If commonly attacked ports such as the Windows remote port 3389 (RDP) and the Linux remote port 22 (SSH) are exposed to the Internet, malicious parties can scan for them and initiate attacks over them. You can reduce this risk by changing the default remote port or by restricting the sources that are allowed to connect. This topic takes an ECS instance running Windows Server 2008 R2 as an example to describe how to use Windows Firewall with Advanced Security to restrict the source IP addresses that are allowed remote access.

Prerequisites

You must have registered an Alibaba Cloud account before you follow the instructions provided in the tutorial. If not, create a new Alibaba Cloud account first.

Background information

Windows Firewall with Advanced Security (WFAS) is an important part of a layered security model. WFAS provides host-based, two-way network traffic filtering that blocks unauthorized network traffic flowing into or out of the local computer. WFAS also works with Network Awareness to apply the security settings appropriate to the type of network to which the computer is connected. Windows Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) snap-in named Windows Firewall with Advanced Security (WFAS), which makes WFAS an important part of your network isolation strategy.

Note The procedure described in this topic is not applicable to ECS instances that run Windows Server 2016. For ECS instances running Windows Server 2016, we recommend that you restrict remote access sources by adding security group rules. For more information, see Scenario 4: Allow your instance to access only specific public IP addresses in Scenarios for security groups. For more information about how to add security group rules, see Add security group rules.

Use MMC to configure WFAS

  1. Enable the firewall.
    1. Press the shortcut keys Win+R to open the Run dialog box.
    2. Enter firewall.cpl and then press the Enter key.
    3. Click Turn Windows Firewall on or off to view the firewall status.
      The firewall is off by default.
    4. Turn on Windows Firewall for each type of network, and click OK.
  2. Check the remote RDP port 3389.
    1. Press the shortcut keys Win+R to open the Run dialog box.
    2. Enter wf.msc and then press the Enter key.
    3. Click Inbound Rules. You can see that the default Open RDP Port 3389 inbound rule allows local port 3389.
  3. Add an inbound rule for the remote RDP port 3389 in Windows Firewall with Advanced Security.
    1. Click New Rule. The New Inbound Rule Wizard dialog box appears.
    2. On the Rule Type tab, select Port, and then click Next.
    3. On the Protocol and Ports tab, select TCP as the protocol, enter 3389 for Specific local ports, and click Next.
    4. On the Action tab, select Allow the connection and click Next.
    5. Retain the default configuration and click Next.
    6. Set the rule name, such as RemoteDesktop, and click Finish.
  4. Configure the scope.
    1. Right-click the created inbound rule RemoteDesktop and select Properties.
    2. On the Scope tab, select These IP addresses: under Remote IP address, add one or more IP addresses or CIDR blocks, and then click OK.
      Notice After the scope is configured, remote connections can be established only from the remote IP addresses that you set in the scope. Connections from all other addresses are refused.
  5. Validate the scope. Add any other IP address to the remote IP addresses and click OK.
    The remote connection is automatically interrupted, indicating that the scope has taken effect.
    If the remote connection continues, the default Open RDP Port 3389 inbound rule is still allowing port 3389 from any address. Right-click the Open RDP Port 3389 inbound rule and select Disable Rule so that only the scoped RemoteDesktop rule applies.
  6. In the ECS Console, change the remote IP addresses in the scope parameter to the public IP address of the office environment to recover the remote connection.
    1. Log on to the ECS console.
    2. In the instances list, find the instance you want to connect to. In the Actions column, click Connect.
    3. In the Enter VNC password: field, enter the password, and then click OK.
    4. Modify the remote IP address in the scope of the RemoteDesktop inbound rule. Change the original 1.1.1.1 IP address to the IP address that you want to authorize.

Use the CLI to configure Windows Firewall with Advanced Security

You can also run netsh commands in the CLI to configure Windows Firewall with Advanced Security. The following list shows examples of netsh commands:
  • Export the firewall configuration file.
    netsh advfirewall export c:\adv.pol
  • Import the firewall configuration file.
    netsh advfirewall import c:\adv.pol
  • Restore the default settings of the firewall.
    netsh advfirewall reset
  • Turn off the firewall.
    netsh advfirewall set allprofiles state off
  • Turn on the firewall.
    netsh advfirewall set allprofiles state on
  • Set the default firewall policy for all profiles to block inbound traffic and allow outbound traffic.
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
  • Delete the rule named ftp.
    netsh advfirewall firewall delete rule name=ftp
  • Delete all inbound rules for the local TCP port 80 (dir=in limits the deletion to inbound rules).
    netsh advfirewall firewall delete rule name=all protocol=tcp localport=80 dir=in
  • Add an inbound rule for the remote desktop to allow port 3389 (a rule name that contains spaces must be quoted).
    netsh advfirewall firewall add rule name="remote desktop (TCP-In-3389)" protocol=TCP dir=in localport=3389 action=allow
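The following script, added here as an example and not part of the original topic, reproduces steps 3 to 6 of the MMC procedure with netsh, including the scope that the command list above does not show (the remoteip parameter is the CLI equivalent of These IP addresses on the Scope tab). It assumes an elevated PowerShell console on Windows Server 2008 R2, opened through the VNC connection in the ECS console so that a wrong scope cannot lock you out, and the addresses 203.0.113.10 and 198.51.100.0/24 are placeholders for your office egress IP address and CIDR block.

```powershell
# Added example (not from the original topic): scoped RDP allow rule with netsh.
# Assumptions: elevated PowerShell on Windows Server 2008 R2, run from the VNC
# console; $AllowedIps holds placeholder office addresses, replace them with yours.
$RuleName    = "RemoteDesktop"
$DefaultRule = "Open RDP Port 3389"            # unscoped rule present on the image
$AllowedIps  = "203.0.113.10,198.51.100.0/24"  # comma-separated IPs or CIDR blocks

# Steps 1 and 2 of the topic: firewall on for every profile, inbound blocked by default.
netsh advfirewall set allprofiles state on | Out-Null
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null

# Steps 3 and 4: allow TCP 3389 inbound, but only from the listed remote addresses.
netsh advfirewall firewall add rule "name=$RuleName" dir=in action=allow `
    protocol=TCP localport=3389 "remoteip=$AllowedIps" profile=any | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not add rule $RuleName" }

# Step 5: the scoped rule only restricts access if no other rule still allows
# 3389 from any address, so disable the default unscoped rule instead of
# relying on the order of rules.
netsh advfirewall firewall set rule "name=$DefaultRule" new enable=no | Out-Null

# Check the result instead of waiting for the session to drop: the RemoteIP line
# of the new rule must list the allowed addresses, never "Any". netsh prints a
# single address as a /32 block, for example 203.0.113.10/32.
$shown = netsh advfirewall firewall show rule "name=$RuleName"
$scope = ($shown | Select-String '^RemoteIP:').Line -replace '^RemoteIP:\s*', ''
if (-not $scope -or $scope -eq 'Any') {
    throw "$RuleName has no scope; every address could still reach TCP 3389"
}
Write-Host "Rule $RuleName allows TCP 3389 only from: $scope"

# Step 6: when the office address changes, replace the scope of the existing
# rule in place rather than adding a second, broader rule.
# netsh advfirewall firewall set rule "name=$RuleName" new "remoteip=203.0.113.20"
```

The show rule output is localized on non-English installations, so adjust the RemoteIP: pattern in that case.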