Windows Firewall: Allow inbound Remote Desktop exceptions

Allows this computer to receive inbound Remote Desktop requests. To do this, Windows Firewall opens TCP port 3389.

If you enable this policy setting, Windows Firewall opens this port so that this computer can receive Remote Desktop requests. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel, the "Remote Desktop" check box is selected and administrators cannot clear it.

If you disable this policy setting, Windows Firewall blocks this port, which prevents this computer from receiving Remote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions list, Windows Firewall does not open the port. In the Windows Firewall component of Control Panel, the "Remote Desktop" check box is cleared and administrators cannot select it.

If you do not configure this policy setting, Windows Firewall does not open this port. Therefore, the computer cannot receive Remote Desktop requests unless an administrator uses other policy settings to open the port. In the Windows Firewall component of Control Panel, the "Remote Desktop" check box is cleared. Administrators can change this check box."

Supported on: At least Windows XP Professional with SP2
Registry HiveHKEY_LOCAL_MACHINE
Registry PathSOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop
Value NameEnabled
Value TypeREG_DWORD
Enabled Value1
Disabled Value0

Allow unsolicited incoming messages from these IP addresses:

Registry HiveHKEY_LOCAL_MACHINE
Registry PathSOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop
Value NameRemoteAddresses
Value TypeREG_SZ
Default Value

Syntax:

Type "*" to allow messages from any network, or

else type a comma-separated list that contains

any number or combination of these:

IP addresses, such as 10.0.0.1

Subnet descriptions, such as 10.2.3.0/24

The string "localsubnet"

Example: to allow messages from 10.0.0.1,

10.0.0.2, and from any system on the

local subnet or on the 10.3.4.x subnet,

type the following in the "Allow unsolicited"

incoming messages from these IP addresses":

10.0.0.1,10.0.0.2,localsubnet,10.3.4.0/24


windowsfirewall.admx

Administrative Templates (Computers)

Administrative Templates (Users)