Remote Desktop Protocol (RDP) is one of the most widely used methods for remote administration in Windows environments. Unfortunately, it’s also a prime target for attackers. Brute force attacks—where attackers repeatedly guess usernames and passwords—are among the most common RDP attack vectors.
Without proper hardening, exposed RDP services can lead to account compromise, ransomware infections, or full domain breaches.
This guide explains how to secure RDP effectively and reduce your attack surface.
Why RDP Is a Target
- Default port exposure (TCP 3389): Attackers constantly scan the internet for open RDP ports.
- Weak or reused passwords: Makes brute force guessing easier.
- Credential stuffing: Attackers use stolen passwords from breaches.
- Direct access to critical servers: Successful compromise often leads to lateral movement.
Step 1: Restrict Access to RDP
- Firewall Rules: Allow RDP access only from trusted IP ranges (e.g., corporate VPN).
- Network Level Authentication (NLA): Requires authentication before establishing an RDP session.
- Remote Desktop Gateway (RD Gateway): Tunnels RDP over HTTPS with additional authentication layers.
Step 2: Change the Default RDP Port
Although security through obscurity isn’t foolproof, changing the default port can reduce automated scans.
Edit the registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
Restart the server and adjust firewall rules accordingly.
Step 3: Enforce Strong Authentication
- Complex Password Policies: Require long, unique passwords.
- Account Lockout Policies: Temporarily lock accounts after repeated failed attempts. Example:
- Lockout threshold: 5 attempts
- Lockout duration: 15 minutes
- Reset account lockout counter: 15 minutes
Configure in Group Policy:
Computer Configuration → Windows Settings → Security Settings → Account Policies → Account Lockout Policy
- Multi-Factor Authentication (MFA): Use MFA with RD Gateway, smartcards, or third-party MFA solutions.
Step 4: Limit User Privileges
- Avoid enabling RDP for domain admins.
- Create a dedicated Remote Desktop Users group with least-privilege principles.
- Enforce Just-In-Time (JIT) access where accounts are enabled only when needed.
Step 5: Implement RDP Session Timeouts
Configure Group Policy to log off idle sessions:
Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Session Time Limits
This reduces risk from unattended sessions.
Step 6: Deploy Brute Force Mitigation Tools
- Windows Firewall + Security Logs: Monitor and block repeated failed logins.
- Account lockout monitoring tools: Identify targeted accounts.
- Third-party intrusion prevention tools (e.g., Fail2Ban for Windows equivalents): Automatically block IPs after repeated login failures.
Step 7: Monitor and Audit RDP Usage
- Event Viewer: Check
Securitylogs for Event IDs:- 4625 – Failed login attempt
- 4624 – Successful login attempt
- SIEM Integration: Forward logs to a central security monitoring solution.
- Alerting: Trigger alerts on multiple failed logins from the same IP.
Step 8: Consider Alternatives to RDP
Where possible, use alternatives to reduce exposure:
- VPN + Admin Tools: Use PowerShell Remoting or SSH via VPN.
- Privileged Access Workstations (PAWs): Dedicated hardened machines for admin tasks.
- Azure Bastion / Jump Hosts: Cloud-native or on-prem bastion servers that provide secure access.
Best Practices Summary
✅ Restrict RDP access to trusted IPs or VPN users
✅ Change the default RDP port
✅ Enable NLA and use RD Gateway for layered protection
✅ Enforce account lockout and strong password policies
✅ Require MFA for administrative sessions
✅ Regularly audit logs and monitor login attempts
✅ Consider alternatives like bastion hosts for critical access
Conclusion
Hardening RDP is essential for protecting Windows environments against brute force attacks. With layered security—firewalls, MFA, account lockouts, and monitoring—you can significantly reduce the risk of compromise.
RDP should never be left exposed on the internet without protections. By applying the strategies above, you ensure administrative access remains secure and compliant with modern best practices.
