Yeah, I ended up there when I was explaining this to a colleague. It's not so much that the most lenient wins; it just happens that one rule is more lenient than the others. They all get applied because they have different sources and different conditions around what is, logically in my head, the same thing: restricting access to RDP. RDP is implemented differently between the editions, so the rules have to be different, e.g. the "Program" entry. When I applied the 2012+ rules to a 2008 R2 machine, for example, RDP didn't work, because svchost.exe on 2008 R2 doesn't answer on 3389; "System" does.
Turns out there's more than one service firewall rule like this. I got tipped off to this because on the 2008 R2 server itself the rule name and group look something like "@FirewallAPI.dll,-28778", because the firewall API can't understand what it's being told by the newer policy. I've got a mess to untangle for sure...

From: [email protected] [mailto:[email protected]] On Behalf Of Jason Sandys
Sent: Monday, October 17, 2016 1:49 PM
To: [email protected]
Subject: [mssms] RE: Windows Firewall Remote Desktop oddity

> Also, when conflicting rules are applied, most lenient wins.

Allow rules can't conflict, so this is not accurate. Both rules win, both are applied, and both have a slightly different meaning. All allow rules are simply combined together like one big happy OR statement.

J

From: [email protected] [mailto:[email protected]] On Behalf Of Mote, Todd
Sent: Monday, October 17, 2016 12:55 PM
To: [email protected]
Subject: [mssms] Windows Firewall Remote Desktop oddity

So in cleaning up some OUs, rearranging and generally redoing some GPOs, I came across this little gem. In 2008 and 2008 R2, the built-in Remote Desktop firewall rules are written like this:

[cid:[email protected]]

In 2012, 2012 R2, and 2016, the default rules are written like this:

[cid:[email protected]]

Note the biggest difference is that there are now three rules, and the Program changed from "System" to actual executables, svchost.exe and rdpsa.exe. Found out today that a policy written on 2012 and up does not work when applied to 2008 R2 and down, despite both being "Advanced Firewall" rules. I couldn't find anything specific about this on the interwebs; heck, I'm not even sure this list is appropriate, but there it is. Also, when conflicting rules are applied, most lenient wins.
We've found a bunch of 2008+ that still have a 2003 firewall policy applied using the old XP/2003 registry-style rules allowing '*', because things were easier back then, along with later, tighter-scoped advanced firewall policies, and RDP still works from places it shouldn't, or we didn't intend it to anyway. It turns out Windows Firewall has turned into kind of a mess over time... And yes, at the moment, I have to manage it at the host...

Todd
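An added example for anyone who wants to see the "big OR" on a given host (this is not code from the thread, from Todd or Jason, or from Microsoft): it lists every enabled inbound allow rule in the active, merged policy that covers port 3389, with its Program/Service qualifier and which policy store it came from, flags rule names that failed to resolve ("@FirewallAPI.dll,-NNNNN"), and dumps the old XP/2003 registry-style exceptions so the '*'-scope entries stand out. It assumes a Server 2012 or later host with the NetSecurity module (on 2008 R2 the equivalent is `netsh advfirewall firewall show rule name=all verbose`); the registry paths for the legacy exception lists are given from memory and should be checked against your build.

```powershell
# Added example, not from the original thread. Assumes Server 2012+ (NetSecurity cmdlets).

function Get-RdpAllowRules {
    # ActiveStore is the merged result of local rules plus every GPO-delivered rule,
    # i.e. the OR of all allow rules that actually applies on this host.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True
    foreach ($rule in $rules) {
        $port  = $rule | Get-NetFirewallPortFilter
        # LocalPort may be a single value, an array, a range such as "3389-3390", or "Any".
        $ports = @($port.LocalPort)
        $covers3389 = $ports | Where-Object {
            $_ -eq '3389' -or $_ -eq 'Any' -or
            ($_ -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le 3389 -and [int]$Matches[2] -ge 3389)
        }
        if (-not $covers3389) { continue }
        $app = $rule | Get-NetFirewallApplicationFilter
        $svc = $rule | Get-NetFirewallServiceFilter
        [pscustomobject]@{
            DisplayName = $rule.DisplayName
            Group       = $rule.DisplayGroup
            Profile     = $rule.Profile
            Protocol    = $port.Protocol
            LocalPort   = ($ports -join ',')
            Program     = $app.Program   # "System" on 2008 R2-style rules; svchost.exe / rdpsa.exe on 2012+
            Service     = $svc.Service   # e.g. termservice on the svchost.exe rule, "Any" otherwise
            Source      = "$($rule.PolicyStoreSourceType):$($rule.PolicyStoreSource)"
            # A name or group still in "@FirewallAPI.dll,-NNNNN" form means the local
            # firewall API could not resolve what the (newer) policy handed it.
            Unresolved  = ($rule.DisplayName -like '@*' -or $rule.DisplayGroup -like '@*')
        }
    }
}

function Get-LegacyFirewallExceptions {
    # Assumed locations (verify on your build): exceptions pushed by the old
    # "Windows Firewall" GPO settings land under HKLM\SOFTWARE\Policies\...,
    # locally configured ones under ...\SharedAccess\Parameters\FirewallPolicy.
    # Value data looks like "3389:TCP:*:Enabled:Remote Desktop" (ports) or
    # "C:\path\app.exe:*:Enabled:Name" (programs); a scope of '*' means any source.
    $roots = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall',
             'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($root in $roots) {
        foreach ($prof in 'DomainProfile', 'StandardProfile') {
            foreach ($list in 'GloballyOpenPorts', 'AuthorizedApplications') {
                $key = Join-Path $root "$prof\$list\List"
                if (-not (Test-Path $key)) { continue }
                $props = Get-ItemProperty -Path $key
                foreach ($p in $props.PSObject.Properties) {
                    if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider noise
                    # The item part may itself contain colons (drive letters, "3389:TCP"),
                    # so anchor on the scope:state pair rather than splitting on ':'.
                    if ($p.Value -notmatch '^(?<item>.+):(?<scope>[^:]*):(?<state>Enabled|Disabled):(?<name>.*)$') { continue }
                    [pscustomobject]@{
                        Key   = $key
                        Item  = $Matches.item
                        Scope = $Matches.scope
                        State = $Matches.state
                        Name  = $Matches.name
                    }
                }
            }
        }
    }
}

# Usage: see every rule that lets 3389 in and where each one came from, then the
# legacy entries that are enabled and scoped to '*' (the ones that open RDP from anywhere).
Get-RdpAllowRules | Format-Table -AutoSize
Get-LegacyFirewallExceptions | Where-Object { $_.State -eq 'Enabled' -and $_.Scope -eq '*' } | Format-Table -AutoSize
```

Run it elevated on a host where RDP "works from places it shouldn't"; the Source column tells you which GPO (or the local store) contributed each allow rule, and the Unresolved flag is the quick tell for a 2012+ rule that landed on a 2008 R2 box.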

