Yeah, I ended up there when I was explaining this to a colleague. It's not so
much that most lenient wins; it just happens that one rule is more lenient than
the others. They all get applied because they have different sources and
different conditions around what is, logically in my head, the same thing:
restricting access to RDP. RDP is implemented differently between the editions,
so the rules have to be different, e.g. the "Program" entry. When I applied
the 2012+ rules to a 2008 R2 machine, for example, RDP didn't work, because
svchost.exe on 2008 R2 doesn't answer on 3389; "System" does.
Turns out there's more than one service firewall rule like this. I got tipped
off to this because on the 2008 R2 server itself the rule name and group look
something like "@FirewallAPI.dll,-28778", because the firewall API can't
understand what it's being told by the newer policy.
I've got a mess to untangle for sure...
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of Jason Sandys
Sent: Monday, October 17, 2016 1:49 PM
Subject: [mssms] RE: Windows Firewall Remote Desktop oddity
> Also, when conflicting rules are applied, most lenient wins.
Allow rules can't conflict so this is not accurate. Both rules win, both are
applied, and both have a slightly different meaning. All allow rules are simply
combined together like one big happy OR statement.
[mailto:listsad...@lists.myitforum.com] On Behalf Of Mote, Todd
Sent: Monday, October 17, 2016 12:55 PM
Subject: [mssms] Windows Firewall Remote Desktop oddity
So in cleaning up some OUs, rearranging and generally redoing some GPOs I came
across this little gem.
In 2008 and 2008 R2, the built-in Remote Desktop firewall rules are written
In 2012, 2012 R2, and 2016, the default rules are written like this:
Note the biggest difference is that there are now three rules, and the Program
changed from "System" to actual executables, svchost.exe and rdpsa.exe.
Found out today that a policy written on 2012 and up does not work when applied
to 2008 R2 and down, despite both being "Advanced Firewall" rules.
I couldn't find anything specific about this on the interwebs, heck I'm not
even sure this list is appropriate, but there it is. Also, when conflicting
rules are applied, most lenient wins. We've found a bunch of 2008+ that still
have a 2003 firewall policy applied using the old XP/2003 registry-style rules
allowing '*', because things were easier back then, along with later, tighter
scoped advanced firewall policies, and RDP still works from places it
shouldn't, or we didn't intend it to anyway. It turns out Windows Firewall has
turned into kind of a mess over time...
And yes, at the moment, I have to manage it at the host...
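The point made twice in this thread, that allow rules from every store are simply OR'ed together and that a lingering XP/2003-style '*' rule therefore opens RDP no matter how tightly the newer "advanced firewall" rules are scoped, can be checked on a host directly from the registry. The script below is an added example written for this page, not code from anyone on the list. It reads the advanced-firewall rule strings (the "v2.xx|Action=Allow|...|" values under the FirewallRules keys, local and Group Policy) and the legacy GloballyOpenPorts lists, normalises both into one shape, and reports the union of remote-address scopes that can reach inbound TCP/3389. The registry paths are the real ones; the handling of a missing Active field, and the $Sample strings, are constructed assumptions and are marked as such in the code. It is written to run on PowerShell 2.0 so it also works on 2008 R2.

```powershell
# Added example, not from the thread. Lists every rule on a host that can admit
# inbound TCP/3389, from the "advanced firewall" stores and the legacy
# XP/2003-style GloballyOpenPorts lists (local and Group Policy), and reports
# the union of their remote-address scopes: allow rules from all stores are
# OR'ed, so a single legacy "*" rule opens RDP everywhere regardless of how
# tight the newer rules are. The $Sample strings below are constructed.

$AdvStores = @(
  'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules',                                # GPO
  'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'     # local
)
$LegacyStores = foreach ($p in 'DomainProfile', 'StandardProfile') {
  "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$p\GloballyOpenPorts\List"                          # GPO
  "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$p\GloballyOpenPorts\List" # local
}
$ProtoNames = @{ '6' = 'TCP'; '17' = 'UDP' }

function ConvertFrom-AdvRule {
  # Advanced-firewall value, e.g.
  # "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=System|Name=@FirewallAPI.dll,-28775|"
  # The leading token is the rule-string version; RA4/RA6 (remote address) may repeat.
  param([string]$Store, [string]$Id, [string]$Value)
  $parts = @($Value.Split('|') | Where-Object { $_ })
  $h = @{ Store = $Store; Id = $Id; Version = $parts[0]; RAddr = @() }
  foreach ($p in $parts | Select-Object -Skip 1) {
    $k, $v = $p -split '=', 2
    if ($k -eq 'RA4' -or $k -eq 'RA6') { $h.RAddr += $v } else { $h[$k] = $v }
  }
  if ($h.RAddr.Count -eq 0) { $h.RAddr = @('*') }      # no RA field: any remote address
  $h.Active = ($h['Active'] -ne 'FALSE')               # assumption: a missing Active field means enabled
  if ($h.ContainsKey('Protocol') -and $ProtoNames.ContainsKey($h['Protocol'])) {
    $h.Protocol = $ProtoNames[$h['Protocol']]
  }
  New-Object PSObject -Property $h
}

function ConvertFrom-LegacyRule {
  # Legacy value: "3389:TCP:*:Enabled:Remote Desktop"; scope is "*", "LocalSubnet" or an address list.
  param([string]$Store, [string]$Value)
  $port, $proto, $scope, $state, $name = $Value.Split(':', 5)
  New-Object PSObject -Property @{
    Store = $Store; Id = "${port}:${proto}"; Version = 'legacy'; Action = 'Allow'
    Active = ($state -eq 'Enabled'); Dir = 'In'; Protocol = $proto; LPort = $port
    App = '*'; Name = $name; RAddr = @($scope.Split(','))
  }
}

function Get-FirewallRulesFromRegistry {
  # Walks the real stores on this host; stores that do not exist are skipped.
  $rules = @()
  foreach ($s in $AdvStores) {
    if (Test-Path $s) {
      $key = Get-Item $s
      foreach ($n in $key.GetValueNames()) { $rules += ConvertFrom-AdvRule $s $n ($key.GetValue($n)) }
    }
  }
  foreach ($s in $LegacyStores) {
    if (Test-Path $s) {
      $key = Get-Item $s
      foreach ($n in $key.GetValueNames()) { $rules += ConvertFrom-LegacyRule $s ($key.GetValue($n)) }
    }
  }
  $rules
}

function Select-InboundAllow {
  param([object[]]$Rules, [int]$Port, [string]$Proto = 'TCP')
  $Rules | Where-Object { $_.Active -and $_.Action -eq 'Allow' -and $_.Dir -eq 'In' -and
                          $_.Protocol -eq $Proto -and $_.LPort -eq "$Port" }
}

function Get-EffectiveRemoteScope {
  # Allow rules combine as OR, so the effective scope is the union; any '*' swallows the rest.
  param([object[]]$Allow)
  $scopes = @($Allow | ForEach-Object { $_.RAddr } | Sort-Object -Unique)
  if ($scopes -contains '*') { @('*') } else { $scopes }
}

# Constructed sample: a tightly scoped 2012-style GPO rule (svchost.exe), a tightly
# scoped 2008 R2-style local rule (System), and a 2003-style rule from an old GPO.
$Sample = @(
  (ConvertFrom-AdvRule 'GPO'   'RDP-2012' 'v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=%SystemRoot%\system32\svchost.exe|Svc=termservice|RA4=10.10.0.0/16|Name=Remote Desktop - User Mode (TCP-In)|'),
  (ConvertFrom-AdvRule 'Local' 'RDP-2008' 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=System|RA4=10.10.0.0/16|Name=Remote Desktop (TCP-In)|'),
  (ConvertFrom-LegacyRule 'GPO-2003-style' '3389:TCP:*:Enabled:Remote Desktop')
)

$rules = $Sample   # on a real host: $rules = Get-FirewallRulesFromRegistry
$allow = @(Select-InboundAllow $rules 3389)
$allow | Format-Table Store, Version, App, Name, @{ n = 'Remote'; e = { $_.RAddr -join ',' } } -AutoSize
"Effective inbound TCP/3389 scope: " + ((Get-EffectiveRemoteScope $allow) -join ', ')
```

With the sample data both advanced rules restrict RDP to 10.10.0.0/16, but the legacy rule says '*', so the effective scope is '*'; drop the legacy rule and the union collapses to 10.10.0.0/16. Run against the live registry on a 2008 R2 box that received a 2012-era policy and the Version column also makes the mismatch visible: the older host's own rules carry a lower rule-string version than the ones pushed by the newer policy.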