![brute force port 3389 brute force port 3389](https://support.heimdalsecurity.com/hc/article_attachments/360019343077/a.png)
BRUTE FORCE PORT 3389 HOW TO
Microsoft tells you how to disable it. The reason you want to disable it is that if hackers know the username all they have to focus on is guessing the password. It is well documented to use something other than the default Administrator account on a server. You should probably do them all, we have.ġ – Disable and do not use Admin or Administrator as a server login
![brute force port 3389 brute force port 3389](https://antoanthongtin.files.wordpress.com/2012/04/rdp51.jpg)
Here’s three server options to beef up security and help fend off these kinds of Remote Desktop attacks. This is a very bad scenario, you must take steps to ensure it never happens. They can install malicious software and potentially lock you out of the administration. If a hacker manages to figure out your credentials and establish a Remote Desktop login to your server then you no longer own the server. It’s obvious this isn’t a legitimate request. Open one of the audit failure records and you see login names like: staff, admin, fronttest, server, administrator, reception, reception2, etc. The goal is to try as many username/password combinations as possible in the hope that one will work. This is commonly referred to as a Brute Force attack. That many attempts in that short period of time means that this is likely an automated bot looking for open RDP ports (all connections are trying port 3389, the default RDP port). We saw over 100 attempts in a few hours of that morning. See all those Audit Failures, and look at the times there’s 11 login attempts in two minutes. Here’s what we saw under the Security section of the Windows Event Logs: While onsite at a customer location we reviewed the server Event Logs and discovered multiple login attempts to the server. They are working their way though various username and password combinations in the hope that one of them will work. Here’s what we found, and how we resolved it. Discovered that some nefarious hacker is trying a brute force Remote Desktop attack to a Windows Server belonging to a customer of ours.