This article provides best-practice instructions to secure remote connections to your server. It is aimed at helping system administrators and advanced users reduce the potential attack surface on their internet-facing server operating systems.
Protect Your Administrator Access
If an attacker knows your username, they already have half of your login credentials. We strongly recommend that you do not use the account named “Administrator” for administrator-level logins at all. It is safer to only use a unique admin user account and disable the default “Administrator” account.
If you absolutely have to use the default Administrator account, then the best practice is to rename this account to something unique and to create a strong password.
Disable the Administrator account
- Press Win + X and select “Computer Management”:
- In the sidebar, select “Local users” -> “Users” -> Right-click the username “Administrator” and select “Properties”. On the “General” tab is the option to disable this account.
Rename the Administrator account
- Press Win + X and select “Computer management”:
- In the sidebar, select “Local users” –> “Users” –> Right-click the username “Administrator” and select “Rename”.
Change the Administrator account password
- Press Win + X and select “Computer management”:
- In the sidebar, select “Local users” –> “Users” –> Right-click the username “Administrator” and select “Set Password…”.
- You will see a warning dialog box like this. Select “Proceed” to continue:
- You will be prompted for a new password. Please use a complex password.
Securing Your Remote Desktop Connection
Block RDP connections for accounts with an empty password
Security can be improved by prohibiting connections to accounts with empty passwords. To do this, you should enable security policy “Accounts”: permit to use empty passwords only for log-in from the console”:
- Open local security policy: Press Win + R and run the command secpol.msc)
- Browse to “Local policies” –-> “Security Options”.
- Double click on the policy “Accounts: Limit local account use of blank passwords to console logon only” and make sure that it is marked “Enabled” as per the above.
Change Standard Remote Desktop Protocol Port
It is good practice to change the standard port number that your remote access service listens on so as to make it harder for attackers to figure out how to connect to your server. If you’re using a firewall, make sure to configure your firewall to permit connections to the new port number. Let’s do that now so we don’t lock ourselves out later.
Allow the new RDP port through the firewall:
- Windows Firewall: In the Win-R command prompt, run “wf.msc” -> Inbound Rules -> Select New Rule…
- Select Port and click Next -> Select TCP and enter your new port in the Specific local ports: field.
- Click Next -> select Allow the connection -> Click Next.
- Under “When does this rule apply?”, make sure all the options are ticked. Give your new rule a Name and optionally a Description -> Select Finish.
Next, we will change the RDP service port:
- Start the registry editor. (Type regedit in the Search box.)
- Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
- Find PortNumber
- Click Edit > Modify, and then click Decimal.
- Type the new port number, and then click OK.
- Close the registry editor, and restart your computer.
- The next time you connect to this computer by using the Remote Desktop connection, you must type the new port.
Protecting Against Brute Force Attacks
In order to block multiple attempts to connect using the wrong data, it is possible in theory for one to trace the event log and manually block attacking IP addresses using Windows’ firewall. This solution does not however sustainably scale; in practice, we use software to automate this process for us. This part of the guide will walk you through installing and configuring one such application.
We recommend using the free software IPBan. This application is verified to be secure thanks to its open-source nature. IPBan requires at least Windows 8 or Windows Server 2012 to run; older Windows versions are not supported.
IPBan’s operation is relatively simple: the program monitors the Windows event log for failed log-in attempts and notes the amount of failed login attempts in a certain time period. Should there be too many login attempts from a given IP address within a certain amount of time, IPBan blocks that originating IP address(es) for a configurable amount of time.
E.g. More than 10 failed Remote Desktop logins within 5 minutes = 24 hour IP block.
On Windows, IPBan watches and protects RDP, OpenSSH, VNC, MySQL, SQL Server, and Exchange. More applications can easily be added by editing the config file.
IPBan Installation and Configuration
IPBan is supported on Windows Server 2012 and Windows 8, or newer. It will not work on older Windows versions. IPBan has an easy one-line installation process. Simply open Powershell (as admin) and run the following command as a single command:
The installation should look as follows:
After the installation finishes successfully, the script will open your C:\Program Files\IPBan\ipban.config file in Notepad. it is encouraged to whitelist your trusted IP address(es) in order to prevent yourself from being locked out. In the ipban.config file, find the section that looks like this:
As the commented instructions say, the trusted whitelisted addresses are to be added in between the quote marks after value=”” — These addresses can take the form of standard IP addresses (eg. 192.168.0.1), CIDR masks aka network ranges (eg. 172.16.10.0/24), URLs (e.g. https://www.1-grid.com/), or dynamic DNS hostnames. After saving your trusted whitelist, you can restart the IPBan service by clicking “Start –> Services –> Services (Local) –> right-click IPBan –> Restart”.
You can also use Task Manager to verify that IPBan is running:
MANUAL BANS & UNBANS
There are a couple of ways in which to ban and unban IP addresses with IPBan:
Windows Firewall: In the Win-R command prompt, run “wf.msc” -> Inbound Rules -> find rule “IPBan_Block_0” -> Right-click and select Properties -> in the Scope tab, you will find the list of blocked IP addresses; here you can add or remove IP addresses at will.
In case you need to ban or unban a large amount of IP addresses at once:
- You can manually ban ip addresses by placing a ban.txt file in the same folder as the IPBan service. The ip addresses are in plain text, one ip address per line. On the next cycle, IPBan will ban each ip address in the file, then delete the file. This is great for external applications such as traffic monitors, syn flood detectors, etc. that just want to cause an ip address ban.
- You can manually unban ip addresses by placing a unban.txt file in the same folderas the IPBan service. The ip addresses are in plain text, one ip address per line. On the next cycle, IPBan will unban any ip address in the file and then delete the file.Each ip will be removed from the firewall and IPBan database.
Additional Windows Security Notes
- It is highly recommended to disable NTLM logins and only allow NTLM2 logins. Use secpol -> local policies -> security options -> network security restrict ntlm incoming ntlm traffic -> deny all accounts. You must disable NLA if you do this or you will be locked out of your machine (Control Panel -> System and Security -> System -> Advanced Settings -> Remote Tab (uncheck NLA)).
- Please ensure your server and clients are patched before making the above change: https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018. You may need to manually edit group policy as specified in the link.
- Instead of the above, you can try: local policy “Network Security -> LAN Manager authentication level” to “NTLMv2 response only/refuse LM and NTLM”.
- NLA is not supported with IPBan on Windows Server 2012 or older. You must use Windows Server 2016 or newer if you want NLA. Failed logins do not log properly with NLA on the older Windows editions, regardless of any settings, registry or group policy changes.
- On Windows Small Business Server 2011 (and probably earlier) and Windows Server running Exchange, with installed PowerShell v.2 that does not know Unblock-File command, and the newer version can’t be installed (as some scripts for managing OWA stop working correctly). Easier way is to manually unblock downloaded ZIP file(s) and then unzip content.
- On Windows Server running Exchange, it is impossible to disable NTLM (deny all clients in Security restrict incoming NTLM traffic) as then Outlook on client computers permanently asks users for entering username and password. To workaround this, set LAN Manager authenticating level in Security Options of Local Policies to “Send NTLMv2 response only. Refuse LM & NTLM”. There is one small issue – when somebody tries to login with an undefined username, the log does not contain an IP address. Not sure why Microsoft can’t log an ip address properly.
- If using Exchange, disabling app pool ‘MSExchangeServicesAppPool’ can eliminate quite a lot of problems in the event viewer with ip addresses not being logged.
The IPBan wiki: https://github.com/DigitalRuby/IPBan/wiki