Staying Safe from RDP Brute Force Attacks

In a RDP (Remote Desktop Protocol) brute force attack, an attacker gains access to a victim’s computer by using brute force techniques which can effectively crack weak passwords.

Typically, the attacker scans a list of IP ranges for RDP port 3389 (default RDP port) which are open for connection. Once a port is found, the brute force attack is launched. The brute force technique uses a trial and error password guessing attack with a list of commonly used credentials, dictionary words, and other combinations.

Once the access is gained, the attacker can disable the system’s antivirus and run the malware payload. This means, even if the antivirus is updated and has a detection against the malware, turning off its protection renders the system defenseless.

The Thirtyseven4 Firewall feature can effectively prevent RDP brute force attacks by allowing only trusted IP addresses from accessing the system via remote desktop.

How to configure the Thirtyseven4 Firewall?

Thirtyseven4 Dashboard => Select Internet and Network => Firewall Protection=> Advanced Settings – Configure=> Traffic Rules.

A) To block all RDP connections:

•Scroll down and double click on the Allow Remote Desktop rule.
•Click on Next till you reach the last window i.e., Select Action
•Here, change the action from Allow to Deny and click on Finish.

B) To add an exception for trusted systems:

•In the Traffic rule window, click on Add for adding an exception.
•Give any Name for the rule e.g., RDP white-list and select Next twice.
•In the Local TCP/UDP Port window, enter the RDP port in the Specific port option and click Next. By default the RDP port is 3389.
•In the Remote IP Address, enter the IP address of the system from which you would want to accept RDP connections.
•You can also enter an IP range to allow RDP connections from multiple systems of the specified range. E.g., 192.168.0.1 to 192.168.0.255.
•Select Next for the Remote TCP/UDP port window.
•Select an action to be taken as Allow in the last window and click Finish.

Now, save the changes made by clicking on OK and selecting Save Changes.

Please Note: Make sure that the RDP White-list rule is higher than the Allow Remote Desktop rule in the Firewall rule list.


Here are some security practices to help avoid RDP brute-style forced attacks:

– Use strong and unique passwords on user accounts that cannot be easily guessed. Weak passwords like Admin, admin@123, user, 123456, password, Pass@123, etc., can be easily brute forced in the first few attempts.

– Configure password protection for your security software. Doing so would prevent any unauthorized users accessing the system from disabling or uninstalling it. Thirtyseven4 users can enable this feature from the Settings => Password Protection.

– Disable the Administrator account and use a different account name for administrative activities. Most brute-force attempts are done on an Administrator user account as it is present by default. Also, remove any other unused or guest accounts if configured on the system.

– Change the default RDP port from the default‘3389’. Most attacks of such type focus on targeting the port 3389 of RDP.

– Enable Network Level Authentication (NLA) feature in your RDP settings available in Windows Vista and later OS.

Ref: https://technet.microsoft.com/en-us/library/cc732713.aspx

– Configuring Account Lockout Policies that automatically lock the account after a specific number of failed attempts. This feature is available in Windows and the threshold can be customized as per the administrator.

Ref: https://technet.microsoft.com/en-us/library/dd277400.aspx

 

Thirtyseven4, LLC is dedicated to serving customers with a full palette of security solutions including AntiVirus, AntiMalware, Anti-Ransomware and Zero-Day Threat Protection.