Failed RDP Login Attempts and IPS

Hello, we have a few servers where the security logs show repeated brute force login attempts via RDP... shouldn't the IPS block this kind of "attack" by default?


This thread was automatically locked due to age.
  • An IPS can't detect password guessing -- a guess looks like a legitimate login attempt. Detecting a brute force attempt against an RDP server (which, IMHO, should not have the RDP port directly exposed to the internet anyway) would require a plugin or log monitoring of the servers involved.

    You may also want to look at implementing certificates for security on your RDP server(s), if the version of OS on the servers is new enough to support it.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.
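
The server-side log monitoring suggested in the reply above, as an added example that is not part of the original thread: it counts failed logons per source address in a sliding time window. It assumes the events were exported from the Windows Security log (event ID 4625, logon types 3 and 10); the sample records, addresses, threshold and window are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (time, event id, logon type, source IP, account).
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", 4625, 3, "203.0.113.7", "administrator"),
    ("2024-01-01T10:00:10", 4625, 3, "203.0.113.7", "admin"),
    ("2024-01-01T10:00:20", 4625, 3, "203.0.113.7", "backup"),
    ("2024-01-01T10:00:25", 4625, 10, "198.51.100.20", "jsmith"),
    ("2024-01-01T10:00:30", 4625, 3, "203.0.113.7", "administrator"),
    ("2024-01-01T10:00:40", 4625, 3, "203.0.113.7", "test"),
    ("2024-01-01T10:01:00", 4625, 10, "198.51.100.20", "jsmith"),
    ("2024-01-01T10:01:30", 4624, 10, "198.51.100.20", "jsmith"),
]

# RDP failures are logged as type 10 (RemoteInteractive) or, when
# Network Level Authentication is in use, as type 3 (Network).
RDP_LOGON_TYPES = {3, 10}


def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: sorted accounts tried} for every source that
    produced at least `threshold` failed logons within `window`."""
    recent = defaultdict(deque)   # per-IP failures still inside the window
    flagged = defaultdict(set)    # per-IP accounts seen while over threshold
    for ts, event_id, logon_type, ip, user in sorted(events):
        if event_id != 4625 or logon_type not in RDP_LOGON_TYPES:
            continue              # successes and other logon types are ignored
        when = datetime.fromisoformat(ts)
        failures = recent[ip]
        failures.append((when, user))
        # Drop failures that have aged out of the sliding window.
        while when - failures[0][0] > window:
            failures.popleft()
        if len(failures) >= threshold:
            flagged[ip].update(u for _, u in failures)
    return {ip: sorted(users) for ip, users in flagged.items()}


if __name__ == "__main__":
    for ip, users in find_bruteforce_sources(SAMPLE_EVENTS).items():
        print(f"possible brute force from {ip}: accounts tried {users}")
```

A single user mistyping a password twice stays under the threshold, while one address cycling through several account names in under a minute is reported.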
