How to Enable and Configure RDP Brute-Force Protection. RDP Protection Settings.
RdpGuard
Intrusion prevention system for your Windows Server
RDP Brute-Force Protection Configuration


Protection Overview

RdpGuard is security software that helps protect RDP (Remote Desktop Protocol) servers from brute-force attacks. It works by monitoring the RDP server for failed login attempts and automatically blocking IP addresses that exceed a configured number of failed attempts.

Here's how RdpGuard protects from brute-force attacks on RDP:

  • Monitors failed login attempts: RdpGuard continuously monitors the RDP server for failed login attempts. Each time a login attempt fails, RdpGuard records the IP address of the client attempting the login.
  • Blocks IP addresses: Once the number of failed login attempts from a particular IP address exceeds a certain threshold, RdpGuard automatically blocks that IP address, preventing further login attempts from that address.
  • Configurable blocking settings: You can configure RdpGuard to block IP addresses for a specific period of time. You can also specify the maximum number of failed login attempts allowed before an IP address is blocked.
  • Real-time alerts: RdpGuard provides real-time alerts and notifications when an IP address is blocked, allowing you to take immediate action and investigate any potential security breaches.

By automatically blocking IP addresses that exceed the maximum number of failed login attempts, RdpGuard helps prevent brute-force attacks on RDP servers. This reduces the risk of unauthorized access and helps keep your system secure.


To enable and configure RDP protection

Start the RdpGuard Dashboard and click the link next to RDP.

[Image: RDP Protection Link in RdpGuard Dashboard]

An RDP Settings dialog will open:

[Image: RDP Detection Engine Settings]

Enable RDP protection - tick this checkbox to enable event-log-based RDP protection. If this checkbox is set, RdpGuard monitors the system event logs for failed login attempt events.

Enable traffic monitoring - If this checkbox is set, RdpGuard also monitors RDP traffic using one of the methods described below.

As you probably know, Windows Server 2008 (and 2008 R2) does not write the attacker's IP address to the Security event log when an RDP connection is made via TLS/SSL.

To work around this issue, RdpGuard uses an alternate, traffic-based approach to detect failed RDP connections over TLS.

You usually do not need to enable traffic monitoring on Windows Server 2012 and later, as the log-based approach usually covers 100% of failed login attempts on these editions. However, some setups still produce 4625 events with an empty Source Network Address field in the Security event log.

If you observe 4625 events in the Security event log with an empty Source Network Address, please enable traffic monitoring.
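The check described above, as an added example that is not part of RdpGuard or its documentation: it reads recent 4625 (failed logon) events from the Security log and counts how many carry no Source Network Address, which is the condition under which traffic monitoring should be enabled. It assumes an elevated PowerShell session on the RDP host; the lookback window `$Hours` is an arbitrary value.

```powershell
# Added example (not RdpGuard code): find 4625 events with an empty Source Network Address.
# Assumes an elevated PowerShell session on the RDP server; $Hours is an assumed lookback window.
param([int]$Hours = 24)

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# The IpAddress, LogonType and TargetUserName fields live in the EventData part of the event XML
$rows = @(foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $data['TargetUserName']
        LogonType = $data['LogonType']
        IpAddress = $data['IpAddress']
    }
})

# Windows writes "-" into IpAddress when no source address was recorded
$noAddress = @($rows | Where-Object { [string]::IsNullOrWhiteSpace($_.IpAddress) -or $_.IpAddress -eq '-' })

"{0} failed logons in the last {1} h; {2} of them without a source address" -f $rows.Count, $Hours, $noAddress.Count
$noAddress | Select-Object -First 10 | Format-Table Time, User, LogonType -AutoSize

if ($noAddress.Count -gt 0) {
    'Some 4625 events carry no source address: enable traffic monitoring in the RdpGuard RDP Settings dialog.'
} else {
    'All 4625 events carry a source address: log-based RDP protection alone covers these attempts.'
}
```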

Traffic monitoring methods:

  • WinPcap - works on all editions of Windows, but requires installation of either WinPcap or Npcap. It is faster than Raw Sockets and is the recommended choice.
  • Raw Sockets - may not work on Windows Server 2008 (except R2) or with third-party firewalls and antivirus software. Additionally, it may perform slowly on heavily loaded servers and is not recommended for high-bandwidth setups.

Monitoring via WinPcap

This monitoring method works on all editions of Windows Server 2008, but it requires additional software installation. You need to download and install WinPcap. It works faster than Raw Sockets and consumes fewer resources. We recommend using this monitoring method.

  • Specify one or more RDP ports to monitor (you can skip this step if RDP runs on a single port).
  • Click Save to save the changes and restart the RdpGuard service.

Monitoring via Raw Sockets

This monitoring method works on Windows Server 2008 R2 only if no third-party firewalls or antivirus products are installed. It works out of the box and does not require any additional software. It may run slowly on heavily loaded servers and is not recommended for high-bandwidth setups.

Addresses to monitor

When monitoring via Raw Sockets is enabled, RdpGuard listens on the RDP port for each IP address associated with the machine. This may affect server performance if a large number of IP addresses is associated with the machine.

To avoid a performance decrease, you may consider limiting the number of local IP addresses on which RDP connections are accepted:

  • Open the Windows Firewall MMC (wf.msc)
  • Select the Inbound Rules section
  • Open the properties of the Remote Desktop (TCP-In) rule
  • On the Scope tab, choose the option to select specific IPs in the "Local IP Address" section
  • Add the local IP address(es) on which you want to accept RDP connections

When you are done with the firewall configuration, you may update the addresses to monitor in RdpGuard.
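The same scope change done from the command line, as an added example that is not part of RdpGuard or its documentation: it narrows the built-in "Remote Desktop (TCP-In)" rule to the local addresses in `$AllowedLocal`, showing the scope before and after. The address `192.0.2.10` is a constructed placeholder; run it in an elevated PowerShell session on the RDP host.

```powershell
# Added example (not RdpGuard code): restrict the Remote Desktop (TCP-In) firewall rule
# to specific local addresses, mirroring the wf.msc Scope tab steps above.
# Assumes an elevated PowerShell session; $AllowedLocal holds constructed placeholder values.
$RuleName     = 'Remote Desktop (TCP-In)'
$AllowedLocal = @('192.0.2.10')   # replace with the server address(es) that should accept RDP

# Local IPv4 addresses currently bound to the machine, to pick the allowed one(s) from
Get-NetIPAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, IPAddress | Format-Table -AutoSize

$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop

# Scope before the change ("Any" means RDP is accepted on every local address)
'Before:'
$rule | Get-NetFirewallAddressFilter | Select-Object LocalAddress, RemoteAddress

# Apply the Local IP Address scope; RemoteAddress is left untouched
$rule | Set-NetFirewallRule -LocalAddress $AllowedLocal

# Verify the new scope
'After:'
$rule | Get-NetFirewallAddressFilter | Select-Object LocalAddress, RemoteAddress
```

After the rule is narrowed, update the "Addresses to monitor" list in RdpGuard to the same addresses so Raw Sockets monitoring only listens where RDP is actually accepted.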


Exclusions for RDP detection engine

Starting from version 7.8.7, RdpGuard provides a way to exclude some Security log events from processing. This is useful if you want to protect legitimate users from being blocked and they can be definitively distinguished by event details.

This is done with the Exclusions feature; please refer to the instructions on Exclusion rules syntax for details.

Copyright © 2012-2024 NetSDK Software. All rights reserved.