How to Enable and Configure MS VPN (RRAS) Brute-Force Protection.
RdpGuard
Intrusion prevention system for your Windows Server
 

MS VPN (RRAS) Protection Settings


Protection Overview

RdpGuard protects Microsoft VPN (RRAS) from brute-force attacks by monitoring failed VPN authentication attempts in Windows event logs. When the number of failed attempts from a single IP address reaches the configured limit, RdpGuard blocks that IP address.

The MS VPN detection engine monitors failed RemoteAccess events, including Event ID 20271, and related IPsec authentication failures, including Event ID 4652.


To Enable and Configure MS VPN Protection

1. Start RdpGuard Dashboard and click the link next to MS VPN (RRAS).


Click the MS VPN (RRAS) link

2. The MS VPN Settings dialog will open.


MS VPN (RRAS) Settings Dialog

3. Select Enable MS VPN protection and click Save. RdpGuard will save the settings and restart the service.


Exclusion Rules

MS VPN exclusion rules allow you to skip selected failed VPN authentication events before they are counted by RdpGuard. They are useful when a known user or a known server-side authentication condition should not trigger automatic blocking.

To configure exclusion rules, click Exclusions.. at the bottom of the MS VPN Settings dialog.


MS VPN Exclusion Rules

Each rule is a set of key-value conditions. Supported operators are = and !=. Wildcards are supported in values.

Each rule must start on a new line. Multiple rules are combined with the OR operator. Multiple conditions inside one rule are separated by commas and combined with the AND operator.

For example:

TargetDomainName=domain,TargetUserName=myloginname
User=domain\myloginname
IpAddress=5.128.80.34,TargetUserName=admin
FailureReason=*password combination*

The example above means: skip the event if it matches the domain/user pair, OR if the raw user value is domain\myloginname, OR if it came from 5.128.80.34 for user admin, OR if the failure reason contains password combination.
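
The OR/AND evaluation described above, as an added example (not RdpGuard's own code): a small Python checker that dry-runs the page's four rules against constructed events and reports which rule, if any, would skip each one. It assumes that only * is a wildcard, that matching is case-insensitive, and that a missing field compares as empty; parse_rules, condition_holds, excluding_rule and the sample events are hypothetical.

```python
import re

# Rules copied from the page's example: one rule per line.
RULES_TEXT = r"""TargetDomainName=domain,TargetUserName=myloginname
User=domain\myloginname
IpAddress=5.128.80.34,TargetUserName=admin
FailureReason=*password combination*"""

def parse_rules(text):
    """Parse rule text into a list of rules, each a list of (key, op, pattern)."""
    rules = []
    for line in filter(str.strip, text.splitlines()):   # ignore blank lines
        rule = []
        for cond in line.split(","):
            key, _, pattern = cond.partition("=")
            key = key.strip()
            op = "!=" if key.endswith("!") else "="     # "Key!=v" splits as "Key!" + "v"
            rule.append((key.rstrip("!").strip(), op, pattern.strip()))
        rules.append(rule)
    return rules

def condition_holds(event, key, op, pattern):
    # Assumptions (not documented on the page): only "*" is a wildcard, matching
    # is case-insensitive, and a field missing from the event compares as "".
    regex = re.escape(pattern).replace(r"\*", ".*")
    hit = re.fullmatch(regex, event.get(key, ""), re.I | re.S) is not None
    return hit if op == "=" else not hit

def excluding_rule(event, rules):
    """Return the 1-based number of the first rule that skips the event, or None."""
    for number, rule in enumerate(rules, 1):
        if all(condition_holds(event, *cond) for cond in rule):  # AND inside a rule
            return number                                        # OR across rules
    return None

# Constructed sample events (field values are made up for illustration).
EVENTS = [
    {"User": r"domain\myloginname", "TargetDomainName": "domain",
     "TargetUserName": "myloginname", "IpAddress": "203.0.113.10"},
    {"TargetUserName": "admin", "IpAddress": "5.128.80.34"},
    {"TargetUserName": "guest", "IpAddress": "198.51.100.7",
     "FailureReason": "The user name and password combination is not recognized"},
    {"TargetUserName": "admin", "IpAddress": "198.51.100.7"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["IpAddress"], "->", excluding_rule(ev, parse_rules(RULES_TEXT)))
```

In this constructed run the fourth rule skips a failed logon from an address that appears in no other rule, because it tests only the failure text; the last event matches nothing and would still be counted.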


EventData Fields Available for Rules

RdpGuard matches exclusion rules against Windows EventData fields. For Event ID 20271, Windows does not provide named EventData fields, so RdpGuard creates convenient names from the event values.

Event ID 20271, RemoteAccess

  • ConnectionId or SessionId - connection/session identifier from the event
  • User - raw user value as recorded by Windows, for example domain\myloginname
  • TargetDomainName - domain part extracted from User, when the user value contains a domain
  • TargetUserName - username extracted from User
  • IpAddress or IPString - remote IP address
  • FailureReason or Reason - authentication failure reason text
  • ErrorCode - error code recorded by Windows
  • Binary - binary payload value from the event

Event ID 4652, IPsec

For Event ID 4652, Windows provides named EventData fields. Commonly useful fields include:

  • TargetUserName
  • TargetDomainName
  • IpAddress or IPString
  • FailureReason
  • FailureReasonShort - short normalized reason added by RdpGuard, for example IKEAuthCredentialsUnacceptable

The exact fields may depend on the Windows version and the event details. If you need a very specific rule, open the event in Event Viewer, switch to Details, then XML View, and use the field names from the EventData section.

Copyright © 2012-2026 Netsdk Software FZE. All rights reserved.  Terms of Use.  Privacy Policy.