Most Network admins or any basic server security expert knows that leaving the RDP or Remote Desktop Protocol Port open for the Internet or using a weak password makes the network vulnerable to cyberattacks. In this post, we are going to discuss such tips and see how to block Brute Force Attacks on Windows Server.
What is a Brute Force Attack?
Brute Force Attacks basically works on the hit and trial method and is one of the least sophisticated hacking techniques. In this scenario, the hacker will attempt to guess your password multiple times and eventually find the correct one. However, these are no less dangerous than the hacking techniques depicted in movies. Just think about it, a wide number of hackers are trying to guess your password. Therefore, if your password is weak or if you are not taking steps to block these attacks, you are vulnerable to data theft, losing access to your network, and other potential risks.
Block Brute Force Attacks on Windows Server
If you want to prevent or block Brute Force Attacks on Windows Server, then the following tips are for you.
- Use Strong Password
- Limit Failed Login Attempts
- Protect Root account
- Change your Port
- Enable CAPTCHA
- Use Two Factor Authentication
- Install EvlWatcher
Let us talk about them in detail.
1] Use Strong Password
First and foremost, when setting up your account, ensure that you use a strong password. It is fairly self-explanatory: if attackers are trying to guess your password, don’t give them any clues about your username or password. Ensure that your username doesn’t contain any clues about your password. Your password shouldn’t be related to you or any publicly available information about your enterprise.
Read: How to customize the Password Policy in Windows.
2] Limit Failed Login Attempts
As you may already know, how the Brute Force attacks work. Therefore, there will be numerous failed attempts. If you limit failed login attempts then you will rest assured that the attack won’t be successful.
You can also deploy the ‘Account lockouts with progressive delays‘ feature. This way, your account will be locked after a certain number of failed attempts for a specified period, making life easier for the network administrator.
Read: How to restrict the number of Login attempts in Windows.
3] Protect Root account
The Root account, in a physical or virtual network, holds the utmost importance. It is like the king in a game of chess. You need to make sure that it is inaccessible. To do that, you can configure the sshd_config file and set the ‘DenyUsers root’ and ‘PermitRootLogin no’ options.
Read: Harden Windows Login Password Policy & Account Lockout Policy.
4] Change your Port
More often than not, the attacker will try to attack port number 22, as it is the standard port. So, you need to change the port on which the SSHD is supposed to run. To do that, go to the sshd_config file and use a non-standard port.
Read: Password Spray Attack Definition and Defending yourself
5] Enable CAPTCHA
The Brute Force attack can be prevented by using the CAPTCHA. It is a great way to delay or stop the process completely if a robot or AI is carrying out the attack. In some cases, the attacker may bypass the CAPTCHA using specialized tools. However, not all attackers are equipped with this tool and hence, you should configure this feature. But keep in mind that CAPTCHAs are not really user-friendly and can deteriorate user experience.
Read: What is a Credential Stuffing Attack.
6] Use Two Factor Authentication
Many large enterprises, such as Google and Microsoft, utilize two-factor authentication to protect their servers from various types of attacks, including brute force attacks. You can also employ this security measure and secure your server.
Read: How Attackers can Bypass Two-factor Authentication.
7] Install EvlWatcher
EvlWatcher is a great tool to stop Brute Force Attacks. It keeps an eye on your server logs and checks if there are numbers of failed attempts with a certain IP or IPs. It then blocks that very IP for 2 hours lowering the pace of those attacks. You can even configure the application if you want to make exceptions or adjust the block time. You can download EvlWatcher from github.com.
UPDATE: The new Allow Administrator account lockout policy setting determines whether the built-in Administrator account is subject to account lockout policy. Brute force attacks are one of the top three ways Windows machines are attacked today. To prevent further brute force attacks/attempts, Microsoft has started implementing account lockouts for Administrator accounts. Thus, Windows 11 now has a DEFAULT account lockout policy to mitigate RDP and other brute-force password vectors.
Hope you find the article useful.
Read: Ransomware Attacks, Definition, Examples, Protection, Removal.
How to know if my server is under Brute Force Attacks?
If you want to know whether your computer is under Brute Force attack or not, you should check your server logs. If you are seeing a number of failed attempts, then you are under a Brute Force Attack. If there are a lot of failed attempts by a single IP address or even multiple IPs in a certain time period then you should immediately check your client IPs and if you conclude that these IPs are of attackers then block them.
Can you prevent brute force attacks?
You can prevent brute force attacks up to a certain point. For that, there are several key points to consider. For example, you need to use a very strong password, limit failed login attempts, protect your Root account, change the port, enable CAPTCHA, etc. Additionally, you can utilize two-factor authentication to add an extra layer of security.
Read Next: Microsoft Assessment and Planning Toolkit: Identify Security Vulnerabilities.
