Showing posts with label RDP. Show all posts

Wednesday, March 22, 2017

Set up IPS on Fortigate firewall to block brute force RDP attacks

Like most people, my terminal servers are constantly being probed via brute force attacks trying to find a weak spot.  The better answer is to put the terminal server behind a VPN.  Short of that, I like setting up Duo Security for two-factor authentication.  Another alternative (and perhaps in addition to Duo) is to detect and block brute force attacks on your firewall.

Here's how I configure that on my Fortigate firewall.

First, enable the Intrusion Prevention module (if not already done) in Config -> Features




Next, I enable the IPS rule for RDP brute force attacks. I set a threshold of 15 over 900 seconds (15 minutes) with a block duration of 259200 seconds (3 days).




















Then go to your RDP firewall policy and set the default IPS policy on it.




















That's all you need to do.  If you want to see what IP addresses have been blocked, go to Log & Report -> Security Log -> Intrusion Protection
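A small Python model of the threshold settings above (15 attempts in 900 seconds, 259200-second block), added here as an illustration; it is not Fortigate's implementation or code from the original post. The class and function names and the sample addresses are constructed, and counting per source IP over a sliding window is an assumption about how such a rule behaves.

```python
from collections import Counter, defaultdict, deque

THRESHOLD = 15          # attempts (value from the post)
WINDOW = 900            # seconds, 15 minutes (value from the post)
BLOCK_SECONDS = 259200  # seconds, 3 days (value from the post)

class RateBlocker:
    """Simplified rate-based rule: THRESHOLD hits from one source inside WINDOW starts a timed block."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, block=BLOCK_SECONDS):
        self.threshold, self.window, self.block = threshold, window, block
        self.hits = defaultdict(deque)  # source IP -> timestamps of recent attempts
        self.blocked_until = {}         # source IP -> time at which the block expires

    def observe(self, ts, src):
        """Classify one connection attempt as 'blocked', 'trigger' or 'pass'."""
        if self.blocked_until.get(src, 0) > ts:
            return "blocked"
        recent = self.hits[src]
        recent.append(ts)
        while recent and recent[0] <= ts - self.window:
            recent.popleft()            # forget attempts that fell out of the window
        if len(recent) >= self.threshold:
            self.blocked_until[src] = ts + self.block
            recent.clear()
            return "trigger"
        return "pass"

def replay(events):
    """Run (timestamp, source) events through a fresh blocker, in order."""
    blocker = RateBlocker()
    return [(ts, src, blocker.observe(ts, src)) for ts, src in events]

def summarize(results):
    """Per-source count of each verdict."""
    out = defaultdict(Counter)
    for _, src, verdict in results:
        out[src][verdict] += 1
    return {src: dict(c) for src, c in out.items()}

def sample_events():
    """Constructed sample using documentation-range addresses."""
    noisy = [(i * 10, "203.0.113.50") for i in range(20)]   # 20 attempts, 10 s apart
    user = [(t, "198.51.100.7") for t in (5, 20, 40)]       # a user mistyping a password
    late = [(140 + BLOCK_SECONDS + 1, "203.0.113.50")]      # first attempt after the block expires
    return sorted(noisy + user) + late

if __name__ == "__main__":
    for src, counts in summarize(replay(sample_events())).items():
        print(src, counts)
```

In the sample, the 15th attempt from the noisy source trips the rule, its next five attempts are dropped, and the user with three failed logins is never affected.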





















Sunday, September 4, 2016

Group policy changes to enable ping response and remote desktop (and remote desktop firewall exception)

I recommend these changes on Windows domains: enable ping/ICMP responses from domain-connected computers, enable remote desktop (with network level authentication), and add a remote desktop exception on the firewall.  Not all of these items are enabled by default on Windows 10 and/or in Group Policy.  I think these are best practices, so here is how you can add them to Group Policy.

Open Group Policy Management on a domain controller.  Right-click on Default Domain Policy and choose Edit.



















Enable ping responses via Computer Configuration -> Policies -> Administrative Templates Policy -> Network -> Network Connections -> Windows Firewall -> Domain Profile and enable "Windows Firewall: Allow ICMP exceptions"
















Choose the option for "allow inbound echo request."


























To enable a remote desktop firewall exception, in the same location, enable "Windows Firewall: Allow inbound Remote Desktop exceptions"











To enable remote desktop connections, go to:
Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections

Enable "Allow users to connect remotely by using Remote Desktop Services"











To make all remote desktop connections use network level authentication, go to:
Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security

Enable "Require user authentication for remote connections by using network level authentication"





Monday, December 8, 2008

Remote web workplace connect to my computer at work has issue

If you are getting an error about the remote web workplace not having the necessary ActiveX control when trying to use remote desktop from Remote Web Workplace:




Then you can fix that by going to Tools -> Manage Add-ons -> Enable or Disable Add-ons

And then enable ‘Microsoft Terminal Services Client Control (redist)’