> Also, when conflicting rules are applied, most lenient wins.

Allow rules can't conflict, so this is not accurate. Both rules win, both are 
applied, and both have a slightly different meaning. All allow rules are simply 
combined together like one big happy OR statement.

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Mote, Todd
Sent: Monday, October 17, 2016 12:55 PM
To: mssms@lists.myitforum.com
Subject: [mssms] Windows Firewall Remote Desktop oddity

So in cleaning up some OUs, rearranging and generally redoing some GPOs I came 
across this little gem.

In 2008 and 2008 R2, the built-in Remote Desktop firewall rules are written 
like this:

[image: screenshot of the 2008 / 2008 R2 Remote Desktop firewall rule]

In 2012, 2012 R2, and 2016, the default rules are written like this:

[image: screenshot of the 2012 / 2012 R2 / 2016 Remote Desktop firewall rules]

Note the biggest difference is that there are now three rules, and the Program 
changed from "System" to actual executables, svchost.exe and rdpsa.exe.

Found out today that a policy written on 2012 and up does not work when applied 
to 2008 R2 and down, despite both being "Advanced Firewall" rules.

I couldn't find anything specific about this on the interwebs, heck I'm not 
even sure this list is appropriate, but there it is. Also, when conflicting 
rules are applied, most lenient wins. We've found a bunch of 2008+ that still 
have a 2003 firewall policy applied using the old XP/2003 registry-style rules 
allowing '*', because things were easier back then, along with later, tighter 
scoped advanced firewall policies, and RDP still works from places it 
shouldn't, or we didn't intend it to anyway. It turns out Windows Firewall has 
turned into kind of a mess over time...

And yes, at the moment, I have to manage it at the host...

Todd
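As an added illustration of the merge behaviour discussed above (this is example code, not part of either message): a PowerShell audit that lists every effective inbound allow rule covering TCP 3389, with the policy store it came from, the program or service it is bound to, and its remote-address scope, so that a broad legacy rule sitting next to tighter scoped ones shows up. It assumes the NetSecurity module (Windows 8 / Server 2012 and later); the function name is my own.

```powershell
# Added example: audit the effective (merged) inbound allow rules for RDP.
# Assumes the NetSecurity module (Windows 8 / Server 2012 and later); on
# 2008 R2 the same data has to come from "netsh advfirewall firewall show rule".
# Because allow rules are OR-ed together, any one matching rule with a broad
# remote-address scope makes RDP reachable, regardless of the tighter ones.
# Assumption: rules delivered through the legacy XP/2003-style policy may not
# be represented here and should be checked separately on the host.

function Get-EffectiveRdpAllowRules {
    param([int]$Port = 3389)

    # ActiveStore = the merged rule set the firewall is actually enforcing
    # (local rules plus every GPO that applies to this host).
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True `
                 -Direction Inbound -Action Allow -ErrorAction Stop

    foreach ($rule in $rules) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        if ($portFilter.Protocol -ne 'TCP') { continue }

        # LocalPort may be 'Any', a single port, a range like 3000-4000, or an array.
        $covers = @($portFilter.LocalPort) | Where-Object {
            $_ -eq 'Any' -or $_ -eq "$Port" -or
            ($_ -match '^(\d+)-(\d+)$' -and
             [int]$Matches[1] -le $Port -and [int]$Matches[2] -ge $Port)
        }
        if (-not $covers) { continue }

        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        $svc  = $rule | Get-NetFirewallServiceFilter

        [pscustomobject]@{
            Name          = $rule.DisplayName
            Profile       = $rule.Profile
            Source        = $rule.PolicyStoreSource      # PersistentStore or the GPO name
            SourceType    = $rule.PolicyStoreSourceType
            Program       = $app.Program                 # "System" vs svchost.exe / rdpsa.exe
            Service       = $svc.Service
            RemoteAddress = (@($addr.RemoteAddress) -join ',')
            # 'Any' remote scope: this one rule alone exposes the port everywhere.
            OverlyBroad   = (@($addr.RemoteAddress) -contains 'Any')
        }
    }
}

Get-EffectiveRdpAllowRules | Sort-Object OverlyBroad -Descending |
    Format-Table Name, Profile, Source, Program, RemoteAddress, OverlyBroad -AutoSize
```

Any row flagged OverlyBroad is sufficient on its own to allow the connection, which is why a tighter rule elsewhere does not close the gap.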