Brute-force Protection for Remote Desktop Web Access (RD Web Access / TS Web Access)

RdpGuard

Intrusion prevention system for your Windows Server

Follow:

Twitter
Facebook
RSS

Remote Desktop Web Access (RD Web Access), formerly Terminal Services Web Access (TS Web Access), enables users to access RemoteApp and Desktop Connection through the Start menu on a computer that is running Windows 7 or through a Web browser.

If you have RD Web Access enabled on your server, you may notice a lot of brute-force attempts that look like below in your Security Event Log:

Failed logon entries in Security event log

Failed logon attempt events for RD Web Access looks like below:
An account failed to log on.

Subject:
	Security ID:		IIS APPPOOL\RDWeb
	Account Name:		RDWeb
	Account Domain:		IIS APPPOOL
	Logon ID:		0x3091c6d6

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		Administrator
	Account Domain:		

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xc000006d
	Sub Status:		0xc0000064

Process Information:
	Caller Process ID:	0x143c
	Caller Process Name:	C:\Windows\System32\inetsrv\w3wp.exe
Your IIS logs may also contain the entries like below:
2017-03-31 11:02:26 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=default.aspx - 176.62.100.189 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:52.0)+Gecko/20100101+Firefox/52.0 https://server.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=default.aspx 200 4821
2017-03-31 11:02:26 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=default.aspx - 176.62.100.189 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:52.0)+Gecko/20100101+Firefox/52.0 https://server.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=default.aspx 200 4821
2017-03-31 11:02:26 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=default.aspx - 176.62.100.189 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:52.0)+Gecko/20100101+Firefox/52.0 https://server.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=default.aspx 200 4821
2017-03-31 11:02:27 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=default.aspx - 176.62.100.189 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:52.0)+Gecko/20100101+Firefox/52.0 https://server.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=default.aspx 200 4821
2017-03-31 11:02:27 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=default.aspx - 176.62.100.189 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:52.0)+Gecko/20100101+Firefox/52.0 https://server.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=default.aspx 200 4821
2017-03-31 11:02:27 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=default.aspx - 176.62.100.189 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:52.0)+Gecko/20100101+Firefox/52.0 https://server.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=default.aspx 200 4821
Failed logon entries for RDWeb Access in IIS logs

These log entries mean that someone is trying to find the password to your server by brute-forcing your RDWeb Access page.

RdpGuard prevents brute-force attacks on your RDWeb Access server by blocking attacker’s IP address after specified number of failed login attempts.

For Windows XP/Vista/7/8/8.1/10 and Windows Server 2003/2008/2012/2016/2019

Brute-force protection for Remote Desktop Web Access

See also