Yesterday we noticed that the list of remote addresses in the scope of the Remote Desktop firewall rule was empty. We had set up these addresses so that only a limited list of remote clients could access the server over RDP. After analysing why this happened, we found the following entry in the event log:
A rule has been added to the Windows Firewall exception list.
Added Rule:
Rule ID: RemoteDesktop-In-TCP
Rule Name: Remote Desktop (TCP-In)
Origin: Local
Active: Yes
Direction: Inbound
Profiles: Private, Domain, Public
Action: Allow
Application Path: System
Service Name:
Protocol: TCP
Security Options: None
Edge Traversal: None
Modifying User: SYSTEM
Modifying Application: C:\Windows\servicing\TrustedInstaller.exe
The EventData section showed:
RuleId RemoteDesktop-In-TCP
RuleName Remote Desktop (TCP-In)
Origin 1
ApplicationPath System
ServiceName
Direction 1
Protocol 6
LocalPorts 3389
RemotePorts *
Action 3
Profiles 2147483647
LocalAddresses *
RemoteAddresses *
RemoteMachineAuthorizationList
RemoteUserAuthorizationList
EmbeddedContext @FirewallAPI.dll,-28752
Flags 1
Active 1
EdgeTraversal 0
LooseSourceMapped 0
SecurityOptions 0
ModifyingUser S-1-5-18
ModifyingApplication C:\Windows\servicing\TrustedInstaller.exe
SchemaVersion 522
RuleStatus 65536
So, the firewall rule was changed during an update. We correlated the date/time of this update with the installation of Service Pack 1 for Windows Server 2008 R2. We found this on 6 machines. Did we miss the notification that Service Pack 1 changes the firewall rule for RDP, or have we stumbled upon a serious problem with SP1?
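An added example, not from the post above, of how an administrator can check for exactly this drift on Windows Server 2008 R2: it reads the "Remote Desktop (TCP-In)" rule through the HNetCfg.FwPolicy2 COM interface (the netsh advfirewall API, available on 2008 R2 without the later NetSecurity cmdlets), warns when the remote address scope has been reset to "*", optionally restores it, and lists the Security events that record who modified the rule. The scope value `$ExpectedRemoteAddresses` is a constructed placeholder, and the event ID 4946 ("A rule was added", logged when MPSSVC Rule-Level Policy Change auditing is enabled) is an assumption; the post itself does not give the ID.

```powershell
# Added example, not part of the original post. Audit the RDP firewall rule scope
# via HNetCfg.FwPolicy2 and restore it if it was reset to "*".
param(
    [string]$RuleName = 'Remote Desktop (TCP-In)',
    # Constructed placeholder: replace with the management subnet(s) actually allowed.
    [string]$ExpectedRemoteAddresses = '10.0.0.0/255.255.255.0',
    [switch]$Restore
)

$policy = New-Object -ComObject HNetCfg.FwPolicy2
# NET_FW_RULE_DIRECTION_IN = 1, which matches "Direction 1" in the event data.
$rules = @($policy.Rules | Where-Object { $_.Name -eq $RuleName -and $_.Direction -eq 1 })
if ($rules.Count -eq 0) { Write-Warning "Rule '$RuleName' not found"; exit 2 }

$drift = $false
foreach ($rule in $rules) {
    # Protocol 6 is TCP; RemoteAddresses "*" means any client may connect to port 3389.
    Write-Host ("{0} proto={1} enabled={2} localports={3} remote={4}" -f `
        $rule.Name, $rule.Protocol, $rule.Enabled, $rule.LocalPorts, $rule.RemoteAddresses)
    if ($rule.Enabled -and $rule.RemoteAddresses -eq '*') {
        $drift = $true
        Write-Warning "Rule '$($rule.Name)' is active and allows any remote address"
        if ($Restore) {
            # INetFwRule.RemoteAddresses is writable; this re-applies the intended scope.
            $rule.RemoteAddresses = $ExpectedRemoteAddresses
            Write-Host "Scope restored to $ExpectedRemoteAddresses"
        }
    }
}

# Assumed event ID: Security 4946 records a rule being added, including the
# ModifyingUser / ModifyingApplication fields quoted in the post (here SYSTEM and
# TrustedInstaller.exe). Filter to the RDP rule so the update run stands out.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4946 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'RemoteDesktop-In-TCP' } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# Non-zero exit so a scheduled run can flag hosts where the scope was widened.
if ($drift -and -not $Restore) { exit 1 }
```

Run it from an elevated prompt on each server after an update; with `-Restore` it re-applies the scope, without it the exit code 1 marks hosts where the rule now accepts connections from anywhere.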