
On your router, forward some non-default SSH port (the default is 22), for example 20202, to port 22 on the Windows PC, as you did for RDP to this Windows machine (don't forget to also DISABLE the forwarding to RDP). Set up Cygwin on the Windows PC, run the SSH service, enable tunneling in sshd_config, and set up public key authentication while disabling plain password authentication (test the SSH connection while you are on your home LAN to check that it works).

You almost answered your question by mentioning SSH.

The policy doesn't depend on the IP of the originator; it just counts login attempts and triggers an account lockout event, so it effectively disables access for both the owner and the attacker.

Another, IMHO much stronger, protection is to use SSH public key authentication, which is much stronger than password-based authentication.

The problem with the Windows Account Lockout Policy is that your computer would be locked if someone else is trying to brute-force the password.

Double-click the ResetTime (mins) value and change the default value 0xB40, which is hexadecimal for 2,880 minutes (two days), to something reasonable, say 15-20 minutes. Double-click the MaxDenials value and enter the number of failed attempts before you want the account to be locked out.


If you own a Home version, you can activate the Account Lockout policy by editing the registry directly under the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout

There is the Account Lockout policy (which has some disadvantages, read further), described very well in a nice answer, so those who have at least the Windows Pro version can use that workflow. It is a really good decision, since Microsoft still can't figure out how to prevent brute-force attacks on RDP sessions.
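
The sshd_config settings this answer calls for (public key authentication on, password authentication off, tunneling allowed) can be checked with a short script. This is an added example, not part of the original answer; the function names and sample configs are constructed for illustration, and it only reads global settings, stopping at the first Match block.

```python
# Added example: audit sshd_config text for the settings the answer relies on.
# Function names and the sample configs are constructed for illustration.

# OpenSSH defaults, used when a keyword is absent from the file.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "allowtcpforwarding": "yes",
}

def effective_settings(text):
    """Global settings as sshd reads them: the FIRST value per keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) < 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().lower()
        if keyword == "match":
            break  # conditional blocks are outside this global check
        settings.setdefault(keyword, value)  # later duplicates are ignored
    return {**DEFAULTS, **settings}

def audit(text):
    """Return a list of findings; an empty list means the config matches."""
    s = effective_settings(text)
    findings = []
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is not enabled")
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is still enabled")
    if s["allowtcpforwarding"] not in ("yes", "all", "local"):
        findings.append("AllowTcpForwarding blocks the RDP tunnel")
    return findings

# Constructed samples. In SHADOWED the later "no" never takes effect.
HARDENED = "PubkeyAuthentication yes\npasswordauthentication no\nAllowTcpForwarding local\n"
SHADOWED = "# constructed\nPasswordAuthentication yes\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("HARDENED", HARDENED), ("SHADOWED", SHADOWED)):
        print(name, audit(cfg) or "OK")
```

An empty or untouched config is also flagged, because password authentication is on by default in OpenSSH.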
