Cannot RDP into Azure VM because of a brute force attack

Applies to: ✔️ Windows VMs

Any port that is open to the Internet on a virtual machine is a target for brute force attacks. This article describes the general errors you may see when your Azure virtual machine (VM) is under such an attack, how to confirm it from the Security event log, and the recommended ways to secure the VM.

Symptoms

  1. When you make a Remote Desktop Protocol (RDP) connection to a Windows VM in Azure, you may receive the following general error messages:

    • An internal error has occurred.
    • Remote Desktop Services session has ended. Your network administrator might have ended the connection. Try connecting again, or contact technical support for assistance.
  2. You can't RDP to the VM by using its public IP address, but you may still be able to RDP by using its private IP address (for example, from another VM in the same virtual network). Whether private access still works depends on how much of a performance spike the attack is causing on the VM.

  3. There are many failed logon attempts in the Security event log:

    • Event ID 4625 (An account failed to log on) is logged almost every second, with the failure reason Unknown user name or bad password.

    Screenshot of failed logon attempts (Event ID 4625) in the Security event log.

    Screenshot of the Event Properties - Event 4625 window, which shows the Failure Reason is Unknown user name or bad password.

Connect to the VM using Serial console

If you can't RDP to the VM, you can use the Serial Console to open PowerShell on the VM and check the Security log for these entries directly.

  1. In the Serial Console command prompt, launch PowerShell by running powershell.exe.

  2. In PowerShell, execute these commands:

    # PSReadLine does not work well over the serial terminal, so unload it first.
    remove-module psreadline
    # List every failed logon (Event ID 4625) recorded in the Security log in the last 24 hours.
    Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=(Get-Date).AddDays(-1); Id=4625}
    

Alternatively, if the VM is reachable over WinRM (for example on its private IP address), you can run the same Get-WinEvent command through PowerShell remoting.
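A raw list of 4625 events tells you that logons are failing but not where they come from or how fast. The following script is an added example, not part of the original article: it summarizes the 4625 events from the last 24 hours by source IP address and flags sources that exceed a failure threshold. It assumes it runs on the VM itself with administrative rights (for example in the Serial Console after starting powershell.exe); the $Hours and $Threshold values are assumed defaults that you can adjust.

```powershell
# Added example (not from the original article): summarize Event ID 4625 from the
# Security log to confirm a brute force pattern and identify the source addresses.
# Assumes it runs on the VM with administrative rights. $Hours and $Threshold are assumed values.
param(
    [int]$Hours = 24,       # look-back window
    [int]$Threshold = 50    # failures from one source that we treat as brute force
)

$since  = (Get-Date).AddHours(-$Hours)
# Get-WinEvent reports "No events were found" as an error when nothing matches; treat that as zero.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue)

# Read the named EventData fields from each event's XML instead of relying on
# positional Properties[] indexes, which differ between Windows versions.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $data['TargetUserName']
        SourceIp  = $data['IpAddress']      # '-' when no source address was recorded
        LogonType = $data['LogonType']      # 3 = network (NLA pre-auth), 10 = RemoteInteractive
        SubStatus = $data['SubStatus']      # 0xC000006A bad password, 0xC0000064 user does not exist
    }
}
$rows = @($rows)

$ratePerMin = [math]::Round($rows.Count / ($Hours * 60), 1)
"Failed logons (4625) since $since : $($rows.Count) (~$ratePerMin per minute)"

$bySource = $rows | Group-Object SourceIp | Sort-Object Count -Descending
$bySource | Select-Object -First 10 Count,
    @{ n = 'SourceIp'; e = { $_.Name } },
    @{ n = 'Users';    e = { (@($_.Group.User | Sort-Object -Unique) | Select-Object -First 5) -join ',' } } |
    Format-Table -AutoSize

# Many failures from one source against many user names is the signature of a
# dictionary attack or password spray; legitimate users do not fail this often.
$attackers = @($bySource | Where-Object { $_.Name -ne '-' -and $_.Count -ge $Threshold })
if ($attackers.Count -gt 0) {
    Write-Warning ("Brute force pattern: {0} source address(es) with >= {1} failures: {2}" -f `
        $attackers.Count, $Threshold, ($attackers.Name -join ', '))
} else {
    'No single source exceeds the threshold; check whether failures are spread across many addresses.'
}
```

Save it as a .ps1 file and run it as `.\Find-RdpBruteForce.ps1 -Hours 6 -Threshold 20` (file name assumed). A high failure rate spread across many source addresses is still an attack; it just means the attacker is rotating sources, which is one more reason to prefer the allowlist and Bastion/VPN approaches below over blocking individual addresses.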

Cause

If the log shows many recent failed logon attempts, the VM is probably under a brute force attack and needs to be secured. The flood of connection attempts can exhaust the resources of the Remote Desktop Services service, which is why your own RDP connections fail or are dropped.

Solution

In this scenario, RDP (TCP port 3389) is exposed to the Internet. Use one or more of the following methods to reduce the exposure of the VM:

  1. Use Just-In-Time access to secure the public facing ports of your VM.

  2. Use Azure Bastion to connect securely via the Azure portal, and block RDP traffic from the Internet in your Network Security Group (NSG).

  3. Use a VPN Gateway to provide an encrypted tunnel between your computer and your VMs, and block RDP traffic from the Internet in your Network Security Group (NSG).

  4. Edit your Network Security Group (NSG) to be more restrictive. In your inbound rule for RDP, allow only the specific IP addresses or IP ranges that belong to your organization:

    If the Source of your inbound RDP (TCP port 3389) rule is set to "Any", "*", or the Internet service tag, the rule is considered open. To improve the security of the rule, restrict the source to the specific IP address or CIDR range that you connect from, and then test RDP access again. Because NSG rules are evaluated in priority order, also confirm that no other inbound allow rule with a lower priority number still covers port 3389.

  5. Use Run Command to change the default RDP port from 3389 to a less common port number. This only hides the service from scanners that probe the default port and is not suggested as a long-term fix, but it may help you temporarily mitigate the attack and regain access to the VM. For a lasting fix, use Just-In-Time access, Azure Bastion, or VPN Gateway.

    Screenshot of the description of the SetRDPPort command in the Run command page of Azure Portal.
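Method 4 above is the one you will most often apply by hand. The following script is an added example, not part of the original article or of any Azure tooling: it audits an NSG for inbound allow rules that expose TCP 3389 to the Internet and, with -Fix, narrows the matching rules to a single trusted source prefix. It assumes the Az.Network module is installed and Connect-AzAccount has been run; the resource group, NSG name, and trusted prefix are assumed values that you supply.

```powershell
# Added example (not from the original article): audit an NSG for RDP exposed to the
# Internet and optionally restrict the offending rules to one trusted source prefix.
# Assumes Az.Network is installed and you are signed in with Connect-AzAccount.
param(
    [Parameter(Mandatory)] [string]$ResourceGroupName,
    [Parameter(Mandatory)] [string]$NsgName,
    [string]$TrustedSourcePrefix,   # assumed example value: '203.0.113.10/32'
    [switch]$Fix                    # without -Fix the script only reports
)

# True if a port is covered by any of the rule's destination port ranges ('*', '3389', '3000-4000').
function Test-PortCovered([string[]]$Ranges, [int]$Port) {
    foreach ($r in $Ranges) {
        if ($r -eq '*') { return $true }
        if ($r -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($r -match '^\d+$' -and [int]$r -eq $Port) { return $true }
    }
    return $false
}

$openSources = @('*', 'Internet', '0.0.0.0/0')
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NsgName

$exposed = @($nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    $_.Protocol -in @('Tcp', '*') -and
    (Test-PortCovered -Ranges $_.DestinationPortRange -Port 3389) -and
    ($_.SourceAddressPrefix | Where-Object { $_ -in $openSources })
})

if ($exposed.Count -eq 0) { "No inbound rule in '$NsgName' allows TCP/3389 from the Internet."; return }

foreach ($rule in $exposed) {
    "Rule '$($rule.Name)' (priority $($rule.Priority)) allows $($rule.SourceAddressPrefix -join ',') -> TCP $($rule.DestinationPortRange -join ',')"
    if ($Fix -and $TrustedSourcePrefix) {
        # Rewrite the rule in place: same name and priority, source narrowed to the trusted prefix,
        # destination port pinned to 3389 so a wide '*' port range is not kept by accident.
        $null = Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $rule.Name `
            -Description 'RDP restricted to trusted source' -Access Allow -Protocol Tcp -Direction Inbound `
            -Priority $rule.Priority -SourceAddressPrefix $TrustedSourcePrefix -SourcePortRange '*' `
            -DestinationAddressPrefix $rule.DestinationAddressPrefix -DestinationPortRange 3389
    }
}

if ($Fix -and $TrustedSourcePrefix) {
    $null = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg   # push the changes to Azure
    "NSG '$NsgName' updated; test RDP from $TrustedSourcePrefix before closing the session."
}
```

Run it first without -Fix to see what is exposed, then with `-Fix -TrustedSourcePrefix '203.0.113.10/32'` (assumed value) to apply the change. If a VM has an NSG on both its NIC and its subnet, audit both; traffic must be allowed by each. Keep the trusted prefix as narrow as you can, and prefer Just-In-Time access, Azure Bastion, or a VPN Gateway where the set of source addresses is not stable.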

Note

Use Azure Security Center (now Microsoft Defender for Cloud) to assess the security state of your cloud resources, including VMs with management ports open to the Internet. Visualize your security state and improve your security posture by following its secure score recommendations.

Next Steps

Contact us for help

If you have questions or need help, create a support request or ask Azure community support. You can also submit product feedback to the Azure feedback community.