Issue with brute force attacks on Remote Desktop
Hello, I'm having an issue with several brute-force attempts on my system through Remote Desktop. I have disabled the default Windows Administrator account and created one with a different name. Security audit logs indicate that all the attempts so far have been trying to log in using the Administrator account, so they will fail every time and the system is safe for the time being. What I would like to know is if there is a way to automatically ban an IP if there's a given number of failed logon attempts within a given time period, for example 5 failed logon attempts in 2 minutes? Any assistance in this matter would be greatly appreciated.
May 8th, 2012 12:36pm

Except for the lockout policy, there is no native defense of the kind you demand. I would rely on active network devices, namely manageable routers and/or switches. Regards Milos
May 8th, 2012 1:44pm

As things stand now, I manually look at the Windows Security Event logs and look at the audit failures, add entries to my windows firewall to block the subnet that the offending IP belongs to. Is there no way to automate this process? Something that reads the event logs and adds the offending IP to the firewall's block list?
May 8th, 2012 1:59pm

You can write a script yourself that is triggered by the event and uses the netsh function http://technet.microsoft.com/en-us/library/cc771920(v=ws.10).aspx In previous versions of Windows operating systems it was eventtrigger; in the newest ones there is "Attach task to this event..." (by right-clicking on the particular event). Perhaps you should use a regular expression to retrieve the attacker's IP address. Using PowerShell is another alternative. There are commercial solutions to this problem (by "random" search - http://www.beethink.com/BeeGuardian/IPBlocker/IPBlocker.htm) Regards Milos
May 9th, 2012 12:48am
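The automation the original poster asks for (read the Security log, count failures per source IP, add a firewall block) along the lines Milos sketches, as an added example that is not code from anyone in this thread. It assumes Windows Vista/Server 2008 or later, where failed logons are Security event 4625 carrying an IpAddress field; that the script runs elevated; that the netsh advfirewall block rule is acceptable; and the 5-failures-in-2-minutes threshold the poster named. The rule name, the function names and the allowlist are this example's own choices.

```powershell
param([switch]$Live)   # without -Live the script only runs the constructed demo below

# Added example (not from the thread). Settings are the poster's numbers.
$Threshold     = 5
$WindowMinutes = 2
$RuleName      = 'RDP brute-force auto-block'        # one rule per banned IP, suffixed with the IP
$NeverBlock    = @('127.0.0.1', '192.168.1.1')        # placeholder allowlist: your own management addresses

# Read failed-logon events (ID 4625) since $Since and reduce each to (Time, IpAddress).
function Get-FailedLogonEvents {
    param([datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $ip  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
            [pscustomobject]@{ Time = $_.TimeCreated; IpAddress = $ip }
        }
}

# Decision logic, kept separate from the log read so it can be exercised on constructed input:
# which source IPs produced at least $Threshold failures inside the last $WindowMinutes?
function Get-OffendingIPs {
    param(
        [object[]]$Events,                  # objects with Time and IpAddress
        [int]$Threshold = 5,
        [int]$WindowMinutes = 2,
        [datetime]$Now = (Get-Date)
    )
    $cutoff = $Now.AddMinutes(-$WindowMinutes)
    $Events |
        # Skip events outside the window and events whose IpAddress is '-', empty or IPv6
        # (NLA failures often carry no source address; IPv6 is left out for simplicity here).
        Where-Object { $_.Time -ge $cutoff -and $_.IpAddress -match '^\d{1,3}(\.\d{1,3}){3}$' } |
        Where-Object { $NeverBlock -notcontains $_.IpAddress } |
        Group-Object IpAddress |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object { $_.Name }
}

# netsh prints "Rule Name:" lines for matching rules and a "No rules match" message otherwise.
function Test-AlreadyBlocked {
    param([string]$Ip)
    $out = & netsh advfirewall firewall show rule name="$RuleName $Ip" 2>&1
    return (($out -join "`n") -match 'Rule Name:')
}

# Add an inbound block rule for the IP unless one already exists.
function Block-IP {
    param([string]$Ip)
    if (Test-AlreadyBlocked -Ip $Ip) { return }
    & netsh advfirewall firewall add rule name="$RuleName $Ip" dir=in action=block remoteip=$Ip | Out-Null
    Write-Host "Blocked $Ip"
}

if ($Live) {
    # Live path: meant to be run elevated from a scheduled task (e.g. attached to event 4625).
    $events = Get-FailedLogonEvents -Since (Get-Date).AddMinutes(-$WindowMinutes)
    Get-OffendingIPs -Events $events -Threshold $Threshold -WindowMinutes $WindowMinutes |
        ForEach-Object { Block-IP -Ip $_ }
}
else {
    # Constructed sample input (not real log data) to show the decision logic only.
    $now = Get-Date
    $sample = @(
        1..6 | ForEach-Object { [pscustomobject]@{ Time = $now.AddSeconds(-10 * $_); IpAddress = '203.0.113.45' } }
        1..3 | ForEach-Object { [pscustomobject]@{ Time = $now.AddSeconds(-20 * $_); IpAddress = '198.51.100.7' } }
        [pscustomobject]@{ Time = $now.AddMinutes(-30); IpAddress = '203.0.113.45' }   # outside the window
        [pscustomobject]@{ Time = $now;                  IpAddress = '-' }              # NLA failure, no source IP
    )
    Get-OffendingIPs -Events $sample -Threshold $Threshold -WindowMinutes $WindowMinutes
}
```

Run as-is to see the decision step on the constructed sample: only 203.0.113.45 is reported, because 198.51.100.7 has three failures, the older 203.0.113.45 event lies outside the two-minute window, and the '-' entry has no usable address. Run with -Live from an elevated scheduled task to read the real log and add the rules. Two caveats a practitioner should keep in mind: an account lockout policy does not help here because the attempts target an account name that no longer exists, so the firewall block is the only thing that actually stops the noise; and the allowlist exists so that a mistyped password from your own management address never locks you out of the server.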

Hi, As Milos Puchta says, your purpose cannot be achieved by the built-in tools. You may refer to his suggestion to compose a script. If you need help on composing a script, please post a thread at http://social.technet.microsoft.com/Forums/en/ITCG/threads/. Thanks for understanding. Juke Chou TechNet Subscriber Support If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here. Juke Chou TechNet Community Support
May 9th, 2012 6:37am


Hi, Since this cannot be achieved by built-in tools, I will mark the thread as "Answered". If you have any further questions, please let me know. Juke Chou TechNet Community Support
May 14th, 2012 6:08am

I would turn off ICMP ping requests for your server so that when the attacker ping sweeps your network, they don't find anything from that form of reconnaissance. Ask your ISP if they would change your external IP address for free for security reasons. Change the port on your Remote Desktop at the firewall. Find an old computer, download Security Onion and install it with Snort IDS, Sguil and Squert; these are great intrusion detection systems which will catch the IP address of the attack, and have tons of rich features like whois and geographical placing of the attacker's subnet. Once you find enough evidence and want to move forward, submit the evidence to the local police department, preferably the computer forensics department, and the ISP, but you may need a subpoena or a legal department behind you, so make sure you have your evidence in line before you go wasting the police's and the ISP's time. Once you find the guy, administer some administrative smack down. This guy's probably DoS attacking you if anything, and foremost trying to get in, and that part is obvious. I'd also change the administrative account name. Also, if this is a large network, check your physical security around equipment, because logical security is nothing if someone has access right to the physical device, and if you have switches, make sure you have the equivalent of switch port security enabled to block someone from just walking up and plugging an RJ45 Ethernet cable into your switch.
May 15th, 2012 1:36pm
