HELP!!! I'M LOCKED OUT OF MY WINDOWS SERVER!!!!!!!

Windows servers are generally not intended to be open to the public Internet. We are a server host, and it's known that we are a server host, and malicious actors know that our IP ranges have servers associated with them. Therefore, malicious actors scan our IP ranges looking for easy entry into improperly secured servers. 

As the brute forcers hammer your improperly secured server, you may receive the following notification, coupled with an inability to log into your server via RDP:

You can use Event Viewer to confirm this situation. More information here: https://trunc.org/learning/brute-force-attacks-against-windows-remote-desktop
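The same confirmation from PowerShell instead of the Event Viewer GUI, as an added example that is not part of the original article: it summarises failed logons (Event ID 4625) and lockouts (Event ID 4740) from the Security log over the last 24 hours, grouped by source address and by the username being guessed. The 24-hour window is an assumption; adjust `$since` as needed.

```powershell
# Added example: confirm a brute-force campaign from the Security event log.
# Assumes default Windows Server audit settings (logon failures are audited) and
# that you are running as Administrator. The 24-hour window is an assumption.
$since = (Get-Date).AddHours(-24)

# 4625 = "An account failed to log on"
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

# Pull the interesting fields out of each event's XML payload.
$summary = foreach ($evt in $failed) {
    $x = [xml]$evt.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $evt.TimeCreated
        Source    = $d['IpAddress']        # may be '-' for some NLA failures
        User      = $d['TargetUserName']
        LogonType = $d['LogonType']        # 10 = RDP session, 3 = network (NLA)
    }
}

"Failed logons since $since : $($summary.Count)"

# Which addresses are hammering the server
$summary | Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Which usernames they are guessing (Administrator usually dominates)
$summary | Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# 4740 = "A user account was locked out": tells you which account tripped the policy
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message | Format-List
```

A high 4625 count from a handful of addresses, all targeting Administrator, is the signature described in this article.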

As can be seen at this Shodan search: https://www.shodan.io/search/report?query=RDP there are only a few thousand servers on the public Internet that are responding to RDP login challenges. This means that, relative to the number of servers on the Internet, there are not many targets available to be brute forced. Therefore, the malicious actors can concentrate all of their brute forcing on a very small number of targets, including your improperly secured server.

This article by a gray hat: https://0x4rk0.medium.com/corporate-espionage-with-shodan-ab4ca59ef3b9 describes an end-to-end method to easily locate targets with the intent of compromising them. If a gray hat can produce an 8-minute article describing this process, rest assured there are many more bad guys doing the same thing, and likely with faster and greater precision.


WHY DIDN'T YOU GUYS WARN ME ABOUT THIS!!!!!

We did. The email in which you received your server credentials states the following:

WARNING: This is a baseline OS install using the defaults provided by the operating system vendor. Your server has not been secured, and it is your responsibility to do so before using the server as intended. We are unable to give advice or perform actions regarding security, and recommend you review published best practices for your chosen operating system and applications.


I JUST BOUGHT THE SERVER AND THE ACCOUNT IS ALREADY LOCKED!!!!!!

Yes, as noted above, malicious actors are using automated tools to scan for accessible servers and attempt to gain access to improperly secured servers. There is no specific time window within which this will or will not happen.


I IGNORED THIS AND I'M LOCKED OUT. WHAT DO I DO NOW??????

Please either change your RDP port away from the default of 3389, or firewall RDP to only your static ISP IP or VPN IP.

Every dedicated server comes with an out-of-band console to log in to your server directly: IPMI KVM Console Help

If you do not have a static IP from your ISP or run your own VPN, you will need to change your RDP port instead. Note that changing your RDP port is not a one-time action; brute forcers will continue to scan your server, discover your new RDP port, and attack that instead.

Instructions are available here: https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/change-listening-port

Before rebooting the server, please be sure to allow access to your new port in Windows Firewall or whatever firewall you may be running on the server. If you forget to do this, the KVM console can be used to reach your server and add the firewall rule. 

Additionally, please be sure to unlock the user before rebooting, using whichever Windows administrative tools you prefer to do so. 
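The steps above (move the RDP port, open the new port in Windows Firewall before rebooting, optionally restrict RDP to one source address, unlock the account) as a single PowerShell session, as an added example that is not part of the original article. Run it as Administrator on the server itself, for instance via the KVM console. `$NewPort`, `$AllowedIp` and `$UserName` are placeholder values, and the account is assumed to be a local (non-domain) account.

```powershell
# Added example: remediation steps from this article in one PowerShell session.
# Placeholders: $NewPort, $AllowedIp (set to $null if you have no static IP), $UserName.
$NewPort   = 33890            # placeholder: pick an unused high port
$AllowedIp = '203.0.113.10'   # placeholder: your static ISP or VPN IP, or $null
$UserName  = 'Administrator'  # local account that got locked out

# Step 1: move the RDP listener (the same registry value the Microsoft article edits).
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name 'PortNumber' -Value $NewPort -Type DWord

# Step 2: allow the new port in Windows Firewall BEFORE rebooting; if you skip this,
# the KVM console is the only way back in. Restrict to one source address if you have one.
$ruleParams = @{
    DisplayName = "RDP custom port $NewPort"
    Direction   = 'Inbound'
    Protocol    = 'TCP'
    LocalPort   = $NewPort
    Action      = 'Allow'
}
if ($AllowedIp) { $ruleParams['RemoteAddress'] = $AllowedIp }
New-NetFirewallRule @ruleParams | Out-Null

# If you do have a static IP, also pin the built-in "Remote Desktop" rules to it,
# so the firewall-only option from this article is covered as well.
if ($AllowedIp) {
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AllowedIp
}

# Step 3: clear the lockout on the local account via the ADSI WinNT provider
# (local, non-domain account assumed).
$acct = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
$acct.IsAccountLocked = $false
$acct.SetInfo()

# Step 4: verify what was changed, then reboot so the new port takes effect.
Get-ItemProperty -Path $rdpKey -Name 'PortNumber'
Get-NetFirewallRule -DisplayName "RDP custom port $NewPort" | Get-NetFirewallPortFilter
Restart-Computer -Confirm
```

After the reboot, connect with `mstsc /v:<server>:<NewPort>` and expect the scanners to find the new port eventually; the firewall source restriction is what actually stops them.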


CAN'T YOU JUST DO ALL OF THIS FOR ME??????

Unfortunately no, we are not a managed host and do not log into customer servers to perform management actions. We do not backdoor our customers and do not have any different access to your server than we've already provided to you.

You can easily perform these actions yourself. Furthermore, as security is not a one-time, once-and-done action but instead an evolution and adaptation over time, you will want to get comfortable with the tools we provide for you to be successful.

We're always happy to provide guidance; however, when reaching out to inquire, please be sure to provide specifics on the situation you're encountering, things you've tried so far, results you're seeing, etc. General statements like "I can't" or "it didn't work", full stop, with no further information make it impossible for us to provide any meaningful guidance.

Please keep in mind that we are unable to give advice or perform actions regarding security, and recommend you review published best practices for your chosen operating system and applications.


THIS DOESNT HAPPEN AT <some other host>!!!!!!

We understand that your experience with us may differ from that at other hosts, as we are not that host. However, what happens at some other host cannot be applied here.

Our Windows deployments are completely unmodified as provided by Microsoft. We trust that Microsoft understands that producing operating system templates with these settings is the correct method. If you choose to use a server from another host that the host has modified to be easier for you to log in to, please be reminded that it's now easier for cybercriminals to log in to as well.


We hope that this document provides complete information about the situation you're experiencing, and the actions necessary to ensure your server remains a good neighbor on the public Internet without being exposed for everyone and their Grandma to try to log in to.
