Brute force RDP attacks depend on your mistakes

Summary: Kaspersky reports that brute force attacks against RDP servers are on the rise. But they don't work unless you have done a poor job securing your server.

TOPICS: Security

Kaspersky Lab has added generic protection for an attack form they say is on the rise: brute force RDP attacks.

RDP stands for Remote Desktop Protocol and is the protocol for Windows Remote Desktop and Terminal Server. It is sometimes used for remote user access to servers, but very commonly used for remote administrator access. RDP "remotes" the Windows UI, allowing a remote user with an RDP client to log into Windows and use it as if local.

A brute force RDP attack scans IP ranges for systems listening for RDP (TCP port 3389 by default, though it can be moved to another port), which could be either client or server systems. Once an attacker finds an RDP server, they attempt to log on repeatedly with guessed passwords, particularly as Administrator. The IDS in Kaspersky products will now detect this type of attack as Bruteforce.Generic.RDP.
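What the pattern looks like from the defender's side, as an added example that is not code from the article or from Kaspersky: every failed logon on a Windows host is recorded as Security event ID 4625, and RDP logons carry LogonType 10 (RemoteInteractive), so a short burst of 4625/LogonType 10 events from one source address against Administrator is the attack this article describes. The threshold and window values, the function names and the sample records below are assumptions made for the example.

```powershell
# Added example, not from the ZDNet article or Kaspersky.
# Flag RDP brute-force candidates: N or more failed RDP logons from one
# source address within a sliding time window. Threshold/window are assumptions.

function Find-RdpBruteForce {
    param(
        # Objects with TimeCreated, IpAddress, TargetUserName, LogonType
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 10,                          # failures per source within $Window
        [timespan] $Window = [timespan]::FromMinutes(5)
    )
    $alerts = @()
    # LogonType 10 = RemoteInteractive (RDP). Note: when NLA is on, some failures
    # are logged with LogonType 3 instead, so widen the filter if you rely on NLA.
    $rdpFailures = $Events | Where-Object { $_.LogonType -eq 10 }
    foreach ($group in ($rdpFailures | Group-Object -Property IpAddress)) {
        $times = @($group.Group | Sort-Object -Property TimeCreated | ForEach-Object { $_.TimeCreated })
        for ($i = 0; ($i + $Threshold - 1) -lt $times.Count; $i++) {
            # Any $Threshold consecutive failures that fit inside $Window trigger one alert
            if (($times[$i + $Threshold - 1] - $times[$i]) -le $Window) {
                $alerts += [pscustomobject]@{
                    IpAddress = $group.Name
                    Failures  = $group.Count
                    Accounts  = (($group.Group | ForEach-Object { $_.TargetUserName }) | Sort-Object -Unique) -join ','
                    First     = $times[0]
                    Last      = $times[-1]
                }
                break
            }
        }
    }
    return $alerts
}

# Reads real 4625 events from the local Security log (needs administrative rights)
# and shapes them into the objects Find-RdpBruteForce expects.
function Get-FailedLogons {
    param([datetime] $Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                IpAddress      = $data['IpAddress']
                TargetUserName = $data['TargetUserName']
                LogonType      = [int]$data['LogonType']
            }
        }
}

# Constructed sample data (assumed addresses): one source hammering Administrator
# every 3 seconds, plus a single mistyped password from a legitimate user.
$t0 = [datetime]'2014-01-01T03:00:00'
$sample = @()
for ($i = 0; $i -lt 12; $i++) {
    $sample += [pscustomobject]@{ TimeCreated = $t0.AddSeconds(3 * $i); IpAddress = '198.51.100.23'; TargetUserName = 'Administrator'; LogonType = 10 }
}
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(2); IpAddress = '192.0.2.10'; TargetUserName = 'alice'; LogonType = 10 }

# Expect exactly one alert, for 198.51.100.23 (12 failures in 33 seconds); alice is ignored.
Find-RdpBruteForce -Events $sample | Format-Table -AutoSize

# On a live host: Find-RdpBruteForce -Events (Get-FailedLogons) | Format-Table -AutoSize
```

The sliding window matters: counting failures per day would also catch a user who forgets a password, while the burst rate is what distinguishes a scanner from a person. A slow attacker who stays under the threshold is not caught by this check, which is one reason the account lockout and source restrictions discussed below are the real fix rather than detection alone.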

As Kaspersky says, a successful RDP attack against a server has the potential to be quite lucrative. But even as they call it a "brute force" attack, the Kaspersky account overstates its sophistication. Very simple and obvious actions on your part can prevent this attack from having any success:

  • Use complex passwords, especially for accounts with administrator access
  • Consider disabling the Administrator account and using a different account name for that access
  • Set the system to lock a user out for a period of time after some number of failed login attempts. The group policies for this (Account lockout threshold, Account lockout duration and Reset account lockout counter after) have been in Windows for a long time
  • Require two-factor authentication, especially for administrator access
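The list above, applied to a standalone Windows host from an elevated PowerShell prompt, as an added example that is not from the article. On a domain the same settings belong in Group Policy (Account Lockout Policy, and the "Rename administrator account" security option) rather than in a script. Two-factor authentication depends on an external provider and is not a one-liner, so it is left out. The lockout values, the new administrator name and the 203.0.113.0/24 management range are assumptions; the final two settings (Network Level Authentication and restricting the firewall rule to a management network) go beyond the article's list, since the comments below point out that exposing RDP to the whole Internet is the underlying mistake.

```powershell
# Added example, not from the ZDNet article. Run elevated on the RDP host.
# Values are assumptions; pick ones that match your own policy.

# 1. Account lockout: 5 failures within 15 minutes locks the account for 15 minutes.
#    (Same settings as the Account Lockout Policy group policies.)
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15

# 2. Take the well-known Administrator name out of the attacker's wordlist.
#    The built-in account keeps its RID 500 SID no matter what it is called.
Rename-LocalUser -Name 'Administrator' -NewName 'ops-admin-local'   # assumed name

# 2b. Or disable it outright and use a separate named admin account for remote access.
#     Create and test that other account before running this line.
Disable-LocalUser -Name 'ops-admin-local'

# 3. Require Network Level Authentication so credentials are checked before a full
#    RDP session is built (beyond the article's list).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                 -Name 'UserAuthentication' -Value 1 -Type DWord

# 4. Only accept RDP from the management network (assumed range), not from anywhere.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress '203.0.113.0/24'

# 5. Verify the result.
net accounts
Get-LocalUser | Where-Object { $_.SID -like '*-500' } | Select-Object Name, Enabled
Get-ItemPropertyValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'UserAuthentication'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

One caveat a practitioner should keep in mind: a lockout threshold means an attacker who knows a valid user name can lock that user out on purpose, so step 4 (limiting who can even reach port 3389) is what keeps the lockout policy from turning into a denial of service against your own administrators.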

These guidelines are best practice for many reasons, not just to block brute force attacks, and they are good general advice against brute force attacks of any kind, not just those against RDP. As the Kaspersky story says, last year there was a major brute force campaign of this type against WordPress accounts. It was so intense that it was effectively a DDoS. Good password and account lockout policies can't stop a DDoS, but they can stop a brute force login attack.

Talkback

8 comments
  • Use an IPsec policy that requires certificate auth on port 3389

    Again, standard feature in Windows since 2000 and can be managed via Group Policy as well.
    greywolf7
    • Lockout policy is good

      but you get locked out too. Rather annoying; talk about DDOS.
      LarsDennert
  • VPN?

    Don't most places only do RDP behind a VPN?
    Buster Friendly
    • VPN!

      RDP without VPN isn't very smart at all. When I begin any contract involving a firewall it's one of the first things I look for as a security hole. Sure enough, last place I started at it had an RDP IP forwarding to the DOMAIN CONTROLLER! Ouch.
      wontonotnow
      • belt and suspenders

        RDP itself is encrypted by default, but it doesn't hurt to use a VPN
        larry@...
      • you mean just let them have access to the whole network over vpn

        Rather than just the applications they need... that's so last century. :-)
        greywolf7
        • Who said that?

          Who said let the VPN logins access everything? We're only talking about remote RDP.
          Buster Friendly
      • What do you mean?

        What do you mean it's not smart at all? You wouldn't have an RDP forwarded to a domain controller if you were first signing into a VPN. That's the whole point of using the VPN: to add a level of protection to those services.
        Buster Friendly