Configure RDP Attack Settings

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR

RDP Attack Containment mode enables WatchGuard Endpoint Security to automatically stop remote desktop (RDP) attacks. WatchGuard Endpoint Security monitors for brute-force attacks against RDP and for credentials that are compromised as a result of those attacks.

In an Indicators of Attack settings profile, you can configure the behavior when WatchGuard Endpoint Security identifies an RDP attack. When you enable the RDP Attack toggle in the settings profile, WatchGuard Endpoint Security executes these actions on the recipient computers:

  • Logs the RDP remote access attempts to each protected computer over the last 24 hours that originated from outside the customer network.
  • Determines whether the computer is subject to an RDP brute force attack.
  • Detects whether any account on the computer has already been compromised and used to access resources on the system.
  • Blocks RDP connections to mitigate the attack.
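The checks in the list above can be corroborated on a single Windows host from its own Security event log. The PowerShell script below is an added example, not WatchGuard code and not a description of how the endpoint agent evaluates the IOA: it takes 4624 (success) and 4625 (failure) logon events, keeps only those from the last 24 hours whose source address is outside the private, loopback and link-local ranges (an assumed stand-in for "outside the customer network"), flags a source as brute forcing once it exceeds an assumed threshold of failed logons, treats a later successful logon from the same source for an account it had already failed against as a compromised credential, and applies an exclusion list with the same semantics as the profile's Trusted IPs setting (reported, never blocked). The sample events, the threshold of 20 and the trusted range 203.0.113.0/24 are constructed for the example.

```powershell
# Added example (not WatchGuard code): reproduce the RDP Attack checks on one
# Windows host. Thresholds, trusted ranges and sample events are assumptions.

# Assumption: "outside the customer network" means not in a private/loopback/link-local range.
$script:PrivateRanges = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8', '169.254.0.0/16'

function ConvertTo-UInt32 ([string]$Ip) {
    # Big-endian IPv4 bytes -> unsigned 32-bit integer for mask arithmetic
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPInCidr ([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    $bits = [int]$bits
    $mask = [uint32](([math]::Pow(2, $bits) - 1) * [math]::Pow(2, 32 - $bits))
    return ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

function Test-PrivateIPv4 ([string]$Ip) {
    foreach ($range in $script:PrivateRanges) { if (Test-IPInCidr $Ip $range) { return $true } }
    return $false
}

function Get-RdpAttackFindings {
    param(
        [object[]]$Events,                  # objects with Time, EventId, LogonType, Account, SourceIp
        [datetime]$Now = (Get-Date),
        [int]$WindowHours = 24,
        [int]$Threshold = 20,               # assumed: failed logons per source that count as brute force
        [string[]]$TrustedIPs = @(),        # same semantics as the profile's Trusted IPs: report, never block
        [ValidateSet('Report', 'ReportAndBlock')][string]$Response = 'Report'
    )
    $since = $Now.AddHours(-$WindowHours)
    # Logon type 10 is RemoteInteractive; with NLA enabled, failed RDP logons are recorded as type 3 (network).
    $external = $Events | Where-Object {
        $_.Time -ge $since -and ($_.LogonType -in @(10, 3)) -and
        $_.SourceIp -match '^\d{1,3}(\.\d{1,3}){3}$' -and -not (Test-PrivateIPv4 $_.SourceIp)
    }
    foreach ($group in ($external | Group-Object SourceIp)) {
        $ip    = $group.Name
        $fails = @($group.Group | Where-Object EventId -eq 4625)
        if ($fails.Count -lt $Threshold) { continue }
        # Credential compromised after brute force: a success from the same source for an
        # account that this source had already failed against earlier in the window.
        $compromised = @($group.Group | Where-Object EventId -eq 4624 | Where-Object {
            $ok = $_
            @($fails | Where-Object { $_.Account -eq $ok.Account -and $_.Time -lt $ok.Time }).Count -gt 0
        } | Select-Object -ExpandProperty Account -Unique)
        $trusted = [bool]($TrustedIPs | Where-Object { Test-IPInCidr $ip $_ })
        $action  = if ($Response -eq 'ReportAndBlock' -and -not $trusted) { 'Block' } else { 'Report' }
        [pscustomobject]@{
            SourceIp = $ip; FailedLogons = $fails.Count
            CompromisedAccounts = ($compromised -join ','); Trusted = $trusted; Action = $action
        }
        # Blocking on the host itself would be, for example:
        # New-NetFirewallRule -DisplayName "RDP block $ip" -Direction Inbound -RemoteAddress $ip `
        #     -Protocol TCP -LocalPort 3389 -Action Block
    }
}

# Constructed sample events (not real log data)
$now = Get-Date '2024-05-01T12:00:00'
$sample = @(
    # 25 failures against 'administrator' from 198.51.100.7, then a success: brute force and compromised account
    1..25 | ForEach-Object { [pscustomobject]@{ Time = $now.AddMinutes(-60 + $_); EventId = 4625; LogonType = 3; Account = 'administrator'; SourceIp = '198.51.100.7' } }
    [pscustomobject]@{ Time = $now.AddMinutes(-30); EventId = 4624; LogonType = 10; Account = 'administrator'; SourceIp = '198.51.100.7' }
    # 30 failures from an address in the trusted range: reported, never blocked
    1..30 | ForEach-Object { [pscustomobject]@{ Time = $now.AddMinutes(-90 + $_); EventId = 4625; LogonType = 3; Account = 'svc_backup'; SourceIp = '203.0.113.10' } }
    # Internal source and an event older than the window: both ignored
    [pscustomobject]@{ Time = $now.AddMinutes(-5); EventId = 4625; LogonType = 3; Account = 'alice'; SourceIp = '192.168.1.20' }
    [pscustomobject]@{ Time = $now.AddDays(-2); EventId = 4625; LogonType = 3; Account = 'bob'; SourceIp = '198.51.100.99' }
)

Get-RdpAttackFindings -Events $sample -Now $now -Threshold 20 -TrustedIPs '203.0.113.0/24' -Response ReportAndBlock |
    Format-Table -AutoSize

# To check the live Security log instead (run elevated), build $Events with:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-24) } |
#   ForEach-Object { $d = ([xml]$_.ToXml()).Event.EventData.Data; [pscustomobject]@{
#     Time = $_.TimeCreated; EventId = $_.Id; LogonType = [int]($d | Where-Object Name -eq 'LogonType').'#text'
#     Account = ($d | Where-Object Name -eq 'TargetUserName').'#text'; SourceIp = ($d | Where-Object Name -eq 'IpAddress').'#text' } }
```

The script only reports the decision it would take; the commented New-NetFirewallRule line shows what a host-side block would look like and is not executed. Two caveats when running this against a real log: with Network Level Authentication enabled, RDP failures are logged as logon type 3 rather than 10, which is why both types are accepted, and the IpAddress field of a 4625 event can be a placeholder such as "-" or an IPv6 address, which the IPv4 match skips rather than trying to parse.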

To configure RDP Attack response settings:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Settings.
  3. From the left pane, select Indicators of Attack.
  4. Select an existing security settings profile to edit, copy an existing profile, or in the upper-right corner of the window, click Add to create a new profile.
    The Add Settings or Edit Settings page opens.
  5. Enter a Name and Description for the profile, if required.
  6. Enable the RDP Attack toggle.

Screen shot of WatchGuard Endpoint Security, Add Indicators of Attack settings

  7. Select Advanced Settings.

Screen shot of WatchGuard Endpoint Security, Indicators of Attack Advanced Settings

  8. In the Automatic Response section, specify the automatic remediation for workstations and servers (Report or Report and Block).
  9. In the Trusted IPs section, add IP addresses and IP ranges to exclude.
    This is a list of IP addresses and ranges you consider trustworthy. Attacks from these IPs are reported but not blocked.
  10. Enable the toggles for any other Indicators of Attack you want to include in the profile.
    For information on the type of IOA, click the information icon. WatchGuard periodically updates the list of indicators of attack to reflect new strategies used by cybercriminals. In Advanced EPDR, you can also enable Advanced IOA. Advanced IOAs provide in-depth monitoring of the applications on your computers, detect suspicious behavior, and determine whether an event is an IOA.
  11. Click Save.
  12. Select the profile and assign recipients, if required.
    For more information, go to Assign a Settings Profile.

Related Topics

Manage Settings Profiles

RDP Attack Containment Modes