Solved

Brute force attack on RDP Server

Posted on 2013-01-10
Last Modified: 2013-01-15
Hi,  

We have an RDP broker that load balances to about 10 Windows 2008 VMs, on the regular 3389 RDP port. The users are very low-tech people.

We were seeing brute force attacks coming in to an RDP broker; these have stopped after turning on NLA on the servers. However, that brings to light an architecture question: should we close the RDP port and migrate all the users to using VPN, or put in place a firewall that can detect these types of attacks and block them? What other options are there? Thanks!
Question by:sbsc
 
LVL 14

Accepted Solution

by:
BlueCompute earned 500 total points
ID: 38763674
Several options are available here:
1) Run RDP on a non-standard port - this can dramatically reduce failed login attempts.
2) Use a perimeter security device with the capability to detect and block such connections.
3) Use a third-party software product to dynamically ban the attacking IPs.
4) Configure strong password policies and account lockout policies, then just ignore the brute force attacks.  If you set e.g. 4 password attempts then a 10 minute lockout, it becomes very, very unfeasible for a brute-force / dictionary attack to succeed.
5) Use VPN.  This isn't usually encouraged because it potentially allows access to the whole internal network rather than just a specifically published service.
0
 
LVL 13

Expert Comment

by:upalakshitha
ID: 38763676
If you close port 3389 and map another port to 3389, it will be very easy for you rather than changing the current setup: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_27959615.html#a38672260
If you do not like it, simply ignore it.
Thanks
0
 

Author Comment

by:sbsc
ID: 38764094
BlueCompute - what devices have you used to detect these IPS's? This company has a Sonicwall 3060 but I don't know if it supports the modules needed.  I know Checkpoint has it; are you talking about just a standard IPS? There's also a Cisco ASA5510 we can use there but it doesn't have the IPS module.
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 38764769
Hi sbsc.

Sorry, I've not configured this on a UTM / IPD / IPS because we use non-standard ports and password policies to the extent that it's not been an issue (yet).

I'm pretty sure that you can do what's needed with the ASA but you'd probably need the IPS module.  I'm not a Cisco configuration guy so I can't give you the config, but you want any IP that makes more than say 3 connections on 3389 in one minute to be blocked for say 20 minutes.

It looks like the Juniper IPD series has a specific signature for this: https://services.netscreen.com/idpupdates/attackDescriptions.html#APP:RDP-BRUTE-FORCE
0
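The rate rule suggested in the comment above (any IP making more than 3 connections to 3389 in one minute is blocked for 20 minutes), run over a connection log as an added example that is not part of the original thread and not any vendor's configuration. The log format, the sample lines, the documentation-range IP addresses and the `evaluate` function are constructed for illustration; timestamps are assumed to arrive in order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)     # "in one minute"
MAX_CONNS = 3                     # "more than say 3 connections"
BAN_TIME = timedelta(minutes=20)  # "blocked for say 20 minutes"

# Constructed sample: "<ISO timestamp> <source IP> <destination port>"
SAMPLE_LOG = """\
2013-01-10T09:00:00 198.51.100.7 3389
2013-01-10T09:00:05 203.0.113.20 3389
2013-01-10T09:00:10 198.51.100.7 3389
2013-01-10T09:00:20 198.51.100.7 3389
2013-01-10T09:00:30 198.51.100.7 3389
2013-01-10T09:00:40 198.51.100.7 3389
2013-01-10T09:10:00 203.0.113.20 3389
2013-01-10T09:21:00 198.51.100.7 3389
"""

def evaluate(log_text, port=3389):
    """Return (decisions, bans) for a time-ordered connection log."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned_until = {}             # ip -> time at which the ban expires
    decisions, bans = [], []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[2] != str(port):
            continue              # skip malformed lines and other ports
        ts, ip = datetime.fromisoformat(fields[0]), fields[1]
        if ip in banned_until and ts < banned_until[ip]:
            decisions.append((ts, ip, "DROP"))   # still inside the ban
            continue
        banned_until.pop(ip, None)               # ban (if any) has expired
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= WINDOW:               # slide the one-minute window
            q.popleft()
        if len(q) > MAX_CONNS:                   # threshold exceeded: ban
            banned_until[ip] = ts + BAN_TIME
            bans.append((ip, ts, ts + BAN_TIME))
            q.clear()
            decisions.append((ts, ip, "DROP"))
        else:
            decisions.append((ts, ip, "ALLOW"))
    return decisions, bans

if __name__ == "__main__":
    for ts, ip, verdict in evaluate(SAMPLE_LOG)[0]:
        print(ts.isoformat(), ip, verdict)
```

In the sample, the address that reconnects every ten seconds is banned on its fourth connection and allowed again only after the 20 minutes have passed, while the address that connects twice ten minutes apart is never blocked.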
