> Also, when conflicting rules are applied, most lenient wins.
Allow rules can't conflict so this is not accurate. Both rules win, both are
applied, and both have a slightly different meaning. All allow rules are simply
combined together like one big happy OR statement.
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of Mote, Todd
Sent: Monday, October 17, 2016 12:55 PM
Subject: [mssms] Windows Firewall Remote Desktop oddity
So in cleaning up some OUs, rearranging and generally redoing some GPOs I came
across this little gem.
In 2008 and 2008 R2, the built in remote desktop firewall rules are written
In 2012, 2012 R2, and 2016, the default rules are written like this:
Note the biggest difference is that there are now three rules, and the Program
changed from "System" to actual executables, svchost.exe and rdpsa.exe.
Found out today that a policy written on 2012 and up does not work when applied
to 2008 R2 and down, despite both being "Advanced Firewall" rules.
I couldn't find anything specific about this on the interwebs, heck I'm not
even sure this list is appropriate, but there it is. Also, when conflicting
rules are applied, most lenient wins. We've found a bunch of 2008 + that still
have a 2003 firewall policy applied using the old xp/2003 registry style rules
allowing '*', because things were easier back then, along with later, tighter
scoped advanced firewall policies, and rdp still works from places it
shouldn't, or we didn't intend it to anyway. it turns out windows firewall has
turned into kind of a mess over time...
And yes, at the moment, I have to manage it at the host...