Discovered that some nefarious hacker is trying a brute force Remote Desktop attack to a Windows Server belonging to a customer of ours. They are working their way though various username and password combinations in the hope that one of them will work. Here’s what we found, and how we resolved it.
The Remote Desktop Attack Scenario
While onsite at a customer location we reviewed the server Event Logs and discovered multiple login attempts to the server.
Here’s what we saw under the Security section of the Windows Event Logs:
See all those Audit Failures, and look at the times; there’s 11 login attempts in two minutes. We saw over 100 attempts in a few hours of that morning.
That many attempts in that short period of time means that this is likely an automated bot looking for open RDP ports (all connections are trying port 3389, the default RDP port). This is commonly referred to as a Brute Force attack. The goal is to try as many username/password combinations as possible in the hope that one will work.
Open one of the audit failure records and you see login names like: staff, admin, fronttest, server, administrator, reception, reception2, etc. It’s obvious this isn’t a legitimate request.
Secure Your Server
If a hacker manages to figure out your credentials and establish a Remote Desktop login to your server then you no longer own the server. They can install malicious software and potentially lock you out of the administration. This is a very bad scenario, you must take steps to ensure it never happens.
Here’s three server options to beef up security and help fend off these kinds of Remote Desktop attacks. You should probably do them all, we have.
1 – Disable and do not use Admin or Administrator as a server login
It is well documented to use something other than the default Administrator account on a server. Microsoft tells you how to disable it. The reason you want to disable it is that if hackers know the username all they have to focus on is guessing the password.
Set up a new administrator account with a different cryptic name and now they have to guess both the username and the password – much more difficult. Make sure your domain administrator account is also something different.
2 – Change the RDP Port to something other than 3389
This may or may not help you, as automated bots may be looking for any open port numbers, however it is easy to change the RDP port. Now when you connect remotely you just need to add the port number after the name or IP address, such as: 192.168.168.168:3391.
(Make sure you change the Windows Firewall and your router fowarding table to match the new port number)
3 – Block access via Windows Server Firewall
The Windows Server firewall is good, and very granular. Set up an Inbound Firewall rule on the server and call it something like RDP Hacking Block. Under the scope tab you can add the IP addresses that you want to deny access to. You should be able to find these IP addresses from the logs of your router.
Secure Your Router
If you can, try to block these incoming connections right at the edge of your network. Use your router firewall to block incoming IP’s.
Most routers will have a firewall capabilities these days. Using the logs, find inbound IP addresses using port 3389 and record them. Now deny those IP addresses in the router firewall.
The log may look something like this:
These days security is more important than ever, and attacks come at you from many angles.
Focus on security up front, and always be watching and monitoring to catch potential issues early.