How to lock down your Windows Server Remote Desktop to defend against brute force attacks

CG - Software Development Director

21/01/20

The WHY you should lock down access

If you are permitting connections to Remote Desktop (whether you realise it or not!), you are an instant target for pests trying to brute force their way in.

They do this because it's all an automated process: they can just sit back, relax, and wait for a notification from their scripts telling them they have gained access.

HOW do I know if I'm being attacked?

Windows Server records all login attempts, successful or not, in the Event Viewer. Windows Event Viewer is a fantastic resource for seeing what is happening on your server; check it out and discover whether you are being brute forced!

Don’t know how to read the event viewer? Scroll to the bottom and check out the video which covers everything in this article in more depth (including how to read the event viewer for signs of brute force login attempts).

Oh crap, I am being attacked, WHAT do I do?!

First ask yourself, do you actually use Remote Desktop?  If not, you have the easiest solution; just disable Remote Desktop, or block the port it uses (port 3389).

If you do need it, fear not: this guide will walk you through restricting access to your IP. Check out the video below to have this shown step by step, but for those averse to watching videos (I'm looking at you @Andy G), follow the steps below.

But wait, a disclaimer… The steps below will walk you through restricting access to a single IP, a list of IPs, or IP ranges. If you lose access to every IP on this list, you will not be able to connect back onto your server! Only proceed if you're happy you have regular and consistent access to the IP you add to the approved list.

On to the steps:

  1. Open up Windows Firewall
  2. Identify your “active profile” (usually Public for online servers!)
  3. Click into “Inbound Rules”
  4. Locate the RDP port rules, narrow down to your “Public” rule and the TCP entry
  5. Double click and load the settings
  6. Select the “Scope” tab
  7. In the lower half box labelled “Remote IP Addresses” click Add
  8. Enter your IP or IP range, click OK
  9. Click Apply to save the changes 
  10. ???
  11. Profit
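
The same scoping change as a PowerShell script, with a guard for the lockout risk from the disclaimer. This is an added example, not from the original article: it uses the built-in NetSecurity and NetTCPIP cmdlets, and the sample addresses, `$AllowedRemote` and the two helper functions are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Addresses are constructed samples
# from the documentation ranges; replace them with your own approved IPs.
$AllowedRemote = @('203.0.113.10', '198.51.100.0/24')

# Render an address as a bit string so prefix matching works for IPv4 and IPv6.
function ConvertTo-BitString([string]$Ip) {
    -join ([System.Net.IPAddress]::Parse($Ip).GetAddressBytes() |
        ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') })
}

# True when $Ip matches a single address or CIDR entry in $Allowed.
# (Hypothetical helper; ranges written "a-b" and keywords are not handled.)
function Test-InAllowList([string]$Ip, [string[]]$Allowed) {
    $ipBits = ConvertTo-BitString $Ip
    foreach ($entry in $Allowed) {
        $net, $len = $entry -split '/'
        $netBits = ConvertTo-BitString $net
        if (-not $len) { $len = $netBits.Length }
        if ($ipBits.Length -eq $netBits.Length -and
            $ipBits.Substring(0, $len) -eq $netBits.Substring(0, $len)) { return $true }
    }
    return $false
}

# Steps 3-4: enabled inbound TCP rules on port 3389 that apply to the Public profile.
$rdpRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and
                   "$($_.Profile)" -match 'Public|Any' }
if (-not $rdpRules) { throw 'No enabled inbound TCP 3389 rule found for the Public profile.' }

# Lockout guard: refuse to continue if a live RDP session comes from outside the list.
$live = Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty RemoteAddress -Unique
$outside = $live | Where-Object { $_ -and -not (Test-InAllowList $_ $AllowedRemote) }
if ($outside) { throw "Active RDP client(s) not in the allow list: $($outside -join ', ')" }

# Steps 5-9: set the Scope tab's "Remote IP Addresses" list, then show the result.
$rdpRules | Set-NetFirewallRule -RemoteAddress $AllowedRemote
$rdpRules | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Profile       = $_.Profile
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    }
}
```

Like the steps, this only touches the TCP entry; if a UDP rule for port 3389 is enabled on your server, scope it the same way.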

And finally…

If you’ve not already seen the video, and want to know a bit more detail on topics covered here, check out the video below.