We have a hosted server running Windows Server 2008 R2 that approximately 60 users access via RDP from approximately 8 locations. We were recently the target of an RDP brute force attack on that server, which caused major instability for our users and in most cases disconnected/blocked access to it.
After identifying the issue, we blocked the offending IP via Windows Firewall, but were attacked later that day from a different IP, which we also blocked, and have since received no further attempts.
I was, up to that point, not familiar with this sort of exploit, and have since done some homework on how to prevent such attacks, but haven't found a perfect solution for our configuration. I would like to note that the attacks were originating from any number of very high ports, and obviously being directed at 3389, which is currently not configured to block other ports from accessing it.
Would setting a rule to only allow access TO local port 3389 FROM remote port 3389 be the best solution, or would that cause some sort of malfunction I'm not taking into consideration?
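
The source-port behaviour this question turns on, shown as an added example that is not part of the original post: a client's TCP source port is assigned by its operating system from the ephemeral range, so legitimate RDP clients also arrive from high ports. The loopback listener on an OS-chosen port stands in for the RDP listener on 3389, and the function names are hypothetical.

```python
import socket

def observed_source_ports(n_clients=5):
    """Accept n_clients loopback connections and record the source port of each."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(5)
    srv.bind(("127.0.0.1", 0))      # port 0: the OS picks a free port (stand-in for 3389)
    srv.listen(n_clients)
    service_port = srv.getsockname()[1]
    clients, ports = [], []
    try:
        for _ in range(n_clients):
            # An ordinary client: it does not choose its source port, the OS does.
            clients.append(socket.create_connection(("127.0.0.1", service_port), timeout=5))
            conn, (_remote_ip, remote_port) = srv.accept()
            ports.append(remote_port)   # what a firewall would see as the "remote port"
            conn.close()
    finally:
        for c in clients:
            c.close()
        srv.close()
    return service_port, ports

def rule_allows(remote_port, required_remote_port):
    """Rule proposed in the question: allow only when remote port == service port."""
    return remote_port == required_remote_port

def evaluate(n_clients=5):
    """Apply the proposed rule to every legitimate connection that was observed."""
    service_port, ports = observed_source_ports(n_clients)
    allowed = sum(1 for p in ports if rule_allows(p, service_port))
    return {
        "service_port": service_port,
        "source_ports": ports,
        "allowed": allowed,
        "blocked": len(ports) - allowed,
    }

if __name__ == "__main__":
    result = evaluate()
    print("service port :", result["service_port"])
    print("source ports :", result["source_ports"])
    print("allowed/blocked under the proposed rule:",
          result["allowed"], "/", result["blocked"])
```

Every connection here is a well-behaved client, and the proposed rule rejects all of them, so a source-port match cannot separate the users from the brute-force traffic.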