Start Free TrialLog in
Avatar of Maddoghoek77
Maddoghoek77Flag for United States of America

asked on 

RDP Login attack causing account lockout.

We are running a server (Win2K3) for RDP/terminal services. Every so often (there is no pattern, unfortunately) one of out accounts keeps getting logged out due to bad passwords. I have shut off terminal services for the account in AD, but the login attempts are still polling AD, and therefore locking the account out. Looking at the event logs, this appears to be an attempt to brute force into the network. The logs show the source IP address(s) coming from other countries and all that jazz. We have password policies set up (lockout, strong password requirements, etc...), so I am not too worried about a break in, I just need the lockout to stop occuring.

Is there a way to prevent this from occuring (aside from restricting IP addresses, etc...)? I was hoping there was a way to have the RDP/terminal services server recognize that this login is not allowed to use any "remote services" and stop hitting AD.

I tried adding the username to the terminal services permissions and then denying all, but it still hits AD.

The long and short of it is that I am looking for a way to restrict access based on the username supplied at the RDP server level rather than having it hit AD. Does anyone know of a way to do this?

Thanks in advance!
Microsoft Server OSWindows Server 2003
Avatar of undefined
Last Comment
Maddoghoek77
Avatar of Gerwin Jansen
Gerwin Jansen
Flag of Netherlands image
I remember that a virus or trojan is trying that to get access to your system(s). I think it was conficker, are your systems fully patched?
Avatar of Maddoghoek77
Maddoghoek77
Flag of United States of America image

ASKER

Yes, fully patched and with the latest service packs. We also have antivirus and anti malware software running on every machine.
Avatar of Gerwin Jansen
Gerwin Jansen
Flag of Netherlands image
What is the account name? Is the name easy to guess for the malware/virus that is trying to get access? You could maybe remove the account and and create a new one with the same rights/access level.
Avatar of Maddoghoek77
Maddoghoek77
Flag of United States of America image

ASKER

The account is for our BES server, so it can't be changed. I was just hoping there was a way to have the local terminal services machine look at the user/pw before passing it on to AD for authentication, a sort of "extra filter".
Avatar of Gerwin Jansen
Gerwin Jansen
Flag of Netherlands image
Ok, looks like you have to make sure that access to your system is made more secure. I've found this article: http://www.mobydisk.com/techres/securing_remote_desktop.html - it is about changing RDP port number and encrypting the connection. I haven't tried what is described there, but it makes sense to me.
Avatar of Maddoghoek77
Maddoghoek77
Flag of United States of America image

ASKER

Thanks, I will take a look!
Avatar of Cláudio Rodrigues
Cláudio Rodrigues
Flag of Canada image
If this is 2003, simply look for SecureRDP on google. We wrote this utility several years ago, before 2X acquired my company. If you cannot find it, just let me know.
It will allow you to filter the RDP incoming connections based on several things, from MAC address to usernames and if they do not meet the criteria, they will not even see the logon window that would trigger an AD query.

Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP
ASKER CERTIFIED SOLUTION
Avatar of Cláudio Rodrigues
Cláudio Rodrigues
Flag of Canada image
Blurred text
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of Maddoghoek77
Maddoghoek77
Flag of United States of America image

ASKER

I had looked at that program online (awesome piece of software by the way), but it hadn't mentioned being able to filter by username, so I passed it by. I will take a look at it and see if it can filter by username. Thanks!
Avatar of Cláudio Rodrigues
Cláudio Rodrigues
Flag of Canada image
We wrote the tool. It can filter by username. :-)

Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP
Avatar of Maddoghoek77
Maddoghoek77
Flag of United States of America image

ASKER

Awesome! Thanks!
Windows Server 2003
Windows Server 2003

Windows Server 2003 was based on Windows XP and was released in four editions: Web, Standard, Enterprise and Datacenter. It also had derivative versions for clusters, storage and Microsoft’s Small Business Server. Important upgrades included integrating Internet Information Services (IIS), improvements to Active Directory (AD) and Group Policy (GP), and the migration to Automated System Recovery (ASR).

129K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
Ask the experts

  • "Invaluable tool for our organization"

    Josh Regalski

  • "Your help has saved me hundreds of hours of internet surfing."

    @fblack61

  • "Just a dang good service!"

    @golferski

  • "Worth every penny."

    Steve Hougom

  • "It’s been a life saver."

    Maria Halt

  • "Best support site I’ve seen!"

    Bob Schneider

  • "I would be lost without them."

    @fblack61

  • "Saved my job multiple times."

    Walt Forbes

  • "I love this site."

    Maria Duwe

  • "Friendly respectful help."

    Andrew Kowtalo

  • "Such top-notch experts."

    @magento

  • "The best money I have ever spent."

    @rwheeler23

  • "Beyond any comprehensible value"

    George Morris

  • "Invaluable tool for our organization"

    Josh Regalski

Read over 600 more reviews

TRUSTED BY

IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo
© 1996-2023 Experts Exchange, LLC. All rights reserved. Covered by US Patent