Windows Server 2022: Recovering from Brute Force Lockout

13-12-2024
windows server brute force attack password reset security

Introduction

Brute force attacks on Windows servers can lock you out of your administrator account, leaving you unable to log in: the account lockout policy that protects the password from guessing also lets an attacker trip it on purpose. If the lockout duration is finite, the account unlocks itself once that time passes; the procedure below is for when you cannot wait, the duration is set to "until an administrator unlocks it", or the password itself is no longer known. This guide explains how to regain access to a Windows Server 2022 Datacenter instance from the console (physical, hypervisor or cloud console) and provides steps to harden security after recovery.


Steps to Recover Access

Option 1: Using Installation Media

  1. Create Bootable Windows Server 2022 Media
    Download the Windows Server 2022 ISO from Microsoft and write it to a USB stick with a tool such as Rufus, or attach it as a virtual DVD through your hypervisor or cloud console. (The Windows Media Creation Tool only produces Windows 10/11 client media, not Server media.)

  2. Boot into Repair Mode

    • Boot from the installation media and, on the first Setup screen, choose Repair your computer.
    • Navigate to Troubleshoot > Command Prompt (on some builds it sits under Advanced Options).
    • This prompt runs as SYSTEM against the offline installation, which is why anyone with console access can do everything that follows. Console access is equivalent to administrator access; protect it accordingly.
  3. Identify the System Drive

    • Run the following commands to find the Windows installation drive:
      diskpart
      list volume
    • Note the drive letter of the volume holding the Windows installation. It is C: from inside Windows, but the recovery environment often assigns it a different letter (X: is the recovery environment's own RAM disk). Confirm with dir <letter>:\Windows\System32 before changing anything, and use that letter in place of c: in the commands below.
    • If the volume is BitLocker-protected it is unreadable until you unlock it with the recovery key: manage-bde -unlock <letter>: -RecoveryPassword <48-digit key>.
  4. Replace utilman.exe with cmd.exe

    • Back up the original utilman.exe (substitute the drive letter found above for c:):
      ren c:\windows\system32\utilman.exe utilman_copy.exe
    • Replace it with cmd.exe:
      copy c:\windows\system32\cmd.exe c:\windows\system32\utilman.exe
    • utilman.exe is the Ease of Access helper that the logon screen launches as SYSTEM, so from now until step 6 the server hands a SYSTEM shell to anyone who reaches its login screen. Do not leave it in this state longer than necessary.
  5. Reboot and Reset the Password

    • Remove the media and restart the server.
    • At the login screen, click the Ease of Access button; a Command Prompt opens as SYSTEM.
    • Reset the administrator password, choosing one that meets the server's password complexity policy (quote it if it contains spaces):
      net user administrator newpassword
    • If net user administrator still reports the account as Locked, wait for the lockout duration to expire or clear the lock with the /active:yes switch of the same net user command.
    • Close the prompt and log in with the new password.
  6. Restore utilman.exe

    • After regaining access, put the original binary back so the login screen no longer provides a SYSTEM shell. The file is owned by TrustedInstaller and in use while Windows runs, so the cleanest way is to boot from the media again and restore it from the recovery prompt:
      copy c:\windows\system32\utilman_copy.exe c:\windows\system32\utilman.exe
    • Delete utilman_copy.exe afterwards, and verify from inside Windows with sfc /scannow, which reports and repairs the file if the restore was missed.
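The six steps above, scripted as an added example that is not from the original post. It runs in the recovery Command Prompt (boot from the media, Troubleshoot > Command Prompt) and assumes powershell.exe is present in the recovery environment, which it is on current Server 2022 media; the script name utilman-swap.ps1 and the path it is run from are placeholders. It finds the offline Windows volume by content instead of assuming C:, refuses to overwrite an existing backup, and has a Restore mode for step 6 that checks the restored file is no longer cmd.exe:

```powershell
# Added example (not from the original post). Run from the recovery
# Command Prompt, e.g. with the script on the install USB at D:\:
#   powershell -ExecutionPolicy Bypass -File D:\utilman-swap.ps1 -Mode Backdoor
# and, after the password has been reset and you are back in:
#   powershell -ExecutionPolicy Bypass -File D:\utilman-swap.ps1 -Mode Restore
# Assumes powershell.exe exists in the recovery environment; if it does not,
# the cmd commands in steps 3-6 above do the same thing by hand.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Backdoor', 'Restore')]
    [string]$Mode
)

# WinRE itself lives on X:, so every other letter is a candidate. The offline
# Windows volume is recognised by its SAM hive and utilman.exe, not by assuming
# C:, because the recovery environment often gives the installed system another letter.
function Find-OfflineSystem32 {
    foreach ($letter in [char[]](67..90)) {          # C..Z
        if ($letter -eq 'X') { continue }
        $sys32 = "${letter}:\Windows\System32"
        if ((Test-Path "$sys32\config\SAM") -and (Test-Path "$sys32\utilman.exe")) {
            return $sys32
        }
    }
    throw 'No offline Windows installation found. If the volume is BitLocker-protected, unlock it first: manage-bde -unlock <letter>: -RecoveryPassword <key>'
}

$sys32   = Find-OfflineSystem32
$utilman = Join-Path $sys32 'utilman.exe'
$backup  = Join-Path $sys32 'utilman_copy.exe'
$cmd     = Join-Path $sys32 'cmd.exe'

switch ($Mode) {
    'Backdoor' {
        # Never clobber a backup: it may be the only good copy of utilman.exe.
        if (Test-Path $backup) { throw "Backup already exists at $backup; refusing to overwrite it." }
        Rename-Item -Path $utilman -NewName 'utilman_copy.exe'
        Copy-Item   -Path $cmd     -Destination $utilman
        Write-Host "utilman.exe on $sys32 now launches cmd.exe as SYSTEM from the logon screen."
        Write-Host "Reboot, click Ease of Access, then run: net user administrator <newpassword>"
        Write-Host "Come back here afterwards and run this script with -Mode Restore."
    }
    'Restore' {
        if (-not (Test-Path $backup)) { throw "No backup at $backup; run sfc /scannow inside Windows instead." }
        Remove-Item -Path $utilman -Force
        Rename-Item -Path $backup  -NewName 'utilman.exe'
        # Sanity check: the restored binary must differ from cmd.exe, otherwise
        # the login screen is still a SYSTEM shell for anyone at the console.
        if ((Get-FileHash $utilman).Hash -eq (Get-FileHash $cmd).Hash) {
            throw 'Restore failed: utilman.exe is still cmd.exe'
        }
        Write-Host "Original utilman.exe restored on $sys32; no backup copy left behind."
    }
}
```

Restore mode deliberately renames the backup back rather than copying it, so no spare copy of the original stays in System32, and the hash check guards against the case where the backup itself had already been overwritten with cmd.exe.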

Additional Notes and Tools

Quick Commands

  • Verify Available Volumes:
    diskpart
    list volume
  • Backup and Copy Utilities (run from the System32 directory of the Windows volume identified above, not from the X: recovery drive):
    ren utilman.exe utilman_copy.exe
    copy cmd.exe utilman.exe

Third-Party Tools (If Installation Media is Unavailable)


Securing Your Server

After regaining access, improve security to prevent future attacks:

  1. Enable Account Lockout Policy
    Open Group Policy Editor (gpedit.msc) and, under Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy, configure:

    • Account lockout threshold (failed attempts before the account locks)
    • Account lockout duration
    • Reset account lockout counter after
    Set a finite duration: a duration of 0 keeps the account locked until an administrator clears it, which is exactly the self-inflicted outage this post recovers from. Lockout slows password guessing but does not stop it, so pair it with the access restrictions below, and log in with a named administrative account rather than the built-in Administrator, which on Server 2022 is only subject to lockout when the Allow Administrator account lockout policy is enabled.
  2. Change RDP Port
    Modify the default RDP port (3389) to a custom value (the PortNumber value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp), then add a firewall rule for the new port, because the built-in Remote Desktop rules only allow 3389. This cuts log noise from mass scanners but is not a control on its own: a port scan finds the moved service in seconds.

  3. Restrict Remote Access

    • Use firewalls to limit RDP to known management addresses or, better, expose it only through a VPN or RD Gateway rather than directly to the Internet.
    • Require Network Level Authentication so credentials are validated before a desktop session is created.
    • Enable Two-Factor Authentication (2FA) for remote login. Windows does not ship 2FA for RDP logon on its own; it needs an add-on such as the Azure MFA NPS extension on an RD Gateway or a third-party credential provider.
  4. Monitor Server Logs
    Use Event Viewer (Security log) to track failed login attempts and suspicious activity: event 4625 records each failed logon with the source IP address and target account, 4740 records an account lockout, and 4624 a successful logon. Make sure the Logon and Account Lockout audit subcategories are enabled for failure, or 4625 and 4740 will never be written.

  5. Apply Security Patches
    Keep your system updated with the latest patches from Microsoft.
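The hardening steps above as a single script, added here as an example and not taken from the original post. It is meant to be run from an elevated PowerShell session on the recovered server; the management addresses in $AllowedSources and the custom port are placeholders, and on a domain member the domain's account lockout policy overrides whatever net accounts sets locally. Patching (step 5) is left to Windows Update. The final function goes beyond the text by summarising the failed-logon and lockout events of the last 24 hours by source address and target account, which is the list you would feed into a block rule:

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): harden a recovered Server 2022
# host against RDP brute force and summarise who has been hammering it.
# $AllowedSources and $RdpPort are placeholders; set them for your environment.
# WARNING: if your own address is not in $AllowedSources you lose RDP access
# and will need the console to undo the firewall change.

$AllowedSources = @('203.0.113.10', '198.51.100.0/24')   # placeholder management addresses
$RdpPort        = 3389                                   # keep 3389 or set a custom port

# 1. Account lockout policy for local accounts (same settings as gpedit.msc):
#    10 bad passwords within 30 minutes lock the account for 30 minutes.
#    The finite duration matters: 0 keeps the account locked until an admin
#    clears it, which is the outage this post recovered from.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30

# 2. Require Network Level Authentication and limit the built-in Remote
#    Desktop rules to known sources only.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $AllowedSources

# 3. Optional: move RDP off 3389. The built-in rules are bound to 3389, so a
#    new rule is needed, and TermService must restart for the port to change.
if ($RdpPort -ne 3389) {
    Set-ItemProperty -Path $rdpKey -Name 'PortNumber' -Value $RdpPort -Type DWord
    New-NetFirewallRule -DisplayName "RDP custom port $RdpPort" -Direction Inbound -Protocol TCP `
        -LocalPort $RdpPort -RemoteAddress $AllowedSources -Action Allow
    Restart-Service TermService -Force
}

# 4. Make sure failed logons (4625) and lockouts (4740) are actually audited.
auditpol /set /subcategory:"Logon" /failure:enable | Out-Null
auditpol /set /subcategory:"Account Lockout" /failure:enable | Out-Null

# Summarise 4625 and 4740 events from the last N hours. Fields are read from
# the event XML by name rather than by Properties index so the mapping is explicit.
function Get-FailedLogonSummary {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625, 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    # SilentlyContinue: Get-WinEvent throws rather than returning nothing when no event matches.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            Account   = $data['TargetUserName']
            # 4625 carries the client IP; 4740 only names the calling computer (in TargetDomainName).
            Source    = $(if ($e.Id -eq 4625) { $data['IpAddress'] } else { $data['TargetDomainName'] })
            LogonType = $data['LogonType']          # 3 = network (NLA), 10 = RemoteInteractive
        }
    }
}

Get-FailedLogonSummary -Hours 24 |
    Group-Object Source, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run the summary first, before the firewall change, so you can see which addresses are attacking and confirm that your own address is not among the ones you are about to exclude; with NLA enabled, failed attempts show up as logon type 3 rather than 10, which is why the function does not filter on type.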


Conclusion

Brute force attacks can be a significant threat to server security. Using the methods outlined above, you can regain access to your Windows Server 2022 and implement critical measures to protect it from future incidents. Regularly monitor and update your server to ensure its continued security.