Restricting RDP to certain IP addresses on my LAN...


6 replies to this topic

#1 mjl1297 (Members, 164 posts)

Posted 09 April 2023 - 08:57 PM

Edition Windows 10 Pro
Version 21H2
OS build 19044.2728

The subject line pretty much says it all. I want the one machine I connect to using Remote Desktop to only accept incoming connections from two computers on my internal network. I've consulted several articles online and in spite of editing the existing firewall rules to only allow for the IP addresses of the two computers involved, the target machine is still accepting RDP requests from other computers outside the selected IP range.

Do I need to compose a new rule? Am I allowed to edit the existing rule given that there is a box at the top saying it is a predefined rule and certain aspects of its properties (which ones?) cannot be modified? Do I need to reboot the computer I'm making the changes on in order for them to take effect? I was given to understand that firewall rule modifications took effect instantly.

Any questions please ask and any help appreciated.


Edited by Chris Cosgrove, 10 April 2023 - 04:35 PM.
Moved from Win 10 Support to Networking
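An added example, not from this thread, of the approach the question describes, written for an elevated PowerShell prompt on the machine that accepts RDP connections. It scopes the built-in "Remote Desktop" inbound rules to two LAN addresses (the two addresses are placeholders, assumed for illustration), then audits for any other enabled inbound rule that still allows port 3389, which is the usual reason an edited rule appears not to take effect. The remote-address scope of a predefined rule is editable; the locked parts are its program/service and port definitions. Rule changes apply immediately, with no reboot.

```powershell
# Added example (not from the thread). Run as Administrator on the RDP host.
# Placeholder LAN addresses of the two machines allowed to connect; replace these.
$AllowedHosts = @('192.168.1.10', '192.168.1.11')

# 1. The built-in inbound rules (TCP, UDP and Shadow) share the "Remote Desktop"
#    display group. Restrict their remote-address scope and make sure they are on.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
$rdpRules | Set-NetFirewallRule -RemoteAddress $AllowedHosts -Enabled True

# 2. Audit: list every enabled inbound allow rule, in any group, whose port filter
#    covers 3389 (explicitly or via 'Any'), with its remote-address scope.
#    Any rule shown with RemoteAddress 'Any' still lets other machines in.
$leaks = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        ($pf.Protocol -in 'TCP', 'UDP', 'Any') -and
        (($pf.LocalPort -contains '3389') -or ($pf.LocalPort -contains 'Any'))
    } |
    ForEach-Object {
        $af = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($af.RemoteAddress -join ',')
        }
    }
$leaks | Format-Table -AutoSize

# 3. A rule only applies on the profile the adapter is currently in: a rule limited
#    to 'Private' does nothing if the LAN adapter is classed as 'Public'.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
```

If the audit table shows a rule other than the Remote Desktop group ones with RemoteAddress `Any` (for example a rule added by a third-party tool), that rule is what keeps the host reachable from the rest of the LAN; scope or disable it the same way. Step 3 explains the other common case, where the edited rule is bound to a profile the adapter is not using.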



#2 greg18 (Members, 1,701 posts, Los Angeles, CA)

Posted 10 April 2023 - 06:51 PM

No, the subject does not state it all. In order to restrict to a certain group of workstations/servers, you would need to utilize a VLAN, and I suggest using a VPN server. That means a managed system. Easier yet, use VNC or TeamViewer and only have those systems that need to be accessed running that software, and disable RDP on all others.



#3 mjl1297 (Topic Starter; Members, 164 posts)

Posted 11 April 2023 - 12:17 AM

Thanks greg18 for responding.

 

Actually, for me anyway, the subject line does say it all. It expressly states what I wish to do and I think I have found a way that isn't nearly as involved as you suggest. I won't be able to busy myself with the target box until the weekend though so I can't confirm until then but I shall post an update.

 

As for third-party RDP programs, whilst VNC is all right, I would NEVER use or recommend TeamViewer. It's an overpriced and bloated POS program. I know that they have a "free" version they offer for personal use, but if you use it long enough you will eventually get a message from them informing you that their tech department has somehow determined you are using the software in a commercial environment, and they will deny you access to their servers unless you agree to pay the blackmail of their insanely high subscription fees. I speak from experience, and I know several other people who can relate the same tale.

 

However, if my plan doesn't work, your advice to disable RDP and go with a third-party program is sound enough. And I do operate behind a VPN at all times.



#4 svim (Members, 1,181 posts)

Posted 11 April 2023 - 11:16 AM

Some points to keep in mind: IP addresses are device identifiers; each PC in your home LAN is assigned its own unique IP address by your home router. Windows RDP is a locally sourced service that runs on each PC, and its connectivity is based more on ports. Both are of course interrelated, but perhaps you might want to redirect your efforts not so much to firewall rules and more to re-configuring RDP on your PCs. There are options in the setup menu for controlling local and external exposure:

https://www.pcmag.com/how-to/how-to-use-microsofts-remote-desktop-connection

 

IP addressing

https://www.bleepingcomputer.com/tutorials/ip-addresses-explained/

TCP and UDP ports

https://www.bleepingcomputer.com/tutorials/tcp-and-udp-ports-explained/

 

Given that Windows RDP doesn't have the best reputation on security, even if you lock it down from external access it might be better to block it using your router's setup menu. This will be a more reliable way of keeping RDP from being accessible outside your home LAN. Do you have your VPN service set up individually on each PC, or instead on your router so it applies to your entire LAN?



#5 mjl1297 (Topic Starter; Members, 164 posts)

Posted 12 April 2023 - 05:45 AM

OK, thanks guys.

I am looking at AnyDesk as my remote access software.

 

One thing though, why would what's advocated in this tutorial not work? Also, if I am making the edits on the target box why do I need a static IP? How am I going to get locked out of my server? Or is that just a safety precaution?



#6 mjl1297 (Topic Starter; Members, 164 posts)

Posted 14 April 2024 - 05:37 PM

Going through my bookmarks manager today doing a bit of tidying up, I came across this post, and here I am responding just a touch over a year to the date! Lol! Better late than never, I suppose!

 

Firstly, greg18 and svim thanks again for checking in. Your answers were instructive and indeed helpful in some of the research I subsequently conducted on both RDP and remote access software!

 

Secondly, my eventual approach to resolving the issue combined a bit of both.

 

So once again, BC.com was a port in the cyberstorm!



#7 Shplad (Members, 6,554 posts, Canada)

Posted 15 April 2024 - 01:47 PM

> Some points to keep in mind that IP addresses are device identifiers, each PC in your home LAN is assigned its own unique IP address by your home router. Windows RDP is a locally sourced service that runs on each PC, and its connectivity is more based on ports. Both are of course interrelated but perhaps you might want to redirect your efforts not so much with firewall rules and more in re-configuring RDP with your PCs. There are options in the setup menu on controlling local and external exposure:
>
> https://www.pcmag.com/how-to/how-to-use-microsofts-remote-desktop-connection

 

I agree that in general, this is a more logical choice of action. However, I worry that with Microsoft being as boneheaded as they are, an update at some point will re-enable RDS connections on one or more of the boxes in question.

 

I think your second point, about blocking stuff at the router/network level, is necessary here as well.

