Step 1: Adding and Testing a Firewall Rule that Blocks Standard Telnet Traffic

Updated: September 1, 2010

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Create a rule that blocks all Telnet traffic, and then test it against the existing Telnet Allow Rule (created previously in “Creating Rules that Allow Required Inbound Network Traffic, Step 2: Allowing Unsolicited Inbound Network Traffic for a Specific Program”) to see that the cumulative effect is to block Telnet traffic.

To create a Telnet block rule

  1. On MBRSVR1, in Group Policy Management, click Group Policy Objects, right-click Firewall Settings for Windows Servers, and then click Edit.

  2. In the Group Policy Management Editor, in the navigation pane, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, and then expand Windows Firewall with Advanced Security - LDAP://cn={GUID},cn=policies,cn=system,DC=contoso,DC=com.

  3. Right-click Inbound Rules, and then click New Rule.

  4. On the Rule Type page, click Custom, and then click Next.

  5. On the Program page, click This program path, and then in the text box, type %systemroot%\system32\tlntsvr.exe.

  6. Click Customize, click Apply to this service, click the row for Telnet with a short name of TlntSvr, click OK, and then click Next.

  7. On the Protocol and Ports page, change the Protocol type to TCP, change Local port to Specific Ports, type 23 in the text box, and then click Next.

  8. On the Scope page, click Next.

  9. On the Action page, click Block the connection, and then click Next.

  10. On the Profile page, clear the Private and Public check boxes, and then click Next.

  11. On the Name page, type Block All Telnet, and then click Finish.

Now you have two conflicting rules. One specifies that Telnet traffic is permitted as long as it is encrypted and sent by a user that is a member of the group Authorized to Access to MBRSVR1. The other rule says to block all Telnet traffic. In the next procedure you see what Telnet connectivity is available when these two rules are both in place.

To test Telnet connectivity when two conflicting rules are in place

  1. On MBRSVR1, switch to the Administrator: Command Prompt, and run gpupdate /force. Wait until the command finishes.

  2. On CLIENT1, at a command prompt, type the command telnet mbrsvr1.

    The command fails because, by default, an inbound block rule takes precedence over an inbound allow rule that matches the same traffic.
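The same block rule and the same connectivity check, as an added command-line example that is not part of the original walkthrough. It uses netsh advfirewall because that is the firewall CLI available on the operating systems this page applies to; New-NetFirewallRule was introduced later. It assumes an elevated PowerShell prompt on MBRSVR1 and writes the rule to the local policy store rather than to the Firewall Settings for Windows Servers GPO (the commented-out set store line is an assumed syntax for targeting the GPO and is not taken from the page). The dropped-connection logging at the end is the check a defender would use to confirm the block fired.

```powershell
# Added example, not from the original page: recreate "Block All Telnet" with netsh,
# then confirm the block by looking for the dropped connection in the firewall log.
# Assumes an elevated prompt on MBRSVR1 and the LOCAL policy store.
# Assumed (not from the page) syntax for targeting the GPO instead of the local store:
# netsh --% advfirewall set store gpo="contoso.com\Firewall Settings for Windows Servers"

# Same settings the wizard steps produce: inbound, this program + TlntSvr service,
# TCP local port 23, action Block, Domain profile only.
netsh --% advfirewall firewall add rule name="Block All Telnet" dir=in action=block program="%systemroot%\system32\tlntsvr.exe" service=TlntSvr protocol=TCP localport=23 profile=domain

# Show the rule as stored, to confirm every field matches the procedure.
netsh --% advfirewall firewall show rule name="Block All Telnet" verbose

# Log dropped connections for the Domain profile so the failed Telnet attempt is recorded.
netsh --% advfirewall set domainprofile logging droppedconnections enable
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# On MBRSVR1 apply policy (page step 1), then on CLIENT1 run:  telnet mbrsvr1
gpupdate /force

# Back on MBRSVR1: pfirewall.log lines are
#   date time action protocol src-ip dst-ip src-port dst-port ...
# so a DROP on TCP with destination port 23 is the blocked Telnet connection.
Get-Content $log | Where-Object { $_ -match '^\S+ \S+ DROP TCP \S+ \S+ \S+ 23 ' }

# Cleanup once the test is done, if the rule was created locally for the demonstration:
# netsh --% advfirewall firewall delete rule name="Block All Telnet"
```

The `--%` token makes PowerShell hand the rest of the line to netsh verbatim, which avoids PowerShell re-quoting the name="..." and program="..." arguments. If the rule is created in the GPO as the page does, the show rule command must be run after gpupdate /force, because rules delivered by Group Policy appear only after the policy has been applied.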

Next topic: Step 2: Modifying a Telnet Firewall Allow Rule to Override Block Rules