Like most people's, my terminal servers are constantly being probed by brute force attacks trying to find a weak spot. The better answer is to put the terminal server behind a VPN. Short of that, I like setting up Duo Security for two-factor authentication. Another alternative (perhaps in addition to Duo) is to detect and block brute force attacks on your firewall.
Here's how I configure that on my Fortigate firewall.
First, enable the Intrusion Prevention module (if not already done) in Config -> Features.
Next, I enable the IPS rule for RDP brute force attacks. I set a threshold of 15 over 900 seconds (15 minutes) with a block duration of 259200 seconds (3 days).
Then go to your RDP policy and set the default policy for it.
That's all you need to do. If you want to see what IP addresses have been blocked, go to Log & Report -> Security Log -> Intrusion Protection
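To show how a threshold of 15 in 900 seconds with a 259200-second block behaves, here is an added example (not from the original post, and not FortiOS code) that models a per-source sliding window with a timed block list. The event format, the class and function names, and the choice to trigger on reaching the threshold are assumptions; the sample traffic is constructed.

```python
from collections import defaultdict, deque

THRESHOLD = 15          # matching events from one source...
WINDOW = 900            # ...within this many seconds (15 minutes)
BLOCK_SECONDS = 259200  # block duration (3 days)

class RateBlocker:
    """Sliding-window counter per source IP with a timed block list."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, block=BLOCK_SECONDS):
        self.threshold, self.window, self.block = threshold, window, block
        self.recent = defaultdict(deque)   # src -> timestamps inside the window
        self.blocked_until = {}            # src -> second at which the block ends

    def observe(self, ts, src):
        """Process one RDP connection event; return 'pass', 'block' or 'dropped'."""
        until = self.blocked_until.get(src)
        if until is not None:
            if ts < until:
                return "dropped"           # source is still blocked
            del self.blocked_until[src]    # block expired, start counting afresh
        q = self.recent[src]
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()                    # forget events older than the window
        if len(q) >= self.threshold:       # assumption: trigger on reaching 15
            self.blocked_until[src] = ts + self.block
            q.clear()
            return "block"
        return "pass"

def replay(events):
    """Replay (timestamp, src) pairs in time order; return {src: [verdicts]}."""
    blocker, out = RateBlocker(), defaultdict(list)
    for ts, src in sorted(events):
        out[src].append(blocker.observe(ts, src))
    return dict(out)

# Constructed sample traffic (documentation-range addresses, not real logs):
SAMPLE = (
    [(i * 10, "203.0.113.7") for i in range(20)]        # 20 attempts in 200 s
    + [(i * 3600, "198.51.100.4") for i in range(20)]   # one connection an hour
    + [(150 + BLOCK_SECONDS, "203.0.113.7")]            # first attempt after expiry
)

if __name__ == "__main__":
    for src, verdicts in replay(SAMPLE).items():
        print(src, verdicts)
```

The hourly source never accumulates more than one event per window, so only the burst is blocked; that is why the rate threshold works alongside the VPN or two-factor options above rather than replacing them.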
This post will go over what you need to do to enable two-factor authentication in Office 2013 with a backend Office365 mail server (so you don't need to use app passwords). This process sets up the 'modern authentication' login window for Office 2013 programs.
Step one - from a PowerShell command prompt run this command (info from here):
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Step two - Add group policy to push modern authentication registry entries to Office 2013 computers
As of March 2017, I rarely ever touch a Windows 7 machine anymore, but I did today, and the machine was checking for updates over and over again. I googled and found a solution in my case (below). The machine I was working on had installed updates in October 2016. In general, I'd say my process for updating Windows 7 machines is this:
If the convenience update is installed, then I'd recommend these commands from an elevated command prompt:
net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserver
ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
ren C:\Windows\System32\catroot2 catroot2.old
net start wuauserv
net start cryptSvc
net start bits
net start msiserver
I used to leave the Windows 10 menu alone with all the default bloatware garbage on it, but I've started arranging the menu and putting the critical programs, weather, and news (changed from small to large window size) on the start menu. I prefer a nicely organized tile section in my start menu, so why not make it that way for the users? This is what my typical start menu looks like: