Best Practices - Securing your Windows Server 2016 VM on Vultr
-
I a little past day 2 and I realize my server is getting bombarded with login attempts, to the point that it crashed the entire system. Some of you may have seen my posts about deploying RDSH on Azure and I have now moved it to Vultr.
It is a Domain Controller and RDSH server all-in-one.
I would guess its a brute force attempt to access my system vs a DDoS attack. So I am trying to decide what the best way to block these attempts (which I imagine are more common on Vultr than Azure) would be.
I have copied the administrator account to create a new admin username and disabled the default administrator account.
-
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
I would guess its a brute force attempt to access my system vs a DDoS attack.
Correct, if it was DDoS you'd know it.
-
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
So I am trying to decide what the best way to block these attempts (which I imagine are more common on Vultr than Azure) would be.
Use a Windows equivalent to Fail2Ban to shut down IP addresses that are doing this dynamically. This is what keeps attacks on Linux at bay.
-
I assume that part of the issue is that RDP is directly exposed from this machine? How else are they attacking you?
-
Yes at the moment it is exposed. The only difference on Azure is that the use a high level port instead of 3389.
I would guess those who are scanning would also discover those higher number ports.
Or do I create a Vultr firewall and restrict login attempts to particular IP address ranges?
-
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
Yes at the moment it is exposed. The only difference on Azure is that the use a high level port instead of 3389.
I would guess those who are scanning would also discover those higher number ports.
Or do I create a Vultr firewall and restrict login attempts to particular IP address ranges?
Well general rule of thumb is that RDP should never be exposed directly, it's not considered a secure protocol and it is the absolutely number one target of attacks because being exposed flags you as being on Windows (making you a high profile target because you are less likely to be properly secured), flagging you as not following security best practices (making you a high profile target because you are less likely to be properly secured) and lets people know that you are paying a premium over UNIX, so you have money to spend and something to lose (the poor can't consider Windows.) So if attackers see RDP, they go after it like crazy. And the expectation from the Microsoft side is that it will never be exposed to the Internet.
This is where a proxy or VPN are expected, always. Not that those won't also get attacked, but they have a different exposure profile, provide another layer of defence, use stronger security, can fail closed, and provide stronger authentication. Same as we were discussing in the other thread about Exchange the other day.
-
I have no idea of a fail to ban for windows... do you have something in mind?
If RDP is running on port 50000+ can it still be identified as RDP?
-
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
I have no idea of a fail to ban for windows... do you have something in mind?
-
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
If RDP is running on port 50000+ can it still be identified as RDP?
Yes. Moving ports does nothing.
-
Thanks for the link.
Seems like launching a firewall and only allowing access from my office IP range would be the best start. That would at least keep the load off the server.
I am not sure if Vultr firewall has VPN. That could be the roaming solution though. Or Windows DirectAccess?
-
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
Thanks for the link.
Seems like launching a firewall and only allowing access from my office IP range would be the best start. That would at least keep the load off the server.
Yes, that will do a lot. you should have the firewall on teh Windows box doing that already anyway as a best practice. So this would only be additional to that, hopefully.
-
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
I am not sure if Vultr firewall has VPN. That could be the roaming solution though. Or Windows DirectAccess?
It does not, but you are free to implement anything that you want. OpenVPN is very good. ZeroTier is very good. Loads of options. Most are free.
-
@scottalanmiller said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
@bigbear said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
Thanks for the link.
Seems like launching a firewall and only allowing access from my office IP range would be the best start. That would at least keep the load off the server.
Yes, that will do a lot. you should have the firewall on teh Windows box doing that already anyway as a best practice. So this would only be additional to that, hopefully.
Firewall is on but not configured to allow RDP from a specific range. Honestly I didn't have trouble with Azure but I planned to go through some security best practices before launching it to my employees. Not surprised its happening though.
-
-
@black3dynamite said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
nice find. Anyone using it?
-
@scottalanmiller Since I'm in testing phase, and because the logo is basically a photo of a drawing, I am going all in...
-
/sarcasm
Turn it off
sarcasm/
-
JB was using a Windows version of fail2ban awhile ago.
-
@Dashrender said in Best Practices - Securing your Windows Server 2016 VM on Vultr:
JB was using a Windows version of fail2ban awhile ago.
I looked into and tested. Did not deploy.
Related: I completely forgot about that project. WTF server was I testing that on. -
Have had some issues with it banning the servers external WAN address when behind NAT instead of the remote IP Address. Have been sifting through code but its not an active project, just a one time port.
Using the VULTR firewall to restrict all inbound traffic and to allow RDP sessions based on our office WAN IP has stopped the issues. However, I am still trying to decide how that helps my roaming users.
Outside of VPN or DirectAccess I am not sure what other secure access methods there could be. Looking for ideas.