Recently I had an issue where the RD Web Gateway was being brute forced, locking out accounts.
The client did not want to hide the RD Gateway behind the App Proxy due to issues with a shortcut not working 🙁
Unfortunately the RD Web Gateway proxies RDP traffic over HTTP, so normal WAFs don't work well with RD Gateways (WAFs usually rely on rate limiting connections for this kind of protection).
But we can do this with IIS 🙂
Install the Dynamic IP Restrictions role on IIS.
Enable the default Dynamic IP Restrictions in Logging Only mode.
With Logging Only mode enabled, the request is still served and logged with status 200 and substatus code 501 or 502.
With Logging Only mode off, the request is rejected and logged with status 403 and substatus code 501 or 502.
E.g. per below:
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
(log entry for a normal dynamic restriction, i.e. blocking mode)
2018-01-08 04:30:34 192.168.2.50 GET / - 80 - 192.168.2.50 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+10.0;+WOW64;+Trident/8.0;+.NET4.0C;+.NET4.0E;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+.NET+CLR+3.5.30729) - 403 501 0 15
(log entry for Logging Only mode)
2018-01-08 05:37:11 192.168.2.50 GET /a.aspx - 80 - 192.168.2.50 HTTP/1.1 Mozilla/4.0+(compatible;+M
Let's make it easier to monitor this.
Download Log Parser and Log Parser Studio onto the web server.
How to emulate a brute force against your own login page (to test the configuration)
Open Chrome or Edge Developer Tools, open the Network tab, navigate to the site, do a test login, then copy the login.aspx request as fetch.
Paste it into the Console, press Enter and repeat 10 times!
Go to Log Parser Studio.
Import the logs from
C:\inetpub\logs\LogFiles\W3SVC1
Create a new query:
SELECT c-ip, cs-uri-stem AS Uri,
sc-status AS HttpStatus,
sc-substatus AS SubStatus,
sc-win32-status AS Win32Status,
COUNT(*) AS Total
FROM '[LOGFILEPATH]'
WHERE (sc-substatus = 501) OR (sc-substatus = 502)
GROUP BY Uri, HttpStatus, SubStatus, Win32Status, c-ip
ORDER BY Total DESC
Then execute it! We should see the blocked (or, in Logging Only mode, the logged) requests.
Keep Logging Only mode on for a week, then turn it off so it starts blocking.
You can see the IP list here for any blocks.
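To do the same without clicking through the IIS console, here is an added PowerShell example (not from the original post) that sets Dynamic IP Restrictions in Logging Only mode through the WebAdministration module and tallies the 501/502 substatus hits per client IP from the W3C log, like the Log Parser query above. The site name, the thresholds and the sample log lines are assumptions, not values from the post.

```powershell
# Added example, not from the original post. Requires IIS with the WebAdministration module.
Import-Module WebAdministration

function Set-DynamicIpRestriction {
    param(
        [string]$Site = 'Default Web Site',  # assumed: the site hosting RDWeb / RD Gateway
        [bool]$LoggingOnly = $true,          # $true = 200 + substatus 501/502, $false = 403 + 501/502
        [int]$MaxConcurrent = 5,             # assumed threshold; exceeding it yields substatus 501
        [int]$MaxRequests = 20,              # assumed threshold; exceeding it within IntervalMs yields 502
        [int]$IntervalMs = 5000
    )
    $root = 'MACHINE/WEBROOT/APPHOST'  # write a <location> in applicationHost.config, so the section lock does not matter
    $dyn  = 'system.webServer/security/dynamicIpSecurity'
    Set-WebConfigurationProperty -PSPath $root -Location $Site -Filter $dyn -Name enableLoggingOnlyMode -Value $LoggingOnly
    Set-WebConfigurationProperty -PSPath $root -Location $Site -Filter "$dyn/denyByConcurrentRequests" -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath $root -Location $Site -Filter "$dyn/denyByConcurrentRequests" -Name maxConcurrentRequests -Value $MaxConcurrent
    Set-WebConfigurationProperty -PSPath $root -Location $Site -Filter "$dyn/denyByRequestRate" -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath $root -Location $Site -Filter "$dyn/denyByRequestRate" -Name maxRequests -Value $MaxRequests
    Set-WebConfigurationProperty -PSPath $root -Location $Site -Filter "$dyn/denyByRequestRate" -Name requestIntervalInMilliseconds -Value $IntervalMs
}

function Get-DynamicIpHit {
    param([string[]]$LogLines)  # e.g. Get-Content C:\inetpub\logs\LogFiles\W3SVC1\*.log
    $fields = @(); $hits = @{}
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if ($line -like '#*' -or $fields.Count -eq 0) { continue }   # skip other directives and lines before a header
        $row = @{}; $cols = $line -split ' '  # W3C logs encode spaces inside values as '+', so a plain split is safe
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['sc-substatus'] -notin '501', '502') { continue }     # 501 = concurrent limit, 502 = rate limit
        $key = '{0} {1} {2}.{3}' -f $row['c-ip'], $row['cs-uri-stem'], $row['sc-status'], $row['sc-substatus']
        $hits[$key] = [int]$hits[$key] + 1
    }
    $hits.GetEnumerator() | Sort-Object Value -Descending |
        ForEach-Object { [pscustomobject]@{ ClientUriStatus = $_.Key; Total = $_.Value } }
}

# Constructed sample lines in the post's log format (not real traffic); the first is the header from the post
$sample = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken',
    '2018-01-08 04:30:34 192.168.2.50 POST /RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.7 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0) - 200 502 0 15',
    '2018-01-08 04:30:34 192.168.2.50 POST /RDWeb/Pages/en-US/login.aspx - 443 - 203.0.113.7 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0) - 200 502 0 12',
    '2018-01-08 04:30:35 192.168.2.50 GET /RDWeb/ - 443 - 198.51.100.9 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 9'
)
Get-DynamicIpHit -LogLines $sample | Format-Table -AutoSize      # one row for 203.0.113.7 with status 200.502 and Total 2
Set-DynamicIpRestriction -Site 'Default Web Site' -LoggingOnly $true  # after the week of logging, rerun with -LoggingOnly $false
```

Get-DynamicIpHit only groups what the query above groups; run it over a whole day of logs in Logging Only mode to confirm the thresholds do not catch legitimate RD Gateway sessions before switching to blocking.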