I know, best way would be connecting through VPN first.
Besides this, any other methods?
Set the account lockout feature - are you in an AD environment or just a workgroup?
Both.
I need to secure RD running on a computer that is in an AD and one that isn't.
OK so there's a security policy in both AD and locally which sets account lockouts.
Of course you don't want your Administrator account locked out; but then frankly, the built in Administrator account should be disabled in either scenario and another one used (which has lock-out disabled). In addition you shouldn't allow the built-in Administrator account (or at least one other Administrator account) to login via RDP anyway to avoid an admin lockout scenario.
Oh and don't forget to apply an SSL cert for RDP to avoid MITM attacks.
Thanks.
FWIW, we use our Firewall to limit RDP access to trusted IP addresses.
You can configure the listening port to something other than 3389. It doesn't prevent an attack, but it does make it a little tougher.
Jul 05, 2011 at 10:13 PM, blowdart wrote
In addition you shouldn't allow the built-in Administrator account (or at least one other Administrator account) to login via RDP anyway to avoid an admin lockout scenario.
Regarding this, I think all Administrators group members are automatically granted the right to connect through RDP. I'm not aware of built-in ways to prevent them from logging in through RDP sessions.
@elmer: This is so far the most effective way to block bad guys from brute-force trying your passwords.
I always think it should be a good idea to ban an IP if a user is making too many bad attempts from there. Maybe I should add this suggestion to MS Connect.
EDIT: I'm making my suggestion here. See if there's something to add/change.
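A defender-side check of what such a per-IP ban rule would act on, as an added example that is not part of the thread: it counts failed RDP logons per source address in the local Security log. It assumes an elevated PowerShell session on the RDP host; $Threshold and $Hours are assumed values.

```powershell
# Added example (not from the thread): report source IPs with repeated failed
# RDP logons in the local Security log. Assumes an elevated PowerShell session
# on the RDP host; $Threshold and $Hours are assumed, tune them to taste.
param(
    [int]$Threshold = 10,   # failures from one IP before we flag it (assumed value)
    [int]$Hours     = 1     # look-back window (assumed value)
)

$since = (Get-Date).AddHours(-$Hours)
# Event ID 4625 = "An account failed to log on".
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # EventData fields are easiest to read from the event's XML form.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # Logon Type 10 = RemoteInteractive (classic RDP). With Network Level
    # Authentication enabled, a failed RDP attempt is commonly logged as
    # Logon Type 3 (Network) instead, so both are counted here.
    $ip = $data['IpAddress']
    if (($data['LogonType'] -in @('10', '3')) -and $ip -and $ip -ne '-') {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            SourceIp = $ip
            Account  = $data['TargetUserName']
        }
    }
}

$offenders = $failures |
    Group-Object SourceIp |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending

if (-not $offenders) {
    "No source IP reached $Threshold failed RDP logons in the last $Hours hour(s)."
} else {
    foreach ($o in $offenders) {
        $accounts = ($o.Group.Account | Sort-Object -Unique) -join ', '
        "{0,-16} {1,5} failures  accounts tried: {2}" -f $o.Name, $o.Count, $accounts
    }
}
```

The addresses it reports are the ones a firewall block rule (for example a Windows Firewall rule scoped with -RemoteAddress) would be built from.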
Why hasn't anyone mentioned using a Remote Access Gateway server? I was under the impression that was the best way to secure RDP.
3 days ago, cheong wrote
*snip*
Regarding this, I think all Administrators group members are automatically granted the right to connect through RDP. I'm not aware of built-in ways to prevent them from logging in through RDP sessions.
You can, it's just a little more obscure. You do it by modifying the User Rights Assignment in the Local Security Policy (or via Domain Policies). Obviously you want to be careful doing this if it's a box you don't have physical access to.
A gateway server or edge firewall capable of blocking repeated connection attempts would probably be the best approach. Well, unless you have an IPv6 capable network and DirectAccess. Failing either of those I'd probably opt to use a VPN, directly exposing boxes is just a little bit risky unless you're very confident about how secure the accounts are.
Not trying to be stupid or anything, but generate a 12-character (a-zA-Z0-9+symbols) strong password, write it on a sticky note and stick that sticky note on your computer.
Congratulations. Your RDP server is now resistant to brute-forcing.
p.s. after doing this, don't let anyone you don't trust into your office.
@evildictaitor: Overkill if he has the default 15 minute lockout enabled. It would take near infinity to brute force that at 8 chars.