Securing Windows Remote Desktop (RDP) Against Brute Force Attacks: Lockout Policies and IP Filtering Techniques



Windows Remote Desktop Protocol (RDP) includes basic protections against brute force attempts through Account Lockout Policies. By default, Windows Server doesn't automatically lock out accounts after failed attempts unless specifically configured. The security settings are found in:

Local Security Policy -> Account Policies -> Account Lockout Policy

For production servers exposed to the internet, I recommend these settings:

Account lockout threshold: 5 invalid attempts
Account lockout duration: 30 minutes
Reset account lockout counter after: 30 minutes
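
The three settings above can be audited and applied from the command line instead of the Local Security Policy console. The following script is an added example (not part of the original text): it parses the effective local policy from `net accounts`, flags any value weaker than the recommendation, and applies the recommended values when run with `-Apply`. On a domain member, the domain's Default Domain Policy governs domain accounts, so treat the local values as the fallback for local accounts only.

```powershell
# Added example: audit (and optionally apply) the local account lockout policy.
# "net accounts" reports the effective local policy; run from an elevated prompt.
param([switch]$Apply)

# Recommended values from the text: 5 attempts, 30 minute lockout, 30 minute reset window
$Recommended = [ordered]@{
    'Lockout threshold'                    = 5
    'Lockout duration (minutes)'           = 30
    'Lockout observation window (minutes)' = 30
}

function Get-LocalLockoutPolicy {
    # Parses lines such as "Lockout threshold:   Never" / "Lockout duration (minutes):   30"
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(?<name>Lockout[^:]+):\s+(?<value>\S+)') {
            $policy[$Matches.name.Trim()] = if ($Matches.value -eq 'Never') { 0 } else { [int]$Matches.value }
        }
    }
    $policy
}

function Test-LockoutPolicy {
    # Returns the names of settings that are weaker than recommended
    $current = Get-LocalLockoutPolicy
    $weak = @()
    foreach ($name in $Recommended.Keys) {
        $have = $current[$name]
        $want = $Recommended[$name]
        # Threshold: 0 means "never lock out", and a higher number admits more guesses.
        # Duration / window: a shorter value lets a guessing client resume sooner.
        $ok = if ($name -eq 'Lockout threshold') { $have -ge 1 -and $have -le $want } else { $have -ge $want }
        Write-Host ('{0,-40} current={1,-6} recommended={2,-4} {3}' -f $name, $have, $want, $(if ($ok) { 'OK' } else { 'WEAK' }))
        if (-not $ok) { $weak += $name }
    }
    $weak
}

$weak = Test-LockoutPolicy
if ($weak.Count -gt 0 -and $Apply) {
    # The observation window must not exceed the lockout duration; 30/30 satisfies that
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
    Write-Host 'Policy applied; re-run without -Apply to verify.'
}
```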

For more robust protection, we can automate IP blocking using PowerShell. This script blocks IPs with multiple failed attempts:


# Get failed logon events (4625) from the Security log
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID      = 4625
} -MaxEvents 1000

# Properties[19] of a 4625 event is the source IpAddress (the port is in [20], so no
# split on ':' is needed, and splitting would mangle IPv6). Skip local or blank
# entries, which appear as "-" or an empty string.
$badIPs = $events | ForEach-Object {
    $_.Properties[19].Value
} | Where-Object { $_ -and $_ -ne '-' } |
    Group-Object | Where-Object { $_.Count -gt 3 } |
    Select-Object -ExpandProperty Name

# Add a block rule per offending IP, skipping addresses that already have one
foreach ($ip in $badIPs) {
    $ruleName = "Block RDP Brute Force $ip"
    $existing = netsh advfirewall firewall show rule name="$ruleName"
    if ($existing -match 'No rules match') {
        netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=3389 remoteip=$ip
    }
}
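
A more robust version of the blocking script, added here as an example and not taken from the original text: it reads the 4625 fields by name from the event XML rather than by property index, keeps only the logon types RDP produces, never blocks an address on an allow-list, and maintains a single firewall rule whose address list grows over time instead of one rule per address. The allow-list entry, the state file path and the rule name are assumptions to adjust for your environment.

```powershell
# Added example: idempotent RDP brute-force blocker (not the page's own script).
param(
    [int]$Threshold = 5,                          # failures from one source before blocking
    [int]$LookbackMinutes = 60,                   # how far back in the Security log to look
    [string[]]$AllowList = @('192.168.1.100'),    # assumed management host(s), exact addresses
    [string]$RuleName = 'Block RDP Brute Force (auto)',
    [string]$StateFile = 'C:\Scripts\rdp-blocked.txt'   # assumed location of the persisted block list
)

function Get-FailedRdpSources {
    # Returns source addresses with at least $MinCount failed RDP logons in the window
    param([int]$Minutes, [int]$MinCount)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; ID = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue
    $sources = foreach ($e in $events) {
        # Named EventData fields are stable across Windows versions; numeric indexes are not documented
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $ip   = ($data | Where-Object Name -eq 'IpAddress').'#text'
        $type = ($data | Where-Object Name -eq 'LogonType').'#text'
        # Logon types RDP produces: 10 (RemoteInteractive) and 3 (Network, used by NLA pre-auth)
        if ($ip -and $ip -ne '-' -and $type -in '3', '10') { $ip }
    }
    $sources | Group-Object | Where-Object Count -ge $MinCount |
        Select-Object -ExpandProperty Name
}

function Update-BlockRule {
    # Creates the block rule on first use, otherwise replaces its remote address list
    param([string]$Name, [string[]]$Addresses)
    if (-not $Addresses) { return }
    $list = $Addresses -join ','
    $existing = netsh advfirewall firewall show rule name="$Name"
    if ($existing -match 'No rules match') {
        netsh advfirewall firewall add rule name="$Name" dir=in action=block protocol=TCP localport=3389 remoteip=$list | Out-Null
    } else {
        netsh advfirewall firewall set rule name="$Name" new remoteip=$list | Out-Null
    }
}

# Merge newly seen offenders with those blocked on earlier runs, so an address does not
# silently drop out of the rule once its events age past the lookback window
$known = if (Test-Path $StateFile) { @(Get-Content $StateFile) } else { @() }
$new = @(Get-FailedRdpSources -Minutes $LookbackMinutes -MinCount $Threshold |
    Where-Object { $_ -notin $AllowList -and $_ -notin $known })

if ($new.Count -gt 0) {
    $all = @($known) + $new | Sort-Object -Unique
    Update-BlockRule -Name $RuleName -Addresses $all
    $all | Set-Content $StateFile
    Write-Host "Blocked $($new.Count) new source(s): $($new -join ', ')"
}
```

Run it from the scheduled task rather than interactively; because the rule is updated in place and the list is persisted, repeated runs are safe and the firewall never accumulates hundreds of near-identical rules.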

For enterprise environments, consider these additional measures:

  • Enable Network Level Authentication (NLA)
  • Implement RD Gateway with pre-authentication
  • Change default RDP port from 3389
  • Use certificate-based authentication

Create a scheduled task to monitor security logs and send alerts:


# Event subscription: fire whenever a failed logon (4625) is written to the Security log
$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625)]]
    </Select>
  </Query>
</QueryList>
'@

# New-ScheduledTaskTrigger has no event-trigger option, so build an
# MSFT_TaskEventTrigger instance through CIM and attach the query to it
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $query
$trigger.Enabled = $true

# Run the alert script as SYSTEM so it can read the Security log
$action = New-ScheduledTaskAction -Execute "Powershell.exe" -Argument "-NoProfile -File C:\Scripts\Send-RDPAlert.ps1"
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest

# IgnoreNew: a burst of 4625 events must not start a second copy while one is still running
Register-ScheduledTask -TaskName "RDP Brute Force Monitor" -Trigger $trigger -Action $action -Principal $principal -Settings (New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew)
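
The task above calls `C:\Scripts\Send-RDPAlert.ps1`, which the text does not show. The following is an added example of what that script can contain (it is not from the original text): it summarises the failed logons of the last few minutes by source address, writes the summary to the Application log for SIEM pickup, and sends a single mail per window so a burst of 4625 events does not produce one mail per attempt. The SMTP server and addresses are placeholders, and the `RDPMonitor` event source and event id 9001 are chosen here, not Windows defaults.

```powershell
# Added example: Send-RDPAlert.ps1 (not the page's own script).
param(
    [int]$WindowMinutes = 15,                          # look back and throttle over this window
    [int]$MinFailures   = 5,                           # below this, no alert
    [string]$SmtpServer = 'smtp.example.internal',     # placeholder
    [string]$From       = 'rdp-monitor@example.internal',
    [string]$To         = 'secops@example.internal'
)

function Get-FailedLogonSummary {
    # One row per source address: failure count and the user names tried
    param([int]$Minutes)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; ID = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        # 4625 layout: [5] TargetUserName, [10] LogonType, [19] IpAddress
        [pscustomobject]@{
            SourceIP  = $_.Properties[19].Value
            User      = $_.Properties[5].Value
            LogonType = $_.Properties[10].Value
        }
    } | Where-Object { $_.SourceIP -and $_.SourceIP -ne '-' } |
      Group-Object SourceIP | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            SourceIP = $_.Name
            Failures = $_.Count
            Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
        }
      }
}

$summary = Get-FailedLogonSummary -Minutes $WindowMinutes
$total = ($summary | Measure-Object -Property Failures -Sum).Sum
if (-not $total -or $total -lt $MinFailures) { return }

# Throttle: the task fires on every 4625 event, so send at most one alert per window
$marker = Join-Path $env:ProgramData 'rdp-alert-last.txt'
if ((Test-Path $marker) -and ((Get-Item $marker).LastWriteTime -gt (Get-Date).AddMinutes(-$WindowMinutes))) { return }

$body = "$total failed logons in the last $WindowMinutes minutes on $env:COMPUTERNAME`n`n" +
        ($summary | Format-Table -AutoSize | Out-String)

# Record the summary in the Application log (source registered on first use) for SIEM pickup
if (-not [System.Diagnostics.EventLog]::SourceExists('RDPMonitor')) {
    New-EventLog -LogName Application -Source 'RDPMonitor'
}
Write-EventLog -LogName Application -Source 'RDPMonitor' -EntryType Warning -EventId 9001 -Message $body

Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject "RDP brute force on $env:COMPUTERNAME" -Body $body
Set-Content -Path $marker -Value (Get-Date)
```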

Windows Server 2008 includes several native protections against RDP brute force attempts:

  • Account Lockout Policy: Configured via Group Policy (gpedit.msc > Computer Configuration > Windows Settings > Security Settings > Account Policies)
  • Failed Attempt Logging: Events logged in Windows Security log (Event ID 4625)
  • Network Level Authentication (NLA): Requires authentication before establishing session

# Sample PowerShell to check the current lockout threshold of the domain policy
# (needs the RSAT ActiveDirectory module; on a standalone server use "net accounts" instead)
Import-Module ActiveDirectory
Get-ADDefaultDomainPasswordPolicy | Select-Object LockoutThreshold

To properly secure RDP on Windows Server 2008:

# Recommended registry modifications
# DisableRestrictedAdmin lives under the Lsa key; 1 = Restricted Admin mode off (the Windows default)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "DisableRestrictedAdmin" /t REG_DWORD /d 1 /f
# fDenyTSConnections=0 allows incoming Remote Desktop connections
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f

For additional security layers:

  1. Enable RDP over VPN for remote access
  2. Implement IP restriction rules in Windows Firewall
  3. Change default RDP port from 3389 (requires registry edit)

# Firewall rule that allows RDP only from one management host.
# Note: an allow rule alone does not restrict anything while the built-in "Remote Desktop"
# rules still allow port 3389 from any address; scope or disable those as well.
netsh advfirewall firewall add rule name="Restricted RDP" dir=in action=allow protocol=TCP localport=3389 remoteip=192.168.1.100/32
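
The NLA, firewall-restriction and port-change items from the two lists above can be applied together. The script below is an added example, not part of the original text: it requires Network Level Authentication and TLS on the RDP listener, optionally moves the listener port, and scopes the built-in "Remote Desktop" firewall rules to the management addresses before adding the explicit allow rule, since an allow rule by itself leaves the built-in any-source rules in force. The management addresses and the port are assumptions; the registry value names (`UserAuthentication`, `SecurityLayer`, `PortNumber`) are the standard RDP-Tcp listener values.

```powershell
# Added example: RDP listener and firewall hardening (not the page's own script).
# Run elevated; a port change takes effect after the Remote Desktop Services service restarts.
param(
    [string[]]$ManagementHosts = @('192.168.1.100/32', '10.0.0.0/24'),  # assumed admin sources
    [int]$RdpPort = 3389                                                 # set another value to move RDP off 3389
)
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Require Network Level Authentication: credentials are checked before a session is
#    built, so an unauthenticated client never reaches the logon screen.
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
# SecurityLayer 2 = TLS (SSL) instead of legacy RDP encryption
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer -Value 2 -Type DWord

# 2. Optional listener port change
$currentPort = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
if ($currentPort -ne $RdpPort) {
    Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $RdpPort -Type DWord
}

# 3. Firewall: scope the built-in "Remote Desktop" rule group to the management list,
#    then add an explicit allow rule for the (possibly changed) port with the same scope
$scope = $ManagementHosts -join ','
netsh advfirewall firewall set rule group="Remote Desktop" new remoteip=$scope | Out-Null
$ruleName = "Restricted RDP ($RdpPort)"
if ((netsh advfirewall firewall show rule name="$ruleName") -match 'No rules match') {
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow protocol=TCP localport=$RdpPort remoteip=$scope | Out-Null
}

# 4. Report the resulting listener state for the change record
function Get-RdpHardeningState {
    $p = Get-ItemProperty -Path $rdpTcp
    [pscustomobject]@{
        NLARequired   = [bool]$p.UserAuthentication
        SecurityLayer = $p.SecurityLayer
        Port          = $p.PortNumber
        AllowedFrom   = $scope
    }
}
Get-RdpHardeningState | Format-List
```

If you move the port, update the management clients and any RD Gateway configuration first; the built-in rule group still refers to 3389, which is why the explicit rule carries the new port.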

Create automated monitoring for brute force attempts:

# PowerShell script to parse security logs for RDP attacks
# 4625 property layout: [5] TargetUserName, [10] LogonType, [19] IpAddress, [20] IpPort (source port).
# The destination port is not recorded in the event, so "3389" cannot be matched; instead select
# the logon types RDP produces: 10 (RemoteInteractive) and 3 (Network, used by NLA's pre-authentication).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4625
    StartTime = (Get-Date).AddHours(-24)
} | Where-Object {
    $_.Properties[10].Value -in @(3, 10) -and
    $_.Properties[19].Value -notin @('-', '')
} | Select-Object TimeCreated,
    @{Name='AttackerIP'; Expression={$_.Properties[19].Value}},
    @{Name='TargetUser'; Expression={$_.Properties[5].Value}},
    @{Name='LogonType';  Expression={$_.Properties[10].Value}}

Consider these additional security measures:

  • RDP Gateways (Windows Server feature)
  • Fail2Ban for Windows (third-party port)
  • Duo Security two-factor authentication