Several times a day RDP Guard shows multiple logins (hundreds), like a brute force

I have a customer who runs (no, I didn't set it up) Windows 7 / thin-client stuff and RDP Guard.
What is happening is that several times a day RDP Guard shows multiple logins (hundreds), like a brute force, then RDP Guard blocks IP addresses, many of them being local machines that are not even turned on, and at least several times a day it also blocks itself, 127.0.0.1.

I went last night to help him and scanned for viruses, rootkits and malware, ran SFC, the Baseline Security Analyzer and the Microsoft Safety Scanner; all came up empty with no issues,
but the attacks continue. I have also checked the local machine for scripts etc.

I ran port scans on the firewall and found only 2 open ports, one going to a camera and one for RDP that points to the machine.

In addition I have been told by my friend that even if you remove the network cable, RDP Guard and the Windows Resource Monitor still show as if attacks are happening and RDP Guard continues blocking IP addresses, so this is why I have focused on the local machine as the issue or as having some sort of bug.


Any suggestions of where I should look next?

Tarris89 asked:

btan (Exec Consultant) commented:
I see that RDPGuard (lock out after x, or 3 by default, attempts) does not seem to work if the attempts are made with a username that is unknown to the system. Of course no harm is possible, but they still fill up the Security log.

If I were to change the RDP default (3389) listening port, update the FW and add the port suffix on the RDP clients, I guess the attempts may disappear or be reduced. Also, RDPGuard uses the Windows default FW rule, and if we see there are related RDP denials it may otherwise not be seeing them; we may want to make sure the FW rules are not allowing some local IP address or application unnecessarily, causing RDP Guard to keep flagging.

Likewise, if we check the event log there should be corresponding failed logon attempts (e.g. event ID 4625) if we turn off the RDPGuard Windows service; otherwise I do see the possibility of a false positive. Strange that localhost is the source; I suspect there is a certain service persistently attempting logons at that RDP port using some user ID.

Tarris89 (author) commented:
Changing the port does not do anything, because even if you unplug the network it still shows attacks and blocks IP addresses (local and Internet), so it has to be something running on the machine. The only issue there is that all scans come up clean, even checking for boot-time scripts etc.

I will keep checking. I also tried to remove RDP Guard and do a fresh install of it, but that didn't help.

btan (Exec Consultant) commented:
I was thinking, if we were to log in to safe mode, would the login attempts still be as pervasive? I would also want to check the startup programs. Maybe what we should do is really find out what process is behind this ...

e.g. Show if any process is listening on port 1433 (in our case it may be the RDP port), for example:
c:\temp> netstat -ano | find /I "1433" | find /I "LISTEN"
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING 6244

e.g. Using tlist or Task Manager one can find the process from the PID (last column) of the above command:
c:\temp> tlist | find /I "6244"
6244 sqlservr.exe

e.g. To stop the process: taskkill /PID {process id}
If it works, a message stating "SUCCESS: The process with PID {PID} has been terminated." is shown.

Another useful tool is the PsTools suite, just to sieve more things out:
http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

e.g. PsList - list detailed information about processes
e.g. PsService - view and control services
e.g. PsLoggedOn - see who's logged on locally and via resource sharing (full source is included)
Tarris89 (author) commented:
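The two steps btan describes above (check the Security log for event 4625, then tie the listening port back to a PID) can be done in one pass from PowerShell. The script below is an added example for this thread, not code from btan, from RDPGuard or from the original page. It assumes an elevated PowerShell on the affected Windows 7 machine, the Security log held locally, and RDP on the default port 3389 (set $RdpPort if the port was moved). The 4625 fields it reads (TargetUserName, LogonType, IpAddress, WorkstationName, ProcessName, ProcessId, SubStatus) are the standard EventData fields Windows writes for that event; the sub-status text table covers the commonly documented NTSTATUS values only.

```powershell
# Added example, not code from the thread or from RDPGuard: attribute failed logons
# (Security event 4625) to a source host, a logon type and, for local callers, the
# process that made the call, then map the RDP listening port to its owning PID.
# Assumptions: elevated PowerShell on the affected machine, local Security log,
# RDP on the default port 3389 (change $RdpPort if it was moved).

$RdpPort = 3389
$Since   = (Get-Date).AddHours(-24)

# Sub-status values Windows records in 4625 (documented NTSTATUS codes).
$SubStatusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
}

function Get-FailedLogon {
    param([datetime]$StartTime)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $StartTime }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The EventData fields are only reachable through the XML rendering.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $sub = ''
        if ($d['SubStatus']) { $sub = $SubStatusText[$d['SubStatus'].ToLower()] }
        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            User        = $d['TargetUserName']
            LogonType   = $d['LogonType']      # 10 = RDP session, 3 = network (also NLA-protected RDP), 2 = console
            SourceIP    = $d['IpAddress']      # '-' when no network client is involved
            Workstation = $d['WorkstationName']
            CallerExe   = $d['ProcessName']    # winlogon.exe for RDP/console; a local process calling LogonUser names itself here
            CallerPid   = $d['ProcessId']      # hex string, 0x0 when not applicable
            Reason      = $sub
        }
    }
}

function Get-ListenerOnPort {
    param([int]$Port)
    # netstat -ano is parsed because Get-NetTCPConnection does not exist on Windows 7.
    foreach ($line in (netstat -ano)) {
        if ($line -match "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)\s*$") {
            $procId = [int]$matches[1]
            $p = Get-Process -Id $procId -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Port = $Port
                PID  = $procId
                Name = $(if ($p) { $p.ProcessName } else { '?' })
                Path = $(if ($p) { $p.Path } else { '?' })
            }
        }
    }
}

# 1. Who is failing to log on, from where, and through which logon path?
#    Entries with SourceIP '-' or 127.0.0.1 and a CallerExe other than winlogon.exe
#    point at a local process generating the failures itself.
$failed = Get-FailedLogon -StartTime $Since
"Failed logons since $Since : $(@($failed).Count)"
$failed | Group-Object SourceIP, LogonType, CallerExe |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Which accounts are being tried, and why do they fail?
$failed | Group-Object User, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Which process owns the RDP listener? On a stock Windows 7 box this is svchost.exe
#    hosting TermService; anything else, or a second listener on the same port, deserves a look.
Get-ListenerOnPort -Port $RdpPort | Format-Table -AutoSize
```

Run it with the network cable unplugged as the thread suggests: if the 4625 count keeps climbing while SourceIP is '-' or 127.0.0.1, the CallerExe and CallerPid columns name the local process to hand to taskkill or to PsList, which is the information RDPGuard's block list alone does not give you.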
Although the above solutions did help, the final answer, after spending time with some antivirus and malware companies and spending a few hundred dollars, was that they found a bug but could not tell us what it was or help us remove it. We ended up changing the port for RDP and doing a complete reinstall of the system and software.
Problem solved.

Thank you guys