How to Check RDP Brute Force Attacks on Your Server (Free Tool)
Most Windows admins have no idea whether their RDP server is being hammered with login attempts right now. The Event Viewer holds the answer, but nobody opens it at 8am with coffee. Run a free, open-source tool that reads the same Security Event Log and gives you a clean report in about 30 seconds: total attacks, unique attacker IPs, top 10 sources, and a daily breakdown.
If the number looks ugly, the sections below cover what to do next. The diagnostic is free — run it first, decide later.
Why don't you already know if you're being attacked?
Because checking manually is painful. Every failed RDP login writes a Windows Event ID 4625 entry to the Security log, and on any internet-facing server that number grows fast. One Microsoft Sentinel honeypot run by researcher Jeffrey Appel recorded 209,335 failed logins in 7 days — roughly 30,000 per day. A Sophos RDP honeypot recorded more than 2,000,000 failed login attempts in 15 days from 999 unique IPs (Sophos — Exposed RDP is dangerous). That's the background radiation of the modern internet.
If you don't check RDP brute force attacks in your log regularly, you simply don't know whether you're getting 5 attempts a day or 30,000. And Event ID 4625 is hard to read in bulk — the default Event Viewer doesn't summarize, doesn't count by IP, and doesn't draw a daily trendline. You get raw entries, one at a time, which is why the question "what is an RDP brute force attack?" turns into "I have no idea how bad mine is."
What is BruteFence Checker?
BruteFence Checker is a free, open-source audit tool that reads your local Windows Security Event Log, filters for RDP-related Event ID 4625 entries from the last 30 days, and prints a human-readable summary.
It is:
- Free for personal and commercial use
- Portable — a single EXE, no installation, no registry writes
- Read-only — it does not change any system setting, firewall rule, or log
- Open source — full code on GitHub
- EV code-signed by Certum CA — significantly reduced SmartScreen friction, no unsigned-binary dance
- Offline — 0 bytes of telemetry leave the machine
Full disclosure: the same team that builds BruteFence (Infotipp Rendszerház Kft., established 2002) maintains the Checker. We published it as a free diagnostic because most admins we talk to have never seen their own 4625 numbers. The Checker is not a trial, not crippled, and not limited — it is genuinely free for commercial use.
How do you run BruteFence Checker in 3 steps?
You need Windows 10 or Windows Server 2016 (or newer), administrator privileges on the machine, and about 30 seconds.
- Download the latest release from github.com/bohemtucsok/brutefence-checker/releases. You'll get a single signed .exe file.
- Run as administrator. Right-click the EXE and choose "Run as administrator". Admin rights are required because reading the Windows Security Event Log is a privileged operation; without them the tool cannot see Event ID 4625 entries.
- Wait about 30 seconds. The Checker walks the Security log for the past 30 days, filters for remote desktop failed logons, and prints the report. On very busy servers the Security log may not hold a full 30 days of events because Windows rotates logs by size (default 20 MB), not by time.
That's the whole workflow. No configuration file, no agent, no service.
What does the output actually mean?
The report has four fields. Each one answers a different question.
- Total failed login attempts — the raw count of Event ID 4625 entries tagged as remote interactive logons over the past 30 days. This is your gross attack volume.
- Unique attacker IPs — how many distinct source addresses tried to log in. A high total with low unique IPs means one or two persistent attackers; a high total with high unique IPs means you're in a botnet's crosshairs.
- Top 10 source IPs — the most aggressive individual attackers, sorted by attempt count. Useful for spot-blocking in the firewall and for checking against threat-intel lists.
- Daily breakdown — a per-day count for the past 30 days. This is where you spot a sudden spike (a new campaign just picked you up) or a slow ramp (someone is probing patiently).
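The same four fields can be rebuilt from the Security log with built-in PowerShell. This is an added example, not the Checker's own code; it assumes an elevated prompt on the server being audited and that RDP failures arrive as logon type 10, which is how the page describes the Checker's filter.

```powershell
# Added example (not the Checker's code): total, unique IPs, top 10 and daily
# counts of failed RDP logons from the last 30 days. Run as administrator.
$since  = (Get-Date).AddDays(-30)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Pull LogonType / IpAddress / TargetUserName out of each event's EventData and
# keep only RemoteInteractive (type 10) failures.
$rdpFails = @(foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['LogonType'] -eq '10') {
        [pscustomobject]@{ Time = $e.TimeCreated; Ip = $d['IpAddress']; User = $d['TargetUserName'] }
    }
})

"Total failed RDP logins (30 days): $($rdpFails.Count)"
"Unique attacker IPs: $(@($rdpFails.Ip | Sort-Object -Unique).Count)"
"`nTop 10 source IPs:"
$rdpFails | Group-Object Ip | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
"`nDaily breakdown:"
$rdpFails | Group-Object { $_.Time.ToString('yyyy-MM-dd') } | Sort-Object Name |
    Select-Object Name, Count | Format-Table -AutoSize
```

With NLA enabled, many pre-session RDP failures are recorded as logon type 3 (network) rather than 10, so if the count looks suspiciously low, widen the LogonType test to cover both and compare.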
How do you interpret your results?
Use this rough guide. It's not a scientific threshold, but it matches what we see on real customer servers.
| Attacks per day | What it probably means |
|---|---|
| 0 – 10 | Normal internet noise. Not a problem. |
| 10 – 100 | Suspicious. Someone is probing your IP specifically. |
| 100 – 1,000 | Active automated attack. You need lockout or rate-limiting. |
| 1,000 – 30,000 | Server is under sustained attack. Immediate action required. |
| 30,000+ | Honeypot-level. This is the Appel and Sophos range — attackers are dedicated. |
If your daily number is in the bottom row, you are not paranoid. You are a target.
What should you do if you see a lot of attacks?
Two tiers: free fixes you can apply today, and automated protection if the free fixes aren't enough.
Short-term free fixes
These are all built into Windows. None of them cost money.
- Enable Account Lockout Policy. By default, Windows Server 2016 and 2019 ship with the lockout threshold set to 0 — meaning lockout is disabled. Newer builds of Server 2022 and Server 2025 default to 10 attempts, but many existing installations still run the old 0 setting. Set it to 5–10 failed attempts via Group Policy. See Microsoft's Account Lockout Policy documentation.
- Require Network Level Authentication (NLA). NLA forces authentication before an RDP session is created, which blocks many unauthenticated probe tools.
- Rename the default Administrator account. Bots hammer Administrator by name. Renaming it forces attackers to guess both the username and the password.
- Restrict RDP in Windows Firewall to a known office IP range if you can. CISA's Stop Ransomware guidance lists this as a baseline control.
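A read-only check of all four settings above, as an added example that is not part of the page or of BruteFence. It assumes an elevated prompt, an English Windows install (the firewall group is named "Remote Desktop" there) and a stand-alone or member server where the local lockout policy applies; on a domain controller the lockout value comes from domain policy instead.

```powershell
# Added example (not BruteFence code): audit the four free fixes. Run elevated.

# 1. Account lockout threshold. "Never" or 0 means lockout is disabled.
$lockout = ((net accounts) -match 'Lockout threshold') -replace '\s+', ' '
"Lockout: $lockout"   # to fix: net accounts /lockoutthreshold:5, or set it via Group Policy

# 2. Network Level Authentication. UserAuthentication = 1 means NLA is required.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
"NLA required: $($nla -eq 1)"

# 3. Built-in Administrator is always RID 500, whatever it has been renamed to.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
"Built-in admin: name=$($builtin.Name) renamed=$($builtin.Name -ne 'Administrator') enabled=$($builtin.Enabled)"

# 4. Inbound RDP rules: 'Any' as the remote address means no source restriction.
$scope = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
    Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress -Unique
"RDP inbound remote scope: $($scope -join ', ')"
```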
The full list lives in our Windows Server Security Checklist 2026.
Long-term: automated protection
Free fixes help, but a lockout policy that locks out the real admin account at 3am on a weekend isn't operationally viable for everyone. Automated protection — software that watches 4625 events in real time and adds the attacking IP to the Windows Firewall block list — removes the humans-in-the-loop problem.
We cover the full category in How RDP Brute Force Protection Works in 2026. If the Checker shows active attacks and the quick free fixes aren't enough for your environment, BruteFence's 7-day free trial gives you automatic blocking in about 5 minutes of setup. It is one option among several — the point of the Checker is to make sure you know the number first.
Frequently asked questions
Is BruteFence Checker safe to run?
Yes. The tool is read-only — it does not modify files, registry keys, firewall rules, or any log. It is EV code-signed by Certum CA, and the full source is on GitHub if you want to audit it before running.
Why does it only look back 30 days?
Thirty days is a reasonable audit window. Windows rotates the Security log by size (default 20 MB) rather than by time, so on busy servers older events have often already been overwritten. If you raise the max log size in Event Viewer, the Checker will happily read further back on the next run.
Does it send my data anywhere?
No. The Checker runs entirely locally. It does not phone home, does not upload logs, and does not include any telemetry SDK. If you run it on an air-gapped server it works exactly the same.
How often should I run it?
Once a month is a reasonable baseline for a quiet server. Run it immediately if you notice slow RDP logons, random account lockouts, or an unexplained CPU spike on LSASS — those are classic signs of an active brute force wave. More detail in our breakdown of Event ID 4625.
What is the license?
Free for personal and commercial use. You can run it on client machines, on production servers, and on machines you manage for third parties. The license is in the repository.
The Checker exists for one reason: so that when an admin asks "am I being attacked?", the answer can be a concrete number instead of a shrug. Whatever you do next — lockout policy, firewall rules, a trial of BruteFence, or nothing at all — is easier to decide once you've seen the real volume on your own server.
If you want to see what's happening on your server, try BruteFence free for 7 days.