Brute-force Protection for Remote Desktop Web Access (RD Web Access / TS Web Access)
RdpGuard
Intrusion prevention system for your Windows Server
 

Brute-force protection for Remote Desktop Web Access

Remote Desktop Web Access (RD Web Access), formerly Terminal Services Web Access (TS Web Access), enables users to access RemoteApp and Desktop Connection through the Start menu on a computer that is running Windows 7 or through a Web browser.

If you have RD Web Access enabled on your server, you may notice many brute-force attempts in your Security Event Log, like the ones shown below:

Failed logon entries in Security event log

A failed logon attempt event for RD Web Access looks like this:

An account failed to log on.

Subject:
	Security ID:		IIS APPPOOL\RDWeb
	Account Name:		RDWeb
	Account Domain:		IIS APPPOOL
	Logon ID:		0x3091c6d6

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		Administrator
	Account Domain:		

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xc000006d
	Sub Status:		0xc0000064

Process Information:
	Caller Process ID:	0x143c
	Caller Process Name:	C:\Windows\System32\inetsrv\w3wp.exe

Your IIS logs may also contain entries like these:

2017-03-31 11:02:26 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=default.aspx - 176.62.100.189 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:52.0)+Gecko/20100101+Firefox/52.0 https://server.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=default.aspx 200 4821
2017-03-31 11:02:26 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=default.aspx - 176.62.100.189 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:52.0)+Gecko/20100101+Firefox/52.0 https://server.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=default.aspx 200 4821
2017-03-31 11:02:26 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=default.aspx - 176.62.100.189 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:52.0)+Gecko/20100101+Firefox/52.0 https://server.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=default.aspx 200 4821
2017-03-31 11:02:27 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=default.aspx - 176.62.100.189 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:52.0)+Gecko/20100101+Firefox/52.0 https://server.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=default.aspx 200 4821
2017-03-31 11:02:27 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=default.aspx - 176.62.100.189 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:52.0)+Gecko/20100101+Firefox/52.0 https://server.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=default.aspx 200 4821
2017-03-31 11:02:27 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=default.aspx - 176.62.100.189 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:52.0)+Gecko/20100101+Firefox/52.0 https://server.com/RDWeb/Pages/en-US/login.aspx?ReturnUrl=default.aspx 200 4821

Failed logon entries for RDWeb Access in IIS logs

These log entries mean that someone is trying to find the password to your server by brute-forcing your RDWeb Access page.

RdpGuard prevents brute-force attacks on your RDWeb Access server by blocking the attacker's IP address after a defined number of failed login attempts.
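The threshold rule described above, applied to IIS log lines in the format shown on this page; this is an added example, not RdpGuard's code. The field order, the reading of a 200 response to a login.aspx POST as a failed logon, the threshold, the window and the sample addresses are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed field order, read off the sample IIS lines on this page (no #Fields header shown).
FIELDS = ["date", "time", "cs-method", "cs-uri-stem", "cs-uri-query", "cs-username", "c-ip",
          "cs-version", "cs(User-Agent)", "cs(Referer)", "sc-status", "sc-bytes"]

def parse_iis(lines):
    """Yield one dict per request line; a '#Fields:' header overrides the assumed order."""
    fields = FIELDS
    for line in lines:
        parts = line.split()
        if line.startswith("#Fields:"):
            fields = parts[1:]
        elif parts and not line.startswith("#") and len(parts) == len(fields):
            yield dict(zip(fields, parts))

def is_failed_rdweb_logon(rec):
    # Assumption: a POST to login.aspx answered with 200 means the form was shown again
    # (failed logon, as in the page's sample); a successful logon is assumed to redirect.
    stem = rec.get("cs-uri-stem", "").lower()
    return (rec.get("cs-method") == "POST" and stem.startswith("/rdweb/pages/")
            and stem.endswith("/login.aspx") and rec.get("sc-status") == "200")

def find_offenders(lines, max_failures=5, window=timedelta(minutes=1)):
    """Return {client IP: time the threshold was reached} using a per-IP sliding window."""
    recent, offenders = defaultdict(deque), {}
    for rec in parse_iis(lines):
        if not is_failed_rdweb_logon(rec):
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        seen = recent[rec["c-ip"]]
        seen.append(ts)
        while ts - seen[0] > window:      # drop attempts that fell out of the window
            seen.popleft()
        if len(seen) >= max_failures:
            offenders.setdefault(rec["c-ip"], ts)
    return offenders

def _line(time, ip, status):  # builds one constructed log line in the page's format
    return (f"2017-03-31 {time} POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=default.aspx - "
            f"{ip} HTTP/1.1 Mozilla/5.0 https://server.example/RDWeb/Pages/en-US/login.aspx "
            f"{status} 4821")

# Constructed sample: a burst, a user who mistypes once, and slow spaced-out failures.
SAMPLE = ([_line(t, "203.0.113.7", 200) for t in ["11:02:26"] * 3 + ["11:02:27"] * 3]
          + [_line("11:00:00", "198.51.100.20", 200), _line("11:00:20", "198.51.100.20", 302)]
          + [_line(f"10:5{m}:00", "192.0.2.44", 200) for m in (0, 2, 4, 6, 8)])

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE).items():
        print(f"{ip} reached the failure threshold at {when}")
```

With the default one-minute window the spaced-out source 192.0.2.44 is not reported; `find_offenders(SAMPLE, window=timedelta(minutes=10))` reports it as well.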

For Windows Vista/7/8/8.1/10/11 and Windows Server 2008/2012/2016/2019/2022


See also

How to Enable and Configure RDWeb Access Protection

RdpGuard 9.7.9 Free Trial

Our customers say

"This software is really great. It's a relief. Because my server is constantly under attack. Thanks RdpGuard" - Joaquim De Sousa Marques

"Nice product. I used to implement something similar in a low-tech and cumbersome manner via a script called TSBlock (not mine). This makes it much easier and is well worth the pricetag for SMB's." - J. Johnson

"Absolutely amazed at your product. We are a church in the North Dallas area, and I discovered this morning multiple failed logon attempts via our Remote Access Server. A friend suggested your product, so I immediately downloaded the trial. It had a list of about five blocked IP addresses in minutes, and that was enough to lead me to push the BUY button. Over the past 10-15 minutes the list is now about thirty with at least a third being international attempts to break into our system. Thanks for a great product. You may have just saved us much grief." - John Hallford

"Love the software. RDP on our Windows servers is just ridiculous. We would block it in the router but we have lots of old-time customers that would have issues." - Scott Hirsch

"Love the software! Makes it easier than tailoring VB Scripts!!" - Nick Brennan

"It's a great product - really stopping those RDP attackers :-)" - Dave, UK

"First of all: Your application is very (!!!) useful and I like it very much securing my 2012 R2 server. RdpGuard is the best solution, I found on the market and after 10 minutes of testing it I ordered the fully-featured version. :-)" - Carsten Baltes

Copyright © 2012-2024 NetSDK Software. All rights reserved.