Today I'm going to share my experience of how we restored RDP access that was blocked by the Windows Firewall after we accidentally blocked port 3389.
So the first thing we tried was the standard steps suggested by AWS support; here they are:
1. Stop the instance i-xxyyzzaabb
Please note: it is recommended that you take a snapshot or AMI of the instance before performing any modifications, for backup purposes.
I would note that if you have any data on any temporary drive attached to your instance, then you will lose that data unless you figure out how to back it up (I'm not sure whether creating a snapshot backs them up, but I guess not).
2. Launch a temporary Windows EC2 instance (20yy) in the same Availability Zone (us-west-2a)
Be sure to select exactly the same Availability Zone! An EBS volume can only be attached to an instance in the Availability Zone where the volume lives, so a helper in any other zone will not be able to mount the root volume at all.
3. Detach the root volume vol-aabbccdd from the problem instance.
4. Attach the root volume to the new temporary instance (the xvdf device mapping is fine; it will show up as a secondary, offline disk on the helper)
5. Login to the helper instance.
6. Download EC2Rescue on the temporary/helper instance from the following location: https://s3.amazonaws.com/ec2rescue/windows/EC2Rescue_latest.zip
7. Run EC2Rescue and select Next -> Offline Instance
8. Select the root volume vol-aabbccdd from the list of disks and select Next
9. Select Diagnose and Rescue which will provide suggestions to restore connectivity to the instance.
10. In the list of Detected Possible Issues, select all the checkboxes under Windows Firewall.
11. Select Next, then Rescue, and OK for the volume to be offline
12. Once EC2Rescue has completed, detach the volume from the temporary instance and re-attach it to the original instance i-xxyyzzaabb as /dev/sda1. It is important to attach it back as /dev/sda1: that is the root device name of the Windows AMI, and the instance will not boot from the volume if it is attached under any other device name.
13. Start the instance i-xxyyzzaabb and attempt to RDP.
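As an added example (my own, not from the post or from AWS support), here is the volume shuffle from steps 1, 3, 4, 12 and 13 driven by the AWS CLI from PowerShell, with the same-Availability-Zone check and the root-device-name check built in so that each step is verified before the next one runs. It assumes the AWS CLI is installed and has credentials; the helper instance ID, region and snapshot description are placeholders I made up.

```powershell
# Added example, not from the original post or from AWS support.
# Forward run: stop the problem instance, snapshot its root volume, move it to
# the helper as xvdf. Run again with -Restore after the repair to put it back
# on the original root device name and boot the instance.
# Assumptions (mine): AWS CLI installed with credentials; IDs below are placeholders.
param(
    [string]$ProblemInstance = 'i-xxyyzzaabb',
    [string]$HelperInstance  = 'i-0helper000000000',   # hypothetical helper instance ID
    [string]$Region          = 'us-west-2',
    [string]$HelperDevice    = 'xvdf',
    [switch]$Restore
)
$ErrorActionPreference = 'Stop'

function Invoke-Aws {
    # Thin wrapper so a failing CLI call stops the script instead of being silently ignored.
    $out = & aws ec2 @args --region $Region --output text
    if ($LASTEXITCODE -ne 0) { throw "aws ec2 $($args[0]) failed" }
    return $out
}

function Get-Fact($InstanceId, $Query) {
    Invoke-Aws describe-instances --instance-ids $InstanceId --query "Reservations[0].Instances[0].$Query"
}

function Get-VolumeOnDevice($InstanceId, $Device) {
    # EBS volume ID mapped at $Device (e.g. /dev/sda1 or xvdf) on $InstanceId.
    $rows = Get-Fact $InstanceId 'BlockDeviceMappings[].[DeviceName,Ebs.VolumeId]'
    foreach ($row in @($rows)) {
        $dev, $vol = $row -split '\s+'
        if ($dev -eq $Device) { return $vol }
    }
    throw "no volume mapped at $Device on $InstanceId"
}

if (-not $Restore) {
    # The "same Availability Zone" rule: a volume cannot be attached across zones, so check first.
    $azA = Get-Fact $ProblemInstance 'Placement.AvailabilityZone'
    $azB = Get-Fact $HelperInstance  'Placement.AvailabilityZone'
    if ($azA -ne $azB) { throw "AZ mismatch: $ProblemInstance is in $azA, $HelperInstance is in $azB" }

    $rootDev = Get-Fact $ProblemInstance 'RootDeviceName'       # normally /dev/sda1 on Windows AMIs
    $vol     = Get-VolumeOnDevice $ProblemInstance $rootDev
    Write-Host "Root volume of ${ProblemInstance}: $vol at $rootDev"

    # Step 1: stop the instance (anything on instance-store disks is lost at this point).
    Invoke-Aws stop-instances --instance-ids $ProblemInstance | Out-Null
    Invoke-Aws wait instance-stopped --instance-ids $ProblemInstance

    # The backup the support steps recommend: snapshot before touching the volume.
    $snap = Invoke-Aws create-snapshot --volume-id $vol --description "pre-rescue $ProblemInstance" --query SnapshotId
    Invoke-Aws wait snapshot-completed --snapshot-ids $snap

    # Steps 3-4: move the root volume to the helper as a secondary disk.
    Invoke-Aws detach-volume --volume-id $vol | Out-Null
    Invoke-Aws wait volume-available --volume-ids $vol
    Invoke-Aws attach-volume --volume-id $vol --instance-id $HelperInstance --device $HelperDevice | Out-Null
    Invoke-Aws wait volume-in-use --volume-ids $vol
    Write-Host "Snapshot $snap taken; $vol is on $HelperInstance as $HelperDevice. Repair it, then rerun with -Restore."
} else {
    # Steps 12-13: back onto the ORIGINAL root device name, then boot.
    $vol     = Get-VolumeOnDevice $HelperInstance $HelperDevice
    $rootDev = Get-Fact $ProblemInstance 'RootDeviceName'
    Invoke-Aws detach-volume --volume-id $vol | Out-Null
    Invoke-Aws wait volume-available --volume-ids $vol
    Invoke-Aws attach-volume --volume-id $vol --instance-id $ProblemInstance --device $rootDev | Out-Null
    Invoke-Aws wait volume-in-use --volume-ids $vol
    Invoke-Aws start-instances --instance-ids $ProblemInstance | Out-Null
    Invoke-Aws wait instance-running --instance-ids $ProblemInstance
    $ip = Get-Fact $ProblemInstance 'PublicIpAddress'
    # Reachability check for RDP once Windows has finished booting (give it a minute or two).
    Test-NetConnection -ComputerName $ip -Port 3389 | Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```

Take the rescued disk offline on the helper (and unload any registry hive you loaded from it) before running the -Restore half, otherwise the detach can leave unflushed writes behind.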
After two tries we were not able to get rid of the firewall block and still could not connect to the server via RDP.
So we decided to edit the registry of that problematic instance, and yes, we were right and managed to solve it.
Here are the steps:
1. Attach the volume to the temporary instance, if you have not already done so.
2. Right-click the Windows Start button and open the Disk Management tool.
3. Find the offline disk (the attached volume) and bring it online.
4. Open the Registry Editor: Win+R > regedit > Enter.
5. Select the HKEY_LOCAL_MACHINE node, then File > Load Hive...
6. Browse to Windows > System32 > config on the drive you just brought online (the problematic instance's disk) and select the SYSTEM file.
7. In the prompt, give it any user-friendly name, for example "RDP Lost Instance".
8. Under the name you set, go to the node:
if you added a rule and want to disable it, like we did.
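The same edit done with PowerShell on the helper instance, as an added example of mine rather than the post's own steps: it loads the offline SYSTEM hive (the equivalent of File > Load Hive), finds the inbound Block rules for TCP 3389 in the firewall policy and flips them to Active=FALSE, then unloads the hive. The drive letter F:, the mount name and the registry layout of Windows Firewall with Advanced Security (FirewallRules values as pipe-separated Key=Value tokens) come from my own knowledge of Windows, not from the post; adjust the drive letter to match Disk Management. Note that a hive loaded this way has no CurrentControlSet link, so the script resolves ControlSet00N from Select\Current.

```powershell
# Added example, not from the original post: edit the OFFLINE SYSTEM hive of the
# rescued disk from an elevated PowerShell prompt on the helper instance.
# Assumptions (mine): the rescued disk is online as F:, and the hive has the
# standard Windows Firewall with Advanced Security layout.
param(
    [string]$OfflineSystemHive = 'F:\Windows\System32\config\SYSTEM',
    [string]$MountName = 'RDPLostInstance',   # plays the role of "RDP Lost Instance" in the GUI steps
    [int]$Port = 3389,
    [switch]$WhatIf                           # only report matching rules, change nothing
)
$ErrorActionPreference = 'Stop'

function Test-RuleBlocksInboundTcpPort {
    # A FirewallRules value looks like:
    #   v2.30|Action=Block|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Name=Block RDP|
    # Returns $true for an ACTIVE inbound Block rule whose protocol and port cover TCP $Port.
    param([string]$Rule, [int]$Port)
    $t = @{}; $lports = @()
    foreach ($kv in $Rule.Split('|')) {
        $i = $kv.IndexOf('=')
        if ($i -le 0) { continue }
        $k = $kv.Substring(0, $i); $v = $kv.Substring($i + 1)
        if ($k -eq 'LPort') { $lports += $v } else { $t[$k] = $v }
    }
    if ($t['Action'] -ne 'Block' -or $t['Dir'] -ne 'In' -or $t['Active'] -ne 'TRUE') { return $false }
    if ($t.ContainsKey('Protocol') -and $t['Protocol'] -ne '6') { return $false }   # 6 = TCP; no token = any protocol
    if ($lports.Count -eq 0) { return $true }                                        # no LPort token = all local ports
    foreach ($lp in $lports) {
        if ($lp -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($lp -match '^\d+$' -and [int]$lp -eq $Port) { return $true }
    }
    return $false
}

# Steps 5-7: load the offline hive under HKLM\<MountName>.
& reg.exe load "HKLM\$MountName" $OfflineSystemHive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed; is the disk online and the prompt elevated?" }
try {
    # No CurrentControlSet in an offline hive: resolve it from Select\Current.
    $cs = 'ControlSet{0:D3}' -f (Get-ItemProperty "HKLM:\$MountName\Select").Current
    $policy = "HKLM:\$MountName\$cs\Services\SharedAccess\Parameters\FirewallPolicy"

    # Show whether each profile's firewall is on, so you know a rule (not a disabled profile) is what to fix.
    foreach ($prof in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $enabled = (Get-ItemProperty "$policy\$prof" -ErrorAction SilentlyContinue).EnableFirewall
        Write-Host ("{0}: EnableFirewall={1}" -f $prof, $enabled)
    }

    # Step 8: walk FirewallRules and set Active=FALSE on every rule that blocks inbound TCP $Port.
    $rulesKey = "$policy\FirewallRules"
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $hits = 0
    foreach ($p in (Get-ItemProperty -LiteralPath $rulesKey).PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        $rule = [string]$p.Value
        if (-not (Test-RuleBlocksInboundTcpPort -Rule $rule -Port $Port)) { continue }
        $hits++
        Write-Host "blocking rule: $($p.Name) -> $rule"
        if (-not $WhatIf) {
            Set-ItemProperty -LiteralPath $rulesKey -Name $p.Name -Value ($rule -replace '\|Active=TRUE\|', '|Active=FALSE|')
        }
    }
    Write-Host "$hits rule(s) matched$(if ($WhatIf) { ' (dry run, nothing changed)' })"
} finally {
    # Release handles and unload; without this the edit is not flushed and the disk cannot be taken offline cleanly.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Run it once with -WhatIf to see which rules would be touched, then without. Disabling only the offending rule keeps the rest of the policy intact; setting EnableFirewall=0 on a profile would also restore RDP but turns the host firewall off entirely, which is not what you want on an internet-facing server.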