RDP Login attack causing account lockout.

Maddoghoek77
We are running a server (Win2K3) for RDP/terminal services. Every so often (there is no pattern, unfortunately) one of our accounts keeps getting locked out due to bad passwords. I have shut off terminal services for the account in AD, but the login attempts are still polling AD, and therefore locking the account out. Looking at the event logs, this appears to be an attempt to brute force into the network. The logs show the source IP address(es) coming from other countries and all that jazz. We have password policies set up (lockout, strong password requirements, etc...), so I am not too worried about a break-in, I just need the lockout to stop occurring.

Is there a way to prevent this from occurring (aside from restricting IP addresses, etc...)? I was hoping there was a way to have the RDP/terminal services server recognize that this login is not allowed to use any "remote services" and stop hitting AD.

I tried adding the username to the terminal services permissions and then denying all, but it still hits AD.

The long and short of it is that I am looking for a way to restrict access based on the username supplied at the RDP server level rather than having it hit AD. Does anyone know of a way to do this?

Thanks in advance!
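The question describes the symptom (repeated bad-password events from foreign source IPs) but does not show how to turn those events into a list of offending sources before the lockout threshold is hit. The following is an added example, not code from the original question or any of the answers: it parses a constructed, simplified Security-log export (Event ID 529 is the Windows 2003 "logon failure: bad password" event, 4625 its post-Vista equivalent; logon type 10 is RemoteInteractive, i.e. RDP), keeps a sliding window per (source IP, account) pair, and reports every pair whose failures would trip a domain lockout policy of N bad passwords in M minutes. The field layout, the timestamps and the 203.0.113.x / 198.51.100.x addresses are all made up for the example; adapt the regex to whatever your export (Event Viewer CSV, a syslog forwarder, etc.) actually emits, and set the threshold and window to mirror your real lockout policy.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export, modelled loosely on Security-log fields. Not a real log:
# EventID 529 = logon failure (bad password) on Windows 2003, 528 = successful logon,
# LogonType 10 = RemoteInteractive (RDP/terminal services).
SAMPLE_LOG = """\
2010-03-01 02:14:07 EventID=529 User=BESAdmin Domain=CORP LogonType=10 SourceIP=203.0.113.45
2010-03-01 02:14:09 EventID=529 User=BESAdmin Domain=CORP LogonType=10 SourceIP=203.0.113.45
2010-03-01 02:14:12 EventID=529 User=BESAdmin Domain=CORP LogonType=10 SourceIP=203.0.113.45
2010-03-01 02:15:30 EventID=529 User=Administrator Domain=CORP LogonType=10 SourceIP=198.51.100.7
2010-03-01 02:16:01 EventID=529 User=BESAdmin Domain=CORP LogonType=10 SourceIP=203.0.113.45
2010-03-01 02:16:44 EventID=528 User=jsmith Domain=CORP LogonType=10 SourceIP=10.0.0.5
2010-03-01 02:17:02 EventID=529 User=BESAdmin Domain=CORP LogonType=10 SourceIP=203.0.113.45
2010-03-01 02:17:05 EventID=529 User=BESAdmin Domain=CORP LogonType=10 SourceIP=203.0.113.45
2010-03-01 03:05:00 EventID=529 User=Administrator Domain=CORP LogonType=10 SourceIP=198.51.100.7
"""

# Hypothetical line format used by the constructed sample above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) User=(?P<user>\S+) Domain=(?P<dom>\S+) "
    r"LogonType=(?P<ltype>\d+) SourceIP=(?P<ip>\S+)$"
)
FAILED_LOGON_IDS = {"529", "4625"}   # bad-password failure on 2003 and on Vista+ respectively
RDP_LOGON_TYPE = "10"                # RemoteInteractive


def parse_line(line):
    """Parse one export line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def find_lockout_risks(log_text, threshold=5, window_minutes=30):
    """Return {(source_ip, account): (total_failures, time_threshold_reached)} for every
    source/account pair whose failed RDP logons reach `threshold` bad passwords inside a
    sliding window of `window_minutes`. Set both to match the domain lockout policy so
    the output is the list of sources that would have locked the account."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # (ip, account) -> timestamps of failures still in window
    totals = defaultdict(int)
    tripped = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["eid"] not in FAILED_LOGON_IDS or ev["ltype"] != RDP_LOGON_TYPE:
            continue                    # successes, non-RDP logons, unparsable lines
        key = (ev["ip"], ev["user"].lower())
        totals[key] += 1
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()                 # drop failures older than the lockout window
        if len(q) >= threshold and key not in tripped:
            tripped[key] = ev["ts"]     # first moment this source would lock the account
    return {k: (totals[k], when) for k, when in tripped.items()}


if __name__ == "__main__":
    for (ip, account), (n, when) in find_lockout_risks(SAMPLE_LOG).items():
        print(f"{ip} -> {account}: {n} failures, lockout threshold reached at {when:%H:%M:%S}")
```

Run as-is, the script reports only the 203.0.113.45 source hammering the BESAdmin account; the two Administrator failures from 198.51.100.7 are 50 minutes apart and never accumulate inside a 30-minute window. The point of keying on (source IP, account) rather than account alone is that the output is directly usable as a block list (firewall, IPsec filter, or an RDP front-end filter such as the SecureRDP tool mentioned later in the thread) without touching the account's own lockout policy.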
Gerwin Jansen, EE MVE, Topic Advisor
Most Valuable Expert 2016

Commented:
I remember that a virus or trojan tries that to get access to your system(s). I think it was Conficker. Are your systems fully patched?

Author

Commented:
Yes, fully patched and with the latest service packs. We also have antivirus and anti malware software running on every machine.
Gerwin Jansen, EE MVE, Topic Advisor
Most Valuable Expert 2016

Commented:
What is the account name? Is the name easy to guess for the malware/virus that is trying to get access? You could maybe remove the account and create a new one with the same rights/access level.
Author

Commented:
The account is for our BES server, so it can't be changed. I was just hoping there was a way to have the local terminal services machine look at the user/pw before passing it on to AD for authentication, a sort of "extra filter".
Gerwin Jansen, EE MVE, Topic Advisor
Most Valuable Expert 2016

Commented:
Ok, looks like you have to make sure that access to your system is made more secure. I've found this article: http://www.mobydisk.com/techres/securing_remote_desktop.html - it is about changing RDP port number and encrypting the connection. I haven't tried what is described there, but it makes sense to me.

Author

Commented:
Thanks, I will take a look!
If this is 2003, simply look for SecureRDP on Google. We wrote this utility several years ago, before 2X acquired my company. If you cannot find it, just let me know.
It will allow you to filter the RDP incoming connections based on several things, from MAC address to usernames, and if they do not meet the criteria, they will not even see the logon window that would trigger an AD query.

Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP
And a quick note: changing your RDP port and encryption buys you nothing in this case. First of all, if there is indeed someone trying to break in, they can simply run a Nessus scan against the IP and find out the port RDP is listening on.
The encryption does indeed help reduce the chances of a MITM attack. But again, you are on 2003 and RDP in that particular version is known for having issues, even though I have never seen a real case of RDP hacking in the wild. It was always down to simple usernames/passwords really and never a true RDP exploit.

Just my $0.02.

Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP

Author

Commented:
I had looked at that program online (awesome piece of software by the way), but it hadn't mentioned being able to filter by username, so I passed it by. I will take a look at it and see if it can filter by username. Thanks!
We wrote the tool. It can filter by username. :-)

Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP

Author

Commented:
Awesome! Thanks!
