RdpGuard is security software that protects RDP (Remote Desktop Protocol) servers from brute-force attacks.
It monitors the RDP server for failed login attempts and automatically blocks IP addresses
that exceed a configured number of failed attempts.
Here's how RdpGuard protects against brute-force attacks on RDP:
- Monitors failed login attempts: RdpGuard continuously monitors the RDP server for failed login attempts.
Each time a login attempt fails, RdpGuard records the IP address of the client that attempted the login.
- Blocks IP addresses: once the number of failed login attempts from a particular IP address exceeds the configured threshold,
RdpGuard automatically blocks that address, preventing further login attempts from it.
- Configurable blocking settings: you can configure RdpGuard to block IP addresses for a specific period of time,
and you can specify the maximum number of failed login attempts allowed before an address is blocked.
- Real-time alerts: RdpGuard provides real-time alerts and notifications when an IP address is blocked,
allowing you to take immediate action and investigate any potential security breach.
By automatically blocking IP addresses that exceed the maximum number of failed login attempts,
RdpGuard helps prevent brute-force attacks on RDP servers. This reduces the risk of unauthorized
access and helps keep your system secure.
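The threshold-and-lockout logic described above, written out as an added PowerShell example (this is not RdpGuard's own code). It scores Windows Security log failed-logon events (Event ID 4625) against an attempts threshold inside a counting window, reports addresses that cross it with a block-until time, and separately counts events that carry no source address, which is the condition the RDP settings section below says should make you enable traffic monitoring. The threshold values, the function names and the sample events are all assumptions constructed for the illustration; the only real cmdlets used are Get-WinEvent and New-NetFirewallRule.

```powershell
# Added example, not RdpGuard's own code: score Security-log failed-logon events
# (Event ID 4625) against a failure threshold and counting window, the logic the
# page attributes to RdpGuard. All thresholds below are illustrative assumptions.
$MaxFailedAttempts = 5     # failures allowed from one address before it is blocked
$WindowMinutes     = 10    # failures are counted inside this trailing window
$BlockMinutes      = 60    # how long a blocked address stays blocked

# Flattens a live 4625 record into the three fields the scoring needs. The client
# address is the event's IpAddress data item and reads '-' when Windows did not
# record one. Usage on a real server (not run in this sample):
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 500 | ConvertFrom-4625Event
function ConvertFrom-4625Event {
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    process {
        $data = @{}
        foreach ($item in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        [pscustomobject]@{ TimeCreated = $Record.TimeCreated; IpAddress = $data['IpAddress']; TargetUserName = $data['TargetUserName'] }
    }
}

# True when the event actually names a client address ('' and '-' both mean "unknown").
function Test-HasSource([string] $IpAddress) {
    -not [string]::IsNullOrWhiteSpace($IpAddress) -and $IpAddress -ne '-'
}

# Constructed sample events in the flattened shape (TEST-NET addresses, not real clients).
$now = Get-Date
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = $now.AddMinutes(-9);  IpAddress = '203.0.113.5';  TargetUserName = 'administrator' }
    [pscustomobject]@{ TimeCreated = $now.AddMinutes(-8);  IpAddress = '203.0.113.5';  TargetUserName = 'admin' }
    [pscustomobject]@{ TimeCreated = $now.AddMinutes(-7);  IpAddress = '203.0.113.5';  TargetUserName = 'user' }
    [pscustomobject]@{ TimeCreated = $now.AddMinutes(-6);  IpAddress = '203.0.113.5';  TargetUserName = 'test' }
    [pscustomobject]@{ TimeCreated = $now.AddMinutes(-5);  IpAddress = '203.0.113.5';  TargetUserName = 'guest' }
    [pscustomobject]@{ TimeCreated = $now.AddMinutes(-4);  IpAddress = '-';            TargetUserName = 'admin' }    # no source address recorded
    [pscustomobject]@{ TimeCreated = $now.AddMinutes(-3);  IpAddress = '198.51.100.7'; TargetUserName = 'jsmith' }   # a single typo, not an attack
    [pscustomobject]@{ TimeCreated = $now.AddMinutes(-45); IpAddress = '192.0.2.9';    TargetUserName = 'admin' }    # outside the counting window
)

function Get-BruteForceSources {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int]      $MaxFailed = $MaxFailedAttempts,
        [int]      $Window    = $WindowMinutes,
        [datetime] $AsOf      = (Get-Date)
    )
    $cutoff = $AsOf.AddMinutes(-$Window)
    $recent = @($Events | Where-Object { $_.TimeCreated -ge $cutoff })

    # Events without a source address cannot be attributed to a client, so they are
    # counted but never blocked; per the page they are the cue to enable traffic monitoring.
    $unattributed = @($recent | Where-Object { -not (Test-HasSource $_.IpAddress) }).Count

    $offenders = $recent |
        Where-Object { Test-HasSource $_.IpAddress } |
        Group-Object -Property IpAddress |
        Where-Object { $_.Count -ge $MaxFailed } |
        ForEach-Object {
            [pscustomobject]@{
                IpAddress  = $_.Name
                Failures   = $_.Count
                UsersTried = ($_.Group.TargetUserName | Sort-Object -Unique) -join ','
                BlockUntil = $AsOf.AddMinutes($BlockMinutes)
            }
        }

    [pscustomobject]@{ Offenders = @($offenders); UnattributedEvents = $unattributed }
}

# Enforcement the way RdpGuard automates it: a temporary inbound block rule for one
# address. Needs an elevated shell; remove the rule again once BlockUntil has passed.
function Block-SourceAddress {
    param([Parameter(Mandatory)] [string] $IpAddress, [Parameter(Mandatory)] [datetime] $Until)
    New-NetFirewallRule -DisplayName "BruteForce block $IpAddress" -Direction Inbound `
        -RemoteAddress $IpAddress -Action Block -Description "Blocked until $Until" | Out-Null
}

$result = Get-BruteForceSources -Events $SampleEvents -AsOf $now
$result.Offenders | Format-Table -AutoSize
if ($result.UnattributedEvents -gt 0) {
    Write-Warning "$($result.UnattributedEvents) failed logon(s) had no source address; consider enabling traffic monitoring."
}
# To enforce, run the line below (not executed by default so the sample has no side effects):
#   $result.Offenders | ForEach-Object { Block-SourceAddress -IpAddress $_.IpAddress -Until $_.BlockUntil }
```

With the constructed events, only 203.0.113.5 reaches the five-failure threshold; the single failure from 198.51.100.7 is ignored, the old failure from 192.0.2.9 falls outside the window, and the event with a '-' source address is reported through the warning rather than blocked. The one-off block rule is deliberately kept in a separate function so that the scoring can be run read-only against real Get-WinEvent output first.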
To enable and configure RDP protection:
1. Start RdpGuard Dashboard and click the link next to RDP.
[Screenshot: RDP Protection link in RdpGuard Dashboard]
2. An RDP Settings dialog will open:
[Screenshot: RDP Detection Engine Settings]
Enable RDP protection - tick this checkbox to enable event-log based RDP protection.
When it is set, RdpGuard monitors the system event logs for failed login attempt events.
Enable traffic monitoring - when this checkbox is set, RdpGuard also monitors RDP traffic using
one of the methods described below.
As you probably know, Windows Server 2008 (and 2008 R2) does not write the attacker's IP address to the
Security event log when an RDP connection is made over TLS/SSL.
To work around this, RdpGuard uses an alternative, traffic-based approach to detect failed RDP connections over TLS.
You usually do not need to enable traffic monitoring on Windows Server 2012 and later,
as the log-based approach usually covers 100% of failed login attempts on these editions.
However, some setups produce Security event log entries with an empty source network address.
If you observe 4625 events in the Security event log with an empty source network address, please enable traffic monitoring.
Raw Sockets - may not work on Windows Server 2008 (except R2) or alongside third-party firewalls and antivirus software.
It may also perform slowly on heavily loaded servers and is not recommended for high-bandwidth setups.
Monitoring via WinPcap
This monitoring method works on all editions of Windows Server 2008, but it requires additional software:
you need to download and install WinPcap.
It works faster than Raw Sockets and consumes fewer resources, so we recommend this monitoring method.
3. Specify one or multiple RDP ports to monitor (you can skip this step if you are using RDP on a single port).
4. Click Save to save changes and restart the RdpGuard service.
Monitoring via Raw Sockets
This monitoring method works on Windows Server 2008 R2 only if no third-party firewalls
or antivirus products are installed. It works out of the box and doesn't require any additional software.
It may be slow on heavily loaded servers and is not recommended for high-bandwidth setups.
Addresses to monitor
When monitoring via Raw Sockets is enabled, RdpGuard listens on the RDP port for each IP address associated with the machine.
This may affect server performance if a large number of IP addresses is associated with the machine.
To avoid the performance hit, consider limiting the number of IP addresses on which RDP connections are accepted:
1. Open the Windows Firewall MMC (wf.msc).
2. Select the Inbound Rules section.
3. Open the properties of the Remote Desktop (TCP-In) rule.
4. On the Scope tab, choose the option to select specific IPs in the "Local IP Address" section.
5. Add the IP address on which you want to accept RDP connections.
When you are done with the firewall configuration, update the addresses to monitor in RdpGuard accordingly.
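The same scope restriction applied from PowerShell instead of the wf.msc GUI, followed by a check that it took effect. This is an added example, not RdpGuard's own tooling. The rule name is the one used in the steps above (it matches Windows Server 2008 R2; on Windows Server 2012 and later the equivalent built-in rule is "Remote Desktop - User Mode (TCP-In)"), and the address is a placeholder to replace with the local IP that should accept RDP.

```powershell
# Added example, not RdpGuard's own tooling: restrict the built-in RDP rule's
# local address scope from PowerShell, then verify it. The rule name comes from
# the page; the address below is a placeholder, not a real assignment.
$RuleName      = 'Remote Desktop (TCP-In)'
$LocalRdpAddrs = @('203.0.113.10')      # placeholder: local IP(s) that should accept RDP

# Equivalent of: Inbound Rules -> rule properties -> Scope tab -> "Local IP Address" -> these IP addresses
Set-NetFirewallRule -DisplayName $RuleName -LocalAddress $LocalRdpAddrs

# Verify the scope: LocalAddress still reads 'Any' if nothing was applied
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object LocalAddress, RemoteAddress
```

Run it from an elevated shell; Set-NetFirewallRule accepts a list, so every address that should keep accepting RDP goes into $LocalRdpAddrs. After the rule is narrowed, the "Addresses to monitor" list in RdpGuard should be reduced to the same set.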
Exclusions for RDP detection engine
Starting from version 7.8.7, RdpGuard provides a way to exclude some Security log events from processing.
This is useful when you want to protect legitimate users from being blocked
and they can be reliably distinguished by event details.
This is achieved with the Exclusions feature; please check out these instructions for details on the exclusion rule syntax.
"This software is really great. It's a relief. Because my server is constantly under attack. Thanks RdpGuard"
- Joaquim De Sousa Marques
"Nice product. I used to implement something similar in a low-tech and cumbersome manner via a script called
TSBlock (not mine). This makes it much easier and is well worth the price tag for SMBs."
- J. Johnson
"Absolutely amazed at your product. We are a church in the North Dallas area,
and I discovered this morning multiple failed logon attempts via our Remote Access Server.
A friend suggested your product, so I immediately downloaded the trial.
It had a list of about five blocked IP addresses in minutes, and that was enough to
lead me to push the BUY button. Over the past 10-15 minutes the list is now about thirty with at least a
third being international attempts to break into our system.
Thanks for a great product. You may have just saved us much grief."
- John Hallford
"Love the software. RDP on our Windows servers is just ridiculous.
We would block it in the router but we have lots of old-time customers that would have issues."
- Scott Hirsch
"Love the software! Makes it easier than tailoring VB Scripts!!"
- Nick Brennan
"It's a great product - really stopping those RDP attackers :-)"
- Dave, UK
"First of all: Your application is very (!!!) useful and I like it very much securing my 2012 R2 server.
RdpGuard is the best solution I found on the market, and after 10 minutes of testing it I ordered the fully-featured version. :-)"
- Carsten Baltes