Coffeehouse Thread

13 posts

Conversation Locked

This conversation has been locked by the site admins. No new comments can be made.

What's the best way to secure Remote Desktop against brute force attacks?

  • wastingtimewithforums

    I know, best way would be connecting through VPN first.

    Besides this, any other methods?

  • blowdart

    Set the account lockout feature - are you in an AD environment or just a workgroup?

  • wastingtimewithforums

    Both.

    I need to secure RD running on a computer that is in an AD and one that isn't.

  • blowdart

    OK so there's a security policy in both AD and locally which sets account lockouts.

    Of course you don't want your Administrator account locked out; but then frankly, the built-in Administrator account should be disabled in either scenario and another one used (which has lock-out disabled). In addition you shouldn't allow the built-in Administrator account (or at least one other Administrator account) to log in via RDP anyway, to avoid an admin lockout scenario.

    Oh and don't forget to apply an SSL cert for RDP to avoid MITM attacks.

  • wastingtimewithforums

    Thanks.

  • elmer

    FWIW, we use our Firewall to limit RDP access to trusted IP addresses.

  • cbae

    You can configure the listening port to something other than 3389. It doesn't prevent an attack, but it does make it a little tougher.

  • cheong

    blowdart wrote:

    In addition you shouldn't allow the built-in Administrator account (or at least one other Administrator account) to login via RDP anyway to avoid an admin lockout scenario.

    Regarding this, I think all Administrators group members are automatically granted the right to connect through RDP. I'm not aware of built-in ways to prevent them from logging in through RDP sessions.

  • cheong

    @elmer: This is so far the most effective way to block bad guys from brute-forcing your passwords.

    I always think it would be a good idea to ban an IP if a user makes too many bad attempts from there. Maybe I should add this suggestion to MS Connect.

    EDIT: I'm making my suggestion here. See if there's something to add/change.

  • devSpeed

    Why hasn't anyone mentioned using a Remote Access Gateway server? I was under the impression that was the best way to secure RDP.

  • AndyC

    cheong wrote:

    *snip*

    Regarding this, I think all Administrators group members are automatically granted the right to connect through RDP. I'm not aware of built-in ways to prevent them from logging in through RDP sessions.

    You can, it's just a little more obscure. You do it by modifying the User Rights Assignment in the Local Security Policy (or via Domain Policies). Obviously you want to be careful doing this if it's a box you don't have physical access to. Wink

    A gateway server or edge firewall capable of blocking repeated connection attempts would probably be the best approach. Well, unless you have an IPv6 capable network and DirectAccess. Failing either of those I'd probably opt to use a VPN, directly exposing boxes is just a little bit risky unless you're very confident about how secure the accounts are.
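    cheong's suggestion earlier in the thread (ban an IP after too many bad attempts) and AndyC's point about a gateway or firewall that blocks repeated connection attempts can be approximated on the host itself. The following is an added example, not code from this thread or from Microsoft: Python that turns failed-logon records shaped like Windows Security event 4625 into a per-source verdict and renders firewall block rules. The sample events, the thresholds, the 15-minute window and the rule names are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security event 4625 (failed logon)
# fields: timestamp, source IP, target account, logon type.  Not real log data.
SAMPLE_EVENTS = [
    ("2012-03-01T10:00:01", "203.0.113.7", "Administrator", 10),
    ("2012-03-01T10:00:03", "203.0.113.7", "Administrator", 10),
    ("2012-03-01T10:00:05", "203.0.113.7", "Administrator", 10),
    ("2012-03-01T10:00:08", "203.0.113.7", "Administrator", 10),
    ("2012-03-01T10:00:10", "203.0.113.7", "Administrator", 10),
    ("2012-03-01T10:05:00", "198.51.100.9", "alice", 3),
    ("2012-03-01T10:05:02", "198.51.100.9", "bob", 3),
    ("2012-03-01T10:05:04", "198.51.100.9", "carol", 3),
    ("2012-03-01T10:05:06", "198.51.100.9", "dave", 3),
    ("2012-03-01T10:30:00", "192.0.2.44", "alice", 10),   # one typo, no burst
    ("2012-03-01T11:00:00", "192.0.2.44", "alice", 10),
]

def parse_event(record):
    ts, ip, user, logon_type = record
    return datetime.fromisoformat(ts), ip, user.lower(), logon_type

def find_brute_force_sources(records, threshold=5, spray_accounts=4,
                             window=timedelta(minutes=15), logon_types=(3, 10)):
    """Return {source_ip: time_flagged} for IPs that, within `window`, fail
    `threshold` times (one-account brute force, which a lockout policy also stops)
    or fail against `spray_accounts` distinct accounts (password spraying, which
    stays under the per-account lockout threshold).  Logon type 10 is
    RemoteInteractive (RDP); type 3 is what NLA failures usually log as."""
    attempts = defaultdict(deque)   # ip -> (timestamp, account) pairs inside window
    flagged = {}
    for ts, ip, user, lt in sorted(parse_event(r) for r in records):
        if lt not in logon_types:
            continue
        q = attempts[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        accounts = {u for _, u in q}
        if ip not in flagged and (len(q) >= threshold or len(accounts) >= spray_accounts):
            flagged[ip] = ts
    return flagged

def block_rule_commands(flagged, rule_prefix="Block-RDP-BruteForce"):
    """Render one inbound Windows Firewall block rule per flagged IP (netsh syntax)."""
    return [f'netsh advfirewall firewall add rule name="{rule_prefix}-{ip}" '
            f'dir=in action=block protocol=TCP localport=3389 remoteip={ip}'
            for ip in sorted(flagged)]
```

    The third source in the sample is deliberately left unflagged: two failures half an hour apart never fill the window, so ordinary typos do not produce a block rule.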

  • evildictaitor

    Not trying to be stupid or anything, but generate a 12-character (a-zA-Z0-9+symbols) strong password, write it on a sticky note and stick that sticky note on your computer.

    Congratulations. Your RDP server is now resistant to brute-forcing.

    p.s. after doing this, don't let anyone you don't trust into your office.

  • ManipUni

    @evildictaitor: Overkill if he has the default 15 minute lockout enabled. It would take near infinity to brute force that at 8 chars.
