Hi Everyone,
I have a 1:1 NAT setup for my outside users to log in to my remote desktop server. Recently I noticed some brute-force attacks on that server. Any best practice anyone can share to prevent this?
Here is what I have done so far...
- Layer 7 group policy to only allow 1 country (still some attacks coming from within that country)
- Complex username / password (users hate the complexity, but it makes a dictionary attack a lot harder)
- Ideally, I could set it up to only allow trusted IPs, but most clients do not have a static IP / VPN.
So, is there anything within the MX that allows me to set a maximum number of connection retries within 1 hour to prevent brute force, etc.?
Any good 3rd-party 2FA solution I could use?
Thanks in advance..
The RDP brute-force password tools are very good. The last one I tested didn't even cause event log entries to be generated. After I tested that tool, I don't like my clients exposing RDP directly to the Internet anymore.
You could consider using an RDP gateway.
Duo is really good for 2FA.
With 1 TS I would personally go for Duo 2FA as my first choice.
+1 on the MFA suggestion.
This reminds me of an issue we had at one point. In one of the environments where I consulted, they used O365 e-mail which auth'd against the AD. Their AD GPO was configured to lock for 15 minutes after 5 unsuccessful login attempts. Some external user was trying to guess/brute-force one of our users' accounts through the OWA platform and kept locking out that user's account. It occurred to me that it would also be hard to protect against this. Effectively it resulted in a denial of service on that user's account.
Isn't it possible to use client VPN and then allow that VPN subnet to your RDP server?
+1 for RDP Gateway and using Duo for 2FA
Why is it that Meraki doesn't have the ability to block these attacks? You will see them on any RDS server that's exposed to the internet. Usually anywhere from several to dozens of attempts per minute from the same IP address. There should be a mechanism to block this behavior regardless of the targeted port or protocol.
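Added example, not code from the thread, from Meraki or from Microsoft: nobody in the thread found a per-hour retry counter on the MX, so the closest practical equivalent is to count failed logons on the RDS host itself and feed the result back into firewall rules. The script below runs a sliding-window counter over Windows Security event 4625 (logon failure) records and reports two things the thread cares about: source IPs that exceed a "max retries per hour" threshold (the original question, and the "dozens of attempts per minute from the same IP" observation), and accounts that are being failed often enough to trip a 5-in-15-minutes lockout policy (the denial-of-service case in the OWA story). The CSV export format (`timestamp,event_id,target_user,source_ip,logon_type`) and all the events are constructed assumptions; real data would come from `Get-WinEvent` or a SIEM export. As the accepted answer notes, a tool that generates no event log entries is invisible to this kind of check.

```python
# Added example (not from the thread, Meraki or Microsoft).
# Sliding-window brute-force detection over Windows Security 4625 events.
# Assumed input: one event per line, 'timestamp,event_id,target_user,source_ip,logon_type'.
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_log() -> list[str]:
    """Constructed sample data (not real logs) covering the cases discussed in the thread."""
    t0 = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    # 1) password spray from one source: 25 failures across 7 usernames, one every 90 s.
    #    Spread across accounts, it never reaches 5 failures on any single account
    #    inside 15 minutes, so a per-account lockout policy does not fire.
    for i in range(25):
        ts = t0 + timedelta(seconds=90 * i)
        lines.append(f"{ts.isoformat()},4625,user{i % 7},203.0.113.7,10")
    # 2) a legitimate user mistyping a password three times (must not be flagged).
    for i in range(3):
        ts = t0 + timedelta(minutes=5, seconds=20 * i)
        lines.append(f"{ts.isoformat()},4625,jsmith,198.51.100.20,10")
    # 3) a second source hammering a single account: 6 failures in two minutes.
    #    Too few to hit a per-source hourly threshold, but enough to lock the account
    #    out, i.e. the denial-of-service case from the thread.
    for i in range(6):
        ts = t0 + timedelta(minutes=30, seconds=20 * i)
        lines.append(f"{ts.isoformat()},4625,jsmith,192.0.2.55,10")
    # 4) a successful logon (4624) that the parser must ignore.
    lines.append(f"{(t0 + timedelta(minutes=40)).isoformat()},4624,jsmith,198.51.100.20,10")
    return lines


def parse_events(lines: list[str]) -> list[dict]:
    """Keep only 4625 (logon failure) records, sorted by time."""
    events = []
    for line in lines:
        ts, event_id, user, ip, logon_type = line.strip().split(",")
        if event_id != "4625":
            continue
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "ip": ip,
            "logon_type": int(logon_type),  # kept so callers can filter, e.g. on type 10 (RDP)
        })
    events.sort(key=lambda e: e["time"])
    return events


def find_offenders(events: list[dict], key: str, threshold: int, window: timedelta) -> dict:
    """Return {key_value: time the threshold was first reached} for every value of
    `key` ('ip' or 'user') that accumulates `threshold` failures inside any span of
    length `window`. One deque per key holds only the timestamps still in the window."""
    recent: dict[str, deque] = defaultdict(deque)
    hits: dict[str, datetime] = {}
    for ev in events:
        k = ev[key]
        q = recent[k]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and k not in hits:
            hits[k] = ev["time"]
    return hits


def analyze(lines: list[str],
            per_source: int = 20, source_window: timedelta = timedelta(hours=1),
            per_account: int = 5, account_window: timedelta = timedelta(minutes=15)) -> dict:
    """Two views of the same failures: sources to block at the firewall, and accounts
    at risk of being locked out by an attacker (the lockout policy turned into a DoS)."""
    events = parse_events(lines)
    by_ip = find_offenders(events, "ip", per_source, source_window)
    by_user = find_offenders(events, "user", per_account, account_window)
    return {
        "block_sources": {ip: t.isoformat() for ip, t in by_ip.items()},
        "lockout_risk": {user: t.isoformat() for user, t in by_user.items()},
    }


if __name__ == "__main__":
    result = analyze(constructed_log())
    print("sources exceeding 20 failures/hour:", result["block_sources"])
    print("accounts reaching 5 failures/15 min:", result["lockout_risk"])
```

The two thresholds are deliberately independent: the spraying source trips the per-IP hourly limit without ever locking an account, while the single-account attacker locks the account without ever tripping the per-IP limit. Blocking the IPs in `block_sources` (for example via a deny rule on the MX for the forwarded RDP port) stops the first; only something like an RDP gateway with MFA, or a VPN in front of RDP, removes the second, because a per-account lockout policy will always let an outsider deny service to a known username.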