Brute force attacks on Terminal Server

Posted on 2012-09-12
Last Modified: 2012-09-17

We have Terminal Servers with port 3389 open on the Internet and we see tens of thousands of failed logins on the server logs.

Is there any suggestion to slow down these (dictionary?) attacks?

The TS server is running on Windows 2008 STD x64, our firewall can only drop packets if it is more than 10 pkt/s.

Question by:sidartra
    LVL 6

    Assisted Solution

    There are a number of open-source and commercial resources for Linux servers that assist with banning such attacks. This may be a possible solution for your Windows server, similar to fail2ban:
    LVL 9

    Assisted Solution

    by:Ashok Dewan
    You can ban that particular IP address. But if the attacks come from different IPs, then you can change the username of the user against which these attacks have happened. If you are using administrator, then you can disable the administrator account and provide a different user account with admin rights to your clients to connect to the terminal server.
    LVL 6

    Accepted Solution

    Disable ping to your external IP,

    so when these attackers do searches for IPs they won't get a ping response and so assume it's offline.

    Author Comment

    OK, so it seems Windows Server does not have any built-in defense for brute force, like slowing down the password retries etc.

    We have already set the firewall to ignore external pings, however this remote access / terminal server is on the DNS entry.
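
A fail2ban-style check of the kind suggested in the first answer, as an added example that is not part of the original thread: it counts failed logons per source address in a sliding window and builds a Windows Firewall block rule for each offender. The log line format, the thresholds and the rule name `rdp-ban` are assumptions made for the illustration, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: "<timestamp> <event id> <source ip> <account>".
# 4625 is the Windows "account failed to log on" event; 4624 is a success.
SAMPLE_LOG = """\
2012-09-12T03:14:01 4625 203.0.113.45 administrator
2012-09-12T03:14:03 4625 203.0.113.45 admin
2012-09-12T03:14:05 4625 203.0.113.45 administrator
2012-09-12T03:14:09 4625 198.51.100.7 jsmith
2012-09-12T03:14:11 4625 203.0.113.45 backup
2012-09-12T03:14:15 4625 203.0.113.45 test
2012-09-12T03:20:00 4624 198.51.100.7 jsmith
2012-09-12T09:00:02 4625 not-an-ip administrator
"""

def find_offenders(log_text, max_failures=5, window=timedelta(minutes=10),
                   allowlist=()):
    """Return {ip: time the threshold was reached} for every source with
    max_failures failed logons inside one sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    offenders = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "4625":
            continue              # only failed logons count
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            ip = str(ipaddress.ip_address(parts[2]))
        except ValueError:
            continue              # skip malformed records
        if ip in allowlist or ip in offenders:
            continue              # never ban known-good or already banned
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()        # drop failures older than the window
        if len(hits) >= max_failures:
            offenders[ip] = when
    return offenders

def block_rule(ip):
    """netsh advfirewall command that drops inbound traffic from ip."""
    ip = ipaddress.ip_address(ip)  # validate before building a command line
    return ('netsh advfirewall firewall add rule name="rdp-ban {0}" '
            'dir=in action=block remoteip={0}'.format(ip))
```

Putting the addresses you administer from in `allowlist` keeps a mistyped password from locking you out of the server.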

