Brute-force protection for Remote Desktop Web Access
Remote Desktop Web Access (RD Web Access), formerly Terminal Services Web Access (TS Web Access),
enables users to access RemoteApp and Desktop Connection through the Start menu on a computer
that is running Windows 7 or through a Web browser.
If you have RD Web Access enabled on your server, you may notice a lot of brute-force attempts
in your Security event log, like the ones shown below:
Failed logon entries in Security event log
Failed logon attempt events for RD Web Access look like this:
An account failed to log on.

Subject:
    Security ID: IIS APPPOOL\RDWeb
    Account Name: RDWeb
    Account Domain: IIS APPPOOL
    Logon ID: 0x3091c6d6

Logon Type: 3

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: Administrator
    Account Domain:

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc0000064

Process Information:
    Caller Process ID: 0x143c
    Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
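
To triage events like the one above, the following added example (not part of the original article) parses exported event message text, keeps only failures submitted by the RDWeb application pool through w3wp.exe, and counts them per targeted account and failure reason. The function names, the threshold of 3 and the sample events are assumptions made for illustration; the sub-status meanings are the standard NTSTATUS values for an unknown user name and a wrong password.

```python
from collections import Counter

SECTIONS = {"Subject", "Account For Which Logon Failed",
            "Failure Information", "Process Information"}
# NTSTATUS sub-status codes: unknown user name vs. valid user with bad password
SUB_STATUS = {"0xc0000064": "no such user", "0xc000006a": "wrong password"}

def parse_event(text):
    """Parse one event message into {(section, field): value}."""
    fields, section = {}, None
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if sep and key in SECTIONS and not value:
            section = key                      # header line such as "Subject:"
        elif sep:
            fields[(section, key)] = value     # value may itself contain ':'
    return fields

def is_rdweb_failure(f):
    """True when the failed logon was submitted by the RDWeb IIS worker."""
    caller = f.get(("Process Information", "Caller Process Name"), "")
    return (f.get(("Subject", "Security ID"), "").lower() == r"iis apppool\rdweb"
            and any(k == "Logon Type" and v == "3" for (_, k), v in f.items())
            and caller.lower().endswith(r"\w3wp.exe"))

def summarize(events, threshold=3):
    """Count RDWeb failures per (account, reason); flag accounts at threshold."""
    counts = Counter()
    for f in map(parse_event, events):
        if is_rdweb_failure(f):
            acct = f.get(("Account For Which Logon Failed", "Account Name"), "")
            sub = f.get(("Failure Information", "Sub Status"), "").lower()
            counts[(acct.lower(), SUB_STATUS.get(sub, sub))] += 1
    return counts, sorted({a for (a, _), n in counts.items() if n >= threshold})

# Constructed sample events in the layout shown above (not real log data).
TEMPLATE = ("An account failed to log on.\nSubject:\nSecurity ID: {sid}\n"
            "Logon Type: 3\nAccount For Which Logon Failed:\n"
            "Security ID: NULL SID\nAccount Name: {target}\nAccount Domain:\n"
            "Failure Information:\nStatus: 0xc000006d\nSub Status: {sub}\n"
            "Process Information:\nCaller Process Name: {proc}\n")
RDWEB, W3WP = r"IIS APPPOOL\RDWeb", r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE = ([TEMPLATE.format(sid=RDWEB, target="Administrator", sub="0xc0000064", proc=W3WP)] * 3
          + [TEMPLATE.format(sid=RDWEB, target="jsmith", sub="0xc000006a", proc=W3WP)]
          + [TEMPLATE.format(sid="NULL SID", target="Administrator", sub="0xc0000064", proc="-")])

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Separating "no such user" from "wrong password" shows whether the guesses are hitting account names that exist; the sub status in the event above means the submitted user name was not found.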
Your IIS logs may also contain entries like the ones below: