Lets say that when I install a particular program on a Windows client located on subnet 192.168.1.0/24 it creates a local firewall rule that allows inbound connections to port 1234 from ANY subnet. This is a common: anti-virus software, remote access software like VNC, etc. do this to avoid firewall headaches during deployment.
I want to create a more restrictive firewall rule set using group policy that only allows inbound connections to port 1234 from a specific remote subnet only (e.g. 192.168.101.0/24). So I add a new Windows firewall rule via group policy to allow inbound connections to port 1234 from network 192.168.101.0/24.
Currently in my environment Windows firewall rules for Windows clients that are set via domain group policy are configured to MERGE with local Windows firewall rules. The end result is that the more lenient local rules seem to take precedence over the firewall rule set using domain policy. Specifically, I can still access the client via port 1234 from any subnet, not only from 192.168.101.0/24.
If possible, I want to use group policy firewall settings to change, delete, or nulify the local firewall setting (and not use a startup script to delete the unwanted firewall rule). The simplest way I think to do this I think would be to specify some sort of firewall rule priority where the generic local rule is overruled the more specific domain rule. However, I am not sure that this is possible.
Any suggestions?
I posted this question 4 years ago and received no answers. This is what I ended up doing:
Create a second domain firewall rule to explicitly BLOCK inbound connections from subnets that shouldn't have access to the port.
Specifically, for the scenario outlined in the question I create two firewall rules using domain policy:
I don't know if there was/is a better way to solve this problem, but this is what I ended up doing.