Hello,
I've set the firewall to filter unwanted remote desktop access attempts by filtering EventID = 1149 from the "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" event log.
These past few days, even though I've added a filter range for 192.162.0.0-192.162.255.255 in "Configure firewall rules", it seems the attacker can still access the "supposed to be blocked" port. The rule seems to be able to block access from all other port ranges. Please help me figure out whether the setting is wrong or something else.
SEP version: 12.1.6168.6000
OS Version: Win7 x64
Related log entry:
Remote Desktop Services: User authentication succeeded:
User: support_388945a0
Domain:
Source Network Address: 192.162.63.214
Firewall rule (I've set it to be the first rule in filter set):
1.0.0.0-5.255.255.255,13.0.0.0-14.255.255.255,23.0.0.0-27.255.255.255,31.0.0.0-31.255.255.255,36.0.0.0-50.255.255.255,58.0.0.0-89.255.255.255,91.0.0.0-98.255.255.255,101.0.0.0-125.255.255.255,133.208.22.170,139.196.0.0-139.196.255.255,146.0.0.0-148.255.255.255,151.252.217.30,153.156.44.214,155.94.0.0-155.94.255.255,158.69.33.6,162.0.0.0-168.255.255.255,171.0.0.0-176.255.255.255,177.0.0.0-191.255.255.255,192.162.0.0-192.162.255.255,193.0.0.0-198.255.255.255,200.0.0.0-223.255.255.255,229.249.129.31
Regards,
Lau Lei Cheong
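
A diagnostic check for the question above, as an added example that is not part of the original post: this Python script parses the posted remote-host list and tests each Source Network Address found in Event 1149 text against it. The function names and the 10.0.0.5 log line are constructed for illustration.

```python
import ipaddress
import re

# Remote-host list copied verbatim from the firewall rule in the post.
RULE = (
    "1.0.0.0-5.255.255.255,13.0.0.0-14.255.255.255,23.0.0.0-27.255.255.255,"
    "31.0.0.0-31.255.255.255,36.0.0.0-50.255.255.255,58.0.0.0-89.255.255.255,"
    "91.0.0.0-98.255.255.255,101.0.0.0-125.255.255.255,133.208.22.170,"
    "139.196.0.0-139.196.255.255,146.0.0.0-148.255.255.255,151.252.217.30,"
    "153.156.44.214,155.94.0.0-155.94.255.255,158.69.33.6,162.0.0.0-168.255.255.255,"
    "171.0.0.0-176.255.255.255,177.0.0.0-191.255.255.255,192.162.0.0-192.162.255.255,"
    "193.0.0.0-198.255.255.255,200.0.0.0-223.255.255.255,229.249.129.31"
)

# Event 1149 text from the post, plus one constructed line (10.0.0.5).
EVENTS = """\
Remote Desktop Services: User authentication succeeded:
User: support_388945a0
Domain:
Source Network Address: 192.162.63.214
Source Network Address: 10.0.0.5
"""

def parse_ranges(rule):
    """Turn 'a-b,c,...' into (first, last, original_text) tuples."""
    out = []
    for item in filter(None, (p.strip() for p in rule.split(","))):
        first, _, last = item.partition("-")
        lo = ipaddress.IPv4Address(first.strip())
        hi = ipaddress.IPv4Address(last.strip()) if last else lo
        if lo > hi:
            raise ValueError(f"reversed range: {item}")
        out.append((lo, hi, item))
    return out

def matching_entry(addr, ranges):
    """Return the rule entry that covers addr, or None if nothing does."""
    ip = ipaddress.IPv4Address(addr)
    return next((raw for lo, hi, raw in ranges if lo <= ip <= hi), None)

def audit(event_text, rule=RULE):
    """Map each Source Network Address in the log text to its covering entry."""
    ranges = parse_ranges(rule)
    found = re.findall(r"Source Network Address:\s*(\d+(?:\.\d+){3})", event_text)
    return {a: matching_entry(a, ranges) for a in found}

if __name__ == "__main__":
    for addr, entry in audit(EVENTS).items():
        print(f"{addr:15} -> {entry or 'NOT covered by the rule list'}")
```

For the logged address it reports the 192.162.0.0-192.162.255.255 entry, so the posted list does cover that host.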