Remote Desktop Protocol exposed directly to the internet is one of the most common ways ransomware enters a network. Attackers scan continuously for port 3389 and hammer it with credential guesses. The good news: a few configuration changes make RDP far harder to abuse.
Rule one: never expose RDP directly to the internet
The single most important step is to remove RDP from the public internet entirely. Put it behind a VPN, a Remote Desktop Gateway, or a Zero Trust access proxy. If port 3389 is reachable from anywhere, assume it is being attacked right now.
Step 1: Enable Network Level Authentication
Network Level Authentication (NLA) requires the user to authenticate before a full session is established, which blocks pre-authentication exploits and reduces the resources a brute-force attempt can consume. Enable it under System Properties → Remote.
Step 2: Configure account lockout policy
Set an account lockout threshold via Group Policy so that after a handful of failed attempts the account is temporarily locked. A threshold of five attempts with a 15-minute lockout window stops automated guessing without overly punishing fat-fingered users.
Step 3: Restrict who can log in remotely
Do not leave the Remote Desktop Users group wide open. Grant remote logon rights only to the specific accounts that need them, and never allow the built-in Administrator account to log in over RDP. Rename or disable that account where possible.
Step 4: Add MFA and a gateway
Deploy a Remote Desktop Gateway with multi-factor authentication, or front RDP with a Zero Trust solution that enforces identity and device posture. This turns a single guessable password into a multi-layer challenge.
Step 5: Monitor failed logon events
Watch Windows Security event ID 4625 (failed logon). A spike indicates an active brute-force campaign. Forward these events to a central log or SIEM so you are alerted rather than discovering the attack after it succeeds.
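As an added example (not part of the original article), a read-only PowerShell audit that checks a host against Steps 1, 2, 3 and 5 above; Step 4 is a network-side control and cannot be verified from the host itself. The 5-attempt / 15-minute values come from the article, while the 20-failures-per-hour alert level is an assumed threshold.

```powershell
# Added audit script: reports which of the article's RDP hardening steps are not in place.
# Read-only. Run in an elevated PowerShell; reading the Security log requires admin rights.
$findings = New-Object System.Collections.Generic.List[string]

# Step 1: NLA is stored as UserAuthentication=1 on the RDP-Tcp listener.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction Stop).UserAuthentication
if ($nla -ne 1) { $findings.Add('Step 1: Network Level Authentication is disabled') }

# Step 2: lockout threshold and duration, parsed from the text output of `net accounts`.
function Get-NetAccountsValue([string[]]$Lines, [string]$Pattern) {
    $m = $Lines | Select-String -Pattern "$Pattern\s+(\S+)" | Select-Object -First 1
    if (-not $m) { return 0 }
    $v = $m.Matches[0].Groups[1].Value
    if ($v -eq 'Never') { 0 } else { [int]$v }   # "Never" means lockout is not configured
}
$acct      = net accounts
$threshold = Get-NetAccountsValue $acct 'Lockout threshold:'
$duration  = Get-NetAccountsValue $acct 'Lockout duration \(minutes\):'
if ($threshold -eq 0 -or $threshold -gt 5) { $findings.Add("Step 2: lockout threshold is $threshold (article recommends 5)") }
if ($duration -lt 15) { $findings.Add("Step 2: lockout duration is $duration min (article recommends 15)") }

# Step 3: the built-in Administrator (RID 500) should be disabled and must not be a Remote Desktop User.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$rdpUsers     = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
if ($builtinAdmin.Enabled) { $findings.Add("Step 3: built-in Administrator '$($builtinAdmin.Name)' is enabled") }
if ($rdpUsers.SID.Value -contains $builtinAdmin.SID.Value) {
    $findings.Add("Step 3: built-in Administrator is a member of Remote Desktop Users")
}

# Step 5: count 4625 (failed logon) events from the last hour, grouped by source IP.
$alertLevel = 20   # assumed alert threshold, not a Windows default
$since  = (Get-Date).AddHours(-1)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
$bySource = $failed | ForEach-Object {
    $x = [xml]$_.ToXml()
    ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
} | Group-Object | Sort-Object Count -Descending
foreach ($g in $bySource) {
    if ($g.Count -ge $alertLevel) { $findings.Add("Step 5: $($g.Count) failed logons from $($g.Name) in the last hour") }
}

if ($findings.Count -eq 0) { 'All host-side checks passed' } else { $findings }
```

Members of the local Administrators group can also log on over RDP without being in Remote Desktop Users, so review that group as well when applying Step 3.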
RDP is a powerful tool, but only when it is locked behind authentication layers. Get it off the open internet, enforce lockouts and MFA, and watch the logs.
Korur Security Team
