We recommend applying the steps below to help secure RDP and prevent this type of attack:
Preventing scanning for an open port:
- Restrict RDP to a whitelisted IP
- Require two-factor authentication, e.g. smartcards
- Use protection software to block RDP brute-force attempts
- Create a GPO to enforce strong password requirements: https://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx
- Change the default RDP port* from 3389 to another unused port
REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v PortNumber /d XXXX /f
The parameter “XXXX” is the port number you would like to move RDP to. It is recommended to choose a random port number that is not in use and outside of the 33XX port range.
- Block RDP entirely (port 3389) via firewall
- Restrict RDP to a whitelisted IP range
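The steps above, applied from the console they would normally be typed into: the following PowerShell script is an added example and is not part of the Malware Prevention Guide or this article. It reports the host's current RDP exposure (listening port, Network Level Authentication, which remote addresses the built-in "Remote Desktop" firewall rules admit) and, only when run with -Apply, enforces the list: NLA on, firewall rules restricted to an allow-list, a local account lockout policy against brute forcing, and optionally the port move from the REG ADD command above with the matching firewall rule and service restart. The allow-list 203.0.113.0/24, the -NewRdpPort value and the firewall rule display name are assumed placeholders to be replaced; the registry key is the one the article names.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Malware Prevention Guide. Audits the RDP settings the
# steps above refer to and, with -Apply, enforces them. Values marked "assumed"
# are placeholders for this example only.

param(
    # Assumed allow-list; 203.0.113.0/24 is a documentation range (RFC 5737), replace it.
    [string[]]$AllowedSources = @('203.0.113.0/24'),
    # Assumed new listening port; 0 means "leave the port on 3389".
    [int]$NewRdpPort = 0,
    # Report only unless -Apply is given.
    [switch]$Apply
)

# Same registry key the REG ADD command above writes to.
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpExposure {
    # Current port, NLA state and the remote addresses admitted by the enabled
    # built-in "Remote Desktop" firewall rules ('Any' means the port is open to everyone).
    $p = Get-ItemProperty -Path $RdpKey
    $remote = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
              Get-NetFirewallAddressFilter |
              Select-Object -ExpandProperty RemoteAddress -Unique
    [pscustomobject]@{
        Port                  = $p.PortNumber
        NetworkLevelAuth      = ($p.UserAuthentication -eq 1)
        FirewallRemoteAddress = @($remote)
        ExposedToAny          = ($remote -contains 'Any')
    }
}

function Test-PortChoice {
    param([int]$Port)
    # The article recommends an unused port outside the 33XX range; reject anything else.
    if ($Port -lt 1024 -or $Port -gt 65535) { return 'out of range' }
    if ($Port -ge 3300 -and $Port -le 3399) { return 'inside 33XX range' }
    if (Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue) {
        return 'already in use'
    }
    return 'ok'
}

function Set-RdpHardening {
    param([string[]]$Sources, [int]$Port)

    # 1. Require Network Level Authentication: credentials are checked before a session is created.
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord

    # 2. Restrict the built-in Remote Desktop rules to the allow-list (whitelisted IP range).
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -RemoteAddress $Sources -Enabled True

    # 3. Local account lockout to slow brute forcing; domain-wide this belongs in the GPO
    #    alongside the password requirements the article links to.
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

    # 4. Optionally move the listener off 3389 and open only the new port, allow-listed.
    if ($Port -gt 0) {
        $verdict = Test-PortChoice -Port $Port
        if ($verdict -ne 'ok') { throw "Refusing port $Port : $verdict" }
        Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $Port -Type DWord
        New-NetFirewallRule -DisplayName "RDP custom port $Port (assumed rule name)" -Direction Inbound `
            -Protocol TCP -LocalPort $Port -RemoteAddress $Sources -Action Allow | Out-Null
        # The listener only moves once Remote Desktop Services restarts; an RDP session
        # running this script will be disconnected here.
        Restart-Service -Name TermService -Force
    }
}

Get-RdpExposure | Format-List
if ($Apply) {
    Set-RdpHardening -Sources $AllowedSources -Port $NewRdpPort
    Get-RdpExposure | Format-List
}
```

Run it without -Apply first: an ExposedToAny of True with NetworkLevelAuth False is the configuration the article is warning about. To implement "Block RDP entirely" instead of allow-listing, disable the Remote Desktop rule group (Disable-NetFirewallRule -DisplayGroup 'Remote Desktop') rather than passing sources.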
The information presented in this article has been taken from the Malware Prevention Guide.