Stop RDP Brute Force Attacks

TL;DR

RDP brute force attacks happen when someone tries lots of usernames and passwords to get into your computer remotely. This guide shows you how to block these attacks using account lockout policies, strong passwords, network level authentication (NLA), changing the RDP port, limiting access by IP address, and monitoring logs.

1. Account Lockout Policies

Account lockout stops attackers from guessing passwords endlessly. It temporarily disables an account after a certain number of failed login attempts.

  1. Open Local Security Policy: Press the Windows key, type secpol.msc and press Enter.
  2. Navigate to Account Policies: In the left pane, go to Security Settings > Account Policies > Account Lockout Policy.
  3. Configure settings:
    • Account lockout duration: How long an account stays locked (e.g., 30 minutes).
    • Account lockout threshold: Number of failed attempts before locking (e.g., 5 invalid login attempts). Lower numbers are more secure but can inconvenience legitimate users.
    • Reset account lockout counter after: How long before the attempt count resets (e.g., 15 minutes).

2. Strong Passwords

Weak passwords are easy to crack. Use strong, unique passwords for all accounts.

  • Length: At least 12 characters.
  • Complexity: Mix uppercase and lowercase letters, numbers, and symbols.
  • Uniqueness: Don’t reuse passwords across different services.
  • Password Managers: Consider using a password manager to generate and store strong passwords securely.

3. Network Level Authentication (NLA)

NLA requires the client to authenticate before a full RDP session and logon screen are created, so unauthenticated clients never reach the desktop login prompt and each failed guess costs the server far less. This makes brute force attacks much harder to carry out at scale.

  1. Open System Properties: Press the Windows key, type sysdm.cpl and press Enter.
  2. Remote Tab: Click on the Remote tab.
  3. Enable NLA: Check the box “Allow connections only from computers running Network Level Authentication”.

4. Change the RDP Port

The default RDP port (3389) is a common target for attackers. Changing it keeps the listener off the port that automated scanners and bots check by default, which makes your system less visible to opportunistic attacks.

  1. Open Registry Editor: Press the Windows key, type regedit and press Enter.
  2. Navigate to RDP Port Key: Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.
  3. Change Port Number: Find the “PortNumber” value (a DWORD; select Decimal in the edit dialog so the number you type is read in decimal format). Change it to a different port number (e.g., 50000). You’ll need administrator privileges.
  4. Restart RDP Service: Open Command Prompt as an Administrator and run
    net stop "Remote Desktop Services" && net start "Remote Desktop Services"
    Restarting the service disconnects any active RDP sessions, so do this from the console or another out-of-band session.

  5. Firewall Rule: Update your firewall to allow connections on the new port.

Warning: Changing the RDP port is security through obscurity and shouldn’t be relied upon as a primary defense.

5. Limit Access by IP Address

Only allow RDP access from trusted IP addresses.

  1. Open Windows Defender Firewall with Advanced Security: Press the Windows key, type wf.msc and press Enter.
  2. Inbound Rules: Click on “Inbound Rules” in the left pane.
  3. Find RDP Rule: Locate the rule for Remote Desktop (usually named something like “Remote Desktop – User Mode (TCP-In)”).
  4. Properties: Right-click and select “Properties”.
  5. Scope Tab: Go to the “Scope” tab.
  6. Local IP Addresses: Add the specific IP addresses or address ranges that are allowed to connect via RDP. Remove any broad allow rules (e.g., Any IP Address).
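The four configuration steps above (lockout policy in section 1, NLA in section 3, the optional port change in section 4 and the firewall scope in section 5) can be audited and applied from an elevated PowerShell session. The script below is an added example, not part of the original post. It assumes a standalone or workgroup host (on a domain, the lockout policy comes from Group Policy and the net accounts call is ignored), an English-locale net accounts output for the audit parser, and placeholder values for the allowed management subnet (10.0.0.0/24) and the alternative port. Note that the firewall restriction is applied to the rule's remote (source) address list, which is the list that decides which clients may connect; this is the -RemoteAddress parameter of Set-NetFirewallRule.

```powershell
# Added example (not from the original post): audit and apply the RDP hardening
# steps from sections 1, 3, 4 and 5. Run in an elevated PowerShell session.
# Placeholders (constructed, replace for your environment): 10.0.0.0/24, port 50000.

$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-LockoutPolicy {
    # Section 1: read the local lockout policy from `net accounts`.
    # Assumption: English-locale output (the labels below are matched literally).
    $text  = net accounts
    $parse = { param($label) ($text | Where-Object { $_ -match "^$label" }) -replace '.*:\s*', '' }
    [pscustomobject]@{
        Threshold      = & $parse 'Lockout threshold'
        DurationMin    = & $parse 'Lockout duration \(minutes\)'
        ObservationMin = & $parse 'Lockout observation window \(minutes\)'
    }
}

function Get-RdpHardeningState {
    # Collect the current value of every setting this guide changes.
    $tcp = Get-ItemProperty -Path $RdpKey
    [pscustomobject]@{
        NlaRequired   = ($tcp.UserAuthentication -eq 1)          # section 3
        SecurityLayer = $tcp.SecurityLayer                        # 2 = TLS required
        PortNumber    = $tcp.PortNumber                           # section 4 (3389 is the default)
        # Section 5: 'Any' means the built-in rules accept connections from every source
        RemoteScope   = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
                         Get-NetFirewallAddressFilter).RemoteAddress
        Lockout       = Get-LockoutPolicy                         # section 1
    }
}

function Set-RdpHardening {
    param(
        [string[]]$AllowedSources   = @('10.0.0.0/24'),  # placeholder management subnet
        [int]$Port                  = 3389,              # keep 3389 unless clients are updated too
        [int]$LockoutThreshold      = 5,
        [int]$LockoutDurationMin    = 30,                # must be >= the observation window
        [int]$LockoutWindowMin      = 15
    )
    # Section 1: local account lockout policy (ignored on domain members; use GPO there).
    net accounts /lockoutthreshold:$LockoutThreshold /lockoutduration:$LockoutDurationMin /lockoutwindow:$LockoutWindowMin | Out-Null

    # Section 3: require NLA and TLS on the listener.
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $RdpKey -Name SecurityLayer     -Value 2 -Type DWord

    # Section 4 (optional): move the listener, and open the new port for the allowed
    # sources only, before the service restarts. Clients must then connect as host:port.
    if ($Port -ne 3389) {
        Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $Port -Type DWord
        New-NetFirewallRule -DisplayName "RDP custom port $Port" -Direction Inbound `
            -Protocol TCP -LocalPort $Port -Action Allow -RemoteAddress $AllowedSources | Out-Null
    }

    # Section 5: restrict the built-in Remote Desktop rules to the allowed sources.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AllowedSources

    # Registry changes take effect after the service restarts; this drops active sessions.
    Restart-Service -Name TermService -Force
}

# Audit first; apply with Set-RdpHardening once the values above have been reviewed.
Get-RdpHardeningState | Format-List
```

Run the audit before and after applying the changes and keep a console or out-of-band session open while you do it: the service restart at the end and a mistyped source subnet will both cut off your own RDP session.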

6. Monitor Logs

Regularly check event logs for failed login attempts and suspicious activity.

  • Event Viewer: Open Event Viewer (type eventvwr.msc in the Windows search bar).
  • Security Log: Navigate to Windows Logs > Security.
  • Filter for Event IDs: Filter the log for Event ID 4625 (failed login attempt) and 4624 (successful login).
  • Look for Patterns: Investigate any unusual patterns of failed logins from the same IP address or user account.
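The pattern check in the last bullet can be automated. The script below is an added example, not part of the original post: it reads Event ID 4625 records from the Security log, extracts the source address, target account and logon type from the event's XML rather than the rendered message text, and reports any source with more failures than a threshold inside a time window. A set of constructed sample records (not real log data, using the documentation address 203.0.113.7) is included so the detection logic can be exercised without access to a live Security log, and the live query is wrapped so an empty log is not treated as an error.

```powershell
# Added example (not from the original post): detect repeated failed logons per source
# address from Event ID 4625. Reading the Security log requires an elevated session.

function ConvertFrom-Event4625 {
    # Flatten a 4625 event into a record using the EventData XML fields.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            User      = $data['TargetUserName']
            Domain    = $data['TargetDomainName']
            LogonType = [int]$data['LogonType']   # 10 = RemoteInteractive (RDP); with NLA, failures show as 3 (Network)
            SourceIp  = $data['IpAddress']        # '-' when no network source was recorded
            Status    = $data['Status']           # 0xC000006D = bad user/password, 0xC0000234 = account locked out
        }
    }
}

function Find-BruteForceSources {
    # Group failures per source address inside the window and report those over the threshold.
    param(
        [Parameter(ValueFromPipeline)] $Record,
        [int]$Threshold     = 10,
        [int]$WindowMinutes = 60
    )
    begin   { $all = @() }
    process { $all += $Record }
    end {
        $cutoff = (Get-Date).AddMinutes(-$WindowMinutes)
        $all |
            Where-Object { $_.Time -ge $cutoff -and $_.SourceIp -ne '-' } |
            Group-Object SourceIp |
            Where-Object { $_.Count -ge $Threshold } |
            ForEach-Object {
                [pscustomobject]@{
                    SourceIp  = $_.Name
                    Failures  = $_.Count
                    Users     = ($_.Group.User | Sort-Object -Unique) -join ','
                    FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
                    LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
                }
            } | Sort-Object Failures -Descending
    }
}

# Constructed sample records (not real log data): twelve failures against rotating
# admin accounts from one external address, plus a single typo from an internal host.
$sample = 1..12 | ForEach-Object {
    [pscustomobject]@{ Time = (Get-Date).AddMinutes(-$_); User = "admin$($_ % 3)"; Domain = 'WORKGROUP'
                       LogonType = 3; SourceIp = '203.0.113.7'; Status = '0xC000006D' }
}
$sample += [pscustomobject]@{ Time = Get-Date; User = 'alice'; Domain = 'CORP'; LogonType = 10
                              SourceIp = '10.0.0.5'; Status = '0xC000006D' }
$sample | Find-BruteForceSources -Threshold 10 | Format-Table -AutoSize

# Live query: 4625 events from the last 24 hours. Get-WinEvent throws when nothing
# matches, so an empty result is turned into an empty list instead of an error.
$since = (Get-Date).AddHours(-24)
$live = try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction Stop |
        ConvertFrom-Event4625
} catch { @() }
$live | Find-BruteForceSources -Threshold 10 -WindowMinutes 1440 | Format-Table -AutoSize
```

Grouping on the source address rather than the account is what separates a brute force run from a user mistyping a password: one address cycling through many usernames stands out even when no single account crosses the lockout threshold. The Status field is worth keeping in the output, since a shift from bad-password failures to account-locked-out failures shows that the lockout policy from section 1 is doing its job.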