RDP security/monitor

bekax5

Hello dear friends.

I am looking for some software which can deal with monitoring/managing the Windows RDP.

I am concerned about brute-force attacks, as some of my servers may be targeted.
They are WXP, WS2003, WS2008R2.
Something like RDPGuard would be nice but also freeware.

Thanks in advance!
 
Do you have RDP publicly accessible? If so, look into standing up a RD-Gateway.
 
Yes, it's public at the moment.

Since it should be accessed from various locations.
I have never heard of that, does it protect against brute-force or is it supposed to just add a new layer of security in the connection?
 
> Yes, it's public at the moment.
>
> Since it should be accessed from various locations.
> I have never heard of that, does it protect against brute-force or is it supposed to just add a new layer of security in the connection?

I'm not sure what the "standard" is, but I would never open up RDP to the public. If you have to access it remotely, use a VPN.
 
First thing that came to mind is some sort of IPS that monitors RDP logons or RDP failures and to block after so many failures.
 
> I'm not sure what the "standard" is, but I would never open up RDP to the public. If you have to access it remotely, use a VPN.

Newer RDP is fine exposed to the net, as long as you use a good password. At least 8 chars and complexity.

Now if it's Win2k then don't expose it. However, the new RDP clients have encryption built in already.

It's more secure behind a VPN, but can be done either way.

OP. You could lock down your firewall so that only the required networks (US based) can access RDP, or narrow it down more so that only certain locations can pass through the firewalls to the RDP boxes.
 
> First thing that came to mind is some sort of IPS that monitors RDP logons or RDP failures and to block after so many failures.

Sorry, but what does IPS stand for? :D

This would be my best option for now, but most probably I will use them behind a VPN.
But I would like to give this a try!
 
> Sorry, but what does IPS stand for? :D
>
> This would be my best option for now, but most probably I will use them behind a VPN.
> But I would like to give this a try!

Intrusion Prevention System; a popular open source one is SNORT. But most of the time they are a pain in the ass to set up.
 
> Yes, it's public at the moment.
>
> Since it should be accessed from various locations.
> I have never heard of that, does it protect against brute-force or is it supposed to just add a new layer of security in the connection?

An RD Gateway puts the RDP traffic over standard SSL. This way you only expose port 443 and it looks like standard Internet traffic. This also gives another layer of encryption.

Finally, it provides a single exposed gateway that can have access to many internal machines without opening them all up to the outside individually.
 
I'd vote for a VPN. Even a PPTP tunnel (for ease of setup in windows) would be much better than relying on single Windows password for security.

I threw an RDP server on public port 3389 once - the amount of attempted intrusions was incredible (between 20-200 per second, 90% from China), and it was just on my home connection on a Dynamic IP.
 
> I'd vote for a VPN. Even a PPTP tunnel (for ease of setup in windows) would be much better than relying on single Windows password for security.
>
> I threw an RDP server on public port 3389 once - the amount of attempted intrusions was incredible (between 20-200 per second, 90% from China), and it was just on my home connection on a Dynamic IP.

That is why you do a full IP block for China.
 
> That is why you do a full IP block for China.

That's all well and good, but a European or North American proxy isn't a big cost. Which is where I assume the other 10% come from.

"Blocking China" isn't for security, it's to decrease traffic.
 
Well, after reading for a little bit, do you guys use any Intrusion Detection software?

I would be interested in some which could protect RDP, SSH, FTP, Telnet, and those kinds of services.
I would like to check which IPs tried to connect un/successfully to these services.

If you know anything that can do this, please let me know.

Also I will put some of the services behind a VPN.
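The "block after so many failures" idea from earlier in the thread and the OP's wish to see which IPs tried to connect, successfully or not, are the same piece of work: read the Security log, group logon events by source address, and act on the counts. The script below is an added example written for this thread, not a tool anyone in it posted and not RDPGuard. It assumes Windows Server 2008 R2 or later (PowerShell 2.0, Get-WinEvent, netsh advfirewall); XP and 2003 have none of these. The rule-name prefix `RDPBruteForce_` and the parameter defaults are my own choices.

```powershell
# Added example, not from the thread. Assumes Windows Server 2008 R2 or later:
# PowerShell 2.0, Get-WinEvent and netsh advfirewall. XP and 2003 have none of these.
# Reports which source IPs failed (event 4625) or succeeded (4624) at RDP logons in the
# last $WindowMinutes and, with -Block, adds a firewall rule for each IP that exceeds
# $Threshold failures. Run elevated; reading the Security log and editing the firewall need it.
param(
    [int]$WindowMinutes = 60,
    [int]$Threshold     = 10,
    [switch]$Block                 # without -Block the script only reports
)

$since = (Get-Date).AddMinutes(-$WindowMinutes)

# Pull the EventData fields of a Security event into a hashtable keyed by field name.
function Get-EventFields($event) {
    $fields = @{}
    $xml = [xml]$event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$attempts = foreach ($e in $events) {
    $f = Get-EventFields $e
    # Logon type 10 = RemoteInteractive (RDP). With NLA enabled, the credential check that
    # fails before any session exists is logged as type 3 (Network), so keep both.
    if (('3', '10') -notcontains $f.LogonType) { continue }
    # 4625 may carry '-' or an IPv6/link-local address; keep plain IPv4 sources only.
    if ($f.IpAddress -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }
    New-Object PSObject -Property @{
        Ip      = $f.IpAddress
        User    = $f.TargetUserName
        Success = ($e.Id -eq 4624)
        Time    = $e.TimeCreated
    }
}

$byIp = @($attempts | Group-Object Ip | Sort-Object Count -Descending)

# Report: one line per source address, noisiest first.
foreach ($g in $byIp) {
    $failed = @($g.Group | Where-Object { -not $_.Success }).Count
    $ok     = @($g.Group | Where-Object { $_.Success }).Count
    $users  = ($g.Group | ForEach-Object { $_.User } | Sort-Object -Unique) -join ','
    '{0,-15} failed={1,-5} ok={2,-4} users={3}' -f $g.Name, $failed, $ok, $users
}

if ($Block) {
    foreach ($g in $byIp) {
        $failed = @($g.Group | Where-Object { -not $_.Success }).Count
        if ($failed -lt $Threshold) { continue }
        $ip   = $g.Name
        $name = "RDPBruteForce_$ip"   # hypothetical naming scheme: one rule per IP so it can be lifted later
        if ((netsh advfirewall firewall show rule "name=$name") -match 'Rule Name') {
            "already blocked: $ip"
            continue
        }
        # Block only TCP/3389 from that source rather than all traffic: a hostile source
        # behind a shared NAT then loses RDP, not every service on the box.
        netsh advfirewall firewall add rule "name=$name" dir=in action=block protocol=TCP localport=3389 "remoteip=$ip"
        "blocked: $ip after $failed failures"
    }
}
```

Run it from a scheduled task every few minutes with `-Block` and it behaves like a minimal RDPGuard; run it without `-Block` and it is the per-IP success/failure listing the OP asked for. Two caveats a practitioner should keep in mind: logon type 3 also covers SMB and other network logons, so on a file server the failure count is not purely RDP, and the block rules never expire on their own, so a legitimate user who mistypes a password behind a shared office NAT can lock the whole office out until someone deletes the `RDPBruteForce_*` rule.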
 
I don't know about IDS/IPS solutions, but I think k1pp3r had the easiest solution of simply locking down the firewall to specific hosts using the RDP port. Relatively easy and pretty damn secure. Of course the only downside is if you're trying to connect via anywhere and not a specific IP range.
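The firewall lockdown suggested twice in the thread (restrict 3389 to the networks that need it) is a few netsh commands on 2008 R2. The block below is an added example, not anything posted in the thread; the source ranges and the rule name are placeholders, and "Remote Desktop" is the English display name of the built-in rule group, which is localized on non-English installs.

```powershell
# Added example, not from the thread. Assumes Windows Server 2008 R2 (netsh advfirewall).
# The networks and rule name below are placeholders; "Remote Desktop" is the English name
# of the built-in rule group and is localized on other language versions of Windows.
# Scopes inbound TCP/3389 to the listed source networks and drops everything else.
$allowed = @(
    '203.0.113.0/24',   # placeholder: office network (RFC 5737 documentation range)
    '198.51.100.17'     # placeholder: admin's static home address
)

# 1. Turn off the built-in "Remote Desktop" rules, which allow 3389 from any source.
#    Disabling rather than deleting keeps them available to restore later.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

# 2. One allow rule for TCP/3389 restricted to the listed sources.
$remote = $allowed -join ','
netsh advfirewall firewall add rule name="RDP-allow-known-networks" dir=in action=allow `
    protocol=TCP localport=3389 "remoteip=$remote"

# 3. Make sure every profile drops inbound traffic that no rule allows.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 4. Verify the scoped rule exists, is enabled, and carries the intended RemoteIP list.
netsh advfirewall firewall show rule name="RDP-allow-known-networks" verbose |
    Select-String -Pattern '^(Rule Name|Enabled|Action|RemoteIP|LocalPort)'

# On XP SP2 / Server 2003 the older firewall context can express the same idea with a
# custom scope (legacy syntax, not exercised here):
#   netsh firewall set portopening protocol=TCP port=3389 name=RDP mode=ENABLE scope=CUSTOM addresses=203.0.113.0/24,198.51.100.17
```

Step 3 matters more than it looks: if the profile default is "allow inbound", disabling the built-in rules changes nothing. The obvious downside is the one already noted in the thread, an admin whose home address changes is locked out until someone with console access edits `$allowed`, which is why "various locations" usually ends up meaning a VPN or an RD Gateway in front of a firewall scoped like this.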
 