How to Disable Windows Server 2008 Firewall via Recovery Mode When Locked Out of RDP

When you accidentally block all TCP connections (including RDP) via Windows Firewall rules, recovery mode becomes your lifeline. If you're using a VNC-based recovery environment (like a Windows XP recovery system), you can still access the physical files of your Windows Server 2008 R2 installation. The key is to modify the firewall configuration before rebooting.

The Group Policy firewall settings in Windows Server 2008 are stored in the registry under Policies\Microsoft\WindowsFirewall, which lives in the SOFTWARE hive. Load that offline hive from the recovered OS (the loaded hive must be the one that actually contains the key you edit next; loading SYSTEM here would leave the Policies path nonexistent):

reg load HKLM\TempSOFTWARE C:\Windows\System32\config\SOFTWARE

Then set EnableFirewall to 0 under the firewall policy key. DomainProfile is shown; if the server is on the Private or Public profile, edit StandardProfile or PublicProfile under the same parent key as well:

reg add "HKLM\TempSOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f

If you can run a command on the server itself (for example from its console) rather than only from the recovery environment, you can change the firewall service startup directly. Note that sc config acts only on the running system, so it cannot be used against the offline installation:

sc config MpsSvc start= disabled

Or queue the netsh command to run at the next interactive logon by adding a RunOnce entry to the offline SOFTWARE hive. HKLM RunOnce entries fire when a user logs on, so this does nothing until someone signs in at the console:

reg add "HKLM\TempSOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v DisableFirewall /t REG_SZ /d "netsh advfirewall set allprofiles state off" /f

For repeated scenarios, create a batch script in the recovery environment (adjust C: if the offline Windows installation is mounted under a different drive letter; the final line reboots the recovery environment itself):

@echo off
reg load HKLM\TempSOFTWARE C:\Windows\System32\config\SOFTWARE
reg add "HKLM\TempSOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
reg unload HKLM\TempSOFTWARE
shutdown /r /t 0

After making these modifications and rebooting, you should be able to:

  1. Connect via RDP normally
  2. Check the firewall status with: netsh advfirewall show allprofiles state
  3. Review the applied rules: netsh advfirewall firewall show rule name=all

Always test firewall rules with a temporary exception that allows your current IP. On Server 2008 R2 the built-in tool for this is netsh (restrict the rule to your management address rather than leaving it open):

netsh advfirewall firewall add rule name="TempRDPAccess" dir=in action=allow protocol=TCP localport=3389 remoteip=<your-management-IP>

New-NetFirewallRule is only available on Windows Server 2012 and later; there the equivalent temporary rule is:

New-NetFirewallRule -DisplayName "TempRDPAccess" -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress <your-management-IP> -Action Allow -Enabled True

Getting locked out of your Windows Server 2008 R2 due to an overzealous firewall rule is every sysadmin's nightmare. When Remote Desktop gets blocked and you only have filesystem access through recovery mode, here's how to surgically disable the firewall before reboot.

From your recovery environment (WinPE/VNC/XP recovery console), locate the Windows installation directory (typically C:\Windows) and navigate to:

cd /d C:\Windows\System32\config

We'll edit the SYSTEM hive, where the local (non-policy) firewall settings are stored. StandardProfile is the Private profile; repeat the reg add for DomainProfile and PublicProfile if the server may be on those profiles:

reg load HKU\TempSys C:\Windows\System32\config\SYSTEM
reg add "HKU\TempSys\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
reg unload HKU\TempSys

For a more thorough (and riskier) option that prevents the firewall service from starting at all, set the Start value of the Windows Firewall service, MpsSvc, to 4 (Disabled). On Server 2008 R2, SharedAccess is the Internet Connection Sharing service, not the firewall, and Microsoft does not support running the server with MpsSvc stopped, so prefer the EnableFirewall change above and set the service back to its default once you are back in:

reg load HKU\TempSys C:\Windows\System32\config\SYSTEM
reg add "HKU\TempSys\ControlSet001\Services\MpsSvc" /v Start /t REG_DWORD /d 4 /f
reg unload HKU\TempSys

After making changes, you can verify them by querying the registry:

reg load HKU\TempSys C:\Windows\System32\config\SYSTEM
reg query "HKU\TempSys\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall
reg unload HKU\TempSys

This should return "0x0", indicating that the firewall will be disabled on the next boot.

ControlSet001 is not always the control set the system actually boots with, so you may need to edit ControlSet002 or ControlSet003 instead. With the hive loaded, check which one is marked as current:

reg query "HKU\TempSys\Select" /v Current
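Putting the control-set check and the per-profile EnableFirewall edits together, here is an added batch script (not part of the original article) for the recovery environment. It assumes cmd.exe and reg.exe are available and that the offline Windows installation is on C: unless another drive letter is passed as the first argument:

```batch
@echo off
setlocal EnableDelayedExpansion
REM Added example, not from the original article. Run inside the recovery
REM environment. Assumes the offline OS is mounted at C: unless a different
REM drive letter (e.g. D:) is passed as the first argument.
set "WINDRIVE=%~1"
if "%WINDRIVE%"=="" set "WINDRIVE=C:"
set "HIVE=%WINDRIVE%\Windows\System32\config\SYSTEM"
set "MOUNT=HKU\TempSys"

if not exist "%HIVE%" (
    echo SYSTEM hive not found at %HIVE% - check which drive letter holds the offline Windows.
    exit /b 1
)
reg load %MOUNT% "%HIVE%" >nul || (echo Could not load %HIVE% & exit /b 1)

REM Resolve the control set the offline OS boots with instead of assuming ControlSet001.
set "CUR="
for /f "tokens=3" %%A in ('reg query "%MOUNT%\Select" /v Current ^| find /i "Current"') do set "CUR=%%A"
if not defined CUR (
    echo Could not read Select\Current; unloading hive without changes.
    reg unload %MOUNT% >nul
    exit /b 1
)
set /a CURNUM=%CUR%
set "CS=00!CURNUM!"
set "CS=ControlSet!CS:~-3!"
echo Active control set: %CS%

REM Turn the firewall off in all three profiles, since the server may be on any of them,
REM and read each value back so a failed write is visible before rebooting.
set "FWP=%MOUNT%\%CS%\Services\SharedAccess\Parameters\FirewallPolicy"
set "FAILED=0"
for %%P in (DomainProfile StandardProfile PublicProfile) do (
    reg add "%FWP%\%%P" /v EnableFirewall /t REG_DWORD /d 0 /f >nul
    reg query "%FWP%\%%P" /v EnableFirewall | find "0x0" >nul && (
        echo %%P: EnableFirewall = 0x0
    ) || (
        echo WARNING: could not verify %%P
        set "FAILED=1"
    )
)
reg unload %MOUNT% >nul
if "!FAILED!"=="1" exit /b 1
echo Done. Reboot, add a scoped RDP allow rule, then turn the firewall back on.
endlocal
```

Once RDP works again, re-enable the profiles with netsh advfirewall set allprofiles state on after the scoped RDP rule is in place, so the server is not left unfiltered.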