Please see my scenario:
- I need to use two computers in a big network;
- they have CIS 5.10.228257.2253 installed;
- on both, Stealth Ports Wizard was set to "Block all incoming connections and make my ports stealth for everyone";
- both systems use DropBox and Windows Live Mesh;
- surprisingly, despite the stealth setting, each system warns when the other try to connect to one of those applications;
- since it's a convenient thing, I've allowed such connections, set CIS to remember those, and customized the resulting rules to get them somewhat more restrict;
- when I tried to connect one system to another by Remote Desktop, I got no connection on the source side and no warning on the target side;
- ok, that was expected, since CIS is set to stealth ports;
- so I set Stealth Ports Wizard on the target machine to "Alert me to incoming connections and make my ports stealth on a per-case basis";
- I've got the alert, allowed the connection, remembered and customized the resulting rule;
- Remote Desktop connection was established successfully;
- then I reset Stealth Ports Wizard on the target machine to "Block all incoming connections and make my ports stealth for everyone";
- <CRASH>!!! the Remote desktop connection was broken and could not be restablished until I had reset Stealth Ports Wizard on the target machine to "Alert me to incoming connections and make my ports stealth on a per-case basis";
- now my target computer receives some alerts about other computers in the network trying to connect to it. Boring. :-(
Hence my questions:
- Why did CIS warned about incoming connections to DropBox and Windows Live Mesh even when all ports were stealthed?
- Shouldn't an application rule override a global rule? Why the rule for svchost.exe that allows RDP connections is ignored when the ports are stealthed again?
Thanks in advance and forgive my poor English.