Maddoghoek77
asked on
RDP Login attack causing account lockout.
We are running a server (Win2K3) for RDP/terminal services. Every so often (there is no pattern, unfortunately) one of out accounts keeps getting logged out due to bad passwords. I have shut off terminal services for the account in AD, but the login attempts are still polling AD, and therefore locking the account out. Looking at the event logs, this appears to be an attempt to brute force into the network. The logs show the source IP address(s) coming from other countries and all that jazz. We have password policies set up (lockout, strong password requirements, etc...), so I am not too worried about a break in, I just need the lockout to stop occuring.
Is there a way to prevent this from occuring (aside from restricting IP addresses, etc...)? I was hoping there was a way to have the RDP/terminal services server recognize that this login is not allowed to use any "remote services" and stop hitting AD.
I tried adding the username to the terminal services permissions and then denying all, but it still hits AD.
The long and short of it is that I am looking for a way to restrict access based on the username supplied at the RDP server level rather than having it hit AD. Does anyone know of a way to do this?
Thanks in advance!
Is there a way to prevent this from occuring (aside from restricting IP addresses, etc...)? I was hoping there was a way to have the RDP/terminal services server recognize that this login is not allowed to use any "remote services" and stop hitting AD.
I tried adding the username to the terminal services permissions and then denying all, but it still hits AD.
The long and short of it is that I am looking for a way to restrict access based on the username supplied at the RDP server level rather than having it hit AD. Does anyone know of a way to do this?
Thanks in advance!
I remember that a virus or trojan is trying that to get access to your system(s). I think it was conficker, are your systems fully patched?
ASKER
Yes, fully patched and with the latest service packs. We also have antivirus and anti malware software running on every machine.
What is the account name? Is the name easy to guess for the malware/virus that is trying to get access? You could maybe remove the account and and create a new one with the same rights/access level.
ASKER
The account is for our BES server, so it can't be changed. I was just hoping there was a way to have the local terminal services machine look at the user/pw before passing it on to AD for authentication, a sort of "extra filter".
Ok, looks like you have to make sure that access to your system is made more secure. I've found this article: http://www.mobydisk.com/techres/securing_remote_desktop.html - it is about changing RDP port number and encrypting the connection. I haven't tried what is described there, but it makes sense to me.
ASKER
Thanks, I will take a look!
If this is 2003, simply look for SecureRDP on google. We wrote this utility several years ago, before 2X acquired my company. If you cannot find it, just let me know.
It will allow you to filter the RDP incoming connections based on several things, from MAC address to usernames and if they do not meet the criteria, they will not even see the logon window that would trigger an AD query.
Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP
It will allow you to filter the RDP incoming connections based on several things, from MAC address to usernames and if they do not meet the criteria, they will not even see the logon window that would trigger an AD query.
Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
I had looked at that program online (awesome piece of software by the way), but it hadn't mentioned being able to filter by username, so I passed it by. I will take a look at it and see if it can filter by username. Thanks!
We wrote the tool. It can filter by username. :-)
Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP
Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP
ASKER
Awesome! Thanks!