Allowing RDP access to only certain IPs


I had an issue come up recently where the ask was to only allow RDP access to certain IPs. The trick here was that a Group Policy existed that set universal access to RDP through the firewall.

A very simple fix can take care of this issue. In this repro, the following applies:

  • I have a rule by GPO scoped to allow RDP to all systems from any IP. This is administrator defined, and cannot be changed.
  • Only the IP 192.168.1.36 will be able to access 192.168.1.39 with RDP
  • No other ports or connectivity will be affected

To resolve the issue, here is the fix:
Before implementing this, make sure you are NOT on a Remote Desktop Session to the system you are trying to secure: the block rule takes effect as soon as it is saved, and it will cut off your own session unless you are connecting from the allowed IP.

  • Create a block rule on the firewall (assuming a GPO wasn't set to limit this)
    • Open Windows Firewall (wf.msc) on the system to limit access
    • Right click Inbound Rules, then click New Rule
    • For Rule Type, I selected Port and clicked Next (this gives me more control than the predefined Remote Desktop, as ports for RDP can be changed)
    • For Protocol and Ports, I left TCP selected and for Specific local ports, added 3389 and clicked Next.
    • For action, I selected Block the Connection and clicked Next
    • For Profile, I only use a Domain Profile, but if you want it to apply to all, just leave the default of the Domain, Private and Public profiles and click Next.
    • For Name, give it a name you'll remember.
  • Modify the created rule
    • Open the rule you created in Windows Firewall in the Inbound Rules node
    • Click on the Scope tab.
    • For remote IP addresses, click Add
    • Click This IP address range
    • For the first range, enter From: 1.1.1.1 To: 192.168.1.35 and click OK
    • Repeat for the second range: From: 192.168.1.37 To: 255.255.255.255 and click OK (remember we are leaving .36 out of both ranges so it keeps "Allow" access)
    • Click OK one last time to save your rule.
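The same rule can be built from an elevated PowerShell prompt with the NetSecurity module instead of clicking through wf.msc. This is an added example, not code from the original post: the port and the 192.168.1.x ranges are the ones used above, while the rule name and the session check are my own choices. It also does the test the post describes with Test-NetConnection rather than a full RDP login.

```powershell
# Added example: block inbound RDP from everything except 192.168.1.36,
# built with New-NetFirewallRule instead of the wf.msc wizard.
# Run in an elevated PowerShell on the system being secured (192.168.1.39 in the post).
#Requires -RunAsAdministrator

$RuleName      = 'Block RDP except 192.168.1.36'   # assumed name; pick one you will remember
$RdpPort       = 3389                              # change if RDP listens on a non-default port
$BlockedRanges = @(
    '1.1.1.1-192.168.1.35',           # first range from the post
    '192.168.1.37-255.255.255.255'    # second range; .36 is deliberately left out
)

# Safety check from the post: never apply this from an RDP session to the target.
# Windows sets SESSIONNAME to "RDP-Tcp#<n>" for Remote Desktop sessions and
# "Console" for the local console.
if ($env:SESSIONNAME -like 'RDP-Tcp*') {
    throw "Refusing to run from an RDP session ($env:SESSIONNAME); use the console or out-of-band access."
}

# Idempotent: remove an older copy of the rule so re-running does not stack duplicates.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Create the block rule. Windows Firewall evaluates block rules ahead of allow rules,
# so this overrides the GPO "allow RDP from any" rule for every address in $BlockedRanges
# and leaves 192.168.1.36 governed by the existing allow rule.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort $RdpPort `
    -Action Block -Profile Domain `
    -RemoteAddress $BlockedRanges | Out-Null

# Verify what actually landed: the address filter should list exactly the two ranges.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress

# Quick test, run on a client rather than on the server: a blocked client reports
# TcpTestSucceeded = False, while 192.168.1.36 reports True.
# Test-NetConnection -ComputerName 192.168.1.39 -Port 3389
```

Two things to check before relying on this. First, -RemoteAddress also accepts subnets in CIDR form (for example 10.0.0.0/24), so the jumphost scenario mentioned later is the same cmdlet with different ranges. Second, if a GPO sets the profile's "Apply local firewall rules" option to No, locally created rules are ignored on that profile and this block rule will never apply; confirm that setting in the profile properties in wf.msc before testing.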

Now, we test. Log in from any system considered blocked, and you should receive a message saying you cannot connect. From the system you granted IP access to, you should be able to log in via RDP just fine. Because Windows Firewall evaluates block rules ahead of allow rules, this local block overrides the GPO allow rule, and since it lives on the local firewall it takes effect as soon as it is saved and gives you more granular control.

If you want to set this via Group Policy, you can set special rules in GPO, but it can get messy if you need a lot of rules and therefore a lot of GPOs to carry them. The GPO solution would be a good fit if you wanted to restrict a whole server subnet to just a group of jumphosts, for example.

Hope this helps.

— If you like my blogs, please share it on social media, rate it, and/or leave a comment. —

