How to Enable and Configure RDP Brute-Force Protection. RDP Protection Settings.
Intrusion prevention system for your Windows Server

RDP Brute-Force Protection Configuration

Protection Overview

RdpGuard detects and blocks dictionary-based brute-force attacks against RDP Server. It works with all RDP security layers: RDP Security Layer, Negotiate and SSL (TLS).

To enable and configure RDP protection

1. Start the RdpGuard Dashboard and click the link next to RDP.

[Screenshot: RDP Protection Link in RdpGuard Dashboard]

2. An RDP Settings dialog will open:

[Screenshot: RDP Detection Engine Settings]

Enable RDP protection - tick this check-box to enable system event-log based RDP protection. When this check-box is set, RdpGuard monitors the system event logs for failed login attempt events.

Enable traffic monitoring - when this check-box is set, RdpGuard also monitors RDP traffic using one of the methods described below.

As you probably know, Windows Server 2008 (and 2008 R2) do not write the attacker's IP address to the Security event log when the RDP connection is made via TLS/SSL.

To work around this issue, RdpGuard uses an alternate, traffic-based approach to detect failed RDP connections over TLS.

You usually do not need to enable traffic monitoring on Windows Server 2012 and later: the log-based approach usually covers 100% of failed login attempts on these editions. However, there are setups that may result in events with an empty source network address in the Security event log.

If you observe 4625 events in the Security event log with an empty source network address, please enable traffic monitoring.
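To check whether your server is affected before enabling traffic monitoring, the following PowerShell script (an added example, not part of RdpGuard or of this page) counts 4625 events in the Security log whose source network address is missing. It assumes an elevated prompt, a 24-hour look-back window, and that logon types 3 (Network, used with NLA) and 10 (RemoteInteractive) are the ones relevant to RDP.

```powershell
# Added example (not RdpGuard's code): find 4625 events without a source
# network address, which is the condition under which RdpGuard's log-based
# detection cannot identify the attacker and traffic monitoring is needed.
param(
    [int]$Hours = 24   # assumption: look-back window of 24 hours
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

$withAddress    = 0
$missingAddress = @()

foreach ($ev in $events) {
    # 4625 stores its fields as EventData/Data elements; read them into a map.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Assumption: only logon types 3 (Network/NLA) and 10 (RemoteInteractive)
    # correspond to RDP attempts; skip console, service and batch logons.
    if ($data['LogonType'] -notin @('3', '10')) { continue }

    # Windows writes '-' (or nothing at all) when the source address is unknown.
    $ip = $data['IpAddress']
    if ([string]::IsNullOrWhiteSpace($ip) -or $ip -eq '-') {
        $missingAddress += [pscustomobject]@{
            Time      = $ev.TimeCreated
            Account   = $data['TargetUserName']
            LogonType = $data['LogonType']
        }
    } else {
        $withAddress++
    }
}

"RDP-related 4625 events with a source address: $withAddress"
"RDP-related 4625 events with an empty address: $($missingAddress.Count)"
if ($missingAddress.Count -gt 0) {
    "Empty-address events are present; enable traffic monitoring in RdpGuard."
    $missingAddress | Sort-Object Time -Descending |
        Select-Object -First 10 | Format-Table -AutoSize
}
```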

Traffic monitoring methods:

  • Raw Sockets - may not work on Windows Server 2008 (but works on 2008 R2) or with third-party firewalls and antivirus products. It may also be slow on heavily loaded servers. Not recommended for high-bandwidth setups.
  • WinPcap - works on all Windows editions; WinPcap or Npcap must be installed. Works faster than Raw Sockets. Recommended choice.

Monitoring via Raw Sockets

This monitoring method works on Windows Server 2008 R2 only if there are no third-party firewalls or antivirus products installed. It works out of the box and doesn't require any additional software. It may be slow on heavily loaded servers. Not recommended for high-bandwidth setups.

Addresses to monitor

When Monitoring via Raw Sockets is enabled, RdpGuard listens on the RDP port for each IP address associated with the machine. This may affect server performance if a high number of IP addresses is associated with the machine.

To avoid a performance decrease, you may consider limiting the number of IP addresses that accept RDP connections:

  • Open the Windows Firewall MMC (wf.msc)
  • Select the Inbound Rules section
  • Open the properties of the Remote Desktop (TCP-In) rule
  • On the Scope tab, choose the option to select specific IP addresses in the "Local IP Address" section
  • Add the local IP address(es) on which you want to accept RDP connections

When you are done with the firewall configuration, you may update the addresses to monitor in RdpGuard.

Monitoring via WinPcap

This monitoring method works on all Windows Server 2008 editions but requires additional software installation. You need to download and install WinPcap. It works faster than Raw Sockets and consumes fewer resources. We recommend this monitoring method.

3. Specify one or more RDP ports to monitor (you may skip this step if you are using RDP on a single port).

4. Click Save to save the changes and restart the RdpGuard service.

Exclusions for RDP detection engine

Starting from version 7.8.7, RdpGuard provides a way to exclude some Security log events from processing. This is useful if you would like to protect legitimate users from being blocked and they can be reliably distinguished based on event details.

This is done with the Exclusions feature; please check out these instructions for more details on the Exclusion rules syntax.

Copyright © 2012-2022 NetSDK Software. All rights reserved.