Brute force protection on Windows Server

Brute force attacks and being targeted.

Brute force attacks are a constantly ongoing thing. Basically they're all automated and they (usually) try usernames such as administrator, root, backup etc.

If you don't have these usernames on your systems, or even if you do but have a good password policy in place, the risk of intrusion isn't really that big.
It is more of an annoyance, but the attempts still waste bandwidth, CPU, RAM and so on as they go on indefinitely. There's also the risk of attackers hiding in the noise, so to speak.

There aren't that many native tools in a Windows Server environment apart from Account Lockout Policies (which in some cases can honestly do more harm than good).

Imagine 100 000 login attempts deliberately using all of your usernames with wrong passwords.
This would simply lock all of your user accounts out of your systems, and nobody except Administrator could log in (since that account can't be locked out).

Now, there are other ways of taking care of this problem, and one is to use brute force prevention software (which I do).

With a useful brute force prevention system, you'll also get relevant information about what's actually going on.

An alert from a brute force prevention system

In this case, I got this alert earlier today.

(Screenshot: brute force protection alert, Windows)

The email tells me that an IP address from Moscow (yep, I verified it with Geo IP) tried to log on to the rCloud services.
Sadly, I'm not in Moscow, by the way.
Haven't been there in years, but I will go back someday.

A few hours later the same thing happens from the Netherlands (some town called Bodegraven), but targeting another system at Red Cloud.

(Screenshot: brute force prevention alert, Windows)

So far, nothing unusual about brute force attacks as a phenomenon, though. If it's reachable somehow, people will try to log in. Simple as that.

There are literally 100s of attacks (some days 1000s) being blocked there every day, so that's nothing new.
What was interesting were a few other things, though.

Interpreting the alerts from the intrusions

If one reads the alert a bit closer, one notices a few interesting things.

First of all, this attacking IP address has been trying to log in for a few days, but slowly (with a few days between attempts).
One possible explanation is that the attacker is trying to avoid any brute force prevention systems in place.

The second interesting fact is that someone is clearly targeting me, since they use my username when trying to get in.
This tells me that I am being targeted somehow.
I do know my email address is here and there online, so finding out metadata about me isn't very hard, and I've also written a few … tips … on how to think when it comes to guessing usernames.

The third interesting fact is, of course, that my username is being used from two geographically spread locations within a short time span, and I'm nowhere near either of these locations. Sad to say.

These pieces of information tell me that my username / mail address has been added to someone's list of logins to try against systems where at least that part is correct, and that the attempts are somehow coordinated and spread over multiple attacking computers.

Any good solution should provide you with this information, so that you, as a system administrator, get alerted and can act on any unexpected behaviour in your systems (for instance, if you start getting 100s of failed login attempts against all of the users in your company, or hundreds of 404 errors on your sites, something's probably up).
If you have your IT in a cloud environment or outsourced,
I strongly believe the provider should keep track of this for you and also keep historical data.
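The three patterns read out of the alerts above (one source retrying a username slowly over days, one username tried from several locations in a short window, and one source sweeping through many usernames, which is what makes an account lockout policy dangerous) can be checked directly against failed-logon events. The following is an added example, not code from the post or from any particular brute force prevention product; it runs over constructed records shaped like the fields of Windows Security event 4625, and every address, name and timestamp in it is invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security event 4625 (failed
# logon) fields: TimeCreated, TargetUserName, IpAddress. All values invented.
SAMPLE_EVENTS = [
    ("2015-03-01 02:10:00", "juha", "203.0.113.10"),
    ("2015-03-04 03:45:00", "juha", "203.0.113.10"),
    ("2015-03-07 01:20:00", "juha", "203.0.113.10"),
    ("2015-03-07 05:05:00", "juha", "198.51.100.7"),
    ("2015-03-07 05:05:10", "administrator", "192.0.2.55"),
    ("2015-03-07 05:05:11", "root", "192.0.2.55"),
    ("2015-03-07 05:05:12", "backup", "192.0.2.55"),
]

def parse(events):
    # Normalise to (datetime, lowercase user, source IP) tuples.
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), u.lower(), ip)
            for t, u, ip in events]

def low_and_slow(events, min_gap=timedelta(days=1), min_attempts=3):
    # One source IP retrying one user with long gaps between attempts:
    # the pattern that slips under a lockout or rate threshold.
    by_pair = defaultdict(list)
    for t, u, ip in events:
        by_pair[(ip, u)].append(t)
    return {(ip, u) for (ip, u), ts in by_pair.items()
            if len(ts) >= min_attempts
            and all(b - a >= min_gap for a, b in zip(sorted(ts), sorted(ts)[1:]))}

def spread_sources(events, window=timedelta(hours=12), min_ips=2):
    # One username tried from several distinct source IPs inside a short
    # window: the name has been shared across a coordinated set of attackers.
    by_user = defaultdict(list)
    for t, u, ip in events:
        by_user[u].append((t, ip))
    hits = set()
    for u, attempts in by_user.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            if len({ip for t, ip in attempts[i:] if t - t0 <= window}) >= min_ips:
                hits.add(u)
                break
    return hits

def username_sweep(events, min_users=3):
    # One source IP cycling through many usernames: exactly the traffic that
    # turns an account lockout policy into a denial of service on your users.
    users = defaultdict(set)
    for _, u, ip in events:
        users[ip].add(u)
    return {ip for ip, names in users.items() if len(names) >= min_users}
```

On the sample data the first detector flags the single address that retried "juha" three times over a week, the second flags "juha" as tried from two addresses within a few hours, and the third flags the address that cycled through administrator, root and backup.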

Anyhoo.. just a short post on the matter of brute force prevention on Windows and what it can do for you.

As always, should you need assistance with these things, just drop me an email or use the form to the right/below.

Cheers /Juha