and then Disable all of them. When you have completed this verify that you are not able to connect to server in any way and you are unable to connect from the server to another machine. At this point no network traffic should flow into or out of the server no matter what program you use.
After you have successfully verified that all traffic is blocked, enable the inbound rule(s) you need, one at a time, testing after you enable each rule. For example, you may want to start by enabling the Remote Desktop (TCP-In) inbound rule. The goal is to enable only the rules you need and nothing more.
Samstag, 19. Januar 2013 19:13
That would be way to much work and there are over 100 inbound and outbound rules open by default. I thought there would be an easier way of simply blocking outbound traffic while allowing inbound established traffic.