How to Install BruteFence: RDP Protection in 5 Minutes

If you ran the free RDP audit and the numbers looked bad — hundreds or thousands of failed login attempts per day — the answer is BruteFence. It installs in under 5 minutes, requires no cloud connection, and starts blocking attackers automatically once the threshold you set is exceeded.

What follows is a step-by-step walkthrough: download, install, configure your blocking threshold, whitelist your own IP, and verify that protection is active. No configuration files, no command-line setup, no cloud enrollment.

What do you need before you install BruteFence?

The requirements are minimal. Before you start, confirm:

| Requirement | Minimum | |---|---| | Operating system | Windows Server 2016, 2019, 2022, 2025 — or Windows 10/11 Pro | | RAM | 2 GB | | Disk space | 100 MB free | | Privileges | Local administrator | | .NET runtime | .NET 8.0 (the installer installs it automatically if it is missing) |

That covers all Windows Server editions released since 2016, which represent the large majority of production deployments today. If you are running Server 2012 R2 or earlier, BruteFence is not supported — see the Windows Server Security Checklist 2026 for hardening options on legacy systems.

How do you download and run the BruteFence installer?

1. Go to brutefence.com and start the free 7-day trial. You will receive a download link for the installer .exe. The file is EV code-signed — Windows SmartScreen will not block it.

2. Right-click the installer and choose "Run as administrator." Administrator rights are required because BruteFence writes Windows Firewall rules and reads the Security Event Log. Without elevation, the installer will not complete successfully.

3. Follow the setup wizard. The default installation path is C:\Program Files\BruteFence. Default settings work for the vast majority of deployments — you do not need to change anything at this step. If .NET 8.0 is not present on the machine, the wizard installs it automatically before continuing. This is the only step that may add a few extra minutes on a fresh Windows install.

4. BruteFence starts automatically after installation completes. You will see the dashboard open. The service is already running and monitoring Windows Security Event Log Event ID 4625 for failed remote desktop logon attempts.

The entire process — download to first blocked IP — typically takes under 5 minutes on a machine that already has .NET 8.0 installed.

How do you configure the blocking threshold for your environment?

The threshold is the number of failed login attempts from a single IP before BruteFence adds a block rule to the Windows Firewall. Getting this right matters: too low and a legitimate user who mistyped their password once gets locked out; too high and a slow spray attack slips through.

Recommended thresholds by environment:

| Environment | Recommended threshold | |---|---| | Single-user server (only you log in) | 2–3 attempts | | Small team (5–10 users) | 5 attempts | | Multi-user Remote Desktop Services (RDS) | 10+ attempts |

The default after installation is 2 failed attempts — appropriate for single-user servers but worth raising if multiple users connect via RDP on different schedules. A user who fat-fingers their password once at 6am before coffee would trigger a block at threshold 2; at threshold 5, there is more room for error without a support call.

Block duration options are 1 hour, 24 hours, or permanent. For most environments, 24 hours is the right balance: long enough to interrupt an automated attack campaign, short enough that a legitimate IP caught by mistake is not blocked indefinitely. Permanent is appropriate for known scanning ranges and dedicated attackers you have identified in the top-10 IP list.

Set your whitelist before anything else

Before saving the threshold settings, add your own IP address or office CIDR range to the IP whitelist. This single step prevents the most common support scenario: an admin fat-fingers the password twice and blocks their own IP. The whitelist supports both individual addresses (e.g. 203.0.113.10) and CIDR ranges (e.g. 10.0.0.0/24). If you connect from multiple locations, add all of them now.

How do you verify that BruteFence is working?

Three places to check:

1. The BruteFence dashboard. The main screen shows blocked IPs in real time. On a server that has been exposed to the internet for more than a few hours, you should see blocked entries within minutes of installation. BruteFence detects and acts on attack patterns within 100–500 milliseconds of the threshold being crossed.

2. Windows Firewall rules. Open Windows Defender Firewall with Advanced Security and look in the Inbound Rules list. Every IP BruteFence has blocked appears as a rule with the prefix BruteFence-Block-. These rules are created via the NetSecurity PowerShell module and persist across service restarts.

3. The log files. BruteFence writes detailed activity logs to C:\ProgramData\BruteFence\Logs\. Each entry records the source IP, the event timestamp, the number of attempts, and the action taken. If you want to confirm that a specific IP was blocked or understand why a particular address is not being blocked, the logs are the authoritative source.

A quick sanity check for a freshly installed server: run the BruteFence Checker again after 30 minutes. You should see the same total attack count you saw before (the Checker reads historical Event ID 4625 records), but now the top source IPs should show blocked status in the dashboard.

What should you adjust after the first 24 hours?

After the first day, review the blocked IP log for false positives:

• Legitimate remote users blocked by mistake. If a contractor or remote employee appears in the blocked list, add their IP to the whitelist and remove the firewall rule from the dashboard. You do not need to touch Windows Firewall directly — the dashboard handles it.
• Threshold calibration. If you are seeing frequent blocks of IPs that appear in your own user base (company offices, VPN exit nodes), raise the threshold by 2–3 attempts.
• Auto-update. BruteFence performs daily version checks over HTTPS, with SHA256 hash verification before any update is applied. This is enabled by default. If the server has no outbound internet access, the auto-update check will fail silently — BruteFence continues protecting normally; it simply will not notify you of new versions.
• Language. The interface is available in English, Hungarian, and German. You can change the language in Settings without a service restart.

Can you deploy BruteFence on multiple servers at once?

Yes. BruteFence supports silent, unattended installation using Inno Setup command-line parameters. The standard syntax:

BruteFence-Setup.exe /VERYSILENT /DIR="C:\Program Files\BruteFence"

This runs the full installer without any UI prompt, using the specified installation path. You can wrap this in a PowerShell script, a PDQ Deploy package, a Datto RMM component, or a NinjaRMM script and push it across a fleet of machines in a single job.

Licensing is hardware-bound: one license activates on one machine. For MSPs managing multiple client servers, each machine requires its own license. Contact Infotipp Rendszerház Kft. for volume pricing.

The complete category breakdown of how tools like BruteFence actually work explains the detection and blocking mechanism in more depth if you want to understand what is happening under the hood.

Frequently asked questions

Does BruteFence work without an internet connection?

Yes. The core protection — monitoring Event ID 4625, detecting attack patterns, writing firewall rules — runs entirely locally. BruteFence uses Windows Firewall via the native NetSecurity PowerShell module, not any external service. The only feature that requires outbound internet is the daily auto-update check, and that fails silently if unavailable.

How much CPU and RAM does BruteFence use?

At steady state (no active attack), BruteFence uses less than 1% CPU and approximately 30–50 MB of RAM. During an active attack wave — when it is processing a high volume of Event ID 4625 entries and writing firewall rules rapidly — CPU usage rises to 5–10% temporarily, then drops back to near zero once the attacking IP is blocked. On any modern server hardware this is not a meaningful resource concern.

What exactly happens when an IP gets blocked?

BruteFence adds an inbound Windows Firewall rule named BruteFence-Block-<IP> that drops all traffic from that source address. The rule applies system-wide, not just to RDP port 3389. The block lasts for the duration you configured (1 hour, 24 hours, or permanent), after which BruteFence removes the firewall rule automatically.

How do I unblock a legitimate IP that got caught by mistake?

Open the BruteFence dashboard, find the IP in the blocked list, and click Unblock. BruteFence removes the firewall rule immediately. You do not need to touch Windows Defender Firewall directly. After unblocking, add the IP to the whitelist so it is never blocked again.

Is there a free trial?

Yes. BruteFence offers a 7-day free trial — no credit card required. The trial is the full product with no feature restrictions. You can start the trial at brutefence.com/en and cancel any time before the 7 days are up with no charge.

Does BruteFence work on Windows 10 and 11?

Yes. BruteFence supports Windows 10 Pro and Windows 11 Pro in addition to Windows Server editions (2016, 2019, 2022, 2025). The installation process and configuration are identical. The most common non-server use case is a small business using Windows 10/11 Pro with Remote Desktop enabled instead of a full Server edition.

For more on what BruteFence monitors and how the blocking mechanism works, see the Event ID 4625 deep-dive. If you are in a situation where a VPN is not available and RDP must stay exposed, the RDP security without VPN guide covers defense-in-depth for those environments.

If you want to see what's happening on your server, try BruteFence free for 7 days.