
We currently have a Windows Firewall rule in place to ALLOW RDP connections only on specific ports (non-default). This does not contain a whitelist of IP addresses and currently allows all IPs to connect.

In an attempt to reduce the number of overseas attacks (I know a hardware solution would be more robust but have not received approval for this), I would like to put a secondary "block" rule in to blacklist IP ranges from suspicious countries.

How do rules interact with each other? If one rule is allowing connections without an IP list, would that override the "block" rule? Or will the "block" rule override (i.e. if I leave local IP addresses set to Any IP Address, will this automatically block all local IPs)?

Basically I'm looking to keep all local IPs accessible and only manage a blacklist rather than a whitelist.

What's the best way to achieve this while still only allowing the specific custom port I have set up?

Sami.C

1 Answer


Block rules override Allow rules, where they conflict (search on page for "take precedence"). Any explicit rules override default-allow or default-block. Finally, if the rules are both Allow or both Deny, more specific (more filters) overrides less specific (though I can't imagine that often comes up).

You could also just add a list of allowed IP ranges to your existing Allow rules, and allow everything except the ranges you want. This might slightly complicate the process of changing the allowed ranges, but it has the advantage of keeping the total number of rules low (possibly handy if you decide to do something like change your RDP listen port again).

CBHacking
  • My fear in creating a whitelist is that I could potentially lock us out if there was some shake up to IP addresses in our country (IDK). I figure if I block IP ranges from suspicious countries (Russia, China) I can continue to monitor the logs over the coming months and just periodically implement more blacklist entries. How would you recommend I do this? – Sami.C Mar 25 '21 at 23:33
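
The precedence described in the answer, as an added example that is not part of the original question, answer or comment: a port-scoped Block rule placed next to the existing Allow rule, a helper for appending ranges over time, and a listing to review what applies to the port. The port number, rule name, helper name and address ranges are constructed placeholders, and the existing Allow rule is assumed to stay unchanged.

```powershell
# Added example; run from an elevated PowerShell prompt.
# The port, rule name and address ranges below are constructed placeholders.
$RdpPort   = 50123                      # assumed custom RDP listen port
$BlockName = 'RDP - blocked ranges'     # hypothetical rule name
$Blocked   = @('203.0.113.0/24', '198.51.100.0/24')   # documentation ranges, not real data

# Block rule scoped to the RDP port only. A rule matches only when every one of
# its filters matches, so LocalAddress Any does not widen it: only the listed
# remote ranges are dropped, and all other sources still hit the existing Allow rule.
if (-not (Get-NetFirewallRule -DisplayName $BlockName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $BlockName -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort $RdpPort -LocalAddress Any -RemoteAddress $Blocked | Out-Null
}

# Append ranges later without replacing the ones already on the rule.
function Add-BlockedRange {
    param([Parameter(Mandatory)][string[]]$Range)
    $filter  = Get-NetFirewallRule -DisplayName $BlockName | Get-NetFirewallAddressFilter
    $current = @($filter.RemoteAddress) | Where-Object { $_ -and $_ -ne 'Any' }
    $merged  = @($current) + $Range | Sort-Object -Unique
    Set-NetFirewallRule -DisplayName $BlockName -RemoteAddress $merged
}

Add-BlockedRange -Range '192.0.2.0/24'

# Review: each enabled inbound TCP rule on the port, with its action and remote scope.
# Rules that cover the port through a range (for example 50000-51000) are not listed.
Get-NetFirewallPortFilter -Protocol TCP | Where-Object { $_.LocalPort -eq $RdpPort } |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        [pscustomobject]@{
            Name   = $_.DisplayName
            Action = $_.Action
            Remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        }
    } | Format-Table -AutoSize
```

The listing should show the Allow rule with a remote scope of Any and the Block rule with the merged ranges; a source inside a blocked range is dropped even though the Allow rule also matches it.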