Dana D asked:

How to better secure my terminal server as it keeps on getting brute force attacked.

My terminal server has been attacked several times now with brute force attack software, which I keep finding on the terminal server via antivirus scans.

It is on the standard RDP port of 3389 and I wondered if someone could suggest a step by step guide on how to better protect it.

I understand that you could move it to another port but am not aware of what this entails or how you would go about choosing another port and configuring that port in the router/switch?

I have a Windows Server 2003 R2 Standard Edition terminal server.
ASKER CERTIFIED SOLUTION (Timothy McCartney)
Dana D (ASKER)

Thanks for the suggestion tracerfet, but I am looking for a complete step by step guide for Windows Server 2003, and the article you posted is for Windows Server 2000.

I am also looking for a bit more guidance beyond just a KB article.

Thanks for your understanding!
SOLUTION
Security by obscurity is never a good practice. By moving the port all you are doing is making things just slightly, oh so slightly, harder. This may stop some script kiddies, but it is not a long term solution.

Using a VPN is a much better solution. Or even using a Remote Desktop Gateway server. You are convinced that a brute strength attack is in progress. So what is your account lockout policy? Three tries and then lock out the account for 15 minutes is a workable business plan. It gives your users 3 tries to log in, and after that they have to wait 15 minutes. This allows a maximum of 12 tries / hour or 288 tries / day. You can make it 3 tries and then totally lock out the account, which forces the user to contact the help desk to unlock the account. You can scale up or down to suit your business requirements.

Are you enforcing a strong password policy? How often do users have to change their passwords? Do you enforce a password minimum age and password history to prevent users from changing their password, say, once every 6 months and then immediately changing the password back to their favorite password? You can buy add-ons that check the passwords for common dictionary words and disallow them.

Security and ease of access are items in conflict: the more you increase one, the more you lower the other proportionally.

If you use a gateway web server you could configure it to use certificates only for login. Installing a certificate server is free, but there is a learning curve in setting it up. If the user doesn't have a computer/personal certificate then they can't log in using their web browser to initiate the RDS session.

I once had a SQL server that was exposed to the internet using the common port of 1433, and I had thousands of failed attempted logins to the SA account. Considering that I used only Windows Authentication and no SA authentication, I found it rather annoying. I lodged a complaint with the IP address owner (ISP) and sent them some logs, and the attempts started to dwindle. I never had to go through the legal route, though that option exists. The ISPs weren't always cooperative, but a letter on legal stationery (golf buddy is a lawyer) got their attention.

You have a lot more options other than trying out security through obscurity.
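Added example, not part of the original thread or any poster's answer: the steps the answer above recommends (account lockout, password policy, putting RDP behind a VPN, reporting the attacking addresses) as the commands you would actually run on a Windows Server 2003 R2 terminal server. It assumes PowerShell 1.0 is installed on the 2003 box (it was a separate download, not in-box), that you run it as a local Administrator, that the accounts are local (for domain accounts add /domain to the net accounts lines and run them where domain policy is set), and that the VPN client subnet in $VpnSubnet is a placeholder to replace with your own. Every step calls a native Windows tool (net, netsh, reg), so the same lines also work from cmd.exe.

```powershell
# Added example (not from the original thread): hardening an Internet-exposed
# Windows Server 2003 R2 terminal server along the lines of the answer above.
# Assumptions: PowerShell 1.0 installed, run as local Administrator, local accounts,
# $VpnSubnet is a made-up VPN client pool you must replace.

$LockoutThreshold = 3        # "three tries" from the answer
$LockoutMinutes   = 15       # account stays locked 15 min; failure-count window is the same length
$VpnSubnet        = "10.8.0.0/255.255.255.0"   # ASSUMED VPN client subnet; replace with yours
$RdpPort          = 3389

function Set-LockoutAndPasswordPolicy {
    # Account lockout: 3 bad passwords within 15 min locks the account for 15 min,
    # which caps an online guesser at 12 tries/hour (288/day) per account.
    # /lockoutwindow must not exceed /lockoutduration.
    net accounts /lockoutthreshold:$LockoutThreshold /lockoutduration:$LockoutMinutes /lockoutwindow:$LockoutMinutes

    # Password policy: 12+ chars, 90-day maximum age, 1-day minimum age (stops
    # change-and-change-back), 24-password history so favourites cannot be recycled.
    net accounts /minpwlen:12 /maxpwage:90 /minpwage:1 /uniquepw:24

    net accounts      # echo the effective policy for the change record
}

function Restrict-RdpToVpn {
    # Windows Firewall (2003 SP1 and later): allow TCP/3389 only from the VPN client subnet,
    # so the Internet-facing attacker never reaches the logon prompt at all.
    # Do this only after the VPN is up and tested from outside, or you lock yourself out.
    # 'delete' fails harmlessly if there was no previous rule for the port.
    netsh firewall delete portopening protocol=TCP port=$RdpPort
    netsh firewall add portopening protocol=TCP port=$RdpPort name="RDP (VPN clients only)" mode=ENABLE scope=CUSTOM addresses=$VpnSubnet
    netsh firewall set opmode mode=ENABLE
}

function Move-RdpPort {
    param([int]$NewPort)
    # The "obscurity" step the question asks about. It only changes what scanners must find;
    # keep the lockout policy and firewall scope regardless. Takes effect after a reboot, and
    # the router port-forward and the clients (mstsc /v:host:PORT) must use the same port.
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d $NewPort /f
}

function Get-FailedRdpLogonsBySource {
    param([int]$Newest = 5000)
    # Tally failed RDP logons per source address, the evidence the answer sent to the ISP.
    # On 2003 a bad user name/password is Security event 529; Logon Type 10 is Terminal
    # Services, and that message carries a "Source Network Address" line.
    # Requires "Audit logon events: Failure" enabled in Local Security Policy first.
    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $_.EventID -eq 529 -and $_.Message -match "Logon Type:\s+10" } |
        ForEach-Object {
            if ($_.Message -match "Source Network Address:\s+(\S+)") { $matches[1] } else { "unknown" }
        } |
        Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
}

# Suggested order: policy first, then VPN-scope the firewall, then review who has been knocking.
Set-LockoutAndPasswordPolicy
Restrict-RdpToVpn
Get-FailedRdpLogonsBySource | Format-Table -AutoSize
# Move-RdpPort -NewPort 33890   # optional; uncomment once the router forward is changed to match
```

Run Restrict-RdpToVpn from a session that does not depend on the 3389 path you are about to close (console, or the VPN itself), and check `net accounts` output afterwards: a lockout threshold of "Never" means the policy did not apply, typically because the server is a domain member and the setting must be made in domain Group Policy instead.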