Secure Remote Desktop: How to Protect RDP from Brute Force Attacks
Practical manual to secure Remote Desktop (RDP) on Windows Server. Learn how to block brute force attacks and isolate your infrastructure.

In summary: how do you protect Remote Desktop (RDP) on Windows? RDP is the preferred entry point for attackers. To protect it, follow these three fundamental steps: 1. Never expose port 3389 directly to the Internet. 2. Implement Multi-Factor Authentication (MFA). 3. Use a secure VPN (such as SecBox Shield) to create an encrypted tunnel before connecting to the server. 60% of ransomware exploits unprotected RDP.
Microsoft Remote Desktop Protocol (RDP) is an indispensable tool for remote Windows server management. However, if left exposed to the Internet without proper precautions, it becomes a constant target for automated "brute force" attacks.
The Dangers of Exposed RDP
A Windows server with port 3389 open to the world receives thousands of unauthorized access attempts every single hour. Attackers use botnets to test common username and password combinations (administrator, admin, user123). Once a valid password is found, the attacker can disable the antivirus, encrypt data, and demand a ransom.
Why changing the port is not enough
Many sysadmins think they can "hide" the RDP service by changing the default port (e.g., from 3389 to 4455). This technique, called security by obscurity, is useless against modern scanners like Shodan or Censys, which identify the RDP protocol within seconds regardless of the port used.
RDP Hardening Manual: Technical Checklist
1. Enable Network Level Authentication (NLA)
NLA forces the user to authenticate before the RDP session is actually established, reducing the attack surface for vulnerabilities like BlueKeep.
How to do it:
- Open System Properties.
- Remote tab.
- Check "Allow connections only from computers running Remote Desktop with Network Level Authentication".
2. Account Lockout Policy
To counter brute force, the server must lock the account after a certain number of failed attempts.
PowerShell Command (run from an elevated prompt):
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
This command locks the account for 30 minutes after 5 incorrect attempts and resets the failed-attempt counter after 30 minutes. It sets the local security policy; on a domain-joined server the domain account lockout policy takes precedence.
3. Windows Firewall Restriction
Do not allow RDP connections from "Any". If possible, allow access only from known static IP addresses.
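As an added example, not part of the original article, the following PowerShell script audits and applies the three checklist items above on one server. It assumes an elevated prompt on Windows Server 2016 or later with an English locale (the built-in firewall rules are in the display group "Remote Desktop"), and `$AllowedAdminIPs` is a constructed sample allow list that you replace with your own static management addresses.

```powershell
# Added example (not the article's own code): audit and apply NLA, account lockout and
# firewall source restriction for RDP. Run from an elevated PowerShell prompt.
# Assumptions: English locale (display group "Remote Desktop"); on a domain-joined
# server the domain account lockout policy overrides the local one set here.

# Constructed sample allow list (RFC 5737 documentation ranges); replace with real admin IPs.
$AllowedAdminIPs = @('203.0.113.10', '198.51.100.0/24')

# 1. Network Level Authentication: UserAuthentication = 1 on the RDP-Tcp listener
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) {
    Write-Warning 'NLA is disabled; enabling it.'
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
} else {
    Write-Output 'NLA: enabled'
}

# 2. Account lockout: 5 failed attempts, 30 minute lockout, 30 minute reset window
# (net accounts is the built-in tool for the local policy and runs fine from PowerShell)
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
Write-Output 'Lockout policy now:'
net accounts | Select-String -Pattern 'Lockout'

# 3. Firewall: limit the enabled Remote Desktop rules to the allow list instead of "Any"
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True
foreach ($rule in $rdpRules) {
    $current = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($current -contains 'Any') {
        Write-Warning "$($rule.DisplayName) accepts RDP from Any; restricting to $($AllowedAdminIPs -join ', ')"
        $rule | Set-NetFirewallRule -RemoteAddress $AllowedAdminIPs
    } else {
        Write-Output "$($rule.DisplayName): already restricted to $($current -join ', ')"
    }
}
```

Run it again after applying to confirm every line reports the hardened state; the firewall change takes effect immediately, so make sure your own address is in the allow list before running it over RDP.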
The Ultimate Solution: SecBox Shield
All the measures described above are useful, but they don't eliminate the risk 100%. The only way to be 100% secure is to make the server invisible.
With SecBox Shield:
- RDP Stealth: Port 3389 is completely closed to the outside. The server does not respond to any connection attempts.
- VPN Tunnel: To access the server, the user must first activate the SecBox VPN, which requires MFA (Multi-Factor Authentication).
- Isolation: Only once authenticated via VPN does the server become reachable.