Remote Desktop Protocol (RDP) is a tool for remotely controlling a Windows device, but it is also frequently abused to give threat actors access to devices and is used as a primary attack vector for ransomware. Attackers typically brute force login credentials over RDP to gain a foothold in an environment.
Nebula protects RDP through the Web Protection real-time protection layer and Brute Force Protection. This article explains how Nebula protects your environment from brute force attacks and lists additional preventative measures to consider.
Blocked inbound connections
Detections from public IP addresses that report the following fields typically occur when ports such as RDP 3389 are open and exposed to the internet:
- Type: Inbound Connection
- Category: Website
- Action Taken: Blocked
These detections were prevented by the Web Protection real-time protection layer. When they occur, the blocked IP address is scanning the endpoint or attempting to force its way in. Nebula blocks IP addresses that have a history of abuse, so these detections show the protection correctly preventing malicious connections.
Found inbound connections
Detections from public IP addresses that report the following fields are the result of open RDP ports in the router or firewall:
- Type: Inbound Connection
- Category: Remote Intrusion
- Action Taken: Found
- Detection Name: RDP Intrusion Detection
These detections occur based on the Brute Force Protection trigger rule settings specified in the Nebula policy. For more information, see Brute Force Protection policy settings in Nebula.
These alerts notify you that the trigger rule was met; with an Action Taken of Found, the activity is reported but not stopped. To block brute force attacks, set the Brute Force Protection mode to Block.
CAUTION - Setting to Block mode automatically enables the local Windows Firewall.
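As an added example (not part of this article or of Nebula's own tooling), the following Python script sorts constructed detection records carrying the fields listed above into the two cases described here and lists the follow-up each endpoint needs. The record layout, endpoint names and source addresses are assumptions, and the public/internal address test is deliberately simplified.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of detection records (not real data) using the fields this
# article describes. Source IPs are documentation-range addresses, not real hosts.
SAMPLE_DETECTIONS = [
    {"endpoint": "FS01", "source_ip": "203.0.113.7", "type": "Inbound Connection",
     "category": "Website", "action": "Blocked", "name": ""},
    {"endpoint": "WS22", "source_ip": "198.51.100.42", "type": "Inbound Connection",
     "category": "Remote Intrusion", "action": "Found", "name": "RDP Intrusion Detection"},
    {"endpoint": "WS22", "source_ip": "10.0.0.15", "type": "Inbound Connection",
     "category": "Remote Intrusion", "action": "Found", "name": "RDP Intrusion Detection"},
    {"endpoint": "LT03", "source_ip": "192.0.2.9", "type": "Website",
     "category": "Website", "action": "Blocked", "name": ""},
]

# Simplified "internal" test (RFC 1918, loopback, link-local). Everything else is
# treated as public, so the documentation-range sample addresses count as public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

def is_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def triage(detections):
    """Bucket inbound-connection detections per endpoint and return the follow-up each needs."""
    buckets = defaultdict(lambda: {"blocked": Counter(), "found": Counter(), "found_internal": Counter()})
    for d in detections:
        if d["type"] != "Inbound Connection":
            continue  # only inbound-connection detections are evidence of an exposed port
        b, src = buckets[d["endpoint"]], d["source_ip"]
        if d["action"] == "Blocked" and d["category"] == "Website" and is_public(src):
            b["blocked"][src] += 1  # Web Protection stopped a known-abusive public source
        elif d["action"] == "Found" and d["name"] == "RDP Intrusion Detection":
            b["found" if is_public(src) else "found_internal"][src] += 1
    report = {}
    for ep, b in buckets.items():
        actions = []
        if b["found"]:  # trigger rule met but the policy only reported it
            actions.append("set Brute Force Protection mode to Block")
        if b["found"] or b["blocked"]:  # a public source reached the port at all
            actions.append("close inbound RDP on the router/firewall; confirm UPnP is off")
        if b["found_internal"]:  # not internet exposure; review the internal source host
            actions.append("review internal source host(s)")
        report[ep] = {"sources": {k: sum(v.values()) for k, v in b.items()}, "actions": actions}
    return report
```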
Securing RDP
If RDP is allowed for your business operations, see our article How to protect RDP on how best to secure this service.
If the inbound ports are open unintentionally and you want to stop detections from public IP addresses, close them in the rules of the router or firewall appliance the endpoint is behind. If the inbound ports appear to be closed but the detections continue, verify that Universal Plug and Play (UPnP) is disabled in the router, since UPnP lets devices on the local network open port forwards automatically.