How to set up Syspeace for RDP – Intrusion prevention for Windows servers

This is actually just a post based on some of the search terms that have led to people finding this blog.

So,

How to set up Syspeace for RDP


Actually, it might take you longer to read this blog entry than to actually set it up.

1. Go to the Syspeace website and download the software

2. Read the requirements in the manual:

System requirements
Operating system: Windows 7, Windows Server 2003, Windows Server 2008/2008 R2 (32 or 64 bit), Windows Small Business Server SBS 2008 and so on. (We are currently working on the Windows Server 2012 validation, and we have tested it successfully, but in certain scenarios, the source IP address isn’t displayed in the event log. This is a Windows Server issue.)
.NET 4 (if not installed, it will be installed for you)
1GB free disk, minimum 500M RAM.
Auditing
Auditing for failed login and successful login switched on in the local security policy or the group policy for the domain. This will enable events in the event log that Syspeace listens for.
Firewall
The built-in firewall in Windows must be up and running.

3. Install Syspeace, which is quite straightforward.

4. Start the GUI and type in a valid email address to get your 30-day free trial license key emailed to you. This email address will also be the account email you need to use when purchasing the license.

5. Paste the license number, and the GUI will start.

6. By default, the Syspeace service is NOT started.

7. Click the Settings button and review the default rules (called the “Catch-all” rule), and also set up messaging for blocked attacks (whom to alert, whom to email license information, and so on).

8. Close the Settings section. Click the “START” button, and you’re done.

Now, your Windows server is instantly protected from brute force and dictionary attacks against your Exchange Webmail OWA, Terminal Servers on RDP (terminal services, remote desktop services, remote app sessions) and the web interface called RDWEB, your Sharepoint login, your Citrix server, Winlogon services and even more.

There’s really not that much more to it.
Since the intrusion prevention in Syspeace monitors the Windows Server event log, it doesn’t matter if you have set up RDP on other ports or are using a proxy. Syspeace is a HIDS (Host Intrusion Protection System), thus eliminating the need for separate hardware, expensive consultants, and redesigning your infrastructure.

Just sit back and start receiving reports and emails when an attack is blocked, tracked, and reported.
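
To confirm the Auditing and Firewall requirements from step 2, and to see whether failed-logon events on this server actually carry a source IP address, a check like the following can be run. It is an added example, not part of Syspeace or the original post; it assumes an elevated PowerShell session, a Windows version that ships auditpol.exe and logs failed logons as event ID 4625 (Vista/Server 2008 and later), and English-language auditpol output. The function names are hypothetical.

```powershell
# Added example: pre-flight check for the Auditing and Firewall requirements.
# Assumptions: elevated session, auditpol.exe present, English auditpol output.

# GUID of the "Logon" audit subcategory (avoids the localized display name).
$LogonGuid = '{0CCE9215-69AE-11D9-BED3-505054503030}'

function Test-LogonAuditing {
    # /r prints CSV; the "Inclusion Setting" column holds the effective setting.
    $row = auditpol /get "/subcategory:$LogonGuid" /r |
        Where-Object { $_.Trim() } | ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    New-Object PSObject -Property @{
        Check  = 'Logon auditing (success and failure)'
        Value  = $setting
        Passed = ($setting -eq 'Success and Failure')
    }
}

function Test-FirewallService {
    # MpsSvc is the service name of the built-in Windows Firewall.
    $svc = Get-Service -Name MpsSvc
    New-Object PSObject -Property @{
        Check  = 'Windows Firewall service'
        Value  = $svc.Status
        Passed = ($svc.Status -eq 'Running')
    }
}

function Get-FailedLogonSource {
    param([int]$MaxEvents = 20)
    # Event ID 4625 = failed logon. @() yields an empty array when none exist.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $ip  = ($xml.Event.EventData.Data |
            Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        New-Object PSObject -Property @{
            TimeCreated = $e.TimeCreated
            SourceIp    = $ip
            # "-" or empty means the event carries no usable source address.
            HasSourceIp = [bool]($ip -and $ip -ne '-')
        }
    }
}

@(Test-LogonAuditing; Test-FirewallService) |
    Select-Object Check, Value, Passed | Format-Table -AutoSize
Get-FailedLogonSource |
    Select-Object TimeCreated, SourceIp, HasSourceIp | Format-Table -AutoSize
```

Rows with HasSourceIp set to False correspond to the case noted in the system requirements, where the source IP address isn’t displayed in the event log.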
