Windows 7 ignores the firewall rule from Group Policy that should restrict Remote Desktop to certain IP addresses. It works for XP, but Win7 machines still allow Remote Desktop from everywhere.
I guess the reason is that Win7 has not one, but three firewall rules for RemoteDesktop:
- Remote Desktop (TCP incoming)
- Remote Desktop - RemoteFX (UDP-In)
- Remote Desktop - RemoteFX (TCP-In)
When the GPO is applied, it adds another rule, titled just "Remote Desktop", but the other three rules remain active and still allow it.
The server runs Windows Server 2008 R2, so it should know about Windows 7.
How can I make this work?
Found the answer myself:
Do not use this (because it is for the Windows XP firewall only):
Computer Configuration, Policies, Administrative Templates, Network Connections, Firewall
Instead use this:
Computer Configuration, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security, incoming, new rule, predefined, remote desktop.
And if you are not satisfied with the questions that the rule creation wizard asked, right-click on the new rule, then select Properties. This allows you to set many more options, for example an IP address range.
Don't allow local firewall rules.
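To verify the result of both answers on a Windows 7 client, here is an added PowerShell audit (example code, not from either answer) that reads the `netsh advfirewall` rule listing and shows which enabled inbound rules for port 3389 are still open to any remote address and whether each came from Group Policy or a local setting; the field labels and the "Rule source" values are assumed from netsh's English output, and the sample at the end is constructed.

```powershell
# Added example, not code from the original post. Parses the output of
#   netsh advfirewall firewall show rule name=all dir=in verbose
# and lists each enabled inbound Allow rule for port 3389 with its RemoteIP
# scope and origin (Group Policy vs. local). Field labels such as "Rule Name",
# "RemoteIP" and "Rule source" are assumed from netsh's English output.
function Get-RdpFirewallRuleScope {
    param([string[]]$NetshOutput = (netsh advfirewall firewall show rule name=all dir=in verbose))
    $rules = @(); $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^Rule Name:\s+(.+?)\s*$') {
            if ($current) { $rules += $current }
            $current = @{ Name = $Matches[1] }
        } elseif ($current -and $line -match '^([A-Za-z ]+?):\s+(.+?)\s*$') {
            $current[$Matches[1]] = $Matches[2]
        }
    }
    if ($current) { $rules += $current }
    foreach ($r in $rules) {
        # Only enabled Allow rules that open the RDP port can bypass the GPO scope.
        if ($r['Enabled'] -ne 'Yes' -or $r['Action'] -ne 'Allow') { continue }
        if ($r['LocalPort'] -notmatch '(^|,)3389(,|$)') { continue }
        New-Object PSObject -Property @{
            Name = $r['Name']; Protocol = $r['Protocol']; RemoteIP = $r['RemoteIP']
            Source = $r['Rule source']
            Unrestricted = ($r['RemoteIP'] -eq 'Any')   # still reachable from everywhere
        }
    }
}
# Constructed sample in the netsh layout: the GPO rule scoped to one subnet
# beside the built-in RemoteFX rule, which is still open to any address.
$sample = @'
Rule Name:                            Remote Desktop
Enabled:                              Yes
Action:                               Allow
Protocol:                             TCP
LocalPort:                            3389
RemoteIP:                             10.0.5.0/24
Rule source:                          Group Policy

Rule Name:                            Remote Desktop - RemoteFX (UDP-In)
Enabled:                              Yes
Action:                               Allow
Protocol:                             UDP
LocalPort:                            3389
RemoteIP:                             Any
Rule source:                          Local Setting
'@ -split "`r?`n"
Get-RdpFirewallRuleScope -NetshOutput $sample |
    Format-Table Name, Protocol, RemoteIP, Source, Unrestricted -AutoSize
```

Rows showing Unrestricted True with a Local Setting source are the built-in rules the question describes; the "Don't allow local firewall rules" policy setting from the second answer is what stops them from being applied.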