Win Server 2008 RDP Attack

Question

On one of my machines I run Win 2008 R2 server. It has been recently updated. My RDP session is limited to my IP address only and firewall is UP. Even though the main RDP post 3389 is blocked by firewall ( IP restricted) I am getting 1000's of attempts to break in on range of different ports from 1012 to 63000. I attached the snapshot of the issue. I am getting 1000's of every day so my log file fills up pretty quick.

I am not an expert on win Servers and all I can do at this point is to ad the culprit's IP address to blocked IP's in my firewall. But the IP changes after 500 attempts regularly. My question is, how do I prevent this so I do not have to monitor this server every day? Any help appreciated.

Below is the copy of the event details one of many hack attempts:

EventData 

  SubjectUserSid S-1-5-18 
  SubjectUserName MyServer12$ 
  SubjectDomainName WORKGROUP 
  SubjectLogonId 0x3e7 
  TargetUserSid S-1-0-0 
  TargetUserName administrator 
  TargetDomainName MyServer12 
  Status 0xc000006d 
  FailureReason %%2313 
  SubStatus 0xc000006a 
  LogonType 10 
  LogonProcessName User32  
  AuthenticationPackageName Negotiate 
  WorkstationName MyServer12 
  TransmittedServices - 
  LmPackageName - 
  KeyLength 0 
  ProcessId 0x3114 
  ProcessName C:\Windows\System32\winlogon.exe 
  IpAddress 27.151.120.145 
  IpPort 1214 

Answer 1

There are a few items in addition to what you've written that I would add.

1. Rename your admin account - Yes this might be a pain in the ass (especially if you've got services using the domain admin account) however this is a commonly attempted brute force username. Rename this account to something ambiguous that won't easily be guessed.
2. Don't use common names for accounts - If you audit the security logs you'll notice that a good chunk of the login names are common names (Administrator, admin, sql, sa, besadmin, guest, etc). Ensure that you are either not using these usernames, or if you need to use the username ensure it doesn't have the rights to logon to your remote desktop server
3. Enforce an Account Lockout Policy - With your administrator account renamed and your other service accounts renamed or not given access to the remote server, this will disable someone's attempt to login with that username. Make sure you set this as a local policy on the remote server and not a domain policy. Users will attempt the wrong password with your account for X amount of tries, get locked out and move on to the next IP address.
4. Investigate TS Gateway - TS Gateway allows for your RDP sessions to connect to your network via the standard SSL port of TCP 443. This will allow you to completely shut off port 3389 from the outside world. The one pitfall I've found with this technology is there is no free Mac RDP client that will allow you to utilize TS Gateway so if you have Macs you'll either need to pay for the client or disrergard TS Gateway.
5. Windows SSHD_Block - A talented SysAdmin by the name of Evan Anderson wrote a nice little VBScript that will block IPs attempting to Brute Force your Terminal server. Check it out HERE

Hope these little tips and tricks help you secure your network.

Answer 2

...Wow, I did not expect that no one would be able to answer my question. I searched through many sources and came up with following:

1. I make sure my server login password meets complexity requirements (below) and it at least 10 char long.

   English uppercase characters (A through Z).
   English lowercase characters (a through z).
   Base 10 digits (0 through 9).
   Non-alphabetic characters (for example, !, $, #, %).
   

2. Some things meant to be changed, some ignored. If my RDP connection is already restricted to my IP address only, the chance someone will break in through the port 3389 is less than slim.

   It is a good idea to set one more allowed trusted IP address in the firewall rules in case my local IP address changes. (happens all the time, ISP providers often re-assign new IP addresses after some time) This way I still have a chance to RDP log in.

3. The IpPort 1214 (Source Port) or other ports between 1012 to 63000 or more are not the ports of the 2008 Server but they are the ports of the host computer which tried to log-in, so I am not being attacked on those ports! The only port under the attack is the firewalled 3389 (RDP port).

4. to prevent my security event log from filling up, I open Server Manager -> Diagnostics -> Event Viewer -> Windows Logs -> Security and click properties.

In Properties (under General Tab) I keep the box "Enable Logging" checked and select "Overwrite events As Needed". Also I can lower the maximum log size to 500kb or so to keep some log records.

That's it :) That seems to be the best solution. If you have a better one, please post it.

Answer 3

It's always a good idea to have a strict password policy.

Also a account lockout policy is a good thing. The main problem with account lockout policies is that if someone knows the name standard for your users, it's far too easy to cause a DOS attack simply by locking out the user accounts by logging in with wrong passwords and that can be a problem if someone's out to cause problems for you.

There's also a software called Syspeace that automatically traces, blocks and reports every brute force attempt and I think it's really easy to use with its GUI.

(Dislosure - my company sells this software)