Wednesday, October 05, 2011

Review your Event Logs

I was just browsing my event log and found the following entry in system:

Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.

This normally would not be a concern, except the message was logged every minute or so. After further review I see that this has been going on for the last 3 months (as far back as my event log goes)!

Clearly someone is trying to hack into my computer through the Remote Desktop Service.  I do have a forwarding rule in my ISP's router that forwards port 3389 to my desktop.  Being as 3389 is the default port for remote desktop, I guess I should not be surprised that this was happening.

So what did I do? I changed the default RDP port. Yes, that's right: "security by obscurity." Not the preferred solution, but it should slow down the attacks.

I updated the forwarding rule in the ISP router/firewall and updated my desktop RDP port using  The desktop computer firewall also had to be modified to support the new port. The firewall rule for RDP on port 3389 is locked, so I just created a new one for the new port.

I also changed the Local Security Policy's Account Lockout Policy to 3 attempts and 30 minutes to reset. This should slow someone down as well.

Luckily I have a strong password according to


So I suggest you do take some time to review your event logs.  It's surprising what you might learn.
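
One way to run the review described in this post, as an added example that is not part of the original post: a PowerShell summary of how often, and for how long, the quoted event has been logged. It assumes Windows PowerShell 3.0 or later and matches on the message text quoted above rather than on a specific event ID.

```powershell
# Added example: summarise the "exceeded the maximum allowed failed logon
# attempts" entries in the System log. The match string comes from the event
# text quoted in the post; everything else here is illustrative.
$pattern = '*exceeded the maximum allowed failed logon attempts*'

# Reading every message in the System log can take a while on a large log.
# -ErrorAction SilentlyContinue avoids an error when the log has no events.
$events = @(Get-WinEvent -LogName System -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like $pattern } |
    Sort-Object TimeCreated)

if ($events.Count -eq 0) {
    Write-Output 'No matching events found in the System log.'
}
else {
    $first = $events[0].TimeCreated
    $last  = $events[-1].TimeCreated

    # Overall picture: how many events, and over what time span.
    [pscustomobject]@{
        Total     = $events.Count
        FirstSeen = $first
        LastSeen  = $last
        SpanDays  = [math]::Round(($last - $first).TotalDays, 1)
    } | Format-List

    # Which provider and event ID carry this message on this machine,
    # so later queries can filter on those instead of the message text.
    $events | Group-Object ProviderName, Id |
        Select-Object Count, Name | Format-Table -AutoSize

    # The ten busiest days. A steady count every day points to automated
    # guessing rather than a user mistyping a password.
    $events | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
        Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize

    # Distribution by hour of day, to see whether attempts run around the clock.
    $events | Group-Object { $_.TimeCreated.Hour } |
        Sort-Object { [int]$_.Name } |
        Select-Object @{ n = 'Hour'; e = { $_.Name } }, Count |
        Format-Table -AutoSize
}
```

Run it from an elevated prompt if the System log is not readable with your current rights. Running it again after a port or lockout-policy change shows whether the daily counts actually dropped.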
