Windows Firewall doesn't block RDP
Posted by PiotrIr@reddit | sysadmin | 9 comments
Hi,
I have an issue on a number of computers (not all) and I hope someone will be able to help me. Basically, no matter what I do with rules (disabling the built-in RDP rule, creating a dedicated block-RDP one), RDP is allowed through the Windows 10 Firewall. The firewall is enabled and working, as some rules can be disabled and they are blocked. To investigate the issue more deeply, I used the following procedure to find what is allowing the traffic.
And the results show that the "Interface Un-quarantine filter" passes the RDP traffic (details below). Does someone know why this rule passes the traffic and how to fix the issue?
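The post refers to a procedure that is not reproduced here. As an added example (mine, not the original poster's procedure), the PowerShell below does the kind of lookup that attributes a permitted connection to a named WFP filter: it lists the effective rules for port 3389, turns on Filtering Platform Connection auditing, dumps the WFP state, and resolves the Filter Run-Time ID of each permitted inbound 3389 connection (event 5156) to its display name. It assumes an elevated prompt and that RDP listens on the default port 3389 for both TCP and UDP.

```powershell
# Added example (not the original poster's procedure): find which Windows Filtering
# Platform (WFP) filter permits inbound RDP on a host where a block rule does not
# take effect. Run from an elevated PowerShell prompt. RDP uses TCP 3389 and UDP 3389.

$RdpPort = 3389   # assumption: default RDP listener port

# 1. Effective rules touching 3389. ActiveStore merges the local store with GPO, and
#    PolicyStoreSource shows which store each rule came from.
Get-NetFirewallPortFilter -PolicyStore ActiveStore |
    Where-Object { $_.LocalPort -eq $RdpPort } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Enabled, Direction, Action, Profile, PolicyStoreSource |
    Format-Table -AutoSize

# 2. Audit WFP connection decisions: event 5156 = permitted, 5157 = blocked. Each event
#    carries the run-time ID of the filter that made the decision.
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

# 3. Dump the WFP state; the XML maps each filterId to the filter's display name
#    (this is where a name such as "Interface Un-quarantine filter" comes from).
$StateFile = Join-Path $env:TEMP 'wfpstate.xml'
netsh wfp show state "file=$StateFile"
$state = [xml](Get-Content -Raw $StateFile)
$filterNames = @{}
foreach ($item in $state.SelectNodes('//filters/item')) {
    $filterNames[[string]$item.filterId] = [string]$item.displayData.name
}

# 4. Reproduce: open an RDP session from another host, then read the permitted-connection
#    events for inbound 3389 and resolve each filter ID to its name.
function Get-PermittedRdpDecisions {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156 } -MaxEvents 5000 |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # %%14592 is the resource string for "Inbound"
            if ($data.Direction -ne '%%14592' -or [int]$data.DestPort -ne $RdpPort) { return }
            $proto = switch ([int]$data.Protocol) { 6 { 'TCP' } 17 { 'UDP' } default { "$($data.Protocol)" } }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Source   = "$($data.SourceAddress):$($data.SourcePort)"
                Protocol = $proto
                FilterId = $data.FilterRTID
                Filter   = $filterNames[$data.FilterRTID]
            }
        }
}

Get-PermittedRdpDecisions | Format-Table -AutoSize
```

If the Filter column shows a name that is not one of your own rules, the decision was made by a filter Windows installed outside the Windows Firewall rule set, and the matching `<item>` in `wfpstate.xml` (its `layerKey`, `subLayerKey`, `weight` and `filterCondition`) tells you what it matches on.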
ZAFJB@reddit
Are you blocking both TCP and UDP?
PiotrIr@reddit (OP)
yes
BlackV@reddit
I'd be looking at GPO for rules, but why block RDP when you could turn it off instead and then not have another rule to maintain?
PiotrIr@reddit (OP)
Because I want to make sure my Windows Firewall is working as expected.
gotmynamefromcaptcha@reddit
No idea why the rule passes traffic, but I recently had a similar issue. I had restricted access in the firewall to a vendor's IP range + restricted accounts. The firewall allowed EVERYTHING anyway, which caused a breach/quarantine. Went back and sifted through everything and no matter what we did it wouldn't block it... UNTIL... and this is where it gets weird..
We have an SD-WAN appliance that also acts as a firewall... I went in there and created a block rule for RDP, which worked, but now even the restricted IPs got blocked. I got rid of the rule, tested the FW again with the restricted IPs... and magically it worked. I can't explain why, but there's something up with Windows FW.
If you have an appliance in front of your network acting as a firewall, it's worth checking in there and blocking RDP on that, then testing to verify.
PiotrIr@reddit (OP)
Wow, this is really strange. How could creating and deleting a rule on the network firewall possibly trigger a Windows Firewall block rule? Hmm, unless Endpoint Protection is somehow connected to your SD-WAN appliances - maybe that is the case. I'm starting to worry about Defender Firewall reliability. Sadly I don't have a hardware firewall which I could use to test this.
gotmynamefromcaptcha@reddit
I honestly cannot explain it either. I even went to my boss with it, my old boss, and everyone just scratched their heads at that. Unless it's purely coincidental that it just magically started working the moment I did that on the SD-WAN.
PiotrIr@reddit (OP)
Maybe it is coincidental.
_CyrAz@reddit
Is this Windows 10 machine a member of a domain, and if yes, do you have any GPO that could be overriding Windows Firewall rules? These are treacherous because there is no visual hint in the firewall console that the local rules are being ignored in favor of those from the GPO.
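One way to check the point above, as an added example that is not from the commenter: read the per-profile "Apply local firewall rules" setting (the thing a GPO flips that makes the console silently ignore local rules), its registry form under the Policies hive, and the RDP rules present in each policy store. It assumes an elevated prompt on the affected machine and the default RDP port 3389.

```powershell
# Added example: check whether Group Policy is overriding local Windows Firewall rules
# on a domain-joined Windows 10 machine. Run from an elevated PowerShell prompt.

# Per-profile "Apply local firewall rules". When a GPO sets it to No, AllowLocalFirewallRules
# is False and locally created rules (including a local block rule) are not evaluated.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, AllowLocalFirewallRules, AllowLocalIPsecRules |
    Format-Table -AutoSize

# The same setting as netsh prints it; "LocalFirewallRules  N/A (GPO-store only)"
# means local rules are ignored for that profile.
netsh advfirewall show allprofiles | Select-String 'Profile Settings|LocalFirewallRules'

# Registry form of the policy: AllowLocalPolicyMerge = 0 under the Policies hive.
# StandardProfile is the Private profile.
foreach ($profileName in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$profileName"
    if (Test-Path $key) {
        Get-ItemProperty -Path $key |
            Select-Object @{ n = 'Profile'; e = { $profileName } }, EnableFirewall, AllowLocalPolicyMerge, DefaultInboundAction
    }
}

# RDP-related rules by store: RSOP holds what the GPOs deliver, PersistentStore the
# local rules, ActiveStore the merged view. An allow rule in RSOP plus
# AllowLocalFirewallRules = False explains a local block rule that never fires.
function Get-RdpRulesFromStore([string]$Store) {
    Get-NetFirewallPortFilter -PolicyStore $Store -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -eq 3389 } |   # assumption: default RDP port
        Get-NetFirewallRule |
        Select-Object @{ n = 'Store'; e = { $Store } }, DisplayName, Enabled, Direction, Action, Profile, PolicyStoreSource
}

'RSOP', 'PersistentStore', 'ActiveStore' |
    ForEach-Object { Get-RdpRulesFromStore $_ } |
    Format-Table -AutoSize
```

`gpresult /h report.html` names the GPO that delivers the setting, which is what you need when the profile shows `AllowLocalFirewallRules` as False and you want to know where to change it.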