Effective Techniques to Mitigate RDP Brute Force Attacks on Windows Server 2008 R2 Terminal Services



Brute force attacks against Remote Desktop Protocol (RDP) services are among the most common security threats facing Windows servers. When managing a Windows Server 2008 R2 Terminal Server, you need layered defenses since the OS doesn't include modern protection mechanisms like Windows Defender Firewall with Advanced Security.

First, implement account lockout policies through Registry edits:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"DisableAutomaticRestartSignOn"=dword:00000001
"DefaultDomainName"="YOURDOMAIN"
"DefaultUserName"=""

While not as robust as Linux's iptables, Windows Firewall can be configured to block repeated RDP attempts:

# PowerShell script to create dynamic block rules
# Requires the NetSecurity module (Server 2012 and later); on 2008 R2 use
# "netsh advfirewall firewall add rule" in place of New-NetFirewallRule.
$threshold = 5      # Failed attempts threshold
$lookbackHours = 24 # Only failures inside this window are counted
$logPath = "C:\RDP\Security.log"

# Collect failed logons (event 4625) once; Properties[19] is the source IpAddress
$failures = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4625
    StartTime = (Get-Date).AddHours(-$lookbackHours)
} -ErrorAction SilentlyContinue

# Group by source IP, ignoring console/local failures that log '-' as the address
$failures | Where-Object { $_.Properties[19].Value -match '^\d{1,3}(\.\d{1,3}){3}$' } |
    Group-Object { $_.Properties[19].Value } |
    Where-Object { $_.Count -ge $threshold } |
    ForEach-Object {
        $ip = $_.Name
        $count = $_.Count
        # Skip addresses that already have a block rule, otherwise every run adds a duplicate
        if (-not (Get-NetFirewallRule -DisplayName "BlockRDP_$ip" -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName "BlockRDP_$ip" -Direction Inbound -Action Block -Protocol TCP -RemoteAddress $ip -LocalPort 3389 | Out-Null
            Add-Content $logPath "$(Get-Date) - Blocked $ip after $count failed attempts"
        }
    }

For enterprises, commercial tools worth evaluating include:

  • RDPGuard (specifically designed for RDP protection)
  • Fail2Ban for Windows (port of the Linux classic)
  • EventSentry (comprehensive monitoring solution)

Configure your edge firewall to:

  1. Limit RDP access to specific source IP ranges
  2. Implement geofencing if applicable
  3. Set connection rate limits (e.g., max 3 connection attempts per minute)

For domain-joined servers, apply these Group Policy settings:

Computer Configuration > Policies > Windows Settings > Security Settings > 
Account Policies > Account Lockout Policy:
- Account lockout duration: 30 minutes
- Account lockout threshold: 5 invalid attempts
- Reset account lockout counter after: 30 minutes

Windows Server 2008 R2's Terminal Services present a prime target for brute force attacks, with RDP being the most exploited entry point. Unlike Linux with fail2ban, Windows requires custom solutions for automatic IP blocking.

First, configure these native protections:

# Set the local Account Lockout Policy with net accounts
# (domain members take these values from the Group Policy shown above instead):
net accounts /lockoutthreshold:5
net accounts /lockoutwindow:30
net accounts /lockoutduration:60

Set threshold to 5 attempts, lockout duration to 60 minutes, and reset counter after 30 minutes.

Create this script to parse Event Logs and block repeat offenders:

# RDPBruteBlocker.ps1
# Requires the NetSecurity module (Server 2012 and later); on 2008 R2 use netsh advfirewall.
$maxAttempts = 5
# Only the newest 100 failed-logon events are examined on each run
$eventLog = Get-WinEvent -LogName 'Security' -FilterXPath "*[System[EventID=4625]]" -MaxEvents 100 -ErrorAction SilentlyContinue
# Properties[19] is the IpAddress field; keep IPv4 sources only (local failures log '-')
$ipList = $eventLog | ForEach-Object {
    if ($_.Properties[19].Value -match '^\d{1,3}(\.\d{1,3}){3}$') {
        $_.Properties[19].Value
    }
}
$offenders = $ipList | Group-Object | Where-Object { $_.Count -ge $maxAttempts }
# Iterate the groups themselves; $offenders.Group would yield every IP once per failure
foreach ($group in $offenders) {
    $ip = $group.Name
    if (-not (Get-NetFirewallRule -DisplayName "BlockRDP_$ip" -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName "BlockRDP_$ip" -Direction Inbound -Action Block -RemoteAddress $ip -Protocol TCP -LocalPort 3389 | Out-Null
        Write-Output "Blocked IP: $ip"
    }
}

Modify these registry settings for enhanced protection:

# Change default RDP port (takes effect after restarting the Remote Desktop Services
# service or rebooting; add a matching inbound allow rule for the new port first):
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name PortNumber -Value 3390

# Enable Network Level Authentication (credentials are checked before a session is
# created; clients need an NLA-capable RDP client):
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1

For those preferring GUI tools:

  • RDPGuard (commercial with free trial)
  • EvlWatcher (open source alternative)

Schedule the PowerShell script to run hourly via Task Scheduler. Check blocked IPs with:

Get-NetFirewallRule -DisplayName "BlockRDP_*" | Format-Table DisplayName,Enabled
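A variant of the blocking script that actually runs on Server 2008 R2, added here as an example and not taken from the original page: it uses netsh advfirewall (present on 2008 R2, unlike the New-NetFirewallRule cmdlets), counts 4625 failures over a lookback window, reads the configured RDP port from the registry so a changed PortNumber is still covered, and honours an allowlist so a mistyped administrator password cannot block your own management network. The allowlist ranges and log path are constructed placeholders.

```powershell
# Added example (not from the original page): a Server 2008 R2 compatible
# blocker. It counts 4625 failures per source IP over a lookback window and
# blocks repeat offenders with netsh advfirewall, which 2008 R2 ships with
# (the New-NetFirewallRule cmdlets need Server 2012 or later).
param(
    [int]$Threshold = 5,
    [int]$LookbackMinutes = 60,
    # Constructed allowlist: management ranges that must never be blocked.
    [string[]]$AllowList = @('10.0.0.0/8', '192.168.1.0/24'),
    [string]$LogPath = 'C:\RDP\blocked.log'
)

function Test-InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    # Address bytes are big-endian; reverse them for BitConverter on x86/x64.
    $ipInt  = [BitConverter]::ToUInt32(([Net.IPAddress]$Ip).GetAddressBytes()[3..0], 0)
    $netInt = [BitConverter]::ToUInt32(([Net.IPAddress]$net).GetAddressBytes()[3..0], 0)
    # Build the mask without -shl, which PowerShell 2.0 (the 2008 R2 default) lacks.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

# Block on the port RDP actually listens on, so a changed PortNumber is covered.
$rdpPort = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').PortNumber
$since   = (Get-Date).AddMinutes(-$LookbackMinutes)
$events  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4625; StartTime = $since } -ErrorAction SilentlyContinue

# Property 19 of a 4625 event is IpAddress; console failures show '-'.
$counts = @{}
foreach ($e in $events) {
    $ip = [string]$e.Properties[19].Value
    if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }
    $counts[$ip] = 1 + [int]$counts[$ip]
}

New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null
foreach ($ip in $counts.Keys) {
    if ($counts[$ip] -lt $Threshold) { continue }
    if ($AllowList | Where-Object { Test-InCidr $ip $_ }) { continue }
    $name = "BlockRDP_$ip"
    # Idempotent: on an English system 'show rule' prints
    # 'No rules match the specified criteria.' when the rule is absent.
    $existing = netsh advfirewall firewall show rule name="$name"
    if ($existing -match 'No rules match') {
        netsh advfirewall firewall add rule name="$name" dir=in action=block protocol=TCP localport=$rdpPort remoteip=$ip | Out-Null
        Add-Content $LogPath "$(Get-Date -Format s) blocked $ip after $($counts[$ip]) failures"
    }
}
```

Schedule it the same way as the script above; because it checks for an existing rule before adding one, repeated hourly runs do not pile up duplicate rules.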