Most Network admin or any basic server security expert knows that leaving the RDP or Remote Desktop Protocol Port open for the Internet or using a weak password makes the network vulnerable to cyberattacks. In this post, we are going to discuss such tips and see how to block Brute Force Attacks on Windows Server.
What is a Brute Force Attack?
Brute Force Attacks basically works on the hit and trial method and is one of the least sophisticated hacking techniques. In this, the hacker will make a number of attempts to guess your password and will eventually find the right one. But these are not any less dangerous than the hacking techniques you see in movies. Just think about it, a wide number of hackers trying to guess your password. So, if your password is weak or if you are not doing anything to block these attacks, you are vulnerable to data theft, losing access to your network, and more.
Block Brute Force Attacks on Windows Server
If you want to prevent or block Brute Force Attacks on Windows Server, then the following tips are for you.
- Use Strong Password
- Limit Failed Login Attempts
- Protect Root account
- Change your Port
- Enable CAPTCHA
- Use Two Factor Authentication
- Install EvlWatcher
Let us talk about them in detail.
1] Use Strong Password
First and foremost, while setting up your account, you need to make sure that you are using a strong password. It is pretty self-explanatory, if the attackers are trying to guess your password, don’t give them any clue about your username or password. You should make sure that your username doesn’t contain any clue about your password. Your password shouldn’t be related to you or any information about your enterprise that’s public.
Read: How to customize the Password Policy in Windows.
2] Limit Failed Login Attempts
As you may already know, how the Brute Force attacks work. So, there will be a lot of failed attempts. If you limit failed login attempts then you will rest assured that the attack won’t be successful.
You can also deploy the ‘Account lockouts with progressive delays‘ feature. This way, your account will be locked after some failed attempts for a certain period of time, making life a lot easier for the network admin.
Read: How to restrict the number of Login attempts in Windows.
3] Protect Root account
Root account, in a physical or virtual network, holds the utmost importance. It is like the king in a chess game. You need to make sure that it is inaccessible. To do that, you can configure the sshd_config file and set the ‘DenyUsers root’ and ‘PermitRootLogin no’ options.
4] Change your Port
More often than not, the attacker will try to attack port number 22, as it is the standard port. So, you need to change the port on which the SSHD is supposed to run. To do that, go to the sshd_config file and use a non-standard port.
Read: Password Spray Attack Definition and Defending yourself
5] Enable CAPTCHA
The Brute Force attack can be prevented by using the CAPTCHA. It is a great way to delay the process or stop the process completely if the attack is being carried out by a robot or an AI. In some cases, the attacker will breach the CAPTCHA by using some tools. However, not all attackers are equipped with this tool and hence, you should configure this feature. But keep in mind that CAPTCHAs are not really user-friendly and can deteriorate user experience.
Read: What is a Credential Stuffing Attack.
6] Use Two Factor Authentication
Many big enterprises such as Google and Microsoft use 2-Factor authentication to prevent their servers from many different kinds of attacks and Brute Force attacks are one of them. You can also employ this security measure and secure your server.
7] Install EvlWatcher
EvlWatcher is a great tool to stop Brute Force Attacks. It keeps an eye on your server logs and checks if there are numbers of failed attempts with a certain IP or IPs. It then blocks that very IP for 2 hours lowering the pace of those attacks. You can even configure the application if you want to make some exceptions or increase or decrease the block time. You can download EvlWatcher from github.com.
UPDATE: The new Allow Administrator account lockout policy setting determines whether the built-in Administrator account is subject to account lockout policy. Brute force attacks are one of the top three ways Windows machines are attacked today. To prevent further brute force attacks/attempts, Microsoft has started implementing account lockouts for Administrator accounts. Thus, Windows 11 now has a DEFAULT account lockout policy to mitigate RDP and other brute-force password vectors.
How to know if my server is under Brute Force Attacks?
If you want to know whether your computer is under Brute Force attack or not, you should check your server logs. If you are seeing a number of failed attempts then you are under a Brute Force Attack. If there are a lot of failed attempts by a single IP address or even multiple IPs in a certain time period then you should immediately check your client IPs and if you conclude that these IPs are of attackers then block them.
Can you prevent brute force attacks?
You can prevent brute force attacks up to a certain point. For that, there are several things you need to keep in mind. For example, you need to use a very strong password, limit failed login attempts, protect your Root account, change the port, enable CAPTCHA, etc. Apart from that, you can also use two-factor authentication to add an additional layer of security.
Hope you find the article useful.