Securing RDP against brute force and dictionary attacks
Windows administration can be a pain. Many administrators need remote access to their servers, some of which sit in insecure network environments, and they need to secure that access against unauthorized logins. Unauthorized login attempts are one of the most significant threats to Windows servers.
Some admins have used scripts that read the Windows event log on a regular schedule, look for security event ID 4625 (logon failed), and automatically configure the Windows Firewall with a netsh script to block the originating IP address. Unfortunately, these admins run into two issues:
- When TLS/SSL is used for protocol encryption, Windows does not log the IP address of the client from which the unsuccessful login came
- Even if they got an IP address out of the event log, that address remained blocked indefinitely, which could interrupt service for valid users who simply made a typo or had Caps Lock enabled
Cyberarms provides a remote desktop security agent that catches unsuccessful remote desktop logins directly on the network layer, so it does not rely solely on the Windows event log. It also uses lock durations to release a blocked client IP address after a given time frame.
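The following PowerShell script is an added example of the event-log approach described above, with a lock duration added so that blocks expire; it is not Cyberarms' code and not part of the original page. It assumes it runs elevated on a Windows Server with the NetSecurity module (Windows Server 2012 or later) and uses New-NetFirewallRule in place of netsh; the rule-name prefix, threshold and durations are illustrative values chosen for the example. It skips event 4625 entries whose source address is missing ("-"), which is exactly the gap the text describes for TLS/SSL-protected sessions: those failures cannot be attributed to an address, so the script cannot block them.

```powershell
# Added example (not Cyberarms' code): scheduled-task style script that implements the
# event-log approach described above, with a lock duration so that blocks expire.
# Assumptions: runs elevated on Windows Server with the NetSecurity module;
# the values below are illustrative.

$Threshold   = 5                  # failed logons from one IP within the window before blocking
$WindowMin   = 10                 # look-back window for event ID 4625, in minutes
$LockMinutes = 30                 # lock duration: how long a blocked IP stays blocked
$RulePrefix  = 'RdpAutoBlock-'    # hypothetical prefix used to recognise this script's own rules

function Get-FailedLogonSources {
    # Returns a hashtable of source IP -> failure count from Security event 4625.
    $since  = (Get-Date).AddMinutes(-$WindowMin)
    $counts = @{}
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $ip  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        # Issue 1 from the text: for TLS/SSL-protected sessions the address is missing ("-"),
        # so the failure cannot be attributed and is skipped rather than blocked blindly.
        if ([string]::IsNullOrWhiteSpace($ip) -or $ip -eq '-' -or $ip -eq '::1' -or $ip -eq '127.0.0.1') { continue }
        $counts[$ip] = 1 + [int]$counts[$ip]
    }
    return $counts
}

function Block-Source {
    param([string]$Ip)
    $name = "$RulePrefix$Ip"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return }   # already blocked
    $expires = (Get-Date).AddMinutes($LockMinutes).ToString('o')
    # The expiry is stored in the rule description so a later run can release the lock.
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block -RemoteAddress $Ip `
                        -Profile Any -Description "expires=$expires" | Out-Null
    Write-Output "Blocked $Ip until $expires"
}

function Remove-ExpiredBlocks {
    # Issue 2 from the text: release locks after the lock duration instead of leaving them forever.
    $now = Get-Date
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Description -match '^expires=(.+)$') {
            $expires = [datetime]::Parse($Matches[1], $null, [System.Globalization.DateTimeStyles]::RoundtripKind)
            if ($expires -le $now) {
                Write-Output "Releasing $($_.DisplayName)"
                $_ | Remove-NetFirewallRule
            }
        }
    }
}

# One run: first release expired locks, then block sources that crossed the threshold.
Remove-ExpiredBlocks
$sources = Get-FailedLogonSources
foreach ($ip in $sources.Keys) {
    if ($sources[$ip] -ge $Threshold) { Block-Source -Ip $ip }
}
```

Run it from a scheduled task every few minutes. Because the lock duration is enforced by the same script that creates the rules, a legitimate user who triggered a block by a typo or Caps Lock regains access after $LockMinutes rather than staying locked out until an administrator intervenes.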
The TLS/SSL security agent for Remote Desktop connections
When TLS/SSL security is used for Remote Desktop connections, Windows does not log the attacker's IP address in the security log entry. This agent therefore also runs on the network layer (like the FTP and SMTP agents). Remote Desktop sessions that use the legacy RDP protocol encryption are handled by the Windows Base Security Agent.