The customer has a basic Windows Server 2019 machine (64 GB RAM) running Terminal Services, set up as a quick fix during the COVID period. It is a small setup with RDP CAL licenses for 10 users. Office was installed and activated with each user's own O365 credentials in their individual sessions.
A FortiGate firewall was installed with an RDP brute-force protection policy that blocks invalid credentials. This works reasonably well in the range of 20 attempts within 20 minutes.
If the setting is too short, brute-forcers pace their attempts slowly enough to get around the timeout period.
If the setting is too long, users who keep forgetting their passwords get locked out: they close their sessions too frequently, connect again within the timeout period, and hit the threshold.
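To check both failure modes before changing the policy, the sketch below replays failed-logon timestamps against a threshold and window. It is an added example, not FortiGate's implementation or part of the original notes; the sliding-window model, the function names and the timestamps are assumptions constructed for illustration.

```python
from collections import deque


def blocked_at(failure_times, threshold, window_s):
    """Return the time (seconds) at which a source reaches `threshold`
    failed logons inside a sliding window of `window_s` seconds, or None."""
    recent = deque()
    for t in sorted(failure_times):
        recent.append(t)
        # Drop failures that have aged out of the window.
        while recent[0] <= t - window_s:
            recent.popleft()
        if len(recent) >= threshold:
            return t
    return None


# Constructed sample data (seconds from start), not real logs.
# Source A: one failed logon every 45 s for an hour (paced guessing).
PACED_SOURCE = [i * 45 for i in range(80)]
# Source B: a user who mistypes 3 times on each reconnect, every 15 min.
FORGETFUL_USER = [r * 900 + k * 20 for r in range(16) for k in range(3)]


def evaluate(threshold=20, windows=(300, 1200, 7200)):
    """Map each window length to the block time of both sample sources."""
    results = {}
    for w in windows:
        results[w] = {
            "paced_source": blocked_at(PACED_SOURCE, threshold, w),
            "forgetful_user": blocked_at(FORGETFUL_USER, threshold, w),
        }
    return results


if __name__ == "__main__":
    for window, outcome in evaluate().items():
        print(f"window={window // 60:>3} min  {outcome}")
```

With these samples, the 5-minute window never blocks the paced source, the 20-minute window blocks it without touching the user, and the 120-minute window locks the user out as well.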
The firewall also works as a DDNS updater and web filter. This is primarily to mitigate click-throughs on phishing links and to prevent spyware/malware pop-up ads on some sites that users may unknowingly visit.
When users cannot connect via RDP, the following are some of the common issues/workarounds encountered:
- Client computer going to public network.
- Client computer not set to stay on; it goes into power-saving mode and disconnects.
- Administrator accidentally creates the account with "User must change password at next logon" set.
- Legacy application locks up when the user leaves the session active, and the user reconnects to a black screen.
- Users unknowingly going offline when they are too far away from their wireless access point.
Some users may need to save their RDP passwords. This has to be done in Credential Manager: under Generic Credentials, add TERMSRV/ip-address (the IP address or hostname of the server), then specify the username and password. Saving from the RDP session just keeps generating a prompt to retype the password.
Users may save huge amounts of data on the remote server's local drive/desktop instead of on the share. Hiding the C drive may help a little.
A batch script that places a link on their virtual C drive or desktop, pointing to the client side at \\tsclient\C, may help them locate their laptop's C drive if they want to work offline for a while.