So in cleaning up some OUs, rearranging and generally redoing some GPOs I came across this little gem.
In 2008 and 2008 R2, the built-in Remote Desktop firewall rules are written like this: [inline image]

In 2012, 2012 R2, and 2016, the default rules are written like this: [inline image]

Note the biggest difference is that there are now three rules, and the Program changed from "System" to actual executables, svchost.exe and rdpsa.exe. Found out today that a policy written on 2012 and up does not work when applied to 2008 R2 and down, despite both being "Advanced Firewall" rules. I couldn't find anything specific about this on the interwebs, heck I'm not even sure this list is appropriate, but there it is.

Also, when conflicting rules are applied, most lenient wins. We've found a bunch of 2008+ hosts that still have a 2003 firewall policy applied using the old XP/2003 registry-style rules allowing '*', because things were easier back then, along with later, tighter-scoped advanced firewall policies, and RDP still works from places it shouldn't, or we didn't intend it to anyway. It turns out Windows Firewall has turned into kind of a mess over time... And yes, at the moment, I have to manage it at the host...

Todd


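An added example, not part of Todd's post: a PowerShell audit that lists every effective inbound allow rule for TCP 3389 on a host, the policy store it came from (local or which GPO), the program it is bound to, and whether it is open to any remote address. It assumes the NetSecurity cmdlets (Windows Server 2012 / Windows 8 and later); on 2008 R2 the nearest equivalent is `netsh advfirewall firewall show rule name=all verbose`, and the legacy XP/2003-style policy entries live under a registry key rather than the advanced-firewall rule store.

```powershell
# Added audit script (not from the original post). Requires the NetSecurity module
# (Server 2012 / Windows 8 and later). "ActiveStore" is the merged result of
# local rules plus every applied GPO, i.e. what the firewall actually enforces.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True |
    Where-Object { $_.Action -eq 'Allow' }

$report = foreach ($rule in $rules) {
    $port = $rule | Get-NetFirewallPortFilter
    # Keep only rules that open TCP 3389 (LocalPort can be a single value or an array).
    if ($port.Protocol -ne 'TCP' -or -not (@($port.LocalPort) -contains '3389')) { continue }

    $app  = $rule | Get-NetFirewallApplicationFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $rule.DisplayName
        # PolicyStoreSource is the GPO name for GPO rules, or the local store name.
        Source        = "$($rule.PolicyStoreSourceType): $($rule.PolicyStoreSource)"
        Profile       = $rule.Profile
        # 'System' on the 2008/2008 R2-style rules, svchost.exe / rdpsa.exe on 2012+.
        Program       = $app.Program
        RemoteAddress = (@($addr.RemoteAddress) -join ',')
        WideOpen      = (@($addr.RemoteAddress) -contains 'Any')
    }
}

$report | Sort-Object WideOpen -Descending | Format-Table -AutoSize

# Because allow rules from every source are merged, one wide-open allow rule
# on 3389 undoes the tighter scoping in any other policy applied to the host.
if ($report | Where-Object WideOpen) {
    Write-Warning 'At least one effective allow rule opens TCP 3389 to any remote address.'
}

# Legacy XP/2003-style policy (the "allow *" entries Todd mentions) is not an
# advanced-firewall rule and will not show up above; check the policy registry
# key directly for each profile (DomainProfile / StandardProfile).
$legacy = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List'
if (Test-Path $legacy) {
    Write-Warning "Legacy GloballyOpenPorts policy present at $legacy :"
    Get-ItemProperty -Path $legacy | Format-List
}
```

Run it on a suspect host as an administrator; a WideOpen entry sourced from an old GPO, or any output from the legacy key, explains RDP being reachable from places the newer policy was meant to exclude.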