Brute Force RDP

SOLVED
Jack
Getting noticed

Brute Force RDP

Hi Everyone,

 

I have a 1:1 NAT setup for my outside users to login to my remote desktop server. Recently I notice some Brute Force attack to that server. Any best practice anyone can share to prevent this? 

 

Here is what I did so far....

 

- Layer 7 group policy to only allow 1 country ( still some attack coming within that country)

- Complex username / password ( users hate the complexity but a lot harder for a dictionary attack )

- ideally, I could set up only allow trusted IP but most clients do not have static IP / VPN.

 

So anyway within MX that allows me to set maximum connection retry within 1 hours to prevent brute force etc?

Any good 3rd party 2fa solution I could use?

 

Thanks in advance..

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal
Kind of a big deal

The RDP brute force password tools are every good.  The last one I tested didn't even cause event log entries to be generated.  After I tested that tool I don't like my clients exposing RDP directly to the Internet anymore.

 

You could consider using an RDP gateway.

 

Duo is really good for 2FA.

View solution in original post

8 REPLIES 8
PhilipDAth
Kind of a big deal
Kind of a big deal

The RDP brute force password tools are every good.  The last one I tested didn't even cause event log entries to be generated.  After I tested that tool I don't like my clients exposing RDP directly to the Internet anymore.

 

You could consider using an RDP gateway.

 

Duo is really good for 2FA.

Thanks PhilioDath as usual for your quick and useful solution... Do i need a RDP gateway if i need to do 2fa since i only have 1 TS?
PhilipDAth
Kind of a big deal
Kind of a big deal

With 1 TS I would personally go for Duo 2FA as my first choice.

Adam
Kind of a big deal

+1 on the MFA suggestion. 

 

This reminds me of an issue we had at one point.  In one of the environments where I consulted they used O365 e-mail which auth'd against the AD.  Their AD GPO was configured to lock for 15 minutes after 5 unsuccessful login attempts.  Some external user was trying to guess/brute one of our users accounts through the OWA platform and kept locking out that users account.  It occurred to me that it would also be hard to protect against this.  Effectively it resulted in a Denial of Service on that user's account.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
ww
Kind of a big deal
Kind of a big deal

isn't it possible to use cliënt vpn and then allow that vpn subnet to your rdp server

Jack
Getting noticed

I rather catch a cobra with my bare hand then setting up Meraki client vpn on hundreds of ever changing client. 🤣🤣🤣.. Hopefully 1 day Meraki will create a painless VPN app like Anyconnect.. 😁
WadeAlsup
A model citizen

+1 for RDP Gateway and using Duo for 2FA


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂
IT_Bruh
New here

Why is it that Meraki doesn't have the ability to block these attacks? You will see them on any RDS server that's exposed to the internet. Usually anywhere from several to dozens of attempts per minute from the same IP address. There should be a mechanism to block this behavior regardless of the targeted port or protocol. 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels