Windows: RDP Remote Desktop IP Restriction

Lately a lot of attackers have taken to brute-forcing RDP logins, since the protection against password guessing on an exposed RDP port is usually weak: there is no rate limiting, and account lockout is off unless you configure it.

I've seen a couple of such attacks. They found a working password by brute force, logged in over RDP, encrypted all documents and then left a window message demanding a ransom in bitcoin of at least $8k.

So, I finally decided to put some restrictions on this. It took a while to work out, which is why I delayed until now, though it's not hard. The idea is to allow only certain IPs to RDP in.

Solution:

  1. Go to Control Panel -> Administrative Tools
  2. Open Windows Firewall with Advanced Security
  3. Click Inbound Rules
  4. Find the Remote Desktop rules. On older versions there is one rule, Remote Desktop (TCP-In); on Windows 10 / Server 2016 and later there are three in the same group: Remote Desktop - User Mode (TCP-In), Remote Desktop - User Mode (UDP-In) and Remote Desktop - Shadow (TCP-In). Scope each of them, not only the TCP one.
  5. Open Properties -> Scope tab
  6. Under Remote IP addresses, choose "These IP addresses" and add the IP (or IP range) you connect from

Two things to check before you rely on this. First, the addresses you add must be ones you will actually come from: a dynamic home address that changes tomorrow locks you out, so use the range your ISP assigns or a VPN endpoint with a fixed IP. Second, make sure no other enabled inbound rule still allows port 3389, otherwise the scoped rule is bypassed.

I've also learned that these Windows Firewall settings need to be applied at the Domain profile level, not just (or only) Private or Public.

  • Open Control Panel -> Windows Defender Firewall
  • Click Advanced settings
  • Adjust the default action for each profile (Domain, Private and Public): Firewall state On, and leave Inbound connections at Block so that the scoped Remote Desktop rule is the only thing letting port 3389 through
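The same procedure from an elevated PowerShell prompt, as an added example that is not part of the original post. It scopes every rule in the built-in "Remote Desktop" group at once, turns the firewall on for all three profiles with inbound default Block, and then lists any other enabled rule that still allows 3389. The address list is a placeholder (RFC 5737 documentation ranges); replace it with the addresses you really connect from.

```powershell
# Added example, not from the original post. Run as Administrator.
# Placeholder allow list (documentation ranges); substitute your own static IPs or ranges.
$allowed = @('203.0.113.10', '198.51.100.0/24')

# 1. Scope all inbound Remote Desktop rules (TCP, UDP and Shadow, where present) to the allow list,
#    apply them to every profile, and make sure they are enabled.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $allowed -Profile Domain,Private,Public -Enabled True

# 2. Show the resulting scope per rule so you can eyeball it before disconnecting.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($filter.RemoteAddress -join ', ') }
    }

# 3. Firewall on for all profiles, inbound default Block (Domain included; see the note above).
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 4. Anything else still letting 3389 in? Any rule listed here that is not in the Remote Desktop
#    group (or is scoped to Any) bypasses what you just did and needs the same treatment.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -in 'TCP','UDP' -and $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, DisplayGroup, Profile
```

Keep an existing session open while you do this and test a fresh connection from an allowed address before you close it; if the scope is wrong, the open session is your only way back in.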

After setting several IP ranges and testing: awesome!

A netstat -an check also showed that some IPs that were trying the 3389 port got disconnected/disappeared once I applied the inbound rules with the Domain Profile Firewall State "ON".
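A PowerShell version of that netstat check, added here as an example rather than taken from the post. It lists every current connection to the local RDP port, marks whether the remote address is inside the allow list, and then counts failed logons (Security event 4625) by source address over the last 24 hours, which is where the brute-force attempts show up. The allow list and the IPv4-only CIDR matcher are this example's own; the event query needs an elevated prompt.

```powershell
# Added example, not from the original post. Run as Administrator (Security log access).
# Placeholder allow list; use the same addresses you put in the firewall scope.
$allowed = @('203.0.113.10', '198.51.100.0/24')

function ConvertTo-IPv4Number ([string]$Address) {
    # Big-endian IPv4 bytes to a 64-bit integer, avoiding unsigned-shift surprises in older PowerShell.
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-InAllowList ([string]$Address, [string[]]$AllowList) {
    # IPv4 only in this example; anything else is reported as not allowed so it stands out.
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $n = ConvertTo-IPv4Number $Address
    foreach ($entry in $AllowList) {
        $net, $len = $entry.Split('/')
        if (-not $len) { $len = 32 }                      # a bare address is a /32
        $mask = (0xFFFFFFFF -shl (32 - [int]$len)) -band 0xFFFFFFFF
        if (($n -band $mask) -eq ((ConvertTo-IPv4Number $net) -band $mask)) { return $true }
    }
    return $false
}

# Who is connected to 3389 right now, and is each of them on the list?
Get-NetTCPConnection -LocalPort 3389 -ErrorAction SilentlyContinue |
    Where-Object { $_.State -ne 'Listen' } |
    ForEach-Object {
        [pscustomobject]@{
            Remote  = $_.RemoteAddress
            State   = $_.State
            Allowed = Test-InAllowList $_.RemoteAddress $allowed
        }
    } | Format-Table -AutoSize

# Failed logons in the last 24 hours, grouped by source IP. After the scope is in place this list
# should contain only addresses you recognise; a long tail of unknown IPs with high counts is the
# brute force still getting through (check for another rule allowing 3389, or a different profile).
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    } |
    Where-Object { $_ -and $_ -ne '-' } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

The 4625 count is the more useful of the two checks: a scoped firewall rule drops the packets before authentication, so once it is working the failed-logon entries from the unwanted addresses should simply stop appearing.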

This entry was posted in Technical.