After a lot of buzz about BlueKeep, a remote, wormable vulnerability in the Windows RDP protocol, and to add to the great article by my colleague Mike Mastrole on protecting RDP servers from unauthorized network access: Sophos has just published some research on how vulnerable those servers are to brute-force attacks.
The research shows how quickly RDP servers were targeted once exposed: from less than 2 minutes up to 15 hours, probably depending on the network range.
They also logged 4.3 million login attempts, and while the conclusion may seem obvious, it makes a lot of sense: do not leave any RDP server open to the internet, turn off unneeded RDP access wherever possible, and segment off access to it.
While there are a number of things that administrators can do to harden RDP servers, most notably two-factor authentication, the best protection against the dual threat of password guessing and vulnerabilities like BlueKeep is simply to take RDP off the internet. Switch off RDP where it isn’t absolutely necessary, or make it accessible only via a VPN (Virtual Private Network) if it is.
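As an added example of putting that advice into practice (this is not code from the Sophos research or from this post), the PowerShell script below audits a Windows host's RDP exposure and can restrict the built-in inbound RDP firewall rules to a trusted subnet. It assumes a current Windows Server or Windows 10+ host with the NetSecurity module, and the `$TrustedSubnet` value is a placeholder for your own VPN or management range.

```powershell
# Added example: audit RDP exposure on a Windows host and optionally scope it
# to a trusted subnet. Run elevated. $TrustedSubnet is a placeholder (assumption).
param(
    [switch]$Remediate,
    [string]$TrustedSubnet = "10.8.0.0/24"   # placeholder: your VPN / jump-host range
)

$tsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey  = "$tsKey\WinStations\RDP-Tcp"
$rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 1

if ($rdpDisabled) {
    Write-Output "RDP is disabled (fDenyTSConnections=1): nothing to expose."
    return
}

Write-Output "RDP is ENABLED on this host."

# Network Level Authentication forces a credential check before a session is set up;
# without it the server allocates a full session to every anonymous connection.
$nla = (Get-ItemProperty -Path $rdpTcpKey -Name UserAuthentication).UserAuthentication
Write-Output ("NLA required: {0}" -f ($(if ($nla -eq 1) { 'yes' } else { 'NO' })))

# Is the listener actually bound on the default port?
$listener = Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue
if ($listener) {
    Write-Output ("TCP/3389 listening on: {0}" -f (($listener.LocalAddress | Select-Object -Unique) -join ', '))
}

# A RemoteAddress of 'Any' on the built-in 'Remote Desktop' rules means every
# reachable network, which includes the internet if the host has a public address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        Write-Output ("{0}: RemoteAddress={1}" -f $_.DisplayName, ($addr -join ','))
    }

if ($Remediate) {
    # Least-privilege network scope: only the trusted subnet may reach the RDP listener.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $TrustedSubnet
    # Enforce NLA as well, so unauthenticated connections never reach session setup.
    Set-ItemProperty -Path $rdpTcpKey -Name UserAuthentication -Value 1
    Write-Output "Inbound RDP rules now limited to $TrustedSubnet and NLA enforced."
}
```

Without `-Remediate` the script only reports; rules showing `RemoteAddress=Any` on an internet-reachable host are the ones the Sophos numbers above are about.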