Results 1 to 3 of 3

Thread: Rdp ips

  1. #1
    Newbie
    Join Date
    Oct 2010
    Posts
    1

    Default Rdp ips

    There was a previous post about this:
    forums.untangle.com/intrusion-prevention/15751-rdp-remote-desktop.html

    Remote Desktop Intrusion Prevention:

    I "THINK" that the 'hackers' are using a 'script' to send username/passwords to the RDP Session using the 'client-side' authentication process.

    With this 'theory' in mind; the 'hacker' is opening and closing RDP sessions for each user/password attempt.

    Can we set a IPS limiter of 10 connect/reconnect events within a 5 minute span to set off an IPS block?

  2. #2
    Master Untangler richie's Avatar
    Join Date
    Apr 2007
    Posts
    396

    Default

    i think you can do this via GPO / local security policy by creating account lockout and login to terminal services restriction.

  3. #3
    Master Untangler Louisd's Avatar
    Join Date
    Jan 2008
    Location
    Montreal, QC
    Posts
    168

    Default

    You can also use a higher port number, say 53389, and create a port forward rule. You access your remote desktop by adding ":53389" (without quotes, of course) after the address that you normally use. I did something similar, with a different port number, and I since had virtually no attempts to connect. Couple that with a local policy to lock a user account with 10 failed attempts and you are quite safe. I personnaly did not bother with the lock rule, once I saw that connexion attempts essentially ceased.

    LD

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

SEO by vBSEO 3.6.0 PL2