Solved

Brute force attack on RDP Server

Posted on 2013-01-10
Last Modified: 2013-01-15
Hi,

We have an RDP broker that load balances to about 10 Windows 2008 VMs, on the regular 3389 RDP port. The users are very low-tech people.

We were seeing brute force attacks coming in to an RDP broker; these have stopped after turning on NLA on the servers. However, that brings to light an architecture question: should we close the RDP port and migrate all the users to using VPN, or put in place a firewall that can detect these types of attacks and block them? What other options are there? Thanks!
Question by:sbsc
 
LVL 14

Accepted Solution

by:
BlueCompute earned 500 total points
ID: 38763674
Several options are available here:
1) Run RDP on a non-standard port - this can dramatically reduce failed login attempts.
2) Use a perimeter security device with the capability to detect and block such connections
3) Use a 3rd party software product to dynamically ban the attacking IPs.
4) Configure strong password policies and account lockout policies, then just ignore the brute force attacks.  If you set e.g. 4 password attempts then a 10 minute lockout, it becomes very, very unfeasible for a brute-force / dictionary attack to succeed.
5) Use VPN.  This isn't usually encouraged because it potentially allows access to the whole internal network rather than just a specifically published service.
 
LVL 13

Expert Comment

by:upalakshitha
ID: 38763676
If you close port 3389 and map another port to 3389, it will be very easy for you rather than changing the current setup: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_27959615.html#a38672260
If you do not like it simply ignore.
Thanks
 

Author Comment

by:sbsc
ID: 38764094
BlueCompute - what devices have you used to detect these IPS's? This company has a Sonicwall 3060 but I don't know if it supports the modules needed. I know Checkpoint has it; you are talking about just a standard IPS? There's also a Cisco ASA5510 we can use there but it doesn't have the IPS module.
 
LVL 14

Expert Comment

by:BlueCompute
ID: 38764769
Hi sbsc.

Sorry, I've not configured this on a UTM / IPD / IPS because we use non-standard ports and password policies to the extent that it's not been an issue (yet).

I'm pretty sure that you can do what's needed with the ASA but you'd probably need the IPS module.  I'm not a Cisco configuration guy so I can't give you the config, but you want any IP that makes more than say 3 connections on 3389 in one minute to be blocked for say 20 minutes.

It looks like the Juniper IDP series has a specific signature for this: https://services.netscreen.com/idpupdates/attackDescriptions.html#APP:RDP-BRUTE-FORCE
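The rate rule described in the last comment (more than 3 connections to 3389 from one IP in one minute, blocked for 20 minutes), written out in Python as an added example that is not part of the original thread and is not any vendor's configuration. The log format, the function name `evaluate` and the sample entries are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_CONNS = 3                      # "more than say 3 connections"
WINDOW = timedelta(minutes=1)      # "in one minute"
BLOCK_FOR = timedelta(minutes=20)  # "blocked for say 20 minutes"
RDP_PORT = 3389

# Constructed sample log: timestamp, source IP, destination port.
# Addresses come from the reserved documentation ranges.
SAMPLE_LOG = """\
2013-01-10T09:00:00 203.0.113.7 3389
2013-01-10T09:00:05 198.51.100.20 3389
2013-01-10T09:00:10 203.0.113.7 3389
2013-01-10T09:00:20 203.0.113.7 3389
2013-01-10T09:00:30 203.0.113.7 3389
2013-01-10T09:00:40 203.0.113.7 3389
2013-01-10T09:05:00 198.51.100.20 3389
2013-01-10T09:10:00 198.51.100.20 443
2013-01-10T09:21:00 203.0.113.7 3389
"""

def evaluate(log_text):
    """Return (blocks, decisions) for the RDP connections in log_text.

    blocks: [(ip, block_start, block_end)]; decisions: [(timestamp, ip, verdict)].
    """
    recent = defaultdict(deque)  # ip -> timestamps of connections inside the window
    blocked_until = {}           # ip -> time the current block expires
    blocks, decisions = [], []
    for line in log_text.splitlines():
        ts_text, ip, port = line.split()
        if int(port) != RDP_PORT:
            continue  # the rule only watches the RDP port
        ts = datetime.fromisoformat(ts_text)
        if ip in blocked_until and ts < blocked_until[ip]:
            decisions.append((ts_text, ip, "drop"))  # still inside an active block
            continue
        window = recent[ip]
        while window and ts - window[0] >= WINDOW:
            window.popleft()  # forget connections older than one minute
        window.append(ts)
        if len(window) > MAX_CONNS:
            blocked_until[ip] = ts + BLOCK_FOR
            blocks.append((ip, ts, blocked_until[ip]))
            window.clear()  # start counting afresh once the block expires
            decisions.append((ts_text, ip, "drop"))
        else:
            decisions.append((ts_text, ip, "allow"))
    return blocks, decisions
```

Because the rule counts connections rather than failed logons, many legitimate users behind one NAT address can trip it, so the thresholds need tuning against normal traffic before enforcement.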
