Configuring WFAS Rules
The best way to understand WFAS (Windows Firewall with Advanced Security) is to set up a test rule, which is what we will do in this article. We will configure a firewall rule that accepts only authenticated RDP (Remote Desktop Protocol) connections from hosts on a specific subnet (for example, the same subnet as the host):
- In the Start search text box type Windows Firewall with Advanced Security and click the WFAS link.
- From the WFAS window, select the Inbound Rules node and click the New Rule… item on the right hand side Actions pane.
- Select Port on the Rule Type page and click Next.
- On the Protocols and Ports page, make sure that the TCP protocol is selected (default) and type 3389 in the Specific local ports: text box and click Next.
- On the Action page, select Allow the connection if it is secure and click Customize…
- On the Customize Allow if Secure Settings page, select Require the connections to be encrypted, then select the Allow the computers to dynamically negotiate encryption check box, click OK and then Next.
- On the Users page you can add specific users. Click Next.
- On the Computers page you can add specific computers. Click Next.
- On the Profile page, select Domain and Private check boxes and click Next.
- On the Name page, give the rule a name such as My RDP Allow Rule and click Finish.
- In the list of Inbound Rules, right-click the newly created rule (My RDP Allow Rule) and select Properties.
- In the Properties window (My RDP Allow Rule Properties), click the Scope tab, and in the Remote IP address section select These IP addresses and click Add.
- In the This IP address or subnet text box, type, for example, 192.168.100.0/24, which can represent the internal subnet where our host resides, and then click OK.
Your Properties window should match the one shown below:
The above procedure walks you through the steps needed to configure a firewall rule with advanced options. Note, however, that you do not need to create a rule for RDP from scratch: the default Remote Desktop (TCP-In) rule under Inbound Rules is enabled automatically when you enable the Remote Desktop service, or you can enable it yourself by right-clicking it and selecting Enable Rule, and then configure the same advanced options on that rule.
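The same rule can be created and, more importantly, verified from PowerShell, which is the natural way to audit a GUI-built rule or to apply it consistently across hosts. The following is an added example and not code from the original article; it assumes the rule name and subnet used in the walk-through above and must be run from an elevated prompt on the host being protected.

```powershell
# Added example (not from the original article): the RDP "allow if secure" rule
# from the walk-through, built with the NetSecurity module instead of the WFAS snap-in.
# Assumptions: rule name and trusted subnet are the ones used in the article.

$ruleName      = 'My RDP Allow Rule'
$trustedSubnet = '192.168.100.0/24'   # internal subnet from the article; adjust to yours

# Inbound TCP/3389, Domain and Private profiles only, limited to the trusted subnet,
# and matched only when the connection is IPsec-authenticated and encrypted:
#   "Allow the connection if it is secure"                  -> -Authentication Required
#   "Require the connections to be encrypted" together with
#   "Allow the computers to dynamically negotiate encryption" -> -Encryption Dynamic
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 3389 `
    -Profile Domain, Private `
    -RemoteAddress $trustedSubnet `
    -Action Allow `
    -Authentication Required `
    -Encryption Dynamic `
    -Enabled True | Out-Null

# Read back what was actually stored; each filter object holds one part of the rule.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$port = $rule | Get-NetFirewallPortFilter
$addr = $rule | Get-NetFirewallAddressFilter
$sec  = $rule | Get-NetFirewallSecurityFilter

[pscustomobject]@{
    Name           = $rule.DisplayName
    Enabled        = $rule.Enabled
    Profiles       = $rule.Profile
    Protocol       = $port.Protocol
    LocalPort      = $port.LocalPort
    RemoteAddress  = $addr.RemoteAddress
    Authentication = $sec.Authentication
    Encryption     = $sec.Encryption
} | Format-List

# Fail loudly if the rule ended up broader than intended (open to any address,
# or not requiring authentication), which is the usual mistake with GUI-built rules.
if (($addr.RemoteAddress -contains 'Any') -or ($sec.Authentication -ne 'Required')) {
    throw "Rule '$ruleName' is broader than intended: check RemoteAddress and Authentication."
}
```

An allow-if-secure rule only matches traffic that IPsec has already authenticated, so a matching connection security rule (for example one created with New-NetIPsecRule) must exist on both peers; without it, RDP connections from the trusted subnet are simply not accepted by this rule.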