Risk control script to prevent RDP brute-force attacks
Today, my Windows server account was automatically locked due to a series of login failures (Event ID 4740), preventing me from logging in normally. I urgently checked the firewall rules and found that manually blocking these IPs was too late, and the frequent account lockouts were impacting normal business operations.

Overview

This script is primarily used to automatically detect IPs that fail to log in via RDP. When the number of failed attempts from the same IP exceeds a threshold within a set time window, that IP is automatically blocked. The script also watches for account lockout events (Event ID 4740) and attempts to unlock the locked accounts, reducing the need for manual intervention. ...
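The following PowerShell script is an added example of the behaviour described in the overview; it is not the author's own script. It assumes that failed logons are read from Security event 4625 (filtered to RDP logon types 3 and 10), that lockouts are read from event 4740 as the post states, that the threshold (5 failures) and window (10 minutes) are placeholders to tune, that blocking is done with a Windows Firewall inbound rule, and that the locked accounts are local accounts (unlocked through the ADSI WinNT provider). The `$AllowList` parameter is an assumption added so the script cannot block the administrator's own address.

```powershell
# Added example, not the original post's script. Run in an elevated session on the
# RDP host. Assumed: event 4625 for failed logons, 4740 for lockouts, threshold and
# window values are placeholders, local accounts only.
param(
    [int]$Threshold = 5,                              # failures per IP before blocking (assumed)
    [int]$WindowMinutes = 10,                         # sliding time window (assumed)
    [string[]]$AllowList = @('127.0.0.1', '::1')     # never block these; add your admin IPs
)

$since = (Get-Date).AddMinutes(-$WindowMinutes)

# Read one named field (e.g. IpAddress, LogonType, TargetUserName) from an event's XML payload.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# --- 1. Count failed logons (4625) per source IP inside the window ---------------------
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$perIp = @{}
foreach ($ev in $failed) {
    $ip        = Get-EventField -Event $ev -Name 'IpAddress'
    $logonType = Get-EventField -Event $ev -Name 'LogonType'
    # Skip events with no usable source address; keep RemoteInteractive (10) and
    # Network (3), the latter because NLA pre-authentication failures log as type 3.
    if ([string]::IsNullOrEmpty($ip) -or $ip -eq '-') { continue }
    if ($logonType -notin @('3', '10')) { continue }
    if (-not $perIp.ContainsKey($ip)) { $perIp[$ip] = 0 }
    $perIp[$ip]++
}

# --- 2. Block any IP over the threshold with an inbound firewall rule ------------------
foreach ($entry in $perIp.GetEnumerator()) {
    $ip = $entry.Key; $count = $entry.Value
    if ($count -lt $Threshold -or $AllowList -contains $ip) { continue }
    $ruleName = "RDP-BruteForce-Block-$ip"
    # Idempotent: do not create a duplicate rule on every scheduled run.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
            -RemoteAddress $ip -Profile Any `
            -Description "Auto-blocked: $count failed logons in $WindowMinutes min" | Out-Null
        Write-Host "Blocked $ip ($count failed logons in the last $WindowMinutes minutes)"
    }
}

# --- 3. Unlock local accounts reported by lockout events (4740) -------------------------
$lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
                         -ErrorAction SilentlyContinue
foreach ($ev in $lockouts) {
    $user = Get-EventField -Event $ev -Name 'TargetUserName'   # the account that was locked
    if ([string]::IsNullOrEmpty($user)) { continue }
    try {
        $acct = [ADSI]"WinNT://$env:COMPUTERNAME/$user,user"
        if ($acct.IsAccountLocked) {
            $acct.IsAccountLocked = $false
            $acct.SetInfo()
            Write-Host "Unlocked local account $user"
        }
    } catch {
        Write-Warning "Could not unlock ${user}: $_"
    }
}
```

Schedule it with Task Scheduler at an interval shorter than `$WindowMinutes` so the sliding window overlaps between runs. Two caveats worth keeping in mind: the script only unlocks local accounts (domain accounts are locked on the domain controller, where `Unlock-ADAccount` from the ActiveDirectory module is the equivalent), and auto-unlocking only buys time, since the attacker can re-lock the account until the source IP is blocked, so the firewall step is the one that actually stops the lockouts.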