RDP Brute-Force Protection Configuration
RdpGuard detects and blocks dictionary-based brute-force attacks against RDP Server. It works with all RDP Security layers: RDP Security Layer, Negotiate, SSL (TLS)
To enable RDP protection
1. Start RdpGuard Dashboard and click Tools, Options
Click Tools, Options
2. RdpGuard Options dialog will appear, open the Monitoring tab
RdpGuard Monitoring Options
3. Check Enable RDP protection
4. Click Save. RdpGuard service will be restarted.
RDP protection Configuration
Important note: information below applies for RdpGuard on Windows Server 2008 and Windows Server 2008 R2 only. Additional configuration for RDP protection is not required for other Windows versions.
1. Click Tools, Options, Monitoring
2. Click the configure.. link:
Click the configure link
RDP Settings dialog will open:
RDP Detection Engine Settings
As you probably know, Windows 2008 (and 2008 R2) do not write attacker's IP address to Security event log when RDP connections is made via TLS/SSL.
To work-around this issue, RdpGuard uses alternate approaches to detect incoming RDP connections when TLS or Negotiate security layer is selected for RDP encryption.
These approaches are:
Monitoring via Raw Sockets
This monitoring method works on Windows Server 2008 R2 only if there are no 3-rd party firewalls or anti-viruses installed. It works out of the box and doesn't require any addional software.
Addresses to monitor
When Monitoring via Raw Sockets is enabled, RdpGuard listens on RDP port for an each IP address associated with the machine. This may affect server performance if there are high number of IP addresses associated with the machine.
In order to avoid performance decrease, you may consider limiting the number of IP addresses available for RDP connection:
- Open the Windows Firewall MMC (wf.msc)
- Select the Inbound Rules section
- Get the properties of the Remote Desktop (TCP-In) rule
- On the Scope tab, choose the option to select specific IP's in the "Local IP Address" section
- Add the IP address that you want to allow RDP connections to connect to
When you done with the firewall configuration, you may update addresses to monitor in RdpGuard.
3. Click Save to close this dialog and Save to close the RdpGuard Options dialog.
Monitoring via WinPcap
This monitoring method works on all Windows Server 2008 editions but requires additional software installation. You need to install WinPcap from http://winpcap.org
After installing WinPcap restart RdpGuard Service via the Tools menu.
If you choose Monitoring Method via WinPcap, you will see the following changes:
RDP Detection Engine Settings when Monitoring via WinPcap is selected
3. Select the network interface for monitoring and click Save.