Back

Windows administration

How to protect your Administrator account from brute-force lockout

By default, Windows exposes its RDP port to the Internet. That's why it becomes an attractive target for brute-force attacks. When an attack occurs, the Administrator account may be blocked after numerous attempts to log in by the attacker. If this happens, you could lose access to the server until the issue is resolved.

To prevent this happening, we recommend you use our Powershell script that changes default RDP settings and makes it difficult for attackers to target you with malicious activity.

The script consists of two blocks:

  1. The first one allows you to customize settings.

  2. The second one is technical.

You can manage each option by adding the octothorpe sign (#) to a line of code. Once added, that line of code will be ignored during execution.

The script should be inserted into the User data field while ordering a server or reinstalling an operating system. All parameters are described in the script below as comments.

The script is designed and applicable only for Windows 2016, 2019, 2022 Standard and Datacenter editions.
#ps1
 
# Add the octothorpe sign if you want a parameter to be ignored.
 
# A new name of the account instead of Administrator.
# Make sure that none of your software and scripts expect Administrator as a default name.
  
    $AdministratorAccountLogin = "SampleLogin"
  
# A new RDP port number instead of default 3389.
# Changing the RDP port will trigger an additional reboot.
  
    $RDPPort = 3403
  
# Disabling the local security policy of the Administrator account.
# It's not recommended to use this parameter for security reasons. It's better to keep it ignored.

#    $DisableAdministratorAccountLockoutSecurityPolicy = $true
  
# RDP access will be granted only for trusted IP addresses.
# This parameter is recommended when reaching a server from static IP addresses. Unselect this option in case of using dynamic IP addresses.
# You can specify here a range of IP addresses that your provider may allocate to you.
  
    $TrustedClients = @("192.168.1.2", "10.0.0.0/8")
  
# Disabling Remote Desktop services.
# It's recommended when accessing the server via WinRM or SSH protocols.
  
    $DisableRemoteDesktop = $true
  
  
# The commands below will be applied depending on the previous settings. Here is no need to add or remove the octothorpe sign.
  
# A new name of the account
if ($AdministratorAccountLogin) {
    ([adsi]"WinNT://localhost/Administrator,user").psbase.rename($AdministratorAccountLogin)
}
  
# RDP access from trusted IP addresses
if ($TrustedClients) {
    Set-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (TCP-In)' -RemoteAddress $TrustedClients -Enabled True
    Set-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (UDP-In)' -RemoteAddress $TrustedClients -Enabled True
}
  
# Disabling the local security policy of Administrator
if ($DisableAdministratorAccountLockoutSecurityPolicy) {
    secedit /export /cfg securityconfig.cfg
    (Get-Content securityconfig.cfg).replace("AllowAdministratorLockout = 1", "AllowAdministratorLockout = 0") | Set-Content securityconfig.cfg
    secedit /configure /db C:\Windows\security\local.sdb /cfg securityconfig.cfg /areas SECURITYPOLICY
    Remove-Item securityconfig.cfg
}
  
# Disabling Remote Desktop services
if ($DisableRemoteDesktop) {
    C:\Windows\System32\reg.exe ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
}
  
  
# A new RDP port number
if ($RDPPort) {
    C:\Windows\System32\reg.exe ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d $RDPPort /f
    Set-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (TCP-In)' -Enabled True -Protocol TCP -LocalPort $RDPPort
    Set-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (UDP-In)' -Enabled True -Protocol UDP -LocalPort $RDPPort
    # Exit code 1001 triggers cloudbase-init to reboot host after finishing userscripts plugin and not run it again after reboot
    exit 1001

Share

Suggested Articles

  • Windows administration

    How to configure network on Windows Server 2012

  • Windows administration

    How to provide the technical support team with network diagnostic results