Protecting Remote Desktop (RDP) Host from Brute Force Attacks

Any Windows host directly connected to the Internet with an open RDP port is periodically logged for remote brute-force password attempts. To effectively protect the default Remote Desktop protocol port (3389) from password brute-force attacks and vulnerability exploitations, it is recommended that the RDP host be placed behind a VPN or Remote Desktop Gateway. If it is not possible to implement such a scheme, you will need to configure additional means of RDP protection:

• Don’t use the default user account names in Windows. If this is not done, users with popular account names (admin, administrator, user1) will be locked regularly according to the account lockup policy.
• Enable users to use complex passwords through the Windows password policy;
• Change the default RDP port number 3389 to a different one;
• Configure 2FA for RDP logins (learn how to use the open-source MultiOTP service to enable RDP two-factor authentication).

In this article, we will configure a PowerShell script that mitigates brute-force Remote Desktop (RDP) logins and automatically blocks the IP addresses from which failed RDP authentication attempts are logged.

Detect and Block RDP Brute Force Attacks with PowerShell

If an attempt to authenticate in Windows over RDP fails, event ID 4625 will appear in the Security event log ( An account failed to log on with LogonType = 3 , See: Analyzing RDP connection event logs ). The event description includes the username under which the connection was attempted and the source IP address.

You can use the Get-WinEvent PowerShell cmdlet to list events with failed RDP logon attempts in the past 12 hour:

$result = Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625; StartTime=(get-date).AddHours(-12)} | ForEach-Object {
    $eventXml = ([xml]$_.ToXml()).Event
    [PsCustomObject]@{
        UserName  = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        IpAddress = ($eventXml.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        EventDate = [DateTime]$eventXml.System.TimeCreated.SystemTime
    }
}
$result

You can use a PowerShell script to parse the Event Viewer log. If there are more than 5 failed RDP login attempts from a specific IP address in the last 3 hours, the script will add that IP to the Windows Firewall blocking rule.

# The number of failed login attempts from an IP address, after which the IP is blocked.
$badAttempts = 5
# Check the number of failed RDP logon events for the last N hours.
$intervalHours = 2
# Create a new Windows Firewall rule if the previous blocking rule contains more than N  unique IP addresses
$ruleMaxEntries = 2000
# Port number on which the RDP service is listening
$RdpLocalPort=3389
# Log file
$log = "c:\ps\rdp_block.log"
# A list of trusted IP addresses from which RDP connections should never be blocked
$trustedIPs = @("192.168.1.100", "192.168.1.101","8.8.8.8")  
 $startTime = [DateTime]::Now.AddHours(-$intervalHours)
$badRDPlogons = Get-EventLog -LogName 'Security' -After $startTime -InstanceId 4625 |
    Where-Object { $_.Message -match 'logon type:\s+(3)\s' } |
    Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]}}
$ipsArray = $badRDPlogons |
    Group-Object -Property IpAddress |
    Where-Object { $_.Count -ge $badAttempts } |
    ForEach-Object { $_.Name }
# Remove trusted IP addresses from the list
$ipsArray = $ipsArray | Where-Object { $_ -notin $trustedIPs }
if ($ipsArray.Count -eq 0) {
    return
}
[System.Collections.ArrayList]$ips = @()
[System.Collections.ArrayList]$current_ip_lists = @()
$ips.AddRange([string[]]$ipsArray)
$ruleCount = 1
$ruleName = "BlockRDPBruteForce" + $ruleCount
$foundRuleWithSpace = 0
while ($foundRuleWithSpace -eq 0) {
    $firewallRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if ($null -eq $firewallRule) {
  New-NetFirewallRule -DisplayName $ruleName –RemoteAddress 1.1.1.1 -Direction Inbound -Protocol TCP –LocalPort $RdpLocalPort -Action Block
        $firewallRule = Get-NetFirewallRule -DisplayName $ruleName
        $current_ip_lists.Add(@(($firewallRule | Get-NetFirewallAddressFilter).RemoteAddress))
        $foundRuleWithSpace = 1
    } else {
        $current_ip_lists.Add(@(($firewallRule | Get-NetFirewallAddressFilter).RemoteAddress))        
        if ($current_ip_lists[$current_ip_lists.Count – 1].Count -le ($ruleMaxEntries – $ips.Count)) {
            $foundRuleWithSpace = 1
        } else {
            $ruleCount++
            $ruleName = "BlockRDPBruteForce" + $ruleCount
        }
    }
}
# Remove IP addresses already in the blocking firewall rule 
for ($i = $ips.Count – 1; $i -ge 0; $i--) {
    foreach ($current_ip_list in $current_ip_lists) {
        if ($current_ip_list -contains $ips[$i]) {
            $ips.RemoveAt($i)
            break
        }
    }
}
if ($ips.Count -eq 0) {
    exit
}
# Block the IP address in Windows Firewall and log the action.
$current_ip_list = $current_ip_lists[$current_ip_lists.Count – 1]
foreach ($ip in $ips) {
    $current_ip_list += $ip
    (Get-Date).ToString().PadRight(22) + ' | ' + $ip.PadRight(15) + ' | The IP address has been blocked due to ' + ($badRDPlogons | Where-Object { $_.IpAddress -eq $ip }).Count + ' failed login attempts over ' + $intervalHours + ' hours' >> $log
}
Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $current_ip_list

The PowerShell script creates a Windows Defender Firewall rule that blocks connections to the RDP port for the resulting list of IP addresses.

The PowerShell script also writes to the log file the list of blocked IP addresses.

You can run the script automatically when event 4625 appears in the Event Viewer. You can do this by creating a task trigger by assigning a Task Scheduler job to an Event ID. Such a scheduled task can be created using a PowerShell script:

$taskname="Block_RDP_Brute_Force_Attacks_PS"
$scriptPath="C:\PS\block-rdp-brute-force.ps1"
$triggers = @()
$triggers += New-ScheduledTaskTrigger -AtLogOn
$CIMTriggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler:MSFT_TaskEventTrigger
$trigger = New-CimInstance -CimClass $CIMTriggerClass -ClientOnly
$trigger.Subscription =
@"
<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[(EventID=4625)]]</Select></Query></QueryList>
"@
$trigger.Enabled = $True
$triggers += $trigger
$User='Nt Authority\System'
$Action=New-ScheduledTaskAction -Execute "Powershell.exe" -Argument "-NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File $scriptPath"
Register-ScheduledTask -TaskName $taskname -Trigger $triggers -User $User -Action $Action -RunLevel Highest -Force

The triggered scheduled task will run on every failed RDP logon attempt. It will analyze the Event Viewer logs and block IP addresses in the firewall rule. The task runs under a LocalSystem account and is independent of whether the user is logged on or not.