Remote Desktop evading firewall

I’m having a really odd issue with CIS 5.5.195786.1383 on Win 7 (64).

I’m planning to expose Apache on this box to the Internet, so I’m just double-checking my firewall settings. The box is behind an O2 Wireless Box II router with port forwarding of port 80 only.

It’s a fresh install of CIS. I have Defense+ set to disabled and Antivirus set to stateful on-access scan. Firewall Behaviour Settings are set to Custom Policy. In Network Security Policy the only Global Rules are the predefined ones which block ICMP. I then plan to add specific Application Rules to permit only the access I want, which will be various server systems accessible from the LAN and HTTP access via Apache from the Internet.

The problem I have is that, even with absolutely no Application Rules defined whatsoever, I can still access the box on the LAN via Remote Desktop! The only way I can get the firewall to disable Remote Desktop is by setting Firewall Behaviour Settings to Block All.

Why is that happening? I expected that the firewall would block Remote Desktop unless I explicitly enable it. It concerns me that this is not the case, as I worry about what else might also be being let through.

But it gets odder.

I created a Global Rule to Block TCP and UDP, both In and Out, with Source and Destination address of Any Address and Source and Destination port of 3389. But Remote Desktop still works. If I check View Active Connections in CIS it shows nothing occurring, but if I use the Win 7 Resource Monitor to show TCP connections it clearly shows svchost.exe whizzing away on 3389 like a champ.

So what’s going on here?

I know that unless I also configure the router to forward port 3389, in principle a Remote Desktop connection cannot come through the Internet, but my LAN is shared with my neighbours and the cheap ISP-provided router I’m using isn’t without its own issues too, so I’d like to be assured that my firewall setup is robust.

I’d be most grateful for any insight anyone can provide.

Welcome.

Not really sure why you’re seeing this, as RDP is not allowed by default; there has to be a specific rule both on the PC initiating the connection:

Application Name - mstsc.exe
Action - Allow
Protocol - TCP
Direction - OUT
Source Address - ANY
Destination Address - ANY
Source Port - ANY
Destination Port - 3389

And on the PC receiving the connection:

Application Name - svchost.exe
Action - Allow
Protocol - TCP
Direction - IN
Source Address - ANY
Destination Address - ANY
Source Port - ANY
Destination Port - 3389

Obviously these are generic rules, which may be modified by using specific source and destination addresses; regardless, the rules have to exist in some form. See images taken from a default install of CIS.

In this configuration, CIS doesn’t prohibit inbound connections through Global rules, however, for a connection to be established, an Application rule has to be available to receive the connection. Without this, an Alert will be produced and the connection will fail unless explicitly allowed.

Perhaps you could post screenshots of your firewall application and global rules and any pertinent log entries.

[attachment deleted by admin]

Thanks for the reply, Radaghast. I’m just off to work now, but I’ll get those screenies for you when I get home.

I’ve just got home and woken up my server, and now, all of a sudden and without my changing anything at all, Remote Desktop wouldn’t work until I created a rule for it.

Perhaps an extra reboot between installing Comodo and configuring it was needed, I don’t know, but at any rate it’s working now.