Rate Limiting Remote Desktop Service Gateway

Recently I had an issue where the RDWeb Gateway was being brute-forced, locking out accounts.

The client did not want to hide the RD Gateway behind the App Proxy due to issues with a shortcut not working 🙁

Unfortunately RDWeb Gateway proxies RDP traffic over HTTP, so normal WAFs don't work well with RD Gateways (WAFs usually provide rate limiting of connections).

But we can do this with IIS 🙂

Install the IP and Domain Restrictions role service on IIS (this provides Dynamic IP Restrictions).

Enable Dynamic IP Restrictions with the default thresholds, in Logging Only mode.

With Logging Only mode enabled, requests that trip a restriction are logged with status 200 and substatus 501 or 502 (they are not blocked).

With Logging Only mode off, they are logged with status 403 and substatus 501 or 502 (and are blocked).

For example:

    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
(log entry for normal Dynamic IP Restrictions, blocking mode)
    2018-01-08 04:30:34 192.168.2.50 GET / - 80 - 192.168.2.50 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+10.0;+WOW64;+Trident/8.0;+.NET4.0C;+.NET4.0E;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+.NET+CLR+3.5.30729) - 403 501 0 15
(log entry for Logging Only mode)
    2018-01-08 05:37:11 192.168.2.50 GET /a.aspx - 80 - 192.168.2.50 HTTP/1.1 Mozilla/4.0+(compatible;+M

Let's make it easier to monitor this.

Download and install Log Parser and Log Parser Studio on the web server.

How to emulate a brute force

Open Chrome or Edge, open Developer Tools and the Network tab, navigate to the site and do a test login, then right-click the login.aspx request and copy it as fetch.

Paste it into the Console, press Enter, and repeat 10 times!

Go to Log Parser Studio

Import Logs

C:\inetpub\logs\LogFiles\W3SVC1

Create a new Query

    SELECT c-ip, cs-uri-stem AS Uri,
           sc-status AS HttpStatus,
           sc-substatus AS SubStatus,
           sc-win32-status AS Win32Status,
           COUNT(*) AS Total
    FROM '[LOGFILEPATH]'
    WHERE (sc-substatus = 501) OR (sc-substatus = 502)
    GROUP BY Uri, HttpStatus, SubStatus, Win32Status, c-ip
    ORDER BY Total DESC

Then execute! We should see the blocks.
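If you want the same view without Log Parser Studio, the following Python script (an added example, not from the original post) reads an IIS W3C log, keeps only the Dynamic IP Restrictions hits (substatus 501 or 502) and groups them per client IP and URI like the query above, while also separating Logging Only entries (status 200) from real blocks (status 403). The log sample is constructed for the example; the client IPs and paths are made up. The substatus meanings in DIPR_SUBSTATUS follow IIS's 403.501 (concurrent request limit) and 403.502 (request rate limit) codes.

```python
from collections import Counter, defaultdict

# Substatus codes written by Dynamic IP Restrictions (IIS 403.501 / 403.502).
DIPR_SUBSTATUS = {501: "concurrent-request limit", 502: "request-rate limit"}

# Constructed IIS W3C log sample (not from the original post). The #Fields line
# matches the one in the post; IPs, URIs and timestamps are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2018-01-08 04:30:34 192.168.2.50 POST /RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.7 HTTP/1.1 Mozilla/5.0 - 200 0 0 15
2018-01-08 04:30:35 192.168.2.50 POST /RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.7 HTTP/1.1 Mozilla/5.0 - 200 502 0 3
2018-01-08 04:30:35 192.168.2.50 POST /RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.7 HTTP/1.1 Mozilla/5.0 - 200 502 0 2
2018-01-08 05:37:11 192.168.2.50 GET /RDWeb/ - 443 - 198.51.100.9 HTTP/1.1 Mozilla/5.0 - 403 501 0 1
2018-01-08 05:37:12 192.168.2.50 GET /RDWeb/ - 443 - 198.51.100.9 HTTP/1.1 Mozilla/5.0 - 403 502 0 1
2018-01-08 05:40:00 192.168.2.50 GET /RDWeb/ - 443 - 192.0.2.20 HTTP/1.1 Mozilla/5.0 - 200 0 0 12
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive.

    IIS replaces spaces inside a field value with '+', so a plain split on
    spaces is safe. Other '#' directive lines are skipped.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, values))


def dipr_hits(text):
    """Equivalent of the Log Parser query: count DIPR hits grouped by
    (c-ip, Uri, HttpStatus, SubStatus)."""
    counts = Counter()
    for rec in parse_w3c(text):
        sub = int(rec["sc-substatus"])
        if sub in DIPR_SUBSTATUS:
            key = (rec["c-ip"], rec["cs-uri-stem"], int(rec["sc-status"]), sub)
            counts[key] += 1
    return counts


def summarize(text):
    """Per client IP: hits that were only logged (status 200, Logging Only mode)
    versus actually denied (status 403), plus which limit they tripped."""
    summary = defaultdict(lambda: {"logged_only": 0, "blocked": 0, "reasons": set()})
    for (ip, _uri, status, sub), n in dipr_hits(text).items():
        bucket = "blocked" if status == 403 else "logged_only"
        summary[ip][bucket] += n
        summary[ip]["reasons"].add(DIPR_SUBSTATUS[sub])
    return dict(summary)


def top_offenders(text, limit=10):
    """Groups ordered by Total DESC, as the Log Parser query returns them."""
    return dipr_hits(text).most_common(limit)


if __name__ == "__main__":
    for (ip, uri, status, sub), total in top_offenders(SAMPLE_LOG):
        print(f"{ip:<15} {uri:<35} {status} {sub} {total}")
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Point it at a real file with `summarize(open(r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex180108.log").read())`; an IP that shows up with a large `logged_only` count during the week of Logging Only mode is what will start being denied once the mode is switched off.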

Keep this on for a week, then turn Logging Only mode off so it starts blocking.

You can see the list of blocked IPs here.
