I've set the firewall to filter unwanted remote desktop access attempts by filtering EventID = 1149 from the "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" event log.
Over the past few days, although I've added a filter range for 188.8.131.52-184.108.40.206 in "Configure firewall rules", it seems the attacker can still access the "supposed to be blocked" port. The rule seems to be able to block access from all other port ranges. Please help me figure out whether the setting is wrong or it is something else.
SEP version: 12.1.6168.6000
OS Version: Win7 x64
Related log entry:
Remote Desktop Services: User authentication succeeded:
Source Network Address: 220.127.116.11
Firewall rule (I've set it to be the first rule in filter set):
Lau Lei Cheong
Can you post a screenshot(s) of the rule?
Here are the screenshots.
Btw, I should mention that I only move the rule to the first position before I leave work at night, in order to make sure it's not the ordering of the rules preventing it from working. The "Block suspicious connection" rule contains IP ranges that cover multiple places that I use and also prevents me from connecting from home using remote desktop, so I need the first two "Allow" rules to enable me to do that.