Maddoghoek77 asked:
RDP Login attack causing account lockout.

We are running a server (Win2K3) for RDP/terminal services. Every so often (there is no pattern, unfortunately) one of our accounts keeps getting logged out due to bad passwords. I have shut off terminal services for the account in AD, but the login attempts are still polling AD, and therefore locking the account out. Looking at the event logs, this appears to be an attempt to brute force into the network. The logs show the source IP address(es) coming from other countries and all that jazz. We have password policies set up (lockout, strong password requirements, etc...), so I am not too worried about a break in, I just need the lockout to stop occurring.

Is there a way to prevent this from occurring (aside from restricting IP addresses, etc...)? I was hoping there was a way to have the RDP/terminal services server recognize that this login is not allowed to use any "remote services" and stop hitting AD.

I tried adding the username to the terminal services permissions and then denying all, but it still hits AD.

The long and short of it is that I am looking for a way to restrict access based on the username supplied at the RDP server level rather than having it hit AD. Does anyone know of a way to do this?

Thanks in advance!
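A triage script for the event-log pattern the question describes, added here as an example (it is not from the thread and not part of any tool named in it): it parses failed RDP logons, counts per-source attempts against the locked-out account inside a time window, and reports the sources that would on their own trip the lockout threshold, which is the list an admin would feed to a firewall rule or an RDP-level filter. Windows Server 2003 logs a bad-password logon as Security event 529 and a Terminal Services logon as logon type 10; everything else here is constructed: the one-line log layout, the account name `besadmin`, the source addresses and the thresholds. A real 2003 Security log export is multi-line, so the regular expression would need to be adapted to the export format actually in use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, loosely modelled on a Windows Server 2003
# Security log export (event 529 = logon failure, unknown user name or bad
# password; logon type 10 = RemoteInteractive, i.e. RDP/Terminal Services).
# Addresses and account names are made up for the example.
SAMPLE_LOG = """\
2010-03-04 02:15:07 529 Logon Failure User Name: besadmin Source Network Address: 203.0.113.45 Logon Type: 10
2010-03-04 02:15:09 529 Logon Failure User Name: besadmin Source Network Address: 203.0.113.45 Logon Type: 10
2010-03-04 02:15:12 529 Logon Failure User Name: besadmin Source Network Address: 203.0.113.45 Logon Type: 10
2010-03-04 02:15:14 529 Logon Failure User Name: besadmin Source Network Address: 203.0.113.45 Logon Type: 10
2010-03-04 02:15:17 529 Logon Failure User Name: administrator Source Network Address: 203.0.113.45 Logon Type: 10
2010-03-04 02:16:02 529 Logon Failure User Name: besadmin Source Network Address: 198.51.100.7 Logon Type: 10
2010-03-04 02:16:05 529 Logon Failure User Name: besadmin Source Network Address: 198.51.100.7 Logon Type: 10
2010-03-04 08:41:33 529 Logon Failure User Name: jsmith Source Network Address: 10.0.0.22 Logon Type: 10
2010-03-04 09:02:10 528 Successful Logon User Name: jsmith Source Network Address: 10.0.0.22 Logon Type: 10
"""

# Matches the constructed one-line layout above (hypothetical format).
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>\d+) .*?"
    r"User Name: (?P<user>\S+) Source Network Address: (?P<src>\S+) Logon Type: (?P<ltype>\d+)$"
)


def parse_events(text):
    """Yield one dict per line that matches the constructed format."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield {
                "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                "event": int(m.group("event")),
                "user": m.group("user").lower(),
                "src": m.group("src"),
                "logon_type": int(m.group("ltype")),
            }


def failed_rdp_logons(events):
    """Keep only bad-password failures (529) that arrived over RDP (type 10)."""
    return [e for e in events if e["event"] == 529 and e["logon_type"] == 10]


def lockout_sources(events, account, threshold, window_minutes):
    """Return {source_ip: total_failures} for every source that produced at
    least `threshold` failures against `account` inside some span of
    `window_minutes`, i.e. the sources that alone would trip a lockout
    policy with that threshold and observation window."""
    by_src = defaultdict(list)
    for e in failed_rdp_logons(events):
        if e["user"] == account.lower():
            by_src[e["src"]].append(e["ts"])
    window = timedelta(minutes=window_minutes)
    offenders = {}
    for src, stamps in by_src.items():
        stamps.sort()
        best, j = 0, 0
        # Sliding window over sorted timestamps: j only ever moves forward.
        for i in range(len(stamps)):
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            offenders[src] = len(stamps)
    return offenders


def other_accounts_tried(events, src):
    """Distinct account names a source failed against. A spread of names
    points to guessing; a single name from an internal address is more
    likely a stale saved credential on a client."""
    return sorted({e["user"] for e in failed_rdp_logons(events) if e["src"] == src})


if __name__ == "__main__":
    evs = list(parse_events(SAMPLE_LOG))
    hits = lockout_sources(evs, "besadmin", threshold=3, window_minutes=30)
    for src, n in sorted(hits.items()):
        print(f"{src}: {n} failed RDP logons for besadmin; accounts tried: {other_accounts_tried(evs, src)}")
```

With the sample above, only 203.0.113.45 crosses a three-failure threshold (four failures in ten seconds, plus a try at `administrator`); 198.51.100.7 stays below it and the internal client with a single failure is left alone, which is the distinction that matters before blocking anything.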
Gerwin Jansen:
I remember that a virus or trojan is trying that to get access to your system(s). I think it was conficker, are your systems fully patched?
Maddoghoek77 (asker):
Yes, fully patched and with the latest service packs. We also have antivirus and anti malware software running on every machine.
What is the account name? Is the name easy to guess for the malware/virus that is trying to get access? You could maybe remove the account and create a new one with the same rights/access level.
The account is for our BES server, so it can't be changed. I was just hoping there was a way to have the local terminal services machine look at the user/pw before passing it on to AD for authentication, a sort of "extra filter".
Ok, looks like you have to make sure that access to your system is made more secure. I've found this article: http://www.mobydisk.com/techres/securing_remote_desktop.html - it is about changing RDP port number and encrypting the connection. I haven't tried what is described there, but it makes sense to me.
Thanks, I will take a look!
If this is 2003, simply look for SecureRDP on google. We wrote this utility several years ago, before 2X acquired my company. If you cannot find it, just let me know.
It will allow you to filter the RDP incoming connections based on several things, from MAC address to usernames and if they do not meet the criteria, they will not even see the logon window that would trigger an AD query.

Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP
ASKER CERTIFIED SOLUTION by Cláudio Rodrigues
I had looked at that program online (awesome piece of software by the way), but it hadn't mentioned being able to filter by username, so I passed it by. I will take a look at it and see if it can filter by username. Thanks!
We wrote the tool. It can filter by username. :-)

Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP
Awesome! Thanks!