How to bypass (or limit) the default rules applied by Windows Server 2008 firewall?
I have the following scenario (all servers running Windows Server 2008):
- 2 Domain Controllers
- 2 Member Servers (using Failover Cluster)

After adding roles and features (AD, Failover Cluster, etc.) on the servers, some rules are activated so everything works as expected. But most of these rules allow their traffic from any IP address, and we don't want this because "any" includes, for example, the students' subnet, etc.

One solution would be to modify each rule activated by Windows to limit the traffic to specific IP addresses, but this is time consuming and we don't know if Windows will change the rule when modifying features, roles or something else.

Which is the best approach to limit the traffic to only servers in the domain and clients that need to log on to the domain, without modifying or doing something with the default rules?

Thank you very much!
March 19th, 2008 1:01pm
Hello,

Do you mean that you want only some specified computers to access your servers? I think you can add a customized inbound rule on the firewall by using "Windows Firewall with Advanced Security". You can configure this rule to accept only communications from specified IP addresses, subnets or IP address ranges. Then only the specified computers can access these servers. However, you may need to give these computers static IP addresses.

For more details about this, please refer to:
Introduction to Windows Firewall with Advanced Security: http://www.microsoft.com/downloads/details.aspx?FamilyId=DF192E1B-A92A-4075-9F69-C12B7C54B52B&displaylang=en

If you would like to get more detailed plans or solutions, we recommend that you contact Microsoft Advisory Service or Microsoft Product Support Service for a solution. Microsoft now offers short-term and proactive assistance for specific planning, design, development or assistance with installing, deploying, and general "how to" advice via telephone. For more information:
http://support.microsoft.com/default.aspx?scid=fh;en-us;advisoryservice
http://support.microsoft.com/?LN=en-us&scid=gp%3Ben-us%3Bofferprophone&x=3&y=11

Best regards,
Chang Yin
Microsoft Online Community Support
March 21st, 2008 2:17pm
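An added example of the scoped inbound rule the answer describes, using the netsh advfirewall interface that Windows Server 2008 ships with (this is not code from the thread or from Microsoft; the rule name, the RDP port and the two trusted address ranges are assumed placeholders). It creates the rule with an explicit remote scope and then reads the rule back to confirm that the RemoteIP field is not "Any":

```powershell
# Added example: create an inbound allow rule scoped to specific remote addresses
# with netsh advfirewall (available on Windows Server 2008), then verify the scope.
# Assumed values: rule name, port 3389 and the trusted ranges are placeholders.

$ruleName = "Mgmt-RDP-Scoped"
$port     = 3389
# Constructed: only the server VLAN and a small admin workstation range may reach the port.
$trusted  = @("10.10.0.0/24", "10.10.5.10-10.10.5.20")

# netsh takes a comma-separated list of addresses, CIDR subnets or address ranges.
$remoteIp = $trusted -join ","

# remoteip limits the rule's scope so "Any" never appears in it;
# profile=domain keeps the rule inactive when the host sits on a private/public network.
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow `
    protocol=TCP localport=$port remoteip=$remoteIp profile=domain enable=yes

# Read the rule back: the RemoteIP line must list the trusted ranges, not "Any".
# (Assumes English netsh output; field labels are localized on other system languages.)
$shown      = netsh advfirewall firewall show rule name="$ruleName"
$remoteLine = $shown | Where-Object { $_ -match '^RemoteIP:' }
if (-not $remoteLine -or $remoteLine -match '\bAny\b') {
    Write-Warning "Rule '$ruleName' is missing or not scoped; check the remoteip parameter."
} else {
    Write-Host "Rule '$ruleName' scoped to: $($remoteLine -replace '^RemoteIP:\s*', '')"
}
```

The read-back step matters because a typo in the remoteip list (an address that netsh rejects) fails the whole add command, and a rule that silently ends up scoped to "Any" is exactly the condition the question is trying to avoid. A static address or reservation for the trusted hosts, as the answer notes, is what keeps the list from drifting.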
Yes and no.

By default, WS2008 activates the precreated rules when adding roles, activating features, etc. For example, when you activate RDesktop, the rule is activated for allowing inbound connections to the RDP port from any IP address. As this is a single rule, I've modified the rule to allow only from some IP addresses.

But, when you do a dcpromo and install AD, a lot of rules are activated allowing Kerberos, DNS, etc. traffic from any address. I don't want to modify these rules because a) a lot of them are activated and b) we don't know if Windows will change them again in the future when changing the configuration of the server.

How do you deal with the firewall in this situation?

Thanks.
March 28th, 2008 1:39am
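The reply leaves open how to handle the many role-activated rules without editing them. As an added example (not from the thread and not a Microsoft script), the script below first audits which enabled inbound allow rules are open to any remote address, grouped by the feature that activated them, and then adds one block rule for an untrusted subnet. This relies on a documented property of Windows Firewall with Advanced Security: block rules are evaluated before allow rules, so a single block rule overrides every "Any"-scoped allow rule for that subnet while the built-in rules stay untouched. The student subnet value is a constructed placeholder, and the parser assumes English netsh output:

```powershell
# Added example: audit "Any"-scoped inbound allow rules, then override them for an
# untrusted subnet with a block rule instead of editing each built-in rule.
# Assumed: English netsh output; the subnet below is a placeholder.

function Get-OpenInboundRules {
    # "show rule name=all" prints each rule as a block of "Label: value" lines;
    # collect them into one hashtable per rule, keyed by label.
    $rules   = @()
    $current = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all)) {
        if ($line -match '^Rule Name:\s*(.+)$') {
            if ($current) { $rules += $current }
            $current = @{ Name = $Matches[1].Trim() }
        } elseif ($current -and $line -match '^([A-Za-z ]+):\s*(.*)$') {
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($current) { $rules += $current }

    # Keep only active inbound allow rules whose remote scope is "Any".
    $rules | Where-Object {
        $_.Enabled -eq 'Yes' -and $_.Direction -eq 'In' -and
        $_.Action -eq 'Allow' -and $_.RemoteIP -eq 'Any'
    }
}

# Report: how many open rules each role/feature group contributed (e.g. after dcpromo).
$open = Get-OpenInboundRules
Write-Host ("{0} enabled inbound allow rules accept traffic from Any:" -f @($open).Count)
$open | Group-Object { $_.Grouping } | Sort-Object Count -Descending |
    ForEach-Object { "{0,4}  {1}" -f $_.Count, $_.Name } | Write-Host

# Mitigation without touching the built-in rules: WFAS evaluates block rules before
# allow rules, so this one rule overrides all of the above for the untrusted subnet.
# Constructed placeholder; replace with the subnet that must not reach the servers.
$untrusted = "172.16.50.0/24"
netsh advfirewall firewall add rule name="Block-Untrusted-Subnet-In" dir=in action=block `
    remoteip=$untrusted profile=domain enable=yes
```

Two checks before relying on this: the block rule must not cover clients that legitimately need to authenticate to the domain (it blocks every protocol from that subnet, not just the ports the role rules opened), and the audit should be rerun after any role or feature change, since that is exactly when Windows re-enables or adds rules that the reply is worried about.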