Fooling about with managing Windows Firewall with Powershell, and am discovering the usual 'Windows things', like by default there's 70 rules that are enabled that are a default allow. It's howling fucking madness.
That said, there's something like six different entries for RDP connections, and you'll need to switch them *all* off to get your own rules in there. This is silly.
And you can have rules pinned to a service or executable, as well as a *nix like simple network rule. This allows flexibility, but also gets horribly complicated to understand just what the fuck is going on.