RDP Attack Containment mode enables WatchGuard Endpoint Security to automatically stop remote desktop (RDP) attacks. WatchGuard Endpoint Security monitors for brute-force attacks on RDP and credentials compromised after brute force attacks.
In an Indicators of Attack settings profile, you can configure the behavior when WatchGuard Endpoint Security identifies an RDP attack. When you enable the RDP Attack toggle in the settings profile, WatchGuard Endpoint Security executes these actions on the recipient computers:
- Logs remote access attempts via RDP on each protected computer over the last 24 hours, which originated outside the customer network.
- Determines whether the computer is subject to an RDP brute force attack.
- Detects if any of the computer accounts have already been compromised to access resources on the system.
- Blocks RDP connections to mitigate the attack.
To configure RDP Attack response settings:
- From the top navigation bar, select Settings.
- From the left pane, select Indicators of Attack.
- Select an existing security settings profile to edit, copy an existing profile, or in the upper-right corner of the window, click Add to create a new profile.
The Add Settings or Edit Settings page opens.
- Enter a Name and Description for the profile, if required.
- Enable the RDP Attack toggle.
- Select Advanced Settings.
- In the Automatic Response section, specify the automatic remediation for workstations and servers (Report or Report and Block).
In the Trusted IPs section, add IP addresses and IP ranges to exclude.
These IPs are reported but not blocked.
- Enable the toggles for any other Indicators of Attack you want to include in the profile.
For information on the type of IOA, click the information icon. WatchGuard periodically updates the list of indicators of attack to reflect new strategies used by cybercriminals.
- Click Save.
- Select the profile and assign recipients, if required.
For more information, see Assign a Settings Profile.