Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.
This normally would not be a concern, except that the message was logged every minute or so. After further review I see that this has been going on for the last 3 months (as far back as my event log goes)!
Clearly someone is trying to hack into my computer through the Remote Desktop Service. I do have a forwarding rule in my ISP's router that forwards port 3389 to my desktop. Being as 3389 is the default port for remote desktop, I guess I should not be surprised that this was happening.
So what did I do? I changed the default RDP port. Yes, that's right: "security by obscurity." Not the preferred solution, but it should slow down the attacks.
I updated the forwarding rule in the ISP router/firewall and updated my desktop RDP port using http://support.microsoft.com/kb/306759. The desktop computer firewall also had to be modified to support the new port. The firewall rule for RDP on port 3389 is locked, so I just created a new one for the new port.
I also changed the Local Security Policy's Account Lockout Policy to 3 attempts and 30 minutes to reset. This should slow someone down as well.
Luckily I have a strong password according to http://www.passwordmeter.com/
| Score: | 79% |
|---|---|
| Complexity: | Strong |
So I suggest you do take some time to review your event logs. It's surprising what you might learn.
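One way to do that review and confirm the changes described above took effect. This is an added example, not part of the original post. It assumes the termination message is written to the System log, an English-language Windows install (for the `net accounts` filter), and an elevated PowerShell prompt.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell prompt.
# Assumption: the termination message quoted in the post is written to the System log.
$needle = 'exceeded the maximum allowed failed logon attempts'
$since  = (Get-Date).AddDays(-90)   # roughly the three months mentioned in the post

# 1. How often was an RDP session terminated for too many failed logons?
$hits = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$needle*" })

if ($hits.Count -eq 0) {
    Write-Output "No matching events since $since"
} else {
    $first = ($hits | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
    $last  = ($hits | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
    Write-Output "$($hits.Count) terminated sessions between $first and $last"

    # Per-day counts show whether the port change actually reduced the noise.
    $hits | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
        Sort-Object Name |
        Select-Object @{ n = 'Day'; e = { $_.Name } }, Count |
        Format-Table -AutoSize
}

# 2. Which port is the RDP listener configured for? (the value changed via KB 306759)
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port   = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Write-Output "RDP listener port: $port"
if ($port -eq 3389) { Write-Output 'Listener is still on the default port 3389.' }

# 3. Current account lockout policy (threshold, duration, observation window).
#    Assumption: English output from "net accounts".
net accounts | Select-String -Pattern 'Lockout'
```

Running it again a few days after the port change gives a before/after comparison of the per-day counts.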