Solved

Brute force attack on RDP Server

Posted on 2013-01-10
4
1,631 Views
Last Modified: 2013-01-15
Hi,  

we have a RDP broker that load balances to about 10 windows 2008 VM's, on the regular 3389 RDP Port.  The users are very low-tech people.

We were seeing a brute force attacks coming in to a RDP broker, these have stopped after turning on NLA on the servers, however that brings to light a architecture question, should we close the RDP port and migrate all the users to using VPN, or put in place a firewall that can detect these type of attacks and block them, what other options are there?  thanks!
0
Comment
Question by:sbsc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 14

Accepted Solution

by:
BlueCompute earned 500 total points
ID: 38763674
Several options are available here:
1) Run RDP on a non-standard port - this can dramatically reduce failed login attempts.
2) Use a perimeter security device with the capability to detect and block such connections
3) Use a 3rd party software product to dynamically ban the attacking IPs.
4) Configure strong password policies and account lockout policies, then just ignore the brute force attacks.  If you set eg. 4 password attempts then a 10 minute lockout it becomes very very unfeasible for a brute-force / dictionary attack to succeed.
5) Use VPN.  This isn't usually encouraged because it potentially allows access to the whole internal network rather than just a specifically published service.
0
 
LVL 13

Expert Comment

by:upalakshitha
ID: 38763676
If you close 3389 port & map anothor port to 3389 it will very easy for you rather than changing current setup http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_27959615.html#a38672260
If you do not like it simply ignore.
Thanks
0
 

Author Comment

by:sbsc
ID: 38764094
BlueCompute - what devices have you used to detect these IPS's? this company has a Sonicwall 3060 but I dont know if it supports the modules needed.  I know Checkpoint has it, you are talknig just a standard IPS? there's also a Cisco ASA5510 we can use there but it doesnt have the IPS module.
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 38764769
Hi sbsc.

Sorry, I've not configured this on a UTM / IPD / IPS because we use non-standard ports and password policies to the extent that it's not been an issue (yet).

I'm pretty sure that you can do what's needed with the ASA but you'd probably need the IPS module.  I'm not a cisco configuration guy so I can't give you the config, but you want any IP that makes more than say 3 connections on 3389 in one minute to be blocked for say 20 minutes.

It looks like the Juniper IPD series has a specific signature for this: https://services.netscreen.com/idpupdates/attackDescriptions.html#APP:RDP-BRUTE-FORCE
0

Featured Post

 Watch the Recording: Learning MySQL 5.7

MySQL 5.7 has a lot of new features. If you've dabbled with an older version of MySQL, it is definitely worth learning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question