12 July 2011

Limit RDP inbound and outbound access to specific IPs

RDP access in and out of a machine can be a very useful tool. It can however also present a big security headache. Any user who is a member of the Remote Desktop Users group can log on to the server, and out of the box there is no granular way to restrict where those connections come from. As an example, you may only want to allow certain management stations to RDP to your servers. To achieve this restriction you can make use of the Windows Firewall and the Scope (remote IP address) setting on its rules.

The Default Inbound Rules
There are some default inbound rules for RDP access. These are enabled when you enable Remote Desktop on the machine:

Remote Desktop (TCP-In)
Remote Desktop - RemoteFX (TCP-In)

When enabled, these rules allow connections from any remote address and apply to all three network profiles (Domain, Private and Public).

Editing the Allow Rule
Once Remote Desktop is active you can edit the Remote Desktop (TCP-In) rule so that it only accepts connections from the addresses you choose.

From the Windows Firewall with Advanced Security console do the following:

  • Select Inbound Rules
  • Right click and select properties for the Remote Desktop (TCP-In) rule
  • Select the Scope tab
  • In the remote IP address section select "These IP addresses"
  • Click Add
  • Add the IP or range of IPs that you want to grant access from.

(In our example these would be the management consoles.)

Apply the same Scope to every other enabled rule that allows TCP 3389, including Remote Desktop - RemoteFX (TCP-In). Allow rules are combined, so a single allow rule left at "Any IP address" lets every address through regardless of the scope set on the other rule. If you are making the change over RDP, make sure the address you are connecting from is in the list before you click OK, or you will lock yourself out.
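The same edit scripted, so it can be applied to many servers and verified afterwards. This is an added example, not code from the original post. It uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later); the netsh equivalent for Server 2008 R2 and Windows 7 is in the comments at the end. The addresses in $ManagementHosts are assumed values for illustration. Rather than editing one rule by name, it finds every enabled inbound allow rule for TCP 3389 and scopes all of them, which is what stops the RemoteFX rule from undoing the restriction.

```powershell
# Added example, not from the original post. Uses the NetSecurity cmdlets
# (Windows 8 / Server 2012 and later); netsh equivalent for 2008 R2 at the end.
# All addresses below are assumed values for illustration.

# Management stations that may open RDP to this host (assumed values)
$ManagementHosts = @('10.0.10.5', '10.0.10.6', '10.0.20.0/24')

# Every enabled inbound allow rule for TCP 3389. Allow rules are combined, so an
# unscoped "Remote Desktop - RemoteFX (TCP-In)" would undo a scope set only on
# "Remote Desktop (TCP-In)"; this returns all of them rather than one by name.
function Get-RdpAllowRule {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $port.Protocol -eq 'TCP' -and ($port.LocalPort -contains '3389')
        }
}

# Apply one remote-address scope (the GUI "These IP addresses" setting) to each
# of those rules and return the rules that were changed.
function Set-RdpAllowScope {
    param([Parameter(Mandatory)][ValidateNotNullOrEmpty()][string[]]$RemoteAddress)
    $rules = @(Get-RdpAllowRule)
    if ($rules.Count -eq 0) {
        Write-Warning 'No enabled inbound allow rule for TCP 3389 found; is Remote Desktop enabled?'
        return
    }
    $rules | Set-NetFirewallRule -RemoteAddress $RemoteAddress
    $rules
}

# Re-read the rules and show the resulting scope so the change can be checked
# before the current session is closed.
function Show-RdpAllowScope {
    Get-RdpAllowRule | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($addr.RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
}

Set-RdpAllowScope -RemoteAddress $ManagementHosts | Out-Null
Show-RdpAllowScope

# Server 2008 R2 / Windows 7 (no NetSecurity module): the same edit with netsh.
# Repeat the "set rule" line for the RemoteFX rule as well.
# netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=10.0.10.5,10.0.10.6,10.0.20.0/24
# netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)" verbose
```

Run it from a console session or from a station whose address is in $ManagementHosts; the scope takes effect immediately, and an RDP session from an address outside the list will be dropped as soon as Set-NetFirewallRule completes.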

Creating a Deny rule
This is the most suitable approach if you generally want to allow all IPs access except a few ranges.
To create a restrictive inbound rule do the following from the Windows Firewall with Advanced Security console:


  • Select Inbound Rules
  • Click New Rule from the actions pane
  • Select Port
  • Select TCP
  • Specify port 3389
  • Select Block the connection
  • Select all three network profiles
  • Specify a Rule name and description (Remote Desktop Granular Deny)
  • After creation open the rule for editing
  • Select the Scope tab
  • In the remote IP address section select "These IP addresses"
  • Click the add button
  • Enter either the IP subnet or range that you want to block.
  • You can add multiple IPs or IP ranges 

For this to work the default allow rule must remain enabled. A block rule on its own does not open the port; it only narrows the existing allow rule, and because block rules take precedence over allow rules the addresses in its scope are refused while everyone else still gets in.

Outbound Rule
If you want to restrict which machines a client can connect to over RDP you will need an outbound block rule. Outbound traffic is allowed by default, so no allow rule is needed for this direction.

Do the following from the Windows Firewall with Advanced Security console:


  • Select Outbound Rules
  • Click New Rule from the actions pane
  • Select Port
  • Select TCP
  • Specify port 3389
  • Select Block the connection
  • Select all three network profiles
  • Specify a Rule name and description (Remote Desktop Granular Deny - Outbound)
  • After creation open the rule for editing
  • Select the Scope tab
  • In the remote IP address section select "These IP addresses"
  • Click the add button
  • Enter either the IP subnet or range that you want to block.
  • You can add multiple IPs or IP ranges 

It is important to note that you have to explicitly list the addresses that you want to deny. A block rule whose scope is left at "Any IP address" blocks RDP to every destination.
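Both deny rules above, inbound and outbound, scripted with one function. This is an added example, not code from the original post. It uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later); netsh equivalents for Server 2008 R2 and Windows 7 are in the comments at the end. The addresses in $DeniedSources and $DeniedDestinations are assumed values for illustration. The one thing the two directions do not share is which end of the connection is port 3389: the local port for the inbound rule, the remote port for the outbound rule. The script also checks the point made above, that the inbound deny rule is useless unless the default allow rule is still enabled.

```powershell
# Added example, not from the original post. NetSecurity cmdlets (Windows 8 /
# Server 2012 and later); netsh equivalents for 2008 R2 are at the end.
# All addresses below are assumed values for illustration.

$DeniedSources      = @('192.0.2.0/24', '198.51.100.10-198.51.100.20')  # may not RDP in
$DeniedDestinations = @('203.0.113.0/24')                               # this host may not RDP to

# One function for both directions. Inbound: 3389 is the local port.
# Outbound: 3389 is the remote port, because the client's own port is ephemeral.
function New-RdpGranularDeny {
    param(
        [Parameter(Mandatory)][ValidateSet('Inbound', 'Outbound')][string]$Direction,
        # Mandatory and non-empty: a block rule with no scope applies to every
        # address and would cut off all RDP in that direction.
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string[]]$RemoteAddress
    )
    $name = "Remote Desktop Granular Deny ($Direction)"
    $params = @{
        DisplayName   = $name
        Description   = "Block RDP ($Direction) for the listed addresses only"
        Direction     = $Direction
        Protocol      = 'TCP'
        Action        = 'Block'
        Profile       = 'Domain', 'Private', 'Public'   # all three profiles
        RemoteAddress = $RemoteAddress                  # the Scope tab
        Enabled       = 'True'
    }
    if ($Direction -eq 'Inbound') { $params.LocalPort = '3389' } else { $params.RemotePort = '3389' }

    # Re-running replaces an earlier rule of the same name instead of stacking duplicates
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule @params
}

# The inbound deny only narrows the default allow rule. If that rule is disabled
# nothing gets in at all, so confirm it before relying on the deny list.
function Test-RdpAllowEnabled {
    $allow = Get-NetFirewallRule -DisplayName 'Remote Desktop (TCP-In)' -ErrorAction SilentlyContinue
    return [bool]($allow -and $allow.Enabled -eq 'True')
}

New-RdpGranularDeny -Direction Inbound  -RemoteAddress $DeniedSources      | Out-Null
New-RdpGranularDeny -Direction Outbound -RemoteAddress $DeniedDestinations | Out-Null

if (-not (Test-RdpAllowEnabled)) {
    Write-Warning '"Remote Desktop (TCP-In)" is disabled; the inbound deny rule has nothing to narrow.'
}

# Show what was created, with the scope each rule carries
Get-NetFirewallRule -DisplayName 'Remote Desktop Granular Deny*' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Direction     = $_.Direction
        Action        = $_.Action
        Enabled       = $_.Enabled
        RemoteAddress = ($addr.RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize

# Server 2008 R2 / Windows 7 equivalents (note localport vs remoteport):
# netsh advfirewall firewall add rule name="Remote Desktop Granular Deny (Inbound)" dir=in action=block protocol=TCP localport=3389 remoteip=192.0.2.0/24,198.51.100.10-198.51.100.20 profile=any
# netsh advfirewall firewall add rule name="Remote Desktop Granular Deny (Outbound)" dir=out action=block protocol=TCP remoteport=3389 remoteip=203.0.113.0/24 profile=any
```

Because the inbound rule is a block, it wins over the allow rule for the listed sources no matter which rule was created first; there is no ordering to get right. The outbound rule depends on the default outbound action still being Allow, which is the shipped setting for all three profiles.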

You can also restrict certain users from even executing the RDP client in an RDS environment:
http://fixmyitsystem.com/2011/07/rds-limit-application-execution-to.html
