Wednesday, October 05, 2011

Review your Event Logs

I was just browsing my event log and found the following entry in system:

Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.

This normally would not be a concern, except the message was logged every minute or so. After further review I see that this has been going on for the last 3 months! (as far back as my event log goes)

Clearly someone is trying to hack into my computer through the Remote Desktop Service.  I do have a forwarding rule in my ISP's router that forwards port 3389 to my desktop.  Being as 3389 is the default port for remote desktop, I guess I should not be surprised that this was happening.

So what did I do? I changed the default RDP port. Yes, that's right: "security by obscurity". Not the preferred solution, but it should slow down the attacks.

I updated the forwarding rule in the ISP router/firewall and updated my desktop RDP port using http://support.microsoft.com/kb/306759. The desktop computer firewall also had to be modified to support the new port. The firewall rule for RDP on port 3389 is locked, so I just created a new one for the new port.

I also changed the Local Security Policy's Account Lockout Policy to 3 attempts and 30 minutes to reset. This should slow someone down as well.

Luckily I have a strong password according to http://www.passwordmeter.com/


Score: 79%
Complexity: Strong


So I suggest you do take some time to review your event logs.  It's surprising what you might learn.
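
An added example, not part of the original post: a PowerShell sketch that counts the System log entries quoted above per day and checks whether they reach back to the oldest record the log still holds. It matches on the message text from the post; the variable names are assumptions made for this example.

```powershell
# Added example (not the author's code). Matches on the message text quoted in
# the post rather than on a specific event ID or provider name.
$needle = 'exceeded the maximum allowed failed logon attempts'

# Read the System log once. Message can be empty for some records;
# -like then simply evaluates to $false and the record is skipped.
$all  = @(Get-WinEvent -LogName System -ErrorAction Stop)
$hits = @($all | Where-Object { $_.Message -like "*$needle*" })

if ($hits.Count -eq 0) {
    Write-Output 'No matching entries in the System log.'
    return
}

# Per-day counts show how steady the failed logon activity has been.
$hits |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    Select-Object @{ n = 'Day'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Compare the first matching entry with the oldest record still retained.
$firstHit  = ($hits | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
$lastHit   = ($hits | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
$oldestRec = ($all  | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated

Write-Output ("Matching entries : {0}" -f $hits.Count)
Write-Output ("First / last     : {0:u} / {1:u}" -f $firstHit, $lastHit)
Write-Output ("Oldest log record: {0:u}" -f $oldestRec)

# If the first hit is within a day of the oldest retained record, the log has
# probably rolled over and the activity may have started earlier than it shows.
if (($firstHit - $oldestRec).TotalDays -lt 1) {
    Write-Output 'Entries reach back to the start of the retained log; the real start date is unknown.'
}
```

Running it again after a change to the RDP port or lockout policy shows whether the daily counts actually drop.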
