Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1678
  • Last Modified:

Brute force attack on RDP Server

Hi,  

we have a RDP broker that load balances to about 10 windows 2008 VM's, on the regular 3389 RDP Port.  The users are very low-tech people.

We were seeing a brute force attacks coming in to a RDP broker, these have stopped after turning on NLA on the servers, however that brings to light a architecture question, should we close the RDP port and migrate all the users to using VPN, or put in place a firewall that can detect these type of attacks and block them, what other options are there?  thanks!
0
sbsc
Asked:
sbsc
  • 2
1 Solution
 
BlueComputeCommented:
Several options are available here:
1) Run RDP on a non-standard port - this can dramatically reduce failed login attempts.
2) Use a perimeter security device with the capability to detect and block such connections
3) Use a 3rd party software product to dynamically ban the attacking IPs.
4) Configure strong password policies and account lockout policies, then just ignore the brute force attacks.  If you set eg. 4 password attempts then a 10 minute lockout it becomes very very unfeasible for a brute-force / dictionary attack to succeed.
5) Use VPN.  This isn't usually encouraged because it potentially allows access to the whole internal network rather than just a specifically published service.
0
 
upalakshithaCommented:
If you close 3389 port & map anothor port to 3389 it will very easy for you rather than changing current setup http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_27959615.html#a38672260
If you do not like it simply ignore.
Thanks
0
 
sbscAuthor Commented:
BlueCompute - what devices have you used to detect these IPS's? this company has a Sonicwall 3060 but I dont know if it supports the modules needed.  I know Checkpoint has it, you are talknig just a standard IPS? there's also a Cisco ASA5510 we can use there but it doesnt have the IPS module.
0
 
BlueComputeCommented:
Hi sbsc.

Sorry, I've not configured this on a UTM / IPD / IPS because we use non-standard ports and password policies to the extent that it's not been an issue (yet).

I'm pretty sure that you can do what's needed with the ASA but you'd probably need the IPS module.  I'm not a cisco configuration guy so I can't give you the config, but you want any IP that makes more than say 3 connections on 3389 in one minute to be blocked for say 20 minutes.

It looks like the Juniper IPD series has a specific signature for this: https://services.netscreen.com/idpupdates/attackDescriptions.html#APP:RDP-BRUTE-FORCE
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now