Force Windows firewall GPO to override existing, predefined Remote Desktop rule?

Hello all,

I have a Remote Desktop TCP GPO for Windows Firewall that only allows clients with specific IP ranges to connect. When I apply the GPO, it is being overridden by the pre-existing Remote Desktop rule. When I disable the existing rule locally, my GPO works fine.

I don't want to have to manually disable the existing, default rule on all the servers I deploy for this purpose. I want to set up a GPO once in Active Directory that:
1. Restricts RD access to the IP ranges I specify.
2. Overrides the existing, more relaxed local firewall policy for remote desktop.

Having trouble getting good search results on this one so I thought someone could help.

Thanks.



Local policies will also get applied with the domain policies. What you could do is, in your GPO, disable the local policies, which will then apply your domain policies.

Will.




Hey Will,

I've been trying to figure out how to use GPO to disable that local Remote Desktop policy but haven't been able to figure out how to do it. I was able to create the new rule I need for Remote Desktop but it is not overriding the existing. I'm not seeing how to disable the existing local one.



The link below illustrates how to disable merging on the local firewall policy via GPO, which should do the trick.
https://technet.microsoft.com/en-us/library/cc732770%28v=ws.10%29.aspx

Will.



Though Will has a solution, it is a dangerous one. If we disable local fw policies, all the exceptions that programs have set (believe me, there will be many) will become inactive, which might break many things.

I recommend using a domain start script instead that deletes or modifies some rules using netsh.exe.
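
The start-script approach suggested above, sketched as an added example that is not part of the original post: it uses the NetSecurity PowerShell cmdlets rather than netsh.exe, and disables only the local "Remote Desktop" rules once a GPO-delivered RDP rule is confirmed in the effective policy. The English display group name, port 3389 and deployment as a computer startup script are assumptions.

```powershell
# Added example: computer startup script (assumed to be deployed through a GPO).
# Disables the locally defined inbound "Remote Desktop" rules and leaves every
# other local exception untouched, so only the GPO-delivered RDP rule applies.

$group   = 'Remote Desktop'   # English display group of the built-in rules (assumption)
$rdpPort = '3389'             # default RDP port (assumption)

# 1. Safety check: the effective policy (ActiveStore) must already contain an
#    enabled inbound allow rule for the RDP port that came from Group Policy.
#    If it does not, change nothing, so the server keeps remote access until
#    the GPO has actually applied.
$gpoRdp = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.PolicyStoreSourceType -eq 'GroupPolicy' } |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains $rdpPort }

if (-not $gpoRdp) {
    Write-Warning "No GPO rule for TCP $rdpPort in effect; local rules left unchanged."
    return
}

# 2. Disable only the local (PersistentStore) inbound rules of the built-in group.
#    Rules delivered by GPO live in a different store and are not touched.
$local = Get-NetFirewallRule -PolicyStore PersistentStore -DisplayGroup $group -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }

if ($local) {
    $local | Disable-NetFirewallRule
    $local | ForEach-Object { Write-Output "Disabled local rule: $($_.DisplayName)" }
}

# 3. Report which GPO rules now govern RDP and which remote addresses they allow,
#    so the result can be checked against the intended IP ranges.
$gpoRdp | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ', '
    }
}
```

Because Windows Firewall allow rules are additive, the restricted GPO rule takes effect only once the broader local rule is disabled; this script leaves local rule merging on, so exceptions registered by other programs keep working.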



I found a solution the other day. I'm going back to it to see if it matches any of these....

Ken.
