Windows Defender Firewall – Blocking Rdp From Only Public Ips

Discussion in 'Software' started by PEBKAC, Aug 8, 2023.

  1. PEBKAC

    PEBKAC Private First Class

I am a longtime enterprise firewall administrator but am relatively new to the Windows Firewall. Even though users are instructed against doing so, people working from home will sometimes connect their laptops directly to a cable modem and be assigned a public IP address. Because RDP is enabled, this allows malicious actors the opportunity to attempt connections directly from the Internet and attempt to enumerate and brute force accounts. I would like to create a Windows Firewall rule that permits RDP from private addresses (RFC1918) but blocks the traffic from public addresses. In a real firewall, I would create a rule (or even three rules, if necessary) that permits the traffic from private IP ranges and then the cleanup rule at the bottom of the rule set would drop all other RDP traffic by default. If this were Linux, this would be pretty easy to accomplish with something like iptables. However, Windows does not appear to process its firewall rules sequentially and, instead, processes in a "most restrictive" manner. My experience has been, if there is a rule to block all RDP, any rules that explicitly permit RDP by defined subnets will be ignored.

    I don't believe blocking RDP traffic based on profile (Domain, Private, or Public) is going to help in this case either. Microsoft defines the Domain profile as "networks where the host system can authenticate to a domain controller." In a work-from-home scenario, the operating system will not see a domain controller until after the client is connected to a corporate client/server VPN. (RDP would always be blocked.) Configuring separate RDP rules for Private vs. Public would then rely on the user selecting the correct option. Relying on the user to make the appropriate selection is something I would like to avoid. (In the user's mind, the home network would most likely be considered "Private," even if the user is plugging the device directly into a modem.)

    Any suggestions would be greatly appreciated! Thank you!
     
  2. foogoo

    foogoo Major "foogoo" Geek

So you have tried to mess with the firewall's scope for local and remote IPs?
    Second, why RDP? Cost? You don't make that decision?
     
  3. PEBKAC

    PEBKAC Private First Class

    One use case example (although there are others) is that some users who are 100% work from home prefer to RDP to their work laptop (on the same home network) from their personal device rather than work with two computers on a desk. Most of the reasons for having RDP enabled are business decisions that I do not have the authority to overrule. I am simply working to mitigate risk. So, yeah, I can't make the decision to just disable RDP.

    I have been having difficulties finding information on what Microsoft's definition is for "Local IP Address" and "Remote IP Address." The only information I could find states, "On the Scope page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page." I am interpreting "Local IP Address" scopes to mean that the IP address(es) of the NIC(s) must fall within this defined scope in order for the rule to apply. And I am interpreting "Remote IP" to be the definition of source in an inbound rule or destination in an outbound rule.

    I suspect part of my problem was that a new TCP 3389 rule was defined with a private IP scope while the default "Remote Desktop – User Mode (TCP-In)" rule was still enabled. Was rule overlap the root of my problems? Not completely sure but, by not having a separate RDP rule and modifying the default rule to have a Remote IP address scope of 10.0.0.0/8, 192.168.0.0/16, and 172.16.0.0/12 instead, the behavior is as I would expect—blocking traffic from public IPs but permitting it from private IPs.

    Thank you for the help on this one! It certainly pointed me in the right direction! I am now going to work with one of my system administrators to get the change tested in a group policy. ;-)
     
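The fix PEBKAC arrived at (scoping the built-in RDP rule's Remote IP addresses to the RFC1918 ranges rather than adding a second rule) can be applied and verified with the NetSecurity cmdlets. This is an added example, not code from the thread; it assumes the default Windows rule group "Remote Desktop" (the display names there use a plain hyphen, e.g. "Remote Desktop - User Mode (TCP-In)") and an elevated PowerShell session, and it also lists any other inbound allow rule on TCP/UDP 3389 so the rule-overlap question raised above can be checked.

```powershell
# Added example (not from the thread): restrict the built-in inbound RDP rules
# to RFC1918 source addresses and verify the result. Run as Administrator.
$privateRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

# The built-in "Remote Desktop" group holds the TCP and UDP user-mode rules
# (and the Shadow rule). Scoping the whole group avoids leaving UDP 3389 open.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound

foreach ($rule in $rdpRules) {
    # For an inbound rule, "Remote IP address" is the source of the connection.
    $rule | Set-NetFirewallRule -RemoteAddress $privateRanges
}

# Verification: show each rule with the remote-address scope now attached to it.
foreach ($rule in $rdpRules) {
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Profiles      = $rule.Profile
        RemoteAddress = ($addr.RemoteAddress -join ', ')
    }
}

# Overlap check: any OTHER enabled inbound allow rule on port 3389 with a wider
# scope (e.g. a hand-made "Any" rule) will still admit public sources, because
# Windows evaluates allow rules as a set rather than top-down.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Group         = $_.DisplayGroup
            RemoteAddress = ($addr.RemoteAddress -join ', ')
        }
    }
```

Any rule in the last listing whose RemoteAddress shows `Any` reopens 3389 to public sources and should be disabled or scoped the same way; in a domain the same settings are pushed through the Windows Defender Firewall with Advanced Security GPO node rather than run per host.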
