Proactive Approach to Thwarting RDP Attacks

What is an RDP Attack?

Remote Desktop Protocol (RDP) attacks have been a popular way for hackers to breach the security of a device or company network. An RDP attack takes place when an unauthorized person or entity accesses a network through a device's RDP port. The attacker may be an actual person using brute force against the RDP port, or it may be automated tooling, also using brute force to get in through the RDP port. Brute force is the term used when someone, or something, guesses user credentials over and over again until access is gained.

Best Defense — Disabling Ports

In September, we wrote to home users regarding this threat and how a home user can disable their RDP ports to proactively thwart these attacks. Since then, the PC Matic Pro and MSP teams have also added an Endpoint Vulnerabilities tab to the MSP and Pro portals. This report shows all devices that have Remote Desktop enabled and gives IT admins a one-stop shop for closing RDP ports that have been left open unnecessarily.

How to Mitigate Attack Risk While Leaving Ports Open

For those who opt out of disabling the port, there is another way to mitigate your risk. Users are able to put a limit on the number of incorrect login attempts that can happen in a set period of time. Below, we detail two ways to accomplish this, depending on whether you are using Windows 10 Pro or Windows 10 Home.

Windows 10 Pro
  1. To begin, type “Administrative Tools” in the Windows Search bar at the bottom of your screen. Double-click it in the results.

  2. Within the Administrative Tools, look for Local Security Policy. You will only find Local Security Policy if you are on Windows 10 Pro. If you don’t see it in the list, move down this page and follow the process for Windows 10 Home.

  3. Inside Local Security Policy, expand Account Policies at the top and click on Account Lockout Policy. You should see the three entries we’re showing on the right. Don’t worry if your security settings look different; those are what we’re going to change.

  4. Double-click on Account Lockout Threshold on the right side. We’re now going to set this number to 3. This setting is the number of times that someone can incorrectly guess your password before the account is locked. Click OK at the bottom to apply.

  5. Now double-click on Account lockout duration. We’re also going to set this number to 3 minutes. This setting determines how long your computer will stay locked after there are 3 incorrect guesses. Click OK at the bottom to apply.

  6. Once you set the duration, it will also ask if you want to set the Reset account lockout time to the same value. You can click OK here to apply a 3 minute time to that setting as well. Now we can review our final settings. If you incorrectly type your password 3 times within 3 minutes, the computer will lock and allow no attempts for a 3 minute period.

Windows 10 Home
  1. The process for changing this setting in Windows 10 Home takes a little more work, but we’ll detail it so you can follow along. Start by typing “cmd” in the search bar at the bottom. Now right-click on the entry for Command Prompt and choose Run as administrator. This is an important step.

  2. To bring up the current settings, type “net accounts” and press Enter. You’ll see that the three Lockout settings we’ll be adjusting are currently set to 3. We’ll be changing them to 4 to demonstrate the process.

  3. To change the first value, type “net accounts /lockoutthreshold:4” and press Enter. You should then see “The command completed successfully” below. If there is an error, make sure that you opened the Command Prompt as an administrator in step 1.

  4. To change the next setting, type “net accounts /lockoutduration:4” and press Enter. This sets a lockout duration of 4 minutes if someone tries and fails to log in 4 times.

  5. To change the last setting, type “net accounts /lockoutwindow:4” and press Enter. This sets a window of 4 minutes for login attempts. If there are four failed login attempts within four minutes, the computer will be locked for four minutes.

  6. Now we can verify that all of our settings have been changed. Type “net accounts” again and press Enter. You’ll see that each Lockout setting now has the value of 4 that we set in the previous steps. You can always adjust the number of login attempts in step 3, the number of minutes the device will lock for in step 4, or the window of time for login attempts in step 5 to any value you choose. We believe that anywhere between 3 and 10 is a good place to be.
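The three `net accounts` commands above have an ordering constraint that the steps do not spell out: Windows requires the account lockout duration to be greater than or equal to the lockout observation window, and `net accounts` rejects a value that would break that rule (the “System error 87” some readers report comes from setting `/lockoutduration` below a window that is still at the default of 30 minutes). The following script is an added example, not PC Matic’s code or tooling: it parses the report that `net accounts` prints, validates the values you want, and emits the three commands in an order that keeps duration ≥ window at every step. The `SAMPLE_NET_ACCOUNTS` text is a constructed sample of that report, and the script only prints the commands; it does not change anything on the machine.

```python
"""Plan `net accounts` lockout changes so that each step keeps the Windows
rule lockout duration >= lockout observation window.

Added example (not PC Matic's code). It parses the text that `net accounts`
prints and outputs the commands to run; it executes nothing itself."""
import re

# Constructed sample of a `net accounts` report (not captured from a real host):
# lockout is disabled ("Never") and duration/window sit at the 30-minute default.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# One regex per lockout line of the report; group 1 is the printed value.
FIELDS = {
    "threshold": r"^Lockout threshold:\s+(\S+)",
    "duration": r"^Lockout duration \(minutes\):\s+(\S+)",
    "window": r"^Lockout observation window \(minutes\):\s+(\S+)",
}


def parse_net_accounts(text):
    """Return {'threshold', 'duration', 'window'} as ints from the report text.
    A threshold of 'Never' (lockout disabled) is returned as 0."""
    settings = {}
    for key, pattern in FIELDS.items():
        match = re.search(pattern, text, re.MULTILINE)
        if not match:
            raise ValueError(f"missing '{key}' line in net accounts output")
        value = match.group(1)
        settings[key] = 0 if value.lower() == "never" else int(value)
    return settings


def plan_lockout_commands(current, threshold, duration, window):
    """Return the `net accounts` commands that move from `current` to the target
    values without ever leaving duration < window in between."""
    if not 1 <= threshold <= 999:
        raise ValueError("threshold must be 1..999 (0 would disable lockout)")
    if duration < 1 or window < 1:
        raise ValueError("duration and window must be at least 1 minute")
    if duration < window:
        raise ValueError("duration must be >= window; Windows rejects it (error 87)")

    commands = [f"net accounts /lockoutthreshold:{threshold}"]
    # A current duration of 0 means "locked until an administrator unlocks",
    # which satisfies the rule for any window. Otherwise, change the window
    # first only if the current duration can still cover the new window;
    # if not, raising the duration first is guaranteed to be safe instead.
    if current["duration"] == 0 or current["duration"] >= window:
        commands.append(f"net accounts /lockoutwindow:{window}")
        commands.append(f"net accounts /lockoutduration:{duration}")
    else:
        commands.append(f"net accounts /lockoutduration:{duration}")
        commands.append(f"net accounts /lockoutwindow:{window}")
    return commands


if __name__ == "__main__":
    # On a real machine, replace SAMPLE_NET_ACCOUNTS with the output of
    # `net accounts` from an elevated Command Prompt.
    current = parse_net_accounts(SAMPLE_NET_ACCOUNTS)
    print("current settings:", current)
    for cmd in plan_lockout_commands(current, threshold=4, duration=4, window=4):
        print(cmd)
```

With the sample report, the planner changes the window before the duration, because the existing 30-minute duration still covers a 4-minute window; running `/lockoutduration:4` first against a 30-minute window is exactly the combination Windows refuses. The same check, done by hand, is simply: lower the window before lowering the duration, and raise the duration before raising the window.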

 


7 thoughts on “Proactive Approach to Thwarting RDP Attacks”

  1. When you try to set /lockoutduration=4 as outlined above, you get System Error 87. You cannot use the value of 4; the minimum value you can use is 30. There is no reason to change this from 30 anyway, as 4 is less secure than 30.

  2. Is an RDP attack taking place when my browser is breached? You know, the attack that freezes your browser, then a pop-up message tells you to contact MS Support @ phone #, to have your computer repaired or restored. Is this an example of an RDP attack?
