Guide · Published 2026-07-08

How to Block RDP Brute-Force Attacks on Windows

Remote Desktop (RDP) is the single most attacked service on public-facing Microsoft Windows Server. This guide shows how to detect brute-force attempts, why the built-in Windows defences aren't enough, and how to lock RDP down with automated RDP brute force protection.

What an RDP brute-force attack looks like

Attackers scan the internet for port 3389, then hammer any exposed host with credential lists — often tens of thousands of guesses per hour from botnets across dozens of countries. A successful login usually ends in ransomware, cryptomining, or a pivot into the rest of the network. Even unsuccessful attempts flood the Security event log, spike CPU, and can lock out legitimate accounts.

Detecting RDP brute-force attempts

Failed RDP logins appear in the Windows Security log as Event ID 4625 with logon type 3 (network) or 10 (RemoteInteractive). A quick PowerShell check:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 200 |
  Where-Object { $_.Properties[10].Value -in 3,10 } |
  Group-Object { $_.Properties[19].Value } |
  Sort-Object Count -Descending |
  Select-Object -First 20 Count, Name

The Name column is the source IP. If a handful of addresses account for thousands of 4625s in a day, you're already under attack.

Built-in Windows options

1. Account Lockout Policy

Under Local Security Policy → Account Policies → Account Lockout Policy, set Account lockout threshold to something like 5 invalid attempts and Account lockout duration to 15 minutes. This slows password spraying but does not stop the attacker — it just locks your users.

2. Network Level Authentication (NLA)

System Properties → Remote → Allow connections only from computers running Remote Desktop with Network Level Authentication. NLA forces authentication before a session is created, which reduces resource use but still lets attackers guess passwords.

3. Windows Firewall scope rules

You can restrict RDP to specific source IPs by editing the inbound rule for TCP 3389:

Set-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" \
  -RemoteAddress 203.0.113.10, 198.51.100.0/24

Great when you have a fixed office IP. Useless when admins connect from home or roaming laptops.

4. Manual block scripts

A common recipe is a scheduled task that reads 4625 events and adds bad IPs to a Windows Firewall block rule. This works — until the log rolls over, the script crashes, the rule hits its size limit, or an admin's IP ends up on the block list. It also has no UI, no whitelist, and no country filtering.

Why the built-in tools fall short

  • They punish the wrong side. Lockout policies lock your accounts, not the attacker's IP.
  • No source-based blocking. Windows will happily let the same botnet try again from a new IP a second later.
  • No visibility. Nothing shows "who tried to log in as Administrator in the last hour".
  • Scripts drift. Home-grown PowerShell blockers break silently after a Windows update or a certificate rotation.
  • Multi-protocol blind spots. Attackers also hit MSSQL, SSH, FTP, and SMB — none of which the RDP-focused defences above cover.

Automated protection with AntiBrute

AntiBrute is a lightweight Windows service that watches the Security log in real time and blocks attackers with Windows Firewall rules — no PowerShell to maintain, no third-party firewall to license. It's built specifically for Microsoft Windows and Microsoft Windows Server.

  • Real-time detection across RDP, MSSQL, SSH, FTP, and SMB — a single agent, one dashboard.
  • Automatic firewall blocks after a configurable threshold (default: 5 failures in 5 minutes).
  • Country and active-hours rules — reject logins from countries you don't operate in, or outside business hours.
  • Whitelists so your office IP, VPN range, or monitoring host can't be accidentally locked out.
  • Local dashboard with live attack feed, blocked IP list, and per-service stats.
  • Runs as a Windows service — starts before login, survives reboots, no cloud dependency.

Compared to a hand-rolled script, AntiBrute gives you a supported product with an installer, a UI, upgrades, and a documented workflow. Compared to a full network firewall or SIEM, it's cheaper, host-local, and takes about two minutes to install.

Hardening checklist

  1. Change the RDP port only if it doesn't break your workflow — it slows scanners but does not stop them.
  2. Enable Network Level Authentication (NLA).
  3. Enforce strong passwords (14+ chars) and multi-factor auth for administrators.
  4. Disable the built-in Administrator account or rename it.
  5. Restrict RDP with Windows Firewall scope rules where a fixed IP list is realistic.
  6. Install AntiBrute to auto-block attackers across RDP, MSSQL, SSH, FTP, and SMB.
  7. Review the AntiBrute dashboard weekly — a sudden spike in blocked IPs usually means a new campaign is scanning your ASN.
Have questions about deploying AntiBrute across multiple Windows Servers? Contact us — we answer within one business day.