Solved

Brute force attack on RDP Server

Posted on 2013-01-10
Last Modified: 2013-01-15
Hi,

We have an RDP broker that load balances to about 10 Windows 2008 VMs, on the regular 3389 RDP port.  The users are very low-tech people.

We were seeing brute force attacks coming in to the RDP broker. These have stopped after turning on NLA on the servers. However, that brings to light an architecture question: should we close the RDP port and migrate all the users to using VPN, or put in place a firewall that can detect these types of attacks and block them? What other options are there?  Thanks!
Question by:sbsc
4 Comments
 
LVL 14

Accepted Solution

by:
BlueCompute earned 500 total points
ID: 38763674
Several options are available here:
1) Run RDP on a non-standard port - this can dramatically reduce failed login attempts.
2) Use a perimeter security device with the capability to detect and block such connections.
3) Use a 3rd party software product to dynamically ban the attacking IPs.
4) Configure strong password policies and account lockout policies, then just ignore the brute force attacks.  If you set e.g. 4 password attempts then a 10-minute lockout, it becomes very very unfeasible for a brute-force / dictionary attack to succeed.
5) Use VPN.  This isn't usually encouraged because it potentially allows access to the whole internal network rather than just a specifically published service.
 
LVL 13

Expert Comment

by:upalakshitha
ID: 38763676
If you close port 3389 and map another port to 3389, it will be very easy for you, rather than changing the current setup: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_27959615.html#a38672260
If you do not like it simply ignore.
Thanks
 

Author Comment

by:sbsc
ID: 38764094
BlueCompute - what devices have you used to detect these IPS's? This company has a Sonicwall 3060 but I don't know if it supports the modules needed.  I know Checkpoint has it. You are talking just a standard IPS? There's also a Cisco ASA5510 we can use there but it doesn't have the IPS module.
 
LVL 14

Expert Comment

by:BlueCompute
ID: 38764769
Hi sbsc.

Sorry, I've not configured this on a UTM / IDP / IPS because we use non-standard ports and password policies to the extent that it's not been an issue (yet).

I'm pretty sure that you can do what's needed with the ASA but you'd probably need the IPS module.  I'm not a Cisco configuration guy so I can't give you the config, but you want any IP that makes more than say 3 connections on 3389 in one minute to be blocked for say 20 minutes.

It looks like the Juniper IDP series has a specific signature for this: https://services.netscreen.com/idpupdates/attackDescriptions.html#APP:RDP-BRUTE-FORCE
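
The blocking rule described in the comment above (more than 3 connections to 3389 from one IP within one minute, blocked for 20 minutes), sketched as detection logic. This is an added example, not part of the original thread and not any vendor's configuration; the log format, sample lines and function name are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_CONN = 3                        # "more than say 3 connections"
WINDOW = timedelta(minutes=1)       # "in one minute"
BLOCK_FOR = timedelta(minutes=20)   # "blocked for say 20 minutes"
RDP_PORT = 3389

# Constructed sample connection log: timestamp, source IP, destination port.
SAMPLE_LOG = """\
2013-01-10T09:00:00 198.51.100.20 3389
2013-01-10T09:00:05 203.0.113.7 3389
2013-01-10T09:00:10 203.0.113.7 3389
2013-01-10T09:00:15 203.0.113.7 3389
2013-01-10T09:00:20 203.0.113.7 3389
2013-01-10T09:00:25 203.0.113.7 3389
2013-01-10T09:05:00 198.51.100.20 3389
2013-01-10T09:10:00 198.51.100.20 443
2013-01-10T09:21:00 203.0.113.7 3389
"""

def evaluate(log_text):
    """Return (blocks, decisions): block intervals and a verdict per log line."""
    recent = defaultdict(deque)   # ip -> connection times still inside the window
    blocked_until = {}            # ip -> time at which the current block expires
    blocks, decisions = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_s, ip, port = line.split()
        ts = datetime.fromisoformat(ts_s)
        if int(port) != RDP_PORT:
            decisions.append((ts_s, ip, "ignored"))   # rule only covers RDP
            continue
        if ip in blocked_until and ts < blocked_until[ip]:
            decisions.append((ts_s, ip, "dropped"))   # block still in force
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= WINDOW:              # expire entries older than 1 min
            q.popleft()
        if len(q) > MAX_CONN:                         # 4th connection inside the window
            blocked_until[ip] = ts + BLOCK_FOR
            blocks.append((ip, ts, blocked_until[ip]))
            q.clear()
            decisions.append((ts_s, ip, "blocked"))
        else:
            decisions.append((ts_s, ip, "allowed"))
    return blocks, decisions
```

On the sample log, the occasional user at 198.51.100.20 is never blocked, while 203.0.113.7 is blocked on its fourth connection and admitted again only after the 20 minutes have elapsed.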