
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1187

Brute force attacks on Terminal Server

We have Terminal Servers with port 3389 open on the Internet and we see tens of thousands of failed logins on the server logs.

Is there any suggestion to slow down these (dictionary?) attacks?

The TS server is running on Windows 2008 STD x64; our firewall can only drop packets if the rate is more than 10 pkt/s.

3 Solutions
There are a number of open-source and commercial resources for Linux servers that assist with banning such attacks. This may be a possible solution for your Windows server, similar to fail2ban: http://www.digitalruby.com/securing-your-windows-dedicated-server/

Ashok Dewan Commented:
You can ban that particular IP address. But if the attacks come from different IPs, then you can change the username of the user for which these attacks have happened. If you are using administrator, then you can disable the administrator account and provide a different user account with admin rights to your clients to connect to the terminal server.

Disable ping to your external IP,

so when these attackers do searches for IPs they won't get a ping response and so assume it's offline.

sidartra (Author) Commented:
OK, so it seems Windows server does not have any built-in defense for brute force like slowing down the password retries etc.

We have already set the firewall to ignore external pings, however this remote access / terminal server is on the DNS entry.
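
The fail2ban-style approach from the first answer, as an added example that is not part of the original thread and is not code from the linked tool: it counts failed logons (Security log Event ID 4625) per source IP in a sliding window and builds `netsh advfirewall` block rules for the offenders. The CSV export layout, the sample events, the threshold of 5 failures in 10 minutes and the rule name are assumptions.

```python
import csv
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: Security log events exported as
# "time,event_id,account,source_ip". Addresses are documentation ranges.
SAMPLE_EVENTS = """\
2014-03-01T10:00:01,4625,administrator,203.0.113.5
2014-03-01T10:00:03,4625,admin,203.0.113.5
2014-03-01T10:00:04,4624,jsmith,198.51.100.7
2014-03-01T10:00:06,4625,test,203.0.113.5
2014-03-01T10:00:09,4625,jsmith,198.51.100.7
2014-03-01T10:00:10,4625,user,203.0.113.5
2014-03-01T10:00:12,4625,backup,203.0.113.5
2014-03-01T10:20:00,4625,jsmith,198.51.100.7
"""
FAILED_LOGON = "4625"  # Windows event ID for a failed logon

def find_offenders(text, max_failures=5, window=timedelta(minutes=10)):
    """Return source IPs with >= max_failures failed logons inside the window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    offenders = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 4 or row[1] != FAILED_LOGON:
            continue  # skip malformed rows and non-failure events
        try:
            ip = str(ipaddress.ip_address(row[3].strip()))
        except ValueError:
            continue  # never pass an unparsed log field to a command line
        when = datetime.fromisoformat(row[0])
        times = recent[ip]
        times.append(when)
        while when - times[0] > window:
            times.popleft()  # forget failures older than the window
        if len(times) >= max_failures and ip not in offenders:
            offenders.append(ip)
    return offenders

def block_commands(ips):
    """Build Windows Firewall commands that drop inbound traffic from each IP."""
    return ['netsh advfirewall firewall add rule name="RDP brute force {0}" '
            'dir=in action=block remoteip={0}'.format(ip) for ip in ips]

if __name__ == "__main__":
    for cmd in block_commands(find_offenders(SAMPLE_EVENTS)):
        print(cmd)
```

The legitimate user at 198.51.100.7 mistypes a password twice, 20 minutes apart, and is not banned because the earlier failure has aged out of the window.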
