For technical reasons (we do not use RPC over HTTP), RDS-Knight “Brute Force Protection” only monitors RDP connections.
RDS-Knight “Brute Force Protection” has no effect on HTML5 connections: for those, the logon is performed on the server itself, so the logged source IP is 127.0.0.1, which it would be counterproductive to block.
For the other connection modes (mstsc, generated client, RemoteApp web client), RDP Defender works correctly, provided that the Windows logs include the source IP address.
The Windows logs used by RDP Defender are:
– Event ID 4625, in the Security log.
– Event ID 140, in Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational.
An event 4625 is always written, but it does not always contain the IP address: when the SSL connection method is used, the address can be missing.
An event 140 is not always written, because this log only exists on the most recent versions of Windows.
When this log is present, the IP address is always included.
If this log is not present and event 4625 does not show the IP address, the solution is to disable SSL for RDP.
The GPO below can also be set to allow these logs to be present:
“Computer Configuration \ Windows Settings \ Security Settings \ Local settings \ Security Options”:
“Network security: Restrict NTLM: Incoming NTLM traffic”, set to “Deny all accounts”.
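Before relying on Brute Force Protection, it is worth checking whether the two event sources above actually carry a source IP on a given host, and what the RDP security layer and incoming-NTLM settings currently are. The PowerShell below is an added example for that check; it is not RDS-Knight's or RDP Defender's own code. It assumes the 4625 field is named IpAddress and the 140 field IPString (from the events' XML), and that the two registry values read at the end are where those settings live; it only reads, it changes nothing.

```powershell
# Added example, not RDS-Knight's own code: audits whether the two event sources
# the article names actually carry a source IP address on this host, and reads the
# two settings it discusses (RDP security layer, incoming NTLM restriction).
# Assumptions: the 4625 field is named "IpAddress" and the 140 field "IPString"
# (from the events' XML); the registry locations and value meanings are as commented.
# Read-only; run in an elevated PowerShell (reading the Security log needs admin rights).

$RdpCoreLog = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'

function Get-EventDataField {
    # Pull a named field out of an event's XML; "-" is how 4625 marks a missing address.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string[]]$Names)
    [xml]$xml = $Event.ToXml()
    foreach ($name in $Names) {
        $node = $xml.SelectSingleNode("//*[@Name='$name' or local-name()='$name']")
        if ($node -and $node.InnerText -and $node.InnerText -ne '-') { return $node.InnerText }
    }
    return $null
}

function Get-SourceIpCoverage {
    # For each log: does it exist here, and how many recent failures include a usable source IP.
    param([int]$MaxEvents = 200)
    $checks = @(
        @{ Name = 'Security/4625';  Log = 'Security';   Id = 4625; Fields = @('IpAddress') },
        @{ Name = 'RdpCoreTS/140';  Log = $RdpCoreLog;  Id = 140;  Fields = @('IPString') }
    )
    foreach ($c in $checks) {
        if (-not (Get-WinEvent -ListLog $c.Log -ErrorAction SilentlyContinue)) {
            # Older Windows versions have no RdpCoreTS/Operational log at all.
            [pscustomobject]@{ Source = $c.Name; LogPresent = $false; Events = 0; WithSourceIp = 0 }
            continue
        }
        $events = @(Get-WinEvent -FilterHashtable @{ LogName = $c.Log; Id = $c.Id } `
                      -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
        $withIp = @($events | Where-Object { Get-EventDataField -Event $_ -Names $c.Fields })
        [pscustomobject]@{ Source = $c.Name; LogPresent = $true; Events = $events.Count; WithSourceIp = $withIp.Count }
    }
}

function Get-RdpLoggingSettings {
    # SecurityLayer (assumed location): 0 = RDP security layer, 1 = Negotiate, 2 = SSL/TLS,
    #   the mode in which 4625 may lack the source IP.
    # RestrictReceivingNTLMTraffic (assumed location): 0 = allow all, 1 = deny domain accounts,
    #   2 = deny all accounts, i.e. the GPO value the article recommends.
    $rdp  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                             -Name SecurityLayer -ErrorAction SilentlyContinue
    $ntlm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
                             -Name RestrictReceivingNTLMTraffic -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RdpSecurityLayer     = if ($rdp)  { $rdp.SecurityLayer } else { 'not set' }
        IncomingNtlmRestrict = if ($ntlm) { $ntlm.RestrictReceivingNTLMTraffic } else { 'not set' }
    }
}

Get-SourceIpCoverage | Format-Table -AutoSize
Get-RdpLoggingSettings | Format-List
```

A host where Security/4625 shows many events but few with a source IP, and where the RdpCoreTS log is absent, is exactly the case the article describes: blocking cannot work until the address appears in one of the two logs. Note that lowering SecurityLayer to 0 makes the address visible at the cost of dropping TLS and NLA for RDP, so the NTLM GPO is the option to try first where the Windows version allows it.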
I recommend that you download and install the latest release of RDS-Knight, available here: