Windows servers constantly face brute force attacks where attackers try countless username/password combinations via RDP (Remote Desktop Protocol). While Windows has account lockout policies, they only protect individual accounts - leaving your server vulnerable to distributed attacks trying different usernames.
The built-in Windows security features like Account Lockout Policy don't solve the core issue because:
- They only lock individual accounts after failed attempts
- Attackers can simply switch to trying other usernames
- No IP-based blocking exists in native Windows tools
We can automate IP blocking using PowerShell scripts that:
- Monitor Windows Event Logs for failed login attempts
- Count attempts per IP address
- Automatically add firewall rules to block repeat offenders
Here's a complete script that bans IPs after 5 failed attempts:
```powershell
# Failed RDP Login Attempts Tracker
$maxAttempts = 5
$logPath     = "C:\temp\RDPAttackers.txt"
$windowStart = (Get-Date).AddHours(-1)   # only count failures from the last hour

# Make sure the log file's folder exists, otherwise Add-Content fails
New-Item -ItemType Directory -Path (Split-Path $logPath) -Force | Out-Null

# Query the Security log for failed logons (event ID 4625)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4625
    StartTime = $windowStart
} -ErrorAction SilentlyContinue   # "no events found" is reported as an error, not an empty result

# Extract the source IP from each event's XML and count attempts per IP.
# Where-Object { $_ } drops the $null that an empty $events would otherwise pipe through.
$ipCounts = $events | Where-Object { $_ } | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $ip  = $xml.Event.EventData.Data |
        Where-Object { $_.Name -eq "IpAddress" } |
        Select-Object -ExpandProperty "#text"
    if ($ip -and $ip -ne "-") { $ip }    # local/console failures carry "-" instead of an address
} | Group-Object | Where-Object { $_.Count -ge $maxAttempts }

# Block each offending IP with a dedicated inbound rule on the RDP port
foreach ($group in $ipCounts) {
    $ip       = $group.Name
    $ruleName = "BlockRDPBruteForce_$ip"
    # Skip IPs that already have a rule so repeated runs do not create duplicates
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
            -RemoteAddress $ip -Protocol TCP -LocalPort 3389 | Out-Null
        Add-Content -Path $logPath -Value "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - Blocked IP: $ip (Failed attempts: $($group.Count))"
    }
}
```
Create a scheduled task to run this script every 15 minutes:
```powershell
# Run the blocking script every 15 minutes. The task needs elevation to read the
# Security log and to create firewall rules; it runs as the registering user, so for
# unattended servers register it with a service principal (e.g. New-ScheduledTaskPrincipal).
$action  = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -File C:\scripts\BlockRDPAttackers.ps1"
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15)
Register-ScheduledTask -TaskName "RDP Brute Force Protection" -Action $action -Trigger $trigger -RunLevel Highest
```
For enterprise environments, consider:
- Network-level protection (Cisco Firepower, Palo Alto Networks)
- RDP Gateways with pre-authentication
- Third-party tools like RDPGuard
- Monitor your block list to avoid locking out legitimate users
- Combine with other protections like RDP port changing
- Regularly review your security logs for new attack patterns
Windows Server's built-in account lockout policies only protect individual user accounts. When attackers perform distributed brute force attacks across multiple accounts, these policies become ineffective. Our security logs show thousands of failed login attempts from single IPs trying hundreds of username/password combinations.
Windows doesn't provide native IP-based blocking after X attempts, but we can combine several built-in tools:
```powershell
# PowerShell script to parse security logs and block IPs
$BlockThreshold = 5

# Group failed logons (4625) from the last hour by source address;
# Properties[19] is the IpAddress field of event 4625
$FailedAttempts = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4625
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue | Group-Object -Property { $_.Properties[19].Value }

$FailedAttempts | Where-Object { $_.Count -ge $BlockThreshold } | ForEach-Object {
    $IP       = $_.Name
    $RuleName = "BlockBruteForce_$IP"
    # "-" means no network source (local logon); skip it, and skip IPs that already have a rule
    if ($IP -ne "-" -and -not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        # Without -Protocol/-LocalPort this rule blocks all inbound traffic from the IP, not just RDP
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -RemoteAddress $IP -Action Block
    }
}
```
For more sophisticated protection, consider Fail2Ban (ported to Windows):
```ini
# Sample fail2ban filter for Windows Security Log
# <HOST> is fail2ban's placeholder for the address to ban; it must appear in failregex
[Definition]
failregex = ^.*Audit Failure.*Logon Type:3.*Source Network Address:\s*<HOST>\s*.*
ignoreregex =
```
When implementing IP-based blocking:
- Monitor firewall rule count (Windows has limits)
- Consider temporary blocks (24-48 hours) rather than permanent
- Whitelist critical IP ranges first
- Log all blocking actions for audit purposes
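Putting those four points into practice, here is an added example (my own code, not the post's) that expires blocks after 24 hours, checks an allow list before blocking, avoids duplicate rules, and logs every action. The $allowList ranges are constructed samples, and the rule prefix and log path are placeholder assumptions.

```powershell
# Added example: time-limited, allow-list-aware RDP blocking (not the post's own script).
# Placeholders: the $allowList ranges (constructed), the rule prefix and the log path.
$maxAttempts = 5
$blockHours  = 24
$rulePrefix  = 'RDPBruteForce_'
$allowList   = @('10.0.0.0/8', '192.168.1.0/24')
$logPath     = 'C:\temp\RDPBlocks.log'

function ConvertTo-IPv4Int {   # dotted quad -> Int64; $null for anything that is not IPv4
    param([string]$Ip)
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr) -or
        $addr.AddressFamily -ne 'InterNetwork') { return $null }
    $b = $addr.GetAddressBytes()
    return ([int64]$b[0] -shl 24) + ([int64]$b[1] -shl 16) + ([int64]$b[2] -shl 8) + $b[3]
}
function Test-Allowed {        # $true when $Ip lies inside any CIDR range in $allowList
    param([string]$Ip)
    $ipInt = ConvertTo-IPv4Int $Ip
    if ($null -eq $ipInt) { return $true }           # never block what cannot be parsed
    foreach ($cidr in $allowList) {
        $net, $bits = $cidr -split '/'
        $shift = 32 - [int]$bits                     # compare only the network prefix bits
        if (($ipInt -shr $shift) -eq ((ConvertTo-IPv4Int $net) -shr $shift)) { return $true }
    }
    return $false
}

# 1. Expire old blocks: each rule's Description carries its expiry timestamp.
foreach ($rule in Get-NetFirewallRule -DisplayName "$rulePrefix*" -ErrorAction SilentlyContinue) {
    if ($rule.Description -match '^expires=(.+)$' -and (Get-Date) -gt [datetime]$Matches[1]) {
        $rule | Remove-NetFirewallRule
        Add-Content $logPath "$(Get-Date -Format s) unblocked $($rule.DisplayName)"
    }
}

# 2. Count failed logons (4625) per source IP over the last hour; Properties[19] is IpAddress.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4625; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue
$offenders = $events | Where-Object { $_ } | ForEach-Object { $_.Properties[19].Value } |
    Where-Object { $_ -and $_ -ne '-' } | Group-Object | Where-Object { $_.Count -ge $maxAttempts }

# 3. Block new offenders for $blockHours, skipping allow-listed sources and existing rules.
foreach ($g in $offenders) {
    $ip = $g.Name
    if ((Test-Allowed $ip) -or (Get-NetFirewallRule -DisplayName "$rulePrefix$ip" -ErrorAction SilentlyContinue)) { continue }
    $expires = (Get-Date).AddHours($blockHours).ToString('o')
    New-NetFirewallRule -DisplayName "$rulePrefix$ip" -Description "expires=$expires" -Direction Inbound `
        -Action Block -Protocol TCP -LocalPort 3389 -RemoteAddress $ip | Out-Null
    Add-Content $logPath "$(Get-Date -Format s) blocked $ip ($($g.Count) failures, until $expires)"
}
```

Run it from the same 15-minute scheduled task; because expiry lives in the rule itself, a count of `Get-NetFirewallRule -DisplayName 'RDPBruteForce_*'` shows at any time how many temporary blocks are active.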
For larger environments:
- Microsoft Defender for Identity
- Third-party IPS/IDS systems
- Network-based firewalls with threat intelligence feeds