




Allowing RDP access to only certain IPs

Monday, June 26, 2017 in Technical Articles (Views: 1911)

I had an issue come up recently where the ask was to only allow RDP access to certain IPs. The trick here was that a Group Policy existed that set universal access to RDP through the firewall.

A very simple fix can take care of this issue. In this repro, the following applies:
  • I have a rule by GPO scoped to allow RDP to all systems from any IP. This is administrator defined, and cannot be changed.
  • Only the one approved IP will be able to connect over RDP
  • No other ports or connectivity will be affected

To resolve the issue, here is the fix:
  • Create a block rule on the firewall (assuming a GPO wasn't set to limit this)
    • Open Windows Firewall (wf.msc) on the system to limit access
    • Right click Inbound Rules, then click New Rule
    • For Rule Type, I selected Port and clicked Next (this gives me more control than the predefined Remote Desktop, as ports for RDP can be changed)
    • For Protocol and Ports, I left TCP selected and for Specific local ports, added 3389 and clicked Next.
    • For action, I selected Block the Connection and clicked Next
    • For Profile, I only use a Domain Profile, but if you want it to apply to all, just leave the default of the Domain, Private and Public profiles and click Next.
    • For Name, give it a name you'll remember.
  • Modify the created rule
    • Open the rule you created in Windows Firewall in the Inbound Rules node
    • Click on the Scope tab.
    • For remote IP addresses, click Add
    • Click This IP address range
    • For the first range, From: To: and click OK
    • Repeat for the second range: From: To: and click OK (remember, we are leaving .36 out of the block scope so it keeps "Allow" access)
    • Click OK one last time to save your rule.
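The same block rule built from PowerShell, as an added example that is not from the original post; the rule name and the 192.0.2.x ranges are constructed placeholders (the post leaves its ranges blank, noting only that .36 stays allowed), and the NetSecurity cmdlets used are the ones shipped with Windows 8 / Server 2012 and later.

```powershell
# Added example, not from the original post. Values below are constructed placeholders.
$ruleName    = 'Block RDP except jumphost'   # assumed display name
$allowedHost = '192.0.2.36'                   # constructed: the single IP that keeps RDP access
# Every other address in the subnet, split into the two ranges the wizard steps describe
$blockedRanges = @('192.0.2.1-192.0.2.35', '192.0.2.37-192.0.2.254')

function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = ([System.Net.IPAddress]$Ip).GetAddressBytes()   # network (big-endian) order
    [Array]::Reverse($bytes)                                  # BitConverter expects little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IpInRange ([string]$Ip, [string]$Range) {
    $lo, $hi = $Range -split '-'
    $n = ConvertTo-UInt32 $Ip
    return ($n -ge (ConvertTo-UInt32 $lo)) -and ($n -le (ConvertTo-UInt32 $hi))
}

# Sanity check before touching the firewall: if the allowed host falls inside a
# blocked range, this rule would lock out the very jumphost you are keeping.
foreach ($r in $blockedRanges) {
    if (Test-IpInRange $allowedHost $r) {
        throw "Allowed host $allowedHost falls inside blocked range $r"
    }
}

# Same settings as the wizard: Inbound, TCP 3389, Block, Domain profile, scoped by
# remote IP. Block rules take precedence over allow rules, so this overrides the
# GPO-delivered RDP allow rule for the blocked ranges while leaving .36 untouched.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -Action Block -Profile Domain `
    -RemoteAddress $blockedRanges | Out-Null

# Verify what was actually stored on the rule (the equivalent of the Scope tab)
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

If the firewall is set to ignore local rules, add the same rule through the GPO's Windows Firewall with Advanced Security node instead; the scope settings are identical.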

Now, we test. Log in from any system considered blocked, and you should receive a message saying you cannot connect. Now, from the system you granted IP access to, you should be able to log in via RDP just fine. Since this rule is on the local firewall, this rule will take effect instantly and give you more granular control.

If you want to set this via Group Policy, you can set special rules in GPO, but it can be messy if you want to have a lot of rules and therefore a lot of GPOs to do it. The GPO solution would be good if you wanted to restrict a whole server subnet to just a group of jumphosts, as an example.

Hope this helps.


