
I'm running some Windows servers which seem to be getting a lot of attempts to brute force the terminal services account. I've changed the administrator account name etc., but is there a way to block or tarpit multiple attempts to log into a remote or terminal service connection on a Windows server?

Scott Pack
Adrian Brown

1 Answer


There is no way to do this built in to Windows as far as I am aware. Your best bet is to change the RDP port to something non-standard (most RDP worms will simply target 3389) and, if possible, restrict RDP connections to VPN clients only.

You can change the RDP port in the registry at:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

Josh Atkins
  • I considered this, but it won't stop all scripts as they will sniff out the port. It will certainly stop some BF attempts. – Adrian Brown Jan 19 '12 at 11:10
  • You're correct in that sense but you will find the vast majority of brute force attempts will be from RDP worms. It's certainly not harmful to do so. Consider the time/overhead of scanning 65,535 ports looking for your RDP port just so it can try and brute force it and then multiply it by a couple of million hosts; almost all worms just don't do it. It's not worth it. No 3389? Move along, someone else will. – Josh Atkins Jan 19 '12 at 11:12
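
The two measures from the answer above (moving the RDP listener off 3389 and accepting RDP only from VPN clients), applied together in PowerShell. This is an added example, not part of the original answer. It assumes Windows Server 2012 or later (for the NetSecurity and NetTCPIP cmdlets), that Windows Firewall is the filtering layer in use, and that the port number and VPN subnet shown are constructed placeholders to replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added example: values below are constructed placeholders, not from the original post.
$NewPort   = 33890            # assumed new RDP port
$VpnSubnet = '10.8.0.0/24'    # assumed address range handed out to VPN clients
$RdpKey    = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Refuse ports that are out of range or already have a listener.
if ($NewPort -lt 1024 -or $NewPort -gt 65535) {
    throw "Pick a port between 1024 and 65535."
}
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    throw "Port $NewPort already has a listener on this host."
}

$OldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Write-Host "Current RDP port: $OldPort"

# Open the new port to VPN clients only, before the listener moves,
# so there is never a window where RDP is reachable from any address.
New-NetFirewallRule -DisplayName "RDP $NewPort (VPN clients only)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -RemoteAddress $VpnSubnet -Action Allow | Out-Null

# Move the listener by rewriting the PortNumber value named in the answer.
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

# The built-in "Remote Desktop" rule group allows 3389 from anywhere; turn it off.
# (The group name is localized on non-English installations.)
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# The new port takes effect when the Remote Desktop Services service restarts.
# This drops existing RDP sessions, including your own.
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 3

# Confirm the listener is on the new port and the old one is gone.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $OldPort, $NewPort } |
    Select-Object LocalAddress, LocalPort, State
```

Run it from the console or an out-of-band session rather than over RDP, since the service restart disconnects RDP users and the old port stops answering.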