I am trying to configure endpoint machines with a firewall that only allows white-listed traffic, and all other connections are blocked.
The client machines are desktops and laptops running Windows 7 (both x86 and x64) using the built-in Windows Firewall with Advanced Security. Every machine is part of a Windows Server 2008 domain, and I am configuring the firewall using Group Policy. I am testing this firewall configuration with a small subset of machines.
Right now, I have Windows Firewall configured to block all inbound and outbound traffic that doesn't match an explicit allow rule. Here are the basic communications that are currently enabled:
- DNS (UDP 53 Out)
- LDAP (TCP 389 Out, UDP 389 Out)
- Remote Desktop (TCP 3389 Out)
- Web Browsing (TCP 80 Out)
- Preset: Core Networking
- Preset: Distributed Transaction Coordinator
- Preset: File and Printer Sharing
- Preset: Network Discovery
- Preset: Remote Assistance
In addition, I have a few rules defined for the business applications we use. This has been working fairly well, but today I encountered some problems with MSRPC (Microsoft Remote Procedure Call).
I open mmc.exe and load the computer management snap-in in order to modify the local administrators group. In the "Select Users, Computers..." window I enter the username, then click "Check Names". It gives me the following error:
Windows cannot process the object with the name "Foo Bar" because of the following error:
Access is denied.
When I remove the firewall restrictions, it works fine. The traffic being blocked is MSRPC, and it uses a randomly selected port in the range of [49100...65535].
How can I create a rule for Windows Firewall that allows MSRPC traffic without creating an overly broad rule, such as allowing TCP traffic on all ports?
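As an added example (not part of the question above), the following PowerShell script shows how the endpoint-mapper step and the dynamic-port step of an MSRPC connection can each get their own narrowly scoped outbound rule with netsh advfirewall, the tool available on the Windows 7 / Server 2008 clients the question describes. The domain controller addresses are placeholders from TEST-NET-1, the port range is the one the question reports, and the rule names are invented for this example.

```powershell
# Added example, not code from the question: scope outbound MSRPC to the domain
# controllers instead of allowing TCP on all ports to any host.
# Assumptions: $DomainControllers holds placeholder DC addresses (replace them),
# and $DynamicRange is the range the question reports. The Windows default
# ephemeral range is 49152-65535; the command below shows what this client uses.

$DomainControllers = '192.0.2.10,192.0.2.11'   # placeholder DC IPs (TEST-NET-1)
$DynamicRange      = '49100-65535'              # range stated in the question

# Check the ephemeral range actually configured on this machine
# (output lists "Start Port" and "Number of Ports")
netsh interface ipv4 show dynamicport tcp

# Step 1: the client first contacts the RPC Endpoint Mapper on TCP 135 of the DC
# to learn which dynamic port the target RPC service is listening on.
netsh advfirewall firewall add rule name="Allow RPC Endpoint Mapper to DCs" `
    dir=out action=allow protocol=TCP profile=domain `
    remoteip=$DomainControllers remoteport=135

# Step 2: the follow-up connection goes to a port in the dynamic range.
# Limiting remoteip to the DCs keeps this rule from becoming "all ports to anywhere".
netsh advfirewall firewall add rule name="Allow RPC dynamic ports to DCs" `
    dir=out action=allow protocol=TCP profile=domain `
    remoteip=$DomainControllers remoteport=$DynamicRange

# Verification: log dropped connections for the domain profile, reproduce the
# "Check Names" action, then look for DROP entries toward the DC addresses.
netsh advfirewall set domainprofile logging droppedconnections enable
Select-String -Path "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" `
    -Pattern 'DROP.*192\.0\.2\.'
```

The two rules must be run from an elevated prompt. The `RPC` and `RPC-EPMap` keywords that netsh accepts for `localport` on inbound rules are not offered for `remoteport`, so an outbound rule has to spell out the port range and rely on `remoteip` (and the domain profile) to stay narrow. If the dropped-connection log still shows blocked traffic to the DCs after the rules are in place, the logged destination port tells you whether the client's ephemeral range differs from the one configured in the rule.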