This article goes into some detail on how to block RDP while allowing only specific connections using the SEP 12.1 firewall. The same steps also apply to SEP 11.x.
Oftentimes a request comes in to block the RDP protocol for a group of machines but allow it to one "special" machine. Here's how we can accomplish that.
First, we need to add a Network Service. Log in to your SEPM and go to Policies >> Policy Components >> Network Services >> Add a Network Service.
Add the necessary info for the RDP protocol. RDP works over TCP 3389.
Once finished, click OK to save your work. You now have a new network service added for RDP.
Now, you need to create the rules to block/allow RDP. You can either create a new firewall policy or edit your existing one. For this article, I started with a new one.
Let's start by adding the "Block ALL RDP" rule.
In your firewall policy, click Add Rule.
Give it a name, then click Next.
Tick the radio button for Block connections, then click Next.
Tick the radio button for Only the applications listed below, then click Add.
Add the RDP client filename, mstsc.exe, then click OK.
Select Any computer or site so all computers and sites are blocked from using RDP, then click Next.
Add the RDP network service that you created earlier.
Tick the radio button for Yes to create a log entry, then click Finish.
The Block ALL RDP rule will be placed at the top.
Now, to create our Allow Specific RDP exclusion:
Add another rule and give it a name, then click Next.
Tick the radio button for Only the applications listed below, then click Add.
Add the RDP client filename, mstsc.exe, then click OK.
Now we need to specify which computer we want to be reachable over RDP. Tick the radio button for Only the computers and sites listed below, then click Add.
You have a few options to choose from, but I will add it by IP address.
Add the RDP network service that you created earlier.
Tick the radio button for Yes to create a log entry, then click Finish.
Move the Allow Specific RDP rule to the top, above the Block rule that you created. Rules are evaluated from the top down and the first match wins, so this ordering ensures that only the PC you specified as an exception can be RDP'd to.
Make sure you save your settings and that the firewall policy is correctly applied to the group.
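To make the ordering point concrete, here is an added example that is not part of the original article and is not Symantec code: a small model of the two rules as first-match evaluation, where a rule's application, remote-host and service conditions must all hold before it applies, and the first rule that matches decides. The exception IP 10.0.0.25, the second address 10.0.0.77 and the policy default of "allow" for unmatched traffic are constructed assumptions. Running it shows that with the Allow rule above the Block rule only the exception host is reachable, while with the Block rule left on top the exception never fires.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed model of how the two SEP firewall rules from the article are
# evaluated. Illustrative only; this is not Symantec's implementation.

RDP_SERVICE: Tuple[str, int] = ("tcp", 3389)   # the Network Service added in SEPM
EXCEPTION_HOST = "10.0.0.25"                    # placeholder for the PC allowed to receive RDP


@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "block"
    applications: Set[str]             # image file names, e.g. "mstsc.exe"
    remote_hosts: Optional[List[str]]  # None means "Any computer or site"
    service: Tuple[str, int]           # (protocol, port)
    log: bool = True                   # "Yes" to create a log entry


@dataclass
class Connection:
    application: str
    remote_ip: str
    protocol: str
    port: int


def rule_matches(rule: Rule, conn: Connection) -> bool:
    """All conditions on a rule (application, remote host, service) must hold."""
    if conn.application.lower() not in {a.lower() for a in rule.applications}:
        return False
    if (conn.protocol.lower(), conn.port) != rule.service:
        return False
    if rule.remote_hosts is not None:
        addr = ip_address(conn.remote_ip)
        if not any(addr in ip_network(h, strict=False) for h in rule.remote_hosts):
            return False
    return True


def evaluate(rules: List[Rule], conn: Connection, log: List[str]) -> Tuple[str, Optional[str]]:
    """Walk the rule list top to bottom; the first matching rule decides.

    A connection matching no rule falls through to the policy default, modelled
    here as "allow" (an assumption) so the effect of the explicit Block rule is visible.
    """
    for rule in rules:
        if rule_matches(rule, conn):
            if rule.log:
                log.append(f"{rule.action.upper()} {conn.application} -> "
                           f"{conn.remote_ip}:{conn.port}/{conn.protocol} by rule '{rule.name}'")
            return rule.action, rule.name
    return "allow", None


BLOCK_ALL = Rule("Block ALL RDP", "block", {"mstsc.exe"}, None, RDP_SERVICE)
ALLOW_SPECIFIC = Rule("Allow Specific RDP", "allow", {"mstsc.exe"}, [EXCEPTION_HOST], RDP_SERVICE)

CORRECT_ORDER = [ALLOW_SPECIFIC, BLOCK_ALL]   # Allow moved above Block, as the article does
WRONG_ORDER = [BLOCK_ALL, ALLOW_SPECIFIC]     # Block left on top: the exception never fires


def decide(rules: List[Rule], remote_ip: str, log: Optional[List[str]] = None) -> str:
    """Outcome for mstsc.exe connecting to remote_ip on TCP 3389 under the given rule order."""
    conn = Connection("mstsc.exe", remote_ip, "tcp", 3389)
    return evaluate(rules, conn, [] if log is None else log)[0]


if __name__ == "__main__":
    entries: List[str] = []
    for order_name, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        for target in (EXCEPTION_HOST, "10.0.0.77"):
            print(f"{order_name:13} {target:>10} -> {decide(rules, target, entries)}")
    print("\n".join(entries))
```

The log list stands in for the "Yes to create a log entry" setting and lets you see which rule made each decision, which is the same check the Traffic log gives you on the client. Because both rules carry the mstsc.exe condition together with the TCP 3389 service, they govern connections made by the Remote Desktop client; confirm on the rule's applications page that this scope is what you intend for your group.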
First, let's attempt to RDP to a random machine.
It seems we cannot.
Upon checking the Traffic log, we see an entry confirming our Block rule is working.
Now let's try an RDP to our exception machine.
Working as expected.
I hope this article is helpful for you. Comments, questions and criticisms are encouraged.
Brian