Block RDP access on public facing network adapter

  • Question

  • Hi,

    We have a hosted 2012 mail server with 2 physical network interfaces. One network is assigned a local IP range for our internal network, and the other interface is assigned a public IP address for external access. Current RDP access is available via both the internal IP address through VPN and the external IP address without the VPN. I need to be able to block RDP access on the public/external interface. I believe I should be able to do this through the Windows firewall, but I just can't figure out how. Both networks are assigned to public profiles.

    Any suggestions would be much appreciated.

    Many thanks

    September 19, 2019 10:39

All replies

  • RDP runs over TCP port 3389 and UDP port 3389.  Block them.

    tim

    September 19, 2019 13:39
  • Hi Tim,

    Thank you for your reply. I understand that I need to block them, but if I block them then I won't be able to RDP in from the private network. How do I block them on a specific physical interface and allow them on another interface?

    Actually this question should probably be in Server 2012>Security. Can a mod move this for us please?

    Many thanks 

    September 19, 2019 19:50
    I'm not sure it is possible...some people will say you should be able to configure public profile rules and private profile rules so they apply to your interfaces as such...foobar...I've never got this to work.

    In my experience the most restrictive profile detected will always apply to the host as a whole...i.e. Windows is detecting a private and a public interface, therefore the public rules kick in.

    Windows Firewall is not a great piece of software...it's basically a Windows Vista relic...I would look for other soft firewalls, disable the Windows one and use third party software or better still put a physical firewall between your public facing NIC and the internet.

    September 19, 2019 20:36
  • Hi,

    We can try to use "Block the Connection" for the public profile and not allow the specified public addresses to access the public IP of the session host server.

    Allowing RDP access to only certain IPs
    https://blogs.technet.microsoft.com/leesteve/2017/06/26/allowing-rdp-access-to-only-certain-ips/

    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    September 20, 2019 10:19
  • This is not what he asked for. He doesn't want to block source IPs, but limit the IPs that RDP is listening on.

    Mark as answer if it solves your issue. Leos

    September 20, 2019 10:31
  • Such a thing should not be handled on the OS level, but on your network layer. Only needed ports should be open to the public internet, which is definitely not RDP.

    But, the thing with 2 different profiles on the network interfaces should work in Windows Firewall...
    Mark as answer if it solves your issue. Leos

    September 20, 2019 10:37
  • Windows Firewall recognizes three different profiles.  You would ensure you have your networks in the proper profiles and then block only the profiles you do not want to have access.

    Or, you can handle this outside of Windows and put the block into your network switches, where any network manager would say such a function belongs in the first place.
    tim

    September 20, 2019 15:10
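The interface-scoped approach discussed in this thread (block RDP on the public NIC while the internal NIC keeps working), written up as an added PowerShell example; it is not from any poster here. It assumes Windows Server 2012 or later (NetSecurity module), and the interface alias `Ethernet 2` and the range `192.168.10.0/24` are constructed placeholders to replace with the real values shown by the first command.

```powershell
# Added example, not from the thread. The NIC alias and internal range below are
# constructed placeholders; confirm them against Get-NetConnectionProfile first.
$PublicNic   = 'Ethernet 2'          # NIC that holds the public IP (assumed name)
$InternalNet = '192.168.10.0/24'     # internal range reached over the VPN (assumed)

# Which alias and firewall profile does each adapter currently have?
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity

# 1) Explicit Block rules for RDP (TCP and UDP 3389) bound to the public NIC only.
#    An explicit Block rule takes precedence over Allow rules for the same traffic,
#    so the built-in "Remote Desktop" allow rules stop matching on this interface
#    but keep working on the internal one, whatever profile either NIC lands in.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "Block RDP on public NIC ($proto)" `
        -Direction Inbound -Protocol $proto -LocalPort 3389 `
        -InterfaceAlias $PublicNic -Action Block -Profile Any
}

# 2) Defence in depth: narrow the built-in Remote Desktop allow rules so they only
#    accept connections from the internal range, regardless of interface.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $InternalNet

# 3) Verify: every inbound rule touching port 3389, with action and interface scope.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    ForEach-Object {
        $rule = $_ | Get-NetFirewallRule
        $if   = $rule | Get-NetFirewallInterfaceFilter
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Direction = $rule.Direction
            Action    = $rule.Action
            Enabled   = $rule.Enabled
            Interface = $if.InterfaceAlias
        }
    } | Format-Table -AutoSize
```

After applying the rules, test from a host on the public side that 3389 no longer answers, and from the VPN that it still does, before closing the console session.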
  • Hi,

    Is there any progress on your question?
    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    September 23, 2019 2:02
  • Hi,

    Is there anything to help you?
    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    September 27, 2019 15:01