cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Brute Force RDP

SOLVED
Getting noticed

Brute Force RDP

Hi Everyone,

 

I have a 1:1 NAT setup for my outside users to login to my remote desktop server. Recently I notice some Brute Force attack to that server. Any best practice anyone can share to prevent this? 

 

Here is what I did so far....

 

- Layer 7 group policy to only allow 1 country ( still some attack coming within that country)

- Complex username / password ( users hate the complexity but a lot harder for a dictionary attack )

- ideally, I could set up only allow trusted IP but most clients do not have static IP / VPN.

 

So anyway within MX that allows me to set maximum connection retry within 1 hours to prevent brute force etc?

Any good 3rd party 2fa solution I could use?

 

Thanks in advance..

1 ACCEPTED SOLUTION

Accepted Solutions
Kind of a big deal

Re: Brute Force RDP

The RDP brute force password tools are every good.  The last one I tested didn't even cause event log entries to be generated.  After I tested that tool I don't like my clients exposing RDP directly to the Internet anymore.

 

You could consider using an RDP gateway.

 

Duo is really good for 2FA.

View solution in original post

8 REPLIES 8
Kind of a big deal

Re: Brute Force RDP

The RDP brute force password tools are every good.  The last one I tested didn't even cause event log entries to be generated.  After I tested that tool I don't like my clients exposing RDP directly to the Internet anymore.

 

You could consider using an RDP gateway.

 

Duo is really good for 2FA.

View solution in original post

Getting noticed

Re: Brute Force RDP

Thanks PhilioDath as usual for your quick and useful solution... Do i need a RDP gateway if i need to do 2fa since i only have 1 TS?
Kind of a big deal

Re: Brute Force RDP

With 1 TS I would personally go for Duo 2FA as my first choice.

Highlighted
Kind of a big deal

Re: Brute Force RDP

+1 on the MFA suggestion. 

 

This reminds me of an issue we had at one point.  In one of the environments where I consulted they used O365 e-mail which auth'd against the AD.  Their AD GPO was configured to lock for 15 minutes after 5 unsuccessful login attempts.  Some external user was trying to guess/brute one of our users accounts through the OWA platform and kept locking out that users account.  It occurred to me that it would also be hard to protect against this.  Effectively it resulted in a Denial of Service on that user's account.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
Kind of a big deal ww
Kind of a big deal

Re: Brute Force RDP

isn't it possible to use cliënt vpn and then allow that vpn subnet to your rdp server

Getting noticed

Re: Brute Force RDP

I rather catch a cobra with my bare hand then setting up Meraki client vpn on hundreds of ever changing client. 🤣🤣🤣.. Hopefully 1 day Meraki will create a painless VPN app like Anyconnect.. 😁
A model citizen

Re: Brute Force RDP

+1 for RDP Gateway and using Duo for 2FA


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂
New here

Re: Brute Force RDP

Why is it that Meraki doesn't have the ability to block these attacks? You will see them on any RDS server that's exposed to the internet. Usually anywhere from several to dozens of attempts per minute from the same IP address. There should be a mechanism to block this behavior regardless of the targeted port or protocol. 

 

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.