
I have a publicly-facing Windows 10 box (with a public IP) that I would like to configure so that I, and only I, can remotely VNC to it.

Fortunately I can ensure that I will only be connecting to my server from a single remote host (198.51.100.1 in this example). So I have the firewall rules set up on the Windows 10 host in this way:


Specifically, under the "Scope" setting for the rule, I have configured "Remote IP address" to allow only 198.51.100.1. Under "Advanced", I have the rule set to apply to Domain, Private and Public profiles. Under "Protocols and Ports", the incoming rule applies to local port 5900. No other customizations are present.


However, this rule does not appear to be working. I can still VNC to this Windows 10 server from any remote PC, not just 198.51.100.1.

Why is this rule not blocking connections from all IPs except the one I want?

1 Answer

This rule doesn't tell Windows Firewall to block a connection. This rule tells Windows Firewall to allow a connection. So, this rule does not provide the behavior you are asking for.

If you want a firewall to deny all other connections than the ones you specifically allow, then there is usually an implicit or explicit Deny All at the bottom of the ACL list. Windows firewall uses an implicit Deny All by default. However, you can change this behavior. Therefore, first check that your Windows Firewall is configured to block all inbound connections:

  • Open Control Panel -> Windows Defender Firewall
  • Click Advanced settings
  • Adjust the default action for each profile:


Now that you have an implicit Deny All to block all connections that are not specifically allowed, you will need to identify any other rules that would be allowing port 5900 (VNC) from a different IP address, because the rule you provided does not do that.

  • Open Control Panel -> Windows Defender Firewall
  • Click 'Allow an app or feature through Windows Defender Firewall'
  • Search through the list of 'Allowed apps and features' and remove anything related to the VNC executable that you have installed.

Next:

  • Click 'OK' in the Allowed Apps window so you are back to the Windows Defender Firewall page.
  • Click 'Advanced settings'
  • Choose 'Inbound Rules' on the left
  • Click the Local Port header to sort the list of firewall rules by the local port number.
  • Find any rules that cover port 5900 either directly or through a range. Be sure to look through all the port numbers assigned to a specific rule.

Remove any rule that allows port 5900 in a way that you do not want.
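The same audit, done from an elevated PowerShell prompt instead of the Control Panel. This is an added example and not part of the original answer; it assumes the trusted remote host 198.51.100.1 from the question, that the VNC server's rules have "vnc" somewhere in their display name or program path (as UltraVNC's "vnc5900"/"WinVNC" rules do), and that a new rule name 'VNC 5900 from trusted host' is acceptable. The point it makes concrete is the one the answer relies on: a rule whose Local Port is "Any" (typically an application-based rule) still admits TCP/5900, so the port-column sort alone can miss it.

```powershell
# Added example, not code from the original question or answer.
# Assumptions: elevated PowerShell on the Windows 10 host; 198.51.100.1 is the
# only host that should reach VNC; VNC rules carry "vnc" in their name/program.
$VncPort   = 5900
$TrustedIp = '198.51.100.1'

# 1. Every profile must fall back to "Block" for inbound traffic no rule matches.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# Does a port filter's LocalPort value cover $Port?  LocalPort may be 'Any',
# a single number, a range such as '5800-5999', or an array of those.
function Test-PortCovered {
    param([object]$LocalPort, [int]$Port)
    foreach ($entry in @($LocalPort)) {
        $s = [string]$entry
        if ($s -eq 'Any') { return $true }
        if ($s -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($s -match '^\d+$' -and [int]$s -eq $Port) {
            return $true
        }
    }
    return $false
}

# 2. Every enabled inbound ALLOW rule that could admit a connection to TCP/5900,
#    including application-based rules whose LocalPort is 'Any'.
$candidates = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $port = $rule | Get-NetFirewallPortFilter
    $app  = $rule | Get-NetFirewallApplicationFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    if (($port.Protocol -in 'TCP','Any') -and (Test-PortCovered $port.LocalPort $VncPort)) {
        [pscustomobject]@{
            Name          = $rule.Name
            DisplayName   = $rule.DisplayName
            Protocol      = $port.Protocol
            LocalPort     = (@($port.LocalPort) -join ',')
            Program       = $app.Program
            RemoteAddress = (@($addr.RemoteAddress) -join ',')
        }
    }
}
$candidates | Format-Table -AutoSize   # review this table before removing anything

# 3. Remove the VNC-related allow rules (name or program mentions "vnc") that are
#    not already scoped to the trusted host.  Other rows in the table (e.g. some
#    other program allowed on any port) are left for manual review on purpose.
$candidates |
    Where-Object { ($_.DisplayName -match 'vnc' -or $_.Program -match 'vnc') -and $_.RemoteAddress -ne $TrustedIp } |
    ForEach-Object { Remove-NetFirewallRule -Name $_.Name }

# 4. One rule remains: TCP/5900, inbound, only from the trusted host, all profiles.
New-NetFirewallRule -DisplayName 'VNC 5900 from trusted host' -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort $VncPort -RemoteAddress $TrustedIp `
    -Profile Domain,Private,Public
```

After running it, confirm from a host other than 198.51.100.1 that a TCP connection to port 5900 now fails; if it still succeeds, re-run step 2 and look at the rows whose LocalPort is "Any", since any one of them is enough for the firewall to match the packet before it ever reaches the default Block action.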

  • Thanks, Appleoddity, that was it. UltraVNC had unexpectedly installed two different firewall rules. The "vnc5900" one was already in place, and I had hoped by modifying it to allow only certain IPs I could tighten up the rule and limit access. But it had also installed a "WinVNC" rule which was application based (winvnc.exe) rather than port based, and apparently that rule took precedence over the "vnc5900" rule, causing my IP restrictions on that rule to have no effect. Consolidating the two rules into one now has the firewall working as expected. Commented May 12, 2019 at 3:31
  • @DavidWhite: As the answer explained, it's not a matter of precedence. Failure to match an "allow" rule does not mean instant denial -- the firewall keeps evaluating rules all the way down the list until one matches. – Ben Voigt, Commented May 12, 2019 at 3:55
