Exam CS0-003
Question 220

A high volume of failed RDP authentication attempts was logged on a critical server within a one-hour period. All of the attempts originated from the same remote IP address and made use of a single valid domain user account. Which of the following would be the most effective mitigating control to reduce the rate of success of this brute-force attack?

    Correct Answer: A

    Enabling a user account lockout after a limited number of failed attempts is the most effective mitigating control in this scenario. This measure directly targets the behavior typical of brute-force attacks by preventing further attempts once a threshold of failed logins is reached, thus reducing the likelihood of successful unauthorized access. While blocking the IP address (option C) could temporarily mitigate the issue, it is not as robust, since attackers can easily switch to a different IP. Increasing log-on event auditing verbosity (option D) is helpful for forensic analysis but does not actively prevent the attack. Installing a third-party remote access tool and disabling RDP (option B) could be effective, but it might not be practical in all situations. Account lockout is a widely recommended and straightforward countermeasure against brute-force attempts.
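As an added illustration (not part of the exam page or any poster's material), the following detection logic flags the pattern the question describes from constructed Windows Security log lines and shows how a lockout threshold caps the number of guesses an attacker gets. The log format, IP addresses, account names and threshold values are all assumptions made for the example.

```python
"""Added example: detect the single-IP, single-account RDP brute-force pattern and
estimate how many attempts an account lockout policy would have stopped."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event ID 4625 (failed logon) records, reduced to the fields
# that matter here: timestamp, source IP, target account, logon type 10 = RDP.
SAMPLE_LOG = """\
2024-05-01T02:00:05Z 4625 src=203.0.113.45 user=CORP\\jdoe type=10
2024-05-01T02:00:07Z 4625 src=203.0.113.45 user=CORP\\jdoe type=10
2024-05-01T02:00:09Z 4625 src=203.0.113.45 user=CORP\\jdoe type=10
2024-05-01T02:00:11Z 4625 src=203.0.113.45 user=CORP\\jdoe type=10
2024-05-01T02:00:13Z 4625 src=203.0.113.45 user=CORP\\jdoe type=10
2024-05-01T02:00:15Z 4625 src=203.0.113.45 user=CORP\\jdoe type=10
2024-05-01T02:30:00Z 4625 src=198.51.100.8 user=CORP\\asmith type=10
"""

def parse(line):
    """Parse one constructed log line into a dict of its fields."""
    ts, event_id, src, user, ltype = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "event": event_id, "src": src.split("=", 1)[1],
            "user": user.split("=", 1)[1], "type": ltype.split("=", 1)[1]}

def find_rdp_bruteforce(log_text, window=timedelta(hours=1), threshold=5):
    """Return (src_ip, account, count) for every source IP that produced at least
    `threshold` failed RDP logons against one account inside a single `window`."""
    by_pair = defaultdict(list)
    for e in (parse(l) for l in log_text.splitlines() if l.strip()):
        if e["event"] == "4625" and e["type"] == "10":
            by_pair[(e["src"], e["user"])].append(e["ts"])
    hits = []
    for (src, user), times in by_pair.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((src, user, best))
    return hits

def attempts_blocked_by_lockout(log_text, account, lockout_threshold):
    """Count the observed failures against `account` that would never have reached
    the password check had the account locked after `lockout_threshold` failures."""
    fails = [e for e in (parse(l) for l in log_text.splitlines() if l.strip())
             if e["event"] == "4625" and e["user"] == account]
    return max(0, len(fails) - lockout_threshold)
```

The same sliding-window count also makes the trade-off from the discussion visible: a low lockout threshold stops the attacker sooner but lets the same source lock a legitimate user out just as quickly.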

Discussion
jspecht (Option: A)

Account lockout is the best defense against brute-force attacks.

badgerino (Option: A)

Locking down an administrator account, especially if it's a production account, can be disruptive; I don't like the options CompTIA gives here. A better answer would be to set up whitelisting from specific IP addresses. Locking the account due to many failed attempts can cause A LOT of problems. What is stopping the attacker from doing it again? Blocking their IP address here would make the most real-world practical sense, as it does not affect production. But they can easily switch IP addresses, so that's why I think setting up whitelisting would be a better option, or even setting up rate limiting or requiring MFA are better options too. I'm gonna go with A, but I don't really agree with either of these answers.