How to enable RDP

I know my router is “right” because if i disable CIS firewall, RDP works fine.

So, what is the right port configuration to allow 3389 to go through properly?

  1. open CIS control panel
  2. click the Firewall tab
  3. click Network Security Policy
    … need help with 4. through N. …

is it an “application rule” or a “global rule” that i need to Add or Edit? Tried to create a global rule (positioned above the built in “block all” rule… there must be something i’m missing.

Please help.


Read the following tutorial I made. Substitute the port numbers and protocol for your situation.

To open the port TCP 1723 for example

First step is to determine the MAC or Physical address of you network connector. Go to Start → Run → cmd → enter → a black box will show up and enter the following → ipconfig /all (notice the space before /all) → enter → now look up the Physical address and write it down.

Notice that Physical address = MAC address

Firewall → Network Security policy → Global Rules → Add → fill in the following:
Action: Allow
Protocol: TCP
Direction: In
Description: Incoming Port

Source address: Any
Destination Address: Choose MAC address and fill in the found MAC/Physical address
Source Port: Any
Destination Port: 1723

Then push Apply → Now make sure that the new rule is somewhere above the basic block rule(s) as the bottom (the block rules have red icons); you can drag and drop the rules → Ok.

Next step is to make a matching application rule for RDP. If I recall correctly svchost.exe is handling this. Is that correct?

Thanks for the reply!

Your note definitely gave me more information than i had before and I’ve mostly followed your instructions except for the bit about svchost.exe… svchost is already trusted (required for pretty much all web browsing to succeed and on the CIS summary page, it shows svchost.exe has 90.2% of the traffic. Nonetheless, i added it explicitly as a trusted application.

For the new global rule for RDP i set it to
source addr: any
dest addr: {my MAC}
source port: any
dest port: single-3389

still not working… any more thoughts?

Again… if i disable the firewall, it works fine.

Is the global rule you made above block rule(s) (the red rules)? Are you sure there is not a typo in the MAC address you entered?

Can you show a screenshot of the application rules of the firewall? I want to see where your rule for svchost.exe if placed.

We do not advice to make an important system file a trusted application in the firewall. We will keep that rule for testing sake right now but later I will advise on a tighter rule.