Windows Remote Desktop / Terminal Server honeypot configuration

Windows Remote Desktop is a very useful way of administering a remote machine, and for the same reason it provides an ideal method of attacking and compromising a remote machine if the logon credentials can be guessed or obtained. Attackers often run dictionary attacks against TCP port 3389 in order to gain access through insecure, commonly used passwords.

There are two options for monitoring this type of attack.

1. Enable the KFSensor Terminal Server Sim Server.

If remote desktop access to the KFSensor machine is not required, the most secure option is to disable remote desktop on the machine and then allow KFSensor to take over TCP 3389 and run its Terminal Server Sim Server. This allows attempted remote connections to be logged with no danger of compromise.
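After choosing this option it is worth confirming that Windows itself no longer answers on TCP 3389, otherwise KFSensor cannot bind the port and the real service stays exposed. The following PowerShell check is an added example and is not part of the KFSensor manual or product; it assumes the standard Windows registry value fDenyTSConnections (1 = Remote Desktop disabled) and the built-in Terminal Services service name TermService, and it leaves the comparison of the listening process against the KFSensor process to the administrator, since the manual does not name that process.

```powershell
# Added example, not KFSensor code. Run in an elevated PowerShell prompt.
# Checks that Windows Remote Desktop is disabled and reports who owns TCP 3389.

function Test-RdpDisabled {
    # fDenyTSConnections = 1 means Remote Desktop connections are refused by Windows.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    return ($ts.fDenyTSConnections -eq 1)
}

function Get-Port3389Listener {
    # Lists every process listening on TCP 3389. After the native service is stopped,
    # the only entry here should be the KFSensor honeypot process (compare the name
    # against the KFSensor process shown in Task Manager).
    Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Pid          = $_.OwningProcess
                Process      = if ($p) { $p.ProcessName } else { '<unknown>' }
            }
        }
}

$termService = Get-Service -Name TermService -ErrorAction SilentlyContinue

Write-Host ("Remote Desktop disabled in registry : {0}" -f (Test-RdpDisabled))
Write-Host ("TermService status                  : {0}" -f ($termService.Status))
Write-Host "Listeners on TCP 3389:"
Get-Port3389Listener | Format-Table -AutoSize
```

If TermService is still Running and a svchost.exe process owns the 3389 listener, the native Windows service still holds the port and the Sim Server cannot start on it; disable Remote Desktop (or stop the service) before enabling the KFSensor listener.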

2. Monitor actual remote desktop connection attempts

Remote desktop connections often provide the only practical means for the security administrator to configure and maintain a remote KFSensor machine; for deployed virtual machines this may be the only method available. In this case the best option is to configure KFSensor to monitor use of remote desktop, and in particular to monitor unsuccessful connection attempts.

In KFSensor the port TCP 3389 should be set to Native. Once the Windows audit policy has been configured as described in the manual, failed logons will be picked up automatically by KFSensor.
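The failed logons that KFSensor picks up in this mode come from the Windows Security event log, so an administrator can verify that auditing is producing them before relying on the honeypot. The PowerShell below is an added example, not KFSensor code and not the manual's own configuration procedure; it assumes the standard Windows audit subcategory "Logon", the Security log event ID 4625 (an account failed to log on) and its LogonType field, where 10 is RemoteInteractive (Remote Desktop) and 3 is the Network logon type that Network Level Authentication failures are commonly recorded under.

```powershell
# Added example, not KFSensor code. Run in an elevated PowerShell prompt.
# 1. Make sure failed logons are audited (Advanced Audit Policy: Logon/Logoff > Logon).
auditpol /set /subcategory:"Logon" /failure:enable | Out-Null

# 2. Summarise failed logons that arrived over Remote Desktop.
function Get-FailedRdpLogons {
    param(
        [int]$Hours = 24,
        # Logon type 10 = RemoteInteractive. With NLA enabled, failed attempts are
        # frequently recorded as type 3 (Network) instead, so both are included.
        [string[]]$LogonTypes = @('10', '3')
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Event data is easiest to read from the event's XML form.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($LogonTypes -contains $d['LogonType']) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $d['TargetUserName']
                Source    = $d['IpAddress']
                LogonType = $d['LogonType']
            }
        }
    }
}

# Group by source address so a dictionary attack stands out as one address
# trying many user names.
Get-FailedRdpLogons |
    Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Source'; e = { $_.Name } },
                  @{ n = 'Users';  e = { ($_.Group.User | Select-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

If the query returns nothing after a deliberate failed test logon from another host, auditing is not enabled or the events are not reaching the Security log, and KFSensor will have nothing to report either.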
