Brute-force Protection for Remote Desktop Web Access (RD Web Access / TS Web Access)

RdpGuard

Intrusion prevention system for your Windows Server

Follow:

Twitter
Facebook
Google+
RSS

Like:

Remote Desktop Web Access (RD Web Access), formerly Terminal Services Web Access (TS Web Access), enables users to access RemoteApp and Desktop Connection through the Start menu on a computer that is running Windows 7 or through a Web browser.

If you have RD Web Access enabled on your server, you may notice a lot of brute-force attempts that look like below in your Security Event Log:

Failed logon entries in Security event log

Failed logon attempt events for RD Web Access looks like below:
An account failed to log on.

Subject:
	Security ID:		IIS APPPOOL\RDWeb
	Account Name:		RDWeb
	Account Domain:		IIS APPPOOL
	Logon ID:		0x3091c6d6

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		Administrator
	Account Domain:		

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xc000006d
	Sub Status:		0xc0000064

Process Information:
	Caller Process ID:	0x143c
	Caller Process Name:	C:\Windows\System32\inetsrv\w3wp.exe
Your IIS logs may also contain the entries like below:
2017-03-31 11:02:26 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=default.aspx - 176.62.100.189 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:52.0)+Gecko/20100101+Firefox/52.0 https://server.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=default.aspx 200 4821
2017-03-31 11:02:26 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=default.aspx - 176.62.100.189 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:52.0)+Gecko/20100101+Firefox/52.0 https://server.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=default.aspx 200 4821
2017-03-31 11:02:26 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=default.aspx - 176.62.100.189 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:52.0)+Gecko/20100101+Firefox/52.0 https://server.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=default.aspx 200 4821
2017-03-31 11:02:27 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=default.aspx - 176.62.100.189 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:52.0)+Gecko/20100101+Firefox/52.0 https://server.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=default.aspx 200 4821
2017-03-31 11:02:27 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=default.aspx - 176.62.100.189 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:52.0)+Gecko/20100101+Firefox/52.0 https://server.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=default.aspx 200 4821
2017-03-31 11:02:27 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=default.aspx - 176.62.100.189 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:52.0)+Gecko/20100101+Firefox/52.0 https://server.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=default.aspx 200 4821
Failed logon entries for RDWeb Access in IIS logs

These log entries mean that someone is trying to find the password to your server by brute-forcing your RDWeb Access page.

RdpGuard prevents brute-force attacks on your RDWeb Access server by blocking attacker’s IP address after specified number of failed login attempts.

For Windows XP/Vista/7/8/8.1/10 and Windows Server 2003/2008/2012/2016/2019

Brute-force protection for Remote Desktop Web Access

See also