Why is my Windows Firewall allowing connections from IP addresses other than which I specified?

Question

I created a windows firewall rule restricting access to port 3389 (RDP) to only one Remote IP. However, I'm still able to Remote Desktop from other machines... Why would this be? Even if I disable the rule for port 3389 entirely I'm still able to connect. I've also confirmed that all 3 profiles (Domain, Public and Private) are set so that "inbound connections that do not match a rule are blocked".

Here are my firewall rules for incoming connections which I exported from Windows Firewall with Advanced Security.

I replaced actual IPs in the list with "Trusted IP", "Trusted IPs", "Public IP" and "Public IP".

I'm using Windows Server 2008 R2 and Windows Firewall with Advanced Security 6.1

Answer 1

You're explicitly allowing one IP, but are you blocking the rest of them? Since you note that disabling the rule allows you to connect, I'd suggest that by default there's nothing blocking the port, so making an 'allow' whitelist exception is liable to not accomplish anything. I'd suggest you trying blocking it first, then give priority to the allow.

Answer 2

I've had the same/similar problem. I have one ip (mine) that I want to use to access my database ports, (not a dozen chinese IPs that connect every 10 seconds and bloat my log files to 100MB every day). My default is set to allow (lot's of services running, and don't want to accidentally turn off something, I know, it's bad) but I want to limit malicious activity on the 1433 port, so I set up a block rule with a range that excludes my IP as shown bellow. this (sample) would allow anything from 170.181.. (with the exception of 170.181.0.0)

you could also adjust to a tighter (single IP) rule