If vulnerable ports such as Windows remote port 3389 and Linux remote port 22 are exposed, malicious parties can scan for and initiate attacks over these ports. You can prevent these attacks by modifying the default remote port or restricting remote access sources. This topic takes an ECS instance running Windows Server 2012 R2 as an example to describe how to use Windows Firewall with Advanced Security (WFAS) to restrict IP addresses of remote access.

Prerequisites

You must have registered an Alibaba Cloud account before you follow the instructions provided in the tutorial. If not, create a new Alibaba Cloud account first.

Background information

WFAS is an important part of a layered security model. WFAS provides host-based bidirectional network traffic filtering to block unauthorized network traffic flowing into or out of the local computer. WFAS also works with Network Awareness to apply corresponding security settings to the network to which the computer is connected. WFAS integrates Windows Firewall and Internet Protocol Security (IPsec) configuration settings into a single Microsoft Management Console (MMC), becoming an important part of the network isolation strategy.

Note The procedure described in this topic is not applicable to ECS instances that run Windows Server 2016. For ECS instances running Windows Server 2016, we recommend that you restrict remote access sources by adding security group rules. For more information, see the "Scenario 4: Allow your instance to access only specific public IP addresses" section in Scenarios for security groups. For more information about how to add security group rules, see Add security group rules.

Use MMC to configure WFAS

  1. Enable the firewall.
    1. Press the shortcut keys Win + R to open the Run dialog box.
    2. Enter firewall.cpl and press the Enter key.
      firewall1
    3. Click Turn Windows Firewall on or off to view the firewall status.
      The firewall is disabled by default.
    4. Enable Windows firewalls for each network type and click OK.
      firewall2
  2. Check the remote RDP port 3389.
    1. Press the shortcut keys Win + R to open the Run dialog box.
    2. Enter wf.msc and press the Enter key.
      firewall3
    3. Click Inbound Rules. In the Open RDP Port 3389 inbound rule, you can find that the default allowed port is 3389.
      firewall4
  3. Add the remote RDP port 3389 to Windows Firewall with Advanced Security.
    1. Click New Rule, and the New Inbound Rule Wizard dialog box appears.
    2. In the Rule Type step, select Port and click Next.
    3. In the Protocol and Ports step, select TCP as the protocol, select the Specific local ports option button and enter 3389 in the field, and then click Next.
    4. Select Allow the connection and click Next.
    5. Keep the default configuration and click Next.
    6. Set the rule name such as RemoteDesktop, and click Finish.
  4. Configure the scope.
    1. Right-click the created inbound rule RemoteDesktop and choose Properties from the shortcut menu.
    2. On the Scope tab, select These IP addresses: in the Remote IP address section, add one or more IP addresses or CIDR blocks, and then click OK.
      firewall5
      Notice After the scope parameter is configured, remote connection is only allowed from the remote IP address that you have set in the scope.
  5. Validate the scope. Add any other IP address to the remote IP addresses and click OK.
    The remote connection is automatically interrupted, indicating that the scope parameter has taken effect.
    If the remote connection continues, right-click the Open RDP Port 3389 inbound rule and choose Disable Rule from the shortcut menu.
  6. In the ECS Console, change the remote IP addresses in the scope to the public IP address of the office environment to restore the remote connection.
    1. Log on to the ECS console.
    2. In the instance list, find the target instance. In the Actions column, click Connect.
      firewall7
    3. In the Enter VNC password: field, enter the password and click OK.
    4. Modify the remote IP address in the scope of the RemoteDesktop inbound rule. Change the original 1.1.1.1 IP address to the IP address that you want to authorize.

Use CLI to configure WFAS

You can also run the netsh command in CLI to configure WFAS. The following list shows examples of the netsh command:
  • Export the firewall configuration file.
    netsh advfirewall export c:\adv.pol
  • Import the firewall configuration file.
    netsh advfirewall import c:\adv.pol
  • Restore the default settings of the firewall.
    netsh advfirewall reset
  • Disable the firewall.
    netsh advfirewall set allprofiles state off
  • Enable the firewall.
    netsh advfirewall set allprofiles state on
  • Set the default firewall policy for all configuration files to block inbound traffic and allow outbound traffic.
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
  • Delete the ftp rule.
    netsh advfirewall firewall delete rule name=ftp
  • Delete all inbound rules for the local port 80.
    netsh advfirewall firewall delete rule name=all protocol=tcp localport=80
  • Add an inbound rule for the remote desktop to allow traffic from port 3389.
    netsh advfirewall firewall add rule name=remote desktop (TCP-In-3389) protocol=TCP dir=in localport=3389 action=allow