1. Introduction
The Remote Desktop Protocol (RDP) stands as a cornerstone technology for enabling remote access to and management of computer systems. Its utility spans various critical functions, from facilitating remote workforces and providing essential technical support to enabling efficient server administration and access to shared resources across networks.1 In today's increasingly distributed IT environments, the reliance on RDP has grown significantly, making it an indispensable tool for maintaining business continuity and operational efficiency.
However, the widespread adoption and inherent accessibility of RDP have also made it a prime target for malicious actors. The protocol's ubiquity and the potential access it grants to critical systems have attracted considerable attention from cybercriminals seeking to exploit vulnerabilities for various nefarious purposes, including ransomware deployment, data theft, and establishing a foothold for further network intrusion.1 Security research indicates the significant focus of threat actors on RDP, with a substantial portion of malicious traffic in 2022 being related to this protocol.14 This prevalence underscores the urgent need for organizations to implement robust security measures to protect their RDP infrastructure.
This report aims to provide a detailed analysis of seven essential defenses that organizations must implement immediately to significantly enhance the security of their RDP environments. These defenses address various attack vectors and vulnerabilities commonly associated with RDP, offering practical guidance for system administrators and security analysts seeking to strengthen their remote access security posture. While RDP incorporates certain built-in security features, relying solely on these default settings is no longer sufficient to counter the sophisticated tactics employed by modern cyber adversaries.18 A proactive and layered approach to security is paramount, and the implementation of these seven key defenses represents critical steps in that direction.
2. Blocking Unsigned .RDP Files
2.1 What are .RDP files and the significance of digital signatures
Remote Desktop Protocol (RDP) leverages configuration files, typically with the .rdp extension, to store the necessary settings for establishing a remote connection to another computer.3 These files serve as a convenient way to save connection parameters, including the target server's IP address or hostname, user credentials (which can be optionally stored), display preferences, and settings for resource redirection, thereby streamlining the process of initiating remote sessions.3
Digital signatures play a crucial role in verifying the authenticity and integrity of electronic files, including .rdp files.9 A digital signature acts as a virtual seal of approval, confirming that the file originates from a known and trusted publisher and that its content has not been altered since it was signed.9 When an .rdp file is digitally signed, it provides a level of assurance to the user that the connection settings have been created and endorsed by the legitimate source. This can help in establishing trust and often results in the suppression or reduction of security warnings that might otherwise be presented when opening an unsigned file.9 For instance, a digitally signed .rdp file might bypass the standard yellow warning banner that Windows typically displays for unsigned files, making it appear more trustworthy to the user.9
2.2 Security risks associated with unsigned .RDP files
Attackers frequently exploit the convenience of .rdp files by crafting and distributing malicious versions through various social engineering tactics, such as phishing emails, or by strategically placing them in easily accessible or seemingly legitimate directories to lure unsuspecting users into executing them.1 These malicious .rdp files can be meticulously configured to initiate connections to servers under the attacker's control, often mimicking legitimate login portals or services to deceive users.9
A significant risk associated with these files is the ability to embed malicious configurations within them. For example, an attacker can preconfigure an .rdp file to automatically redirect the victim's local resources, such as their hard drives and clipboard, to the attacker's server upon establishing the connection.9 This allows the attacker to gain unauthorized access to sensitive data stored on the victim's machine and to potentially capture any information copied to the clipboard, including passwords and other confidential details.9
Sophisticated threat actors, such as the group known as Midnight Blizzard (APT29), have been observed using even signed malicious .rdp files to bypass security mechanisms that are designed to flag unsigned or otherwise suspicious files.10 These actors might utilize readily available digital certificates, such as those issued by Let's Encrypt, to sign their malicious files, thereby adding a veneer of legitimacy and increasing the likelihood that users will open them without suspicion.10 Campaigns involving the widespread distribution of .rdp files via email attachments, targeting government agencies and other organizations, have been reported, highlighting the active exploitation of this attack vector.9 Unsigned files, particularly those originating from unknown or untrusted sources, are inherently more susceptible to tampering and may directly contain malicious configurations or initiate connections to harmful destinations.26
2.3 How blocking unsigned .RDP files enhances system security
Blocking the execution of unsigned .rdp files is a fundamental security measure that significantly enhances system protection by preventing the use of potentially malicious remote connection configurations originating from untrusted or unknown sources.9 This action effectively reduces the attack surface available to cybercriminals who often rely on tricking users into opening and executing these files to gain initial access or to deploy malicious payloads.9
By preventing the execution of unsigned .rdp files, organizations can thwart attempts by attackers to leverage embedded malicious configurations that could lead to data theft, malware infections, or further system compromise.9 This measure also adds a critical layer of defense against social engineering attacks, where users might be deceived into opening seemingly harmless .rdp files that are, in fact, malicious if the system is configured to only trust signed files from known publishers.9 Disabling the ability to run .rdp files from unsigned and unknown publishers ensures that only those from verified and trusted sources can be utilized to establish remote connections, thereby bolstering the overall security posture of the organization.9
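The risks described above are all visible in the text of an .rdp file itself, so a defender can triage suspicious files before anyone opens them. The PowerShell script below is an added example (it is not code from the report or from Microsoft): it parses the "name:type:value" lines of an .rdp file and reports whether a signature field is present, where the file connects to, and whether it pre-configures drive or clipboard redirection or embeds credentials. The function names and the sample file content are my own, and the sample target 203.0.113.10 is a documentation-range address, not a real host.

```powershell
# Added example, not code from the report: static triage of .rdp files.
# Assumed: all function names are mine; $SampleRdp is constructed sample content.

function ConvertFrom-RdpText {
    # .rdp files are plain text, one "name:type:value" setting per line
    # (type s = string, i = integer, b = binary hex, as in "password 51:b:...").
    param([Parameter(Mandatory)][string]$Text)
    $settings = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*([^:]+):([sib]):(.*)$') {
            $settings[$matches[1].Trim().ToLowerInvariant()] = $matches[3].Trim()
        }
    }
    return $settings
}

function Test-RdpFile {
    param(
        [Parameter(Mandatory)][string]$Text,
        [string]$Name = '(inline)'
    )
    $s = ConvertFrom-RdpText -Text $Text
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # A "signature" field only tells us the file carries a signature. Whether it is
    # valid and from a trusted publisher is decided by the client against the
    # trusted-thumbprint policy, so "signed" here is a hint, not a verdict.
    $signed = -not [string]::IsNullOrWhiteSpace($s['signature'])
    if (-not $signed) {
        $findings.Add('UNSIGNED: no signature field (client shows the unknown-publisher warning)')
    }
    # Pre-configured resource redirection is what exposes the user's drives and
    # clipboard to the remote host as soon as the session opens.
    if (-not [string]::IsNullOrWhiteSpace($s['drivestoredirect'])) {
        $findings.Add("DRIVE REDIRECTION: drivestoredirect=$($s['drivestoredirect'])")
    }
    if ($s['redirectclipboard'] -eq '1') {
        $findings.Add('CLIPBOARD REDIRECTION: redirectclipboard=1')
    }
    if ($s.ContainsKey('username') -or $s.ContainsKey('password 51')) {
        $findings.Add('EMBEDDED CREDENTIALS: username and/or stored password present')
    }

    [pscustomobject]@{
        File     = $Name
        Target   = $s['full address']
        Signed   = $signed
        Findings = $findings.ToArray()
    }
}

# Constructed sample: an unsigned file that redirects all drives and the clipboard
# to a documentation-range address (203.0.113.10 is TEST-NET-3, not a real host).
$SampleRdp = @'
full address:s:203.0.113.10
username:s:helpdesk
drivestoredirect:s:*
redirectclipboard:i:1
prompt for credentials:i:0
'@

Test-RdpFile -Text $SampleRdp -Name 'sample.rdp' | Format-List

# Against real files, for example quarantined mail attachments:
# Get-ChildItem -Path .\quarantine -Filter *.rdp |
#     ForEach-Object { Test-RdpFile -Text (Get-Content $_.FullName -Raw) -Name $_.Name }
```

The script deliberately does not try to validate the signature itself: the presence of a signature block is exactly what a signed-but-malicious file relies on, so the decision of which publishers to trust belongs to the Group Policy thumbprint list, while this triage only surfaces which files deserve a look.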
2.4 Implementation methods (Group Policy)
The most effective way to block the execution of unsigned .rdp files across an organization is by leveraging the power of Group Policy. Within the Group Policy Management Console, administrators can configure the policy setting titled "Allow .rdp files from unknown publishers," which is located under the path Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client.27
Disabling this specific policy prevents users from running not only .rdp files that lack a digital signature but also those signed by publishers that are not explicitly trusted by the system.9 If a user attempts to initiate an RDP session using an unsigned file or a file from an unknown publisher after this policy has been disabled, the system will block the connection and display a message informing the user that the publisher has been blocked.28
For a more granular approach, organizations can utilize the complementary policy setting, "Specify SHA1 Thumbprints of certificates representing trusted .rdp publishers," also found in the same Group Policy path.9 This policy allows administrators to create a whitelist of trusted certificate thumbprints. By specifying the SHA1 thumbprints of certificates issued to trusted publishers, organizations can permit the execution of .rdp files signed only by these specific, vetted entities, providing a higher level of control and security.9 To implement these policies, administrators should open the Group Policy Management Console, locate the Group Policy Object (GPO) that applies to the target computers or users, edit it, navigate to the path above, set "Allow .rdp files from unknown publishers" to "Disabled" and, where a whitelist is wanted, enable the thumbprint policy and add the trusted certificate thumbprints, and then ensure the GPO is properly linked and enforced across the environment.28
2.5 Insight
Blocking unsigned .RDP files serves as a critical initial layer of defense, significantly reducing the risk of executing potentially harmful remote connection configurations. While sophisticated attackers might employ signed malware, this measure effectively eliminates a common and easily exploited attack vector. The option to combine this with a whitelist of trusted publishers provides a more refined balance between robust security and necessary operational functionality.
2.6 Insight
The fact that advanced threat actors like Midnight Blizzard utilize even signed .RDP files in their campaigns 10 highlights that blocking unsigned files, while essential, is not a comprehensive solution. Organizations must also prioritize educating users about the inherent risks of opening .RDP files from untrusted sources, regardless of their signing status, and consider implementing additional security measures to inspect the content and behavior initiated by these files.
3. Disabling Drive Redirection
3.1 Functionality of drive redirection in RDP
Drive redirection is a feature within the Remote Desktop Protocol (RDP) that enables users connected to a remote system to access their local computer's drives, including hard drives, USB drives, and network shares, directly from within the remote session.3 This functionality allows for seamless interaction between the local and remote file systems, with the local drives typically appearing as network locations within the remote computer's file explorer or "This PC" view, often formatted as <driveletter> on <computername>.35
RDP offers various configuration options for drive redirection, allowing users to redirect all local disk drives, including those connected after the session has started, or to manually select specific drives that they wish to make accessible within the remote session.35 Users can typically configure drive redirection on the client side through the "Local Resources" tab of the Remote Desktop Connection client. Under the "Local devices and resources" section, checking the "Drives" option and clicking the "More" button allows for the selection of specific drives to be redirected.36
3.2 Security implications of enabling drive redirection
While drive redirection offers convenience for legitimate file access and transfer between local and remote systems, it also introduces significant security implications. A primary concern is the risk of data exfiltration, where sensitive or confidential information can be easily copied from the potentially more secure remote system to the user's local machine, which might have weaker security controls or be more susceptible to compromise.9 This ease of transfer can be exploited for malicious purposes, allowing unauthorized individuals to extract valuable data from protected environments.
Another critical risk is the potential for malware transfer in both directions across the RDP connection.40 An infected local machine with drive redirection enabled could inadvertently introduce malware to the remote system by simply accessing files on the mapped drives. Conversely, a compromised remote system could leverage drive redirection to transfer malware to the user's local drives, potentially leading to a wider spread of infection.
Historically, vulnerabilities specifically related to drive redirection have been discovered. For instance, CVE-2016-0190 was an information disclosure vulnerability where a USB disk mounted over RDP was not correctly tied to the session of the mounting user, potentially allowing unauthorized access to the data.45 Furthermore, the concept of an "RDP inception attack" highlights the danger where a compromised client with drive redirection enabled could potentially run arbitrary code on the RDP server by placing and executing malicious executables on the mapped local drive.47
3.3 Security benefits of disabling drive redirection
Disabling drive redirection offers substantial security benefits, primarily by mitigating the risks associated with unauthorized data transfer and malware propagation.40 By preventing the mapping of client drives within the remote session, organizations can significantly reduce the likelihood of sensitive data being intentionally or unintentionally copied from the remote system to local machines, thereby enhancing data loss prevention efforts.40
Disabling this feature also minimizes the potential for malware to spread between the local and remote environments through the shared file system access provided by drive redirection, helping to contain potential security incidents and limit their impact.40 Moreover, restricting drive redirection can aid organizations in complying with data protection regulations and internal security policies that aim to control the flow of sensitive information across different systems and networks. Ultimately, disabling drive redirection reduces the overall attack surface by removing a direct and potentially vulnerable file system link between the local and remote computers.
3.4 Implementation methods (Group Policy, Registry)
The most effective method for disabling drive redirection across an organization is through the use of Group Policy. Administrators can configure the policy setting titled "Do not allow drive redirection," located under the path Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Device and Resource Redirection.30
Enabling this policy setting prevents the mapping of client drives within Remote Desktop Services sessions, effectively blocking users from accessing their local drives from the remote computer.30 To implement this, administrators should open the Group Policy Management Console, navigate to the appropriate Group Policy Object (GPO), edit it, and enable the "Do not allow drive redirection" policy. The GPO should then be linked to the organizational units (OUs) containing the servers or workstations to which the policy should apply.43
For systems that are not part of a domain or when a local policy needs to be enforced, drive redirection can also be disabled by modifying the Windows Registry. Setting the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Terminal Server\DisableDriveRedirection to a DWORD value of 1 will disable drive redirection on the local machine.53 This can be done manually using the Registry Editor or through scripting for automation.
Furthermore, organizations using Microsoft Intune for device management can disable drive redirection by creating a Configuration Profile. Within the profile, administrators can search for the "Do not allow drive redirection" setting under the category "Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resources Redirection" and set it to "Enabled".33 This ensures consistent enforcement of the policy across managed devices.
3.5 Insight
Disabling drive redirection is a vital security hardening measure for RDP, particularly in environments where sensitive data is handled. While it might slightly impact user convenience for legitimate file transfers, the significant security benefits in preventing data breaches and limiting the spread of malware often outweigh this consideration. Alternative secure methods for file exchange can be implemented when necessary.
3.6 Insight
Despite the effectiveness of disabling drive redirection through Group Policy, organizations must also emphasize client-side configurations and user education to reinforce this security measure. Users should be informed about why drive redirection is disabled and be provided with guidance on alternative secure methods for file exchange if required, further minimizing the potential for accidental or intentional circumvention of this security control. Additionally, it is important to ensure that systems are regularly patched to address any underlying vulnerabilities related to drive redirection, even if the feature is disabled.
4. Restricting Clipboard Access
4.1 How clipboard access works in RDP sessions
Clipboard redirection in Remote Desktop Protocol (RDP) facilitates the seamless transfer of data between the local client and the remote server during a remote session.2 This feature allows users to copy various types of content, including text, images, and files, from one computer and paste it onto the other as if they were working locally on a single machine. The RDP protocol utilizes dedicated "virtual channels" to carry this clipboard data between the client and the server, ensuring the synchronization of clipboard contents across the remote connection.2
Users can typically manage clipboard redirection settings on the client side through the Remote Desktop Connection client interface. Within the "Local Resources" tab of the connection settings, there is usually an option labeled "Clipboard" that can be checked or unchecked to enable or disable the redirection of the clipboard for that specific RDP connection.56
4.2 Security risks associated with unrestricted clipboard access
While clipboard redirection enhances user convenience, allowing unrestricted access poses several significant security risks. One of the primary concerns is the potential for data leakage, where sensitive or confidential information residing within a secured remote environment can be easily copied to a potentially less secure local machine.9 This could include sensitive documents, passwords, financial data, or proprietary code.
Furthermore, malware can be propagated through the clipboard. Infected files or malicious scripts copied to the clipboard on one system can be pasted and executed on the other, leading to the spread of infections across the RDP connection.44 There is also the risk of clipboard hijacking, where malicious actors might employ tools to monitor and potentially replace the contents of the clipboard, enabling them to steal or manipulate sensitive information being transferred.9 The "Rogue RDP" campaigns have been known to utilize clipboard capture as a technique for stealing user credentials, including passwords.9 In Bring Your Own Device (BYOD) scenarios, unrestricted clipboard access could lead to the unintentional transfer of sensitive company data to personal, unmanaged devices.44 Additionally, the clipboard sharing feature can be exploited for path traversal attacks, where a compromised server could potentially drop malicious files into arbitrary locations on the client's computer if the client's system does not adequately prevent such transfers.61
4.3 Security benefits of restricting clipboard access
Restricting clipboard access in RDP offers crucial security benefits, primarily by mitigating the risks associated with unauthorized data transfer and the propagation of malicious content.48 By preventing or limiting the ability to copy and paste data between the local and remote systems, organizations can significantly reduce the likelihood of sensitive and confidential information being inadvertently or maliciously exfiltrated from the secure remote desktop session to potentially less secure endpoints.48
Restricting clipboard access also limits the potential for malware and other malicious content to be transferred between systems via copy-paste operations, thereby helping to contain the spread of infections and reduce the risk of system compromise.61 Moreover, it can help prevent attackers from leveraging clipboard redirection as a means to capture or manipulate sensitive data, thus mitigating the risk of clipboard hijacking. Implementing restrictions on clipboard access contributes to a stronger overall data loss prevention strategy and enhances the security posture of the organization's RDP environment.
4.4 Implementation methods (Group Policy, Local Resources settings)
Organizations can restrict clipboard access in RDP through several methods, with Group Policy being the most effective for enforcing this restriction across multiple systems. The Group Policy setting titled "Do not allow Clipboard redirection" is located under Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Device and Resource Redirection.30 Enabling this policy will prevent the sharing of clipboard contents between the remote computer and the client computer during an RDP session.61 To implement this, administrators should use the Group Policy Management Console to locate the appropriate Group Policy Object (GPO), edit it, and set the "Do not allow Clipboard redirection" policy to "Enabled," ensuring the GPO is applied to the relevant remote session hosts.75
In addition to server-side control via Group Policy, users can also manage clipboard redirection on the client side for individual connections. Within the Remote Desktop Connection client, under the "Local Resources" tab, users can uncheck the "Clipboard" option to disable clipboard redirection specifically for that connection.68 This can be useful for specific scenarios or when a user needs to connect to a less trusted system.
Furthermore, administrators can disable clipboard redirection on a client machine by modifying the Windows Registry. Setting the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Terminal Server Client\DisableClipboardRedirection to a DWORD value of 1 will disable clipboard redirection for all RDP connections initiated from that client.54 Some organizations might also consider implementing more granular restrictions, such as allowing only text-based clipboard redirection while blocking the transfer of files, which can be achieved through more advanced configurations or third-party tools.71
4.5 Insight
Restricting clipboard access is a critical security measure to prevent both accidental and malicious data leaks from secured RDP sessions. It also plays a significant role in limiting the potential for malware to spread and mitigating the risk of clipboard hijacking, particularly in environments that handle sensitive or confidential information.
4.6 Insight
Organizations should carefully evaluate the level of clipboard restriction that aligns with their security policies and user needs. While completely disabling clipboard redirection offers the highest level of security against these risks, it might impact user productivity. Allowing only text transfer while blocking files could be a viable compromise for some use cases, balancing essential functionality with enhanced security.
5. Enabling Network Level Authentication (NLA)
5.1 What is Network Level Authentication (NLA)?
Network Level Authentication (NLA) is a robust security feature integrated into Remote Desktop Services (RDS) that requires the connecting user to authenticate their identity before a remote desktop session is fully established.9 Often referred to as "front authentication," NLA ensures that only verified users can initiate a remote session, thereby significantly reducing the risk of unauthorized access and bolstering the overall security posture. NLA leverages the Credential Security Support Provider (CredSSP) protocol, which securely encrypts and transmits the user's credentials from the client to the server before the session begins.77 This contrasts with traditional RDP connections, where the login screen is loaded before authentication occurs, potentially exposing the server to unauthenticated connections and various pre-authentication attacks.
5.2 How NLA enhances the security of RDP connections
Enabling NLA provides a significant security enhancement to RDP connections by requiring authentication before a full remote desktop session is created. This pre-authentication mechanism effectively reduces the attack surface by preventing unauthorized users from even reaching the login screen.77 By demanding valid credentials upfront, NLA protects against brute-force attacks by ensuring that server resources are not allocated to connection attempts from unauthenticated or potentially malicious users trying to guess passwords.77 Furthermore, NLA helps mitigate Denial-of-Service (DoS) attacks by preventing unauthenticated connection attempts from consuming excessive server resources, as the server will not fully engage unless the user's identity is verified.77 The use of CredSSP to encrypt the user's credentials during transmission provides an additional layer of security by protecting against man-in-the-middle attacks, where attackers might attempt to intercept sensitive login information.77 NLA can also help prevent the exploitation of certain pre-authentication vulnerabilities that might exist in the RDP service by ensuring that the authentication process occurs earlier in the connection sequence.78
5.3 Benefits of using NLA
Implementing Network Level Authentication offers several key benefits that significantly enhance the security and efficiency of remote desktop connections. Firstly, it provides enhanced security by ensuring that only authenticated users can establish remote sessions, thereby reducing the risk of unauthorized access to sensitive data and systems.77 Secondly, NLA leads to reduced system resource consumption as the server does not allocate resources for unauthenticated connections, improving overall server performance and preventing potential resource exhaustion.77 Thirdly, NLA offers compatibility with modern authentication methods, including multi-factor authentication (MFA) and smart card authentication, providing a more robust and secure authentication process.79 Finally, in some environments, NLA can facilitate NT Single Sign-On (SSO), simplifying the authentication process for users by allowing them to authenticate once and access multiple services without re-entering their credentials.79
5.4 Implementation methods (System Properties, Group Policy)
Enabling Network Level Authentication can be achieved through several methods. One common approach is via the System Properties window. On the system that will be receiving remote connections, navigate to the "Remote" tab within System Properties. Here, you will find an option labeled "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)." Checking this box will enable NLA for all incoming RDP connections to this system.77
Alternatively, administrators can enforce NLA across multiple systems within a domain by using Group Policy. The relevant policy setting is "Require user authentication for remote connections by using Network Level Authentication," located under Computer Configuration -> Policies -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security.24 Enabling this policy setting ensures that all users attempting to connect to the Remote Desktop Session Host server must use NLA. To configure this, open the Group Policy Management Console, locate the appropriate Group Policy Object (GPO), edit it, and enable the specified policy. Ensure the GPO is linked to the organizational units (OUs) containing the target servers.24 It's worth noting that NLA is enabled by default in newer versions of Windows Server and client operating systems as a baseline security measure.24 To verify if a client system supports NLA, users can typically check the "About Remote Desktop Connection" dialog box for a confirmation message.81
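Sections 2.4, 3.4, 4.4 and 5.4 each describe a Group Policy setting; all four are registry-backed, so their effective state can be audited from one script and pushed into one GPO. The PowerShell below is an added example and not code from the report or from Microsoft. The registry value names are my reading of the Terminal Services ADMX template rather than something the report states, 'RDP-Hardening' is a placeholder GPO name, and the function names are my own.

```powershell
# Added example, not code from the report: audit (and optionally deploy) the
# registry-backed policies from sections 2.4, 3.4, 4.4 and 5.4.
# Assumed: the value names below are my reading of the Terminal Services ADMX
# template; 'RDP-Hardening' is a placeholder GPO name; function names are mine.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy -> registry value the ADMX writes, and the value that enforces the control.
$Expected = @(
    @{ Policy = 'Allow .rdp files from unknown publishers (Disabled)';  Name = 'AllowUnsignedFiles'; Value = 0 }
    @{ Policy = 'Do not allow drive redirection (Enabled)';             Name = 'fDisableCdm';        Value = 1 }
    @{ Policy = 'Do not allow Clipboard redirection (Enabled)';         Name = 'fDisableClip';       Value = 1 }
    @{ Policy = 'Require user authentication ... NLA (Enabled)';        Name = 'UserAuthentication'; Value = 1 }
)

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-RdpHardening {
    param([string]$Key = $PolicyKey)
    foreach ($e in $Expected) {
        $actual = Get-PolicyValue -Key $Key -Name $e.Name
        [pscustomobject]@{
            Policy    = $e.Policy
            ValueName = $e.Name
            Expected  = $e.Value
            Actual    = $actual
            Compliant = ($null -ne $actual) -and ($actual -eq $e.Value)
        }
    }
    # Trusted publishers: comma-separated SHA1 thumbprints (40 hex chars each, no spaces).
    $tp = Get-PolicyValue -Key $Key -Name 'TrustedCertThumbprints'
    $valid = $false
    if ($tp) {
        $valid = @($tp -split ',' | Where-Object { $_ -notmatch '^[0-9A-Fa-f]{40}$' }).Count -eq 0
    }
    [pscustomobject]@{
        Policy    = 'Specify SHA1 Thumbprints of certificates representing trusted .rdp publishers'
        ValueName = 'TrustedCertThumbprints'
        Expected  = '<comma-separated SHA1 thumbprints>'
        Actual    = $tp
        Compliant = $valid
    }
}

function Get-NlaEffective {
    # The policy value says what is required; this reads what the RDP-Tcp listener
    # actually enforces (needs an elevated session).
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    [bool]$ts.UserAuthenticationRequired
}

function Set-RdpHardeningGpo {
    # Writes the same values into a domain GPO (needs the RSAT GroupPolicy module and
    # edit rights on the GPO); link the GPO to the target OUs afterwards as the text describes.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [string[]]$TrustedThumbprints
    )
    Import-Module GroupPolicy
    $gpoKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    foreach ($e in $Expected) {
        Set-GPRegistryValue -Name $GpoName -Key $gpoKey -ValueName $e.Name -Type DWord -Value $e.Value | Out-Null
    }
    if ($TrustedThumbprints) {
        $joined = ($TrustedThumbprints | ForEach-Object { $_ -replace '\s', '' }) -join ','
        Set-GPRegistryValue -Name $GpoName -Key $gpoKey -ValueName 'TrustedCertThumbprints' -Type String -Value $joined | Out-Null
    }
}

# Usage (run elevated on a session host or client you want to check):
Test-RdpHardening | Format-Table -AutoSize
# Set-RdpHardeningGpo -GpoName 'RDP-Hardening' -TrustedThumbprints '<THUMBPRINT-PLACEHOLDER>'
```

Reading the Policies key shows what Group Policy has delivered to the machine; Get-NlaEffective is there because a policy can be present yet not yet applied to the listener, and the two answers should agree before a host is declared compliant.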
5.5 Insight
Enabling NLA is a fundamental security best practice for RDP. By requiring authentication before a session is fully established, it adds a critical layer of defense that effectively mitigates numerous common attack vectors and significantly reduces the risk of unauthorized access to systems.
5.6 Insight
While NLA provides a substantial boost to RDP security, organizations should be aware that it might introduce compatibility issues with very old operating systems or RDP clients that do not support the CredSSP protocol.24 In such instances, organizations might need to consider implementing alternative security measures or plan for upgrades of outdated systems to ensure both security and necessary connectivity.
6. Monitoring for mstsc.exe Activity
6.1 What is mstsc.exe and its role in RDP connections
mstsc.exe, which stands for Microsoft Terminal Service Client, is the executable file that serves as the command interface for initiating the Remote Desktop Connection client in Windows operating systems.1 This essential component allows users to connect to and control remote computers and servers over a network.94 The mstsc.exe file is typically located in the Windows system directory, specifically C:\Windows\System32\mstsc.exe (the 64-bit build on 64-bit systems), with a 32-bit version also residing in C:\Windows\SysWOW64\mstsc.exe on 64-bit systems.94
As a command-line utility, mstsc.exe supports various parameters that can be used to specify connection settings directly when launching the Remote Desktop Connection client. Some common and useful parameters include /v:<server[:port]> to define the remote computer's name or IP address, /f to initiate the connection in full-screen mode, /admin to connect to the console session of a server, and /edit followed by a file path to open an existing .rdp configuration file for editing.95
6.2 Why monitoring mstsc.exe activity is a recommended security practice
Monitoring the execution and associated activity of mstsc.exe is a highly recommended security practice as it provides critical visibility into the initiation of remote desktop connections from systems within the network.1 Tracking this activity can help detect attempts to open remote desktop files (.rdp) from suspicious locations, which might indicate malicious activity such as phishing attacks aimed at establishing unauthorized remote access.1 Furthermore, monitoring mstsc.exe allows organizations to identify unauthorized or unusual remote connections that could be indicative of compromised accounts or attackers attempting to move laterally within the network.105 It can also aid in the detection of potential insider threats or the misuse of remote access privileges by providing insights into who is initiating RDP connections and to which systems.105 In many cases, monitoring user activity, including RDP sessions initiated via mstsc.exe, is a requirement for compliance with various cybersecurity standards and regulations.105 Finally, logs and alerts generated from monitoring mstsc.exe activity can be invaluable for incident response, providing security teams with crucial information about remote connections made before, during, or after a security incident.105
6.3 Key events to monitor and what they indicate
Several key events related to mstsc.exe activity should be monitored to enhance security. Process creation events for mstsc.exe are paramount, especially when the process is launched from unusual directories, by unexpected user accounts, or with suspicious command-line arguments that might point to .rdp files located in temporary folders or the downloads directory.1 Network connection events initiated by processes associated with mstsc.exe, particularly those targeting the standard RDP port (TCP 3389) and originating from internal systems to external or unfamiliar IP addresses, could indicate compromised systems being controlled remotely.13 An unusual increase in the number of mstsc.exe processes being launched from a specific system or by a particular user might also warrant investigation as it could suggest automated attack attempts or anomalous activity patterns. Security teams should also correlate mstsc.exe activity with other security-related events, such as failed login attempts preceding a successful connection or the execution of suspicious scripts or commands on a remote system immediately following an RDP session. Monitoring for the opening of .rdp files from locations known to be associated with malware distribution or phishing attempts, such as the Downloads folder or temporary directories, is also a critical practice.1
6.4 Tools and methods for monitoring (Event Viewer, SIEM)
Organizations can employ various tools and methods to monitor mstsc.exe activity. Security Information and Event Management (SIEM) systems are highly effective for centrally collecting and analyzing process execution logs, network connection logs, and other relevant data sources to identify patterns and anomalies related to mstsc.exe usage [105]. SIEM platforms can be configured to generate real-time alerts based on predefined rules that detect suspicious RDP connection attempts or established sessions. Endpoint Detection and Response (EDR) solutions also play a crucial role in monitoring process execution and network activity at the endpoint level, and can flag suspicious behavior of mstsc.exe, including connections to known malicious IP addresses or command and control infrastructure [108]. While less scalable for large environments, Windows Event Viewer can be used to filter for events related to process creation (Event ID 4688, if process auditing is enabled) and network connections associated with mstsc.exe [107]. Scripting tools like PowerShell can be used to query event logs for specific mstsc.exe-related events and to automate the analysis of these logs for potential security concerns [111].
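The following PowerShell script is an added example, not code from the report or from any vendor it cites. It implements the check section 6.3 describes for Event ID 4688: it reads process-creation events from the Security log, keeps those where the new process is mstsc.exe, and flags the ones whose command line opens an .rdp file from a download or temporary folder. It assumes process-creation auditing is enabled together with the "Include command line in process creation events" policy (otherwise the CommandLine field is empty); the list of risky folders and the constructed sample event are this example's own assumptions.

```powershell
# Added example, not code from the report: flag mstsc.exe launches recorded in Security
# Event ID 4688 whose command line opens an .rdp file from a download or temporary folder.
# Assumes process-creation auditing is enabled with "Include command line in process creation
# events" turned on; the folder list and the sample event below are this example's assumptions.

# Folders from which an .rdp file is rarely opened legitimately (assumed; tune to your estate)
$SuspiciousRdpFolders = @('\Downloads\', '\Temp\', '\INetCache\')

function ConvertFrom-EventDataXml {
    # Turn the <EventData> of an event's XML into a hashtable keyed by the Data Name attribute
    param([Parameter(Mandatory)][string]$EventXml)
    $data = @{}
    foreach ($d in ([xml]$EventXml).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Test-SuspiciousMstscLaunch {
    # $true when the event is an mstsc.exe launch whose argument is an .rdp file in a risky folder
    param([Parameter(Mandatory)][hashtable]$EventData)
    $proc = [string]$EventData['NewProcessName']
    $cmd  = [string]$EventData['CommandLine']
    if ($proc -notmatch '\\mstsc\.exe$') { return $false }   # only the RDP client
    if ($cmd -notmatch '\.rdp(\s|"|$)')  { return $false }   # only launches that open an .rdp file
    foreach ($folder in $SuspiciousRdpFolders) {
        if ($cmd -like "*$folder*") { return $true }
    }
    return $false
}

function Get-SuspiciousMstscLaunch {
    # Live query: scan Security 4688 events from the last N hours and emit the suspicious ones
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventDataXml -EventXml $_.ToXml()
        if (Test-SuspiciousMstscLaunch -EventData $d) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Parent      = $d['ParentProcessName']   # present on Windows 10 / Server 2016 and later
                CommandLine = $d['CommandLine']
            }
        }
    }
}

# Constructed sample event (not a real capture) so the check can be exercised offline
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="NewProcessName">C:\Windows\System32\mstsc.exe</Data>
    <Data Name="CommandLine">"C:\Windows\System32\mstsc.exe" "C:\Users\jdoe\Downloads\invoice.rdp"</Data>
    <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@
Test-SuspiciousMstscLaunch -EventData (ConvertFrom-EventDataXml -EventXml $sampleEvent)

# Against the live log: Get-SuspiciousMstscLaunch -Hours 24 | Format-Table -AutoSize
```

The check works on the event XML rather than the rendered Message text, so it does not depend on the display language of the host. The constructed sample is built to satisfy all three conditions (mstsc.exe, an .rdp argument, a Downloads path); in a SIEM the same logic maps directly onto a rule over the NewProcessName and CommandLine fields, with the parent process as useful enrichment for triage.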
6.5 Insight
Monitoring mstsc.exe activity is a crucial proactive security measure that provides early indicators of potential unauthorized access, misuse of RDP, or systems that might be compromised and controlled remotely. By tracking the initiation of RDP connections, organizations can significantly enhance their ability to detect and respond to threats in a timely manner.
6.6 Insight
While monitoring the execution of mstsc.exe is a vital step, organizations should also ensure that this activity is correlated with other relevant security logs and events, such as authentication logs and network traffic data. This correlation provides a more comprehensive understanding of potential threats and helps to reduce the occurrence of false positive alerts, allowing security teams to focus on genuine security incidents.
Table 1: Key RDP-Related Event IDs
Event ID | Source log | What it indicates
4688 | Security | Process creation; shows mstsc.exe launches and their command line when process auditing is enabled
4624 | Security | Successful logon; Logon Type 10 (RemoteInteractive) identifies an RDP logon
4625 | Security | Failed logon attempt; repeated failures from one source suggest a brute-force attack
4778 | Security | Session reconnected; used together with 4624 when listing a day's RDP connections
1149 | Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | RDP user authentication succeeded
1024 | TerminalServices operational log (see section 8.2) | RDP connection initiation
1025 | TerminalServices operational log (see section 8.2) | RDP connection succeeded
1026 | TerminalServices operational log (see section 8.2) | RDP connection terminated
7. Understanding Common Security Risks and Dangers of RDP
7.1 Overview of prevalent RDP security threats
Remote Desktop Protocol (RDP), while essential for remote connectivity, is associated with a range of security threats that organizations must be acutely aware of. Brute-force attacks are a common method employed by attackers, where automated tools repeatedly guess login credentials until the correct combination is found, granting unauthorized access to RDP sessions [10]. Systems with weak passwords or without proper account lockout policies are particularly susceptible to these attacks [12].
Credential theft is another significant risk, where attackers attempt to obtain legitimate RDP login credentials through various means, including phishing campaigns designed to trick users into revealing their passwords, man-in-the-middle attacks that intercept login data during the authentication process, and by exploiting databases of leaked or stolen credentials [11]. Once attackers possess valid credentials, they can gain full access to the targeted systems.
The RDP protocol and its various implementations have been subject to numerous security vulnerabilities over the years. Notable examples include BlueKeep (CVE-2019-0708) and related vulnerabilities like DejaBlue, as well as more recent flaws such as CVE-2023-24905, CVE-2023-35332, and CVE-2024-21307 [12]. These vulnerabilities can allow attackers to execute arbitrary code remotely, often without requiring any user interaction or authentication, leading to severe system compromise. Older, unpatched systems are particularly at risk [12].
Exposing the default RDP port (TCP 3389) directly to the internet is a major danger, as this port is constantly scanned by attackers and automated attack tools looking for vulnerable systems to exploit [12]. This direct exposure significantly increases the attack surface and the likelihood of a successful breach.
Insider threats also pose a risk, where authorized users with malicious intent can abuse their legitimate RDP access to exfiltrate sensitive data, disrupt operations, or install backdoors [15]. Additionally, session hijacking is a potential threat if RDP sessions are not properly secured, allowing attackers to intercept and take control of an ongoing remote session [18]. Finally, compromised RDP sessions can be a gateway for deploying malicious software, including ransomware, spyware, and other harmful code that can cause significant damage and data loss [17].
7.2 Examples of past RDP exploits and their impact
The BlueKeep vulnerability (CVE-2019-0708) stands out as a particularly severe RDP exploit. It allowed for remote code execution on vulnerable Windows systems simply by sending a specially crafted request to the RDP port, and critically, it was wormable, enabling it to spread across networks without any user interaction [12]. This posed a significant threat of widespread automated attacks.
Following BlueKeep, other notable RDP vulnerabilities have been discovered, including DejaBlue, which was a collection of related flaws. More recently, vulnerabilities like CVE-2023-24905 involving DLL hijacking, CVE-2023-35332 in the RDP Gateway related to the outdated DTLS 1.0 protocol, and CVE-2024-21307, which is a Remote Code Execution vulnerability in the RDP Client, highlight the ongoing risks associated with the protocol [22].
In terms of real-world impact, RDP has been frequently exploited in ransomware attacks. Data from Coalition indicates that businesses with internet-exposed RDP are the most likely to experience a ransomware event [14]. Attackers often use compromised RDP credentials or exploit RDP vulnerabilities to gain initial access to a network, move laterally to critical systems, and then deploy ransomware, causing significant disruption and financial losses. The attack on the Keystone pipeline, for example, is believed to have originated from a compromised remote access connection [44].
7.3 General best practices to mitigate RDP risks
To mitigate the common security risks associated with RDP, organizations should implement a comprehensive set of best practices. Enforcing strong password policies that require complex and unique passwords for all accounts with RDP access, along with implementing account lockout policies to limit the number of failed login attempts, is crucial in preventing brute-force attacks [12]. Multi-factor authentication (MFA) should be implemented for all RDP connections to add an extra layer of security beyond just a password [10]. It is essential to keep all operating systems, RDP clients, and servers updated and patched with the latest security updates from vendors to address known vulnerabilities promptly [12].
Access to RDP should be restricted to only those users and systems that absolutely require it for their work, following the principle of least privilege [10]. It is highly recommended to use a Virtual Private Network (VPN) to establish a secure and encrypted connection before initiating an RDP session, rather than directly exposing RDP to the public internet [14]. Organizations should also consider using an RDP Gateway to act as a secure proxy for RDP connections, providing an additional layer of security and control [14]. Changing the default RDP port from TCP 3389 to a non-standard, high-numbered port can also help to reduce the number of automated attacks targeting the service [12]. Implementing Network Level Authentication (NLA), as discussed previously, is another critical step [10]. Additionally, disabling unnecessary RDP features like drive and clipboard redirection, as discussed earlier in this report, can significantly reduce the attack surface. Finally, regularly auditing RDP connections, as will be detailed in the next section, is essential for detecting and responding to suspicious activity [17].
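As an added example (not the report's own material), the following PowerShell script reads the local settings behind several of the recommendations above and lists, for each, the observed value beside the weak and hardened settings. The registry paths are the standard Windows locations for the RDP-Tcp listener and for Terminal Services Group Policy; the hardened target values are this example's choices and should be aligned with your own baseline. Account lockout, MFA, VPN and RDP Gateway are not local RDP settings and are outside its scope.

```powershell
# Added example, not code from the report: report the local RDP settings behind several of the
# section 7.3 recommendations (NLA, security layer, listening port, drive and clipboard redirection)
# next to their weak and hardened values. Registry paths are the standard Windows ones; the
# expected values are this example's choices. Run in an elevated PowerShell on the RDP host.

$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValueOrNull {
    # Read one registry value from the first path that defines it; $null if none does
    param([string[]]$Paths, [string]$Name)
    foreach ($p in $Paths) {
        try { return (Get-ItemProperty -Path $p -Name $Name -ErrorAction Stop).$Name } catch { }
    }
    return $null
}

function Get-RdpHardeningReport {
    # Each check names the value, where to read it (Group Policy first, then the listener),
    # a pass test, and a description of the weak and hardened states
    $checks = @(
        @{ Check = 'Network Level Authentication'; Name = 'UserAuthentication'; Paths = @($PolicyKey, $RdpTcpKey)
           Pass = { param($v) $v -eq 1 }; Weak = '0 (NLA not required)'; Hardened = '1 (NLA required)' }
        @{ Check = 'Security layer';               Name = 'SecurityLayer';      Paths = @($PolicyKey, $RdpTcpKey)
           Pass = { param($v) $v -eq 2 }; Weak = '0 (legacy RDP security)'; Hardened = '2 (TLS)' }
        @{ Check = 'Listening port';               Name = 'PortNumber';         Paths = @($RdpTcpKey)
           Pass = { param($v) ($null -ne $v) -and ($v -ne 3389) }; Weak = '3389 (default, widely scanned)'; Hardened = 'non-default port' }
        @{ Check = 'Drive redirection blocked';    Name = 'fDisableCdm';        Paths = @($PolicyKey, $RdpTcpKey)
           Pass = { param($v) $v -eq 1 }; Weak = 'not set or 0 (client drives mapped)'; Hardened = '1 (drives not mapped)' }
        @{ Check = 'Clipboard redirection blocked'; Name = 'fDisableClip';      Paths = @($PolicyKey, $RdpTcpKey)
           Pass = { param($v) $v -eq 1 }; Weak = 'not set or 0 (clipboard shared)'; Hardened = '1 (clipboard not shared)' }
    )
    foreach ($c in $checks) {
        $observed = Get-RegValueOrNull -Paths $c.Paths -Name $c.Name
        $shown = if ($null -eq $observed) { '(not set)' } else { $observed }
        [pscustomobject]@{
            Check    = $c.Check
            Observed = $shown
            Pass     = [bool](& $c.Pass $observed)
            Weak     = $c.Weak
            Hardened = $c.Hardened
        }
    }
}

Get-RdpHardeningReport | Format-Table -AutoSize
```

Reading the policy key before the listener key matters: a Group Policy value overrides what the listener key says, so a host can show UserAuthentication = 0 under RDP-Tcp while NLA is still enforced by policy. The report's "Pass" column reflects the effective value, and the Weak and Hardened columns give the reviewer the corrected setting to apply, whether through Group Policy or directly on the listener.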
7.4 Insight
Securing RDP requires a comprehensive, multi-layered approach that addresses various aspects of the protocol and its usage. Implementing a combination of strong authentication mechanisms, robust access controls, technical safeguards, and effective user education is essential to significantly reduce the risk of successful RDP-related attacks.
7.5 Insight
The continuous discovery of new vulnerabilities in the RDP protocol and its implementations underscores the critical importance of maintaining ongoing vigilance and proactive security practices. Organizations must remain informed about the latest threats and ensure that their systems are promptly patched to minimize their exposure to these evolving risks.
8. Auditing All RDP Connections
8.1 Importance of auditing RDP connections for security
Auditing all Remote Desktop Protocol (RDP) connections is a critical security practice that provides organizations with essential visibility into how their systems are being accessed remotely [17]. This process involves systematically tracking and reviewing records of who connected, when they connected, the source from which they connected, and potentially the duration of their session [17].
Comprehensive auditing helps in the early detection of unauthorized access attempts and successful logins by suspicious accounts or from unexpected locations [17]. By analyzing audit logs, organizations can identify patterns of suspicious activity or unusual connection patterns that might indicate an ongoing attack or a compromised user account [17]. The detailed information captured in RDP audit logs is invaluable for security incident investigations and forensic analysis, allowing security teams to reconstruct events, identify the scope of a breach, and understand the actions taken by an attacker [105]. Furthermore, maintaining thorough RDP audit logs can be a mandatory requirement for compliance with various cybersecurity standards, laws, and regulations [105].
8.2 Best practices for auditing RDP connections
To effectively audit RDP connections, organizations should implement several key best practices. Firstly, enable the 'Audit Logon' policy within the operating system's security policy settings to ensure that both successful and failed logon attempts, including those made via RDP, are recorded in the security logs [17]. Specifically, configure auditing for success to track successful RDP connections. Secondly, regularly review the Security event logs in Windows Event Viewer, filtering for relevant Event IDs such as 4624 (successful logon with Logon Type 10 for RDP) and 4625 (failed logon attempts) [107]. Additionally, monitor the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log for events related to RDP connection establishment (Event ID 1149 for successful authentication, Event ID 1024 for connection initiation, Event ID 1025 for connection success) and termination (Event ID 1026) [107].
For larger environments, utilizing a Security Information and Event Management (SIEM) system is highly recommended for centralizing the collection, analysis, and correlation of RDP logs from various systems, which enables better detection of suspicious patterns and automated alerting [105]. Organizations should also set up alerts within their SIEM or log monitoring tools to be notified of specific RDP-related events that might indicate a security concern, such as multiple failed login attempts originating from the same source IP address, successful logins occurring outside of normal business hours, or connections originating from geographic locations that are not typically associated with legitimate access [105]. It is crucial to establish a policy for retaining RDP audit logs for an appropriate period, based on both compliance requirements and the organization's internal security policies, to facilitate historical analysis and incident investigation [123]. Regularly review the configured audit policies to ensure they are capturing all relevant RDP activity. Finally, consider implementing dedicated RDP monitoring and reporting tools, which can offer more advanced features for tracking and analyzing remote desktop activity, such as session recording and detailed user activity monitoring [109].
8.3 Information that should be included in RDP audit logs
Comprehensive RDP audit logs should capture a range of information to be effective for security monitoring and incident response. This includes the timestamp of the connection attempt, indicating when the connection was initiated and whether it was successful or failed [111]. The source IP address or hostname of the client machine initiating the RDP connection is vital for identifying the origin of the remote access [13]. The username used for authentication should be recorded to identify the specific user account involved in the connection attempt [111]. The destination server name or IP address of the system being accessed via RDP is essential for knowing which resource was targeted [112]. If possible, the duration of the RDP session should be logged, capturing both the connection and disconnection timestamps to understand how long a remote session lasted [123]. The logon type should be included to specifically identify RDP connections (typically a Logon Type of 10) and differentiate them from other types of logons [113]. A session ID, if available, can be useful for tracking all activities associated with a particular remote session [123]. Finally, any error codes or status codes associated with failed login attempts can provide valuable insights into the reasons for the failure and potentially indicate brute-force attacks [125].
8.4 Methods to check RDP connection logs (Event Viewer, PowerShell)
RDP connection logs can be checked using built-in Windows tools like Event Viewer and PowerShell. In Event Viewer, navigate to the Security log and filter for Event IDs 4624 (successful RDP logons with Logon Type 10) and 4625 (failed RDP logon attempts). Additionally, the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log provides specific events related to RDP connections, such as Event ID 1149 for successful authentication [107].
PowerShell offers a more flexible way to query and extract RDP log information. For example, the command Get-EventLog -LogName Security |?{$_.eventid -eq 4624 -and $_.Message -match 'logon type:\s+(10)\s'} can be used to retrieve all successful RDP logon events from the Security log [113]. Similarly, you can use Get-EventLog -LogName Security -after (Get-date -hour 0 -minute 0 -second 0) |?{(4624,4778) -contains $_.EventID -and $_.Message -match 'logon type:\s+(10)\s'} to get RDP connection logs for the current day [111]. These commands can be adapted to filter by specific timeframes, usernames, or source IPs as needed. While the Windows Registry stores some recent RDP connection history under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client, this is primarily for user convenience and does not provide the comprehensive auditing information necessary for security analysis [112].
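The script below is an added example, not the report's code, that applies the auditing practices of sections 8.2 to 8.4 in PowerShell: it reduces Security Event IDs 4624 and 4625 to the fields listed in section 8.3, keeps only Logon Type 10 (RDP) events, and raises the two alerts section 8.2 names, repeated failures from one source IP and successful logons outside business hours. The failure threshold, the business-hours window and the constructed sample records are assumptions of this example. It reads the event XML through Get-WinEvent instead of matching the rendered Message text, so it also works on hosts whose display language is not English, where the 'logon type:' pattern used in the commands above would not match.

```powershell
# Added example, not code from the report: audit RDP logons from the Security log.
# Keeps Logon Type 10 (RemoteInteractive) events only, reduces them to the fields section 8.3
# lists, and raises the two alerts section 8.2 describes. The threshold, the business-hours
# window and the sample records below are assumptions for this example.

$FailureThreshold = 5                         # failed RDP logons from one IP before alerting (assumed)
$BusinessHours    = @{ Start = 8; End = 18 }  # 08:00-18:00, Monday to Friday (assumed)

function ConvertFrom-EventDataXml {
    # Turn the <EventData> of an event's XML into a hashtable keyed by the Data Name attribute
    param([Parameter(Mandatory)][string]$EventXml)
    $data = @{}
    foreach ($d in ([xml]$EventXml).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function New-RdpLogonRecord {
    # Build one audit record from a 4624/4625 event; returns $null for non-RDP logon types
    param([datetime]$Time, [int]$EventId, [hashtable]$Data)
    if ($Data['LogonType'] -ne '10') { return $null }
    [pscustomobject]@{
        Time      = $Time
        Success   = ($EventId -eq 4624)
        User      = "$($Data['TargetDomainName'])\$($Data['TargetUserName'])"
        SourceIp  = $Data['IpAddress']
        Status    = $Data['Status']         # NTSTATUS code, populated on 4625 only
        SessionId = $Data['TargetLogonId']  # logon ID, populated on 4624 only
    }
}

function Get-RdpLogonRecords {
    # Live query: Security 4624/4625 events from the last N hours as audit records
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        New-RdpLogonRecord -Time $_.TimeCreated -EventId $_.Id -Data (ConvertFrom-EventDataXml -EventXml $_.ToXml())
    } | Where-Object { $_ }
}

function Get-RdpLogonAlerts {
    param([object[]]$Records = @())
    $alerts = @()
    # Alert 1: repeated failed RDP logons from the same source IP (possible brute force)
    foreach ($g in ($Records | Where-Object { -not $_.Success } | Group-Object SourceIp)) {
        if ($g.Count -ge $FailureThreshold) {
            $alerts += [pscustomobject]@{ Alert = 'RepeatedFailures'; SourceIp = $g.Name
                                          User = ($g.Group.User | Sort-Object -Unique) -join ','; Count = $g.Count }
        }
    }
    # Alert 2: successful RDP logons on a weekend or outside the business-hours window
    foreach ($r in ($Records | Where-Object { $_.Success })) {
        $weekend  = $r.Time.DayOfWeek -in @([DayOfWeek]::Saturday, [DayOfWeek]::Sunday)
        $offHours = ($r.Time.Hour -lt $BusinessHours.Start) -or ($r.Time.Hour -ge $BusinessHours.End)
        if ($weekend -or $offHours) {
            $alerts += [pscustomobject]@{ Alert = 'OutOfHoursLogon'; SourceIp = $r.SourceIp; User = $r.User; Count = 1 }
        }
    }
    return $alerts
}

# Constructed sample records (not real log data) so the alert logic can be exercised offline
$sample = @(
    New-RdpLogonRecord -Time '2025-04-07T10:15:00' -EventId 4624 -Data @{ LogonType = '10'; TargetDomainName = 'CORP'; TargetUserName = 'jdoe'; IpAddress = '10.0.0.15'; TargetLogonId = '0x3e7a1' }
    New-RdpLogonRecord -Time '2025-04-06T02:40:00' -EventId 4624 -Data @{ LogonType = '10'; TargetDomainName = 'CORP'; TargetUserName = 'svc_backup'; IpAddress = '203.0.113.8'; TargetLogonId = '0x41b22' }
    New-RdpLogonRecord -Time '2025-04-07T11:00:00' -EventId 4624 -Data @{ LogonType = '3'; TargetDomainName = 'CORP'; TargetUserName = 'fileshare'; IpAddress = '10.0.0.20' }
    1..6 | ForEach-Object { New-RdpLogonRecord -Time '2025-04-07T09:00:00' -EventId 4625 -Data @{ LogonType = '10'; TargetDomainName = ''; TargetUserName = 'administrator'; IpAddress = '198.51.100.77'; Status = '0xC000006D' } }
) | Where-Object { $_ }

Get-RdpLogonAlerts -Records $sample | Format-Table -AutoSize
# Against the live log: Get-RdpLogonAlerts -Records (Get-RdpLogonRecords -Hours 24) | Format-Table -AutoSize
```

The sample set is constructed to exercise each path: one ordinary weekday logon, one weekend night logon by a service account, one network (Logon Type 3) logon that is dropped as not RDP, and six failures for the same account from one address, which crosses the assumed threshold. The Status field is kept on failed records because, as section 8.3 notes, the failure reason separates a mistyped password from a disabled or non-existent account, which matters when deciding whether a burst of failures is a brute-force attempt.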
8.5 Insight
Comprehensive auditing of RDP connections is an indispensable practice for maintaining a strong security posture. It provides the necessary visibility to detect and respond to unauthorized access attempts and potential security breaches, while also serving as a critical historical record for analysis and forensic investigations.
8.6 Insight
Organizations should establish clear and well-defined policies regarding the retention period for RDP audit logs and the frequency with which these logs are reviewed. Implementing automated log analysis and alerting mechanisms, especially within a SIEM platform, is crucial for the timely detection of suspicious activity in large-scale environments, enabling security teams to proactively address potential threats before they can cause significant harm.
Table 2: Information to Include in RDP Audit Logs
Field | Why it is needed
Timestamp of the connection attempt, with success or failure | Establishes when access occurred and orders events during an investigation
Source IP address or hostname | Identifies where the remote connection originated
Username | Identifies the account used to authenticate
Destination server name or IP address | Identifies the resource that was accessed
Session duration (connection and disconnection timestamps) | Shows how long the remote session lasted
Logon type | Distinguishes RDP logons (Logon Type 10) from other kinds of logon
Session ID | Ties all activity of one remote session together
Error or status codes for failed attempts | Explains why a logon failed and helps identify brute-force attacks
9. Conclusion
Implementing these seven must-do defenses is paramount for establishing a robust and multi-layered security posture for Remote Desktop Protocol. Given that RDP remains a significant and frequently targeted attack vector, continuous vigilance and proactive security measures are essential for protecting organizational systems and data. The ever-evolving threat landscape and the ongoing discovery of new vulnerabilities necessitate a regular review and adaptation of security measures. By diligently implementing these defenses, organizations can significantly reduce their risk of successful RDP-related security breaches and fortify their overall IT environment against unauthorized access and malicious activities.
Works cited
1. Remote Desktop File Opened from Suspicious Path | Elastic Security ..., accessed April 8, 2025, https://www.elastic.co/guide/en/security/current/remote-desktop-file-opened-from-suspicious-path.html
2. cloud.google.com, accessed April 8, 2025, https://cloud.google.com/blog/topics/threat-intelligence/windows-rogue-remote-desktop-protocol#:~:text=into%20RDP%20Techniques-,Remote%20Desktop%20Protocol,serial%20device%20information%2C%20and%20more.
3. RDP File Configuration. What Is an RDP file? - Parallels, accessed April 8, 2025, https://www.parallels.com/blogs/ras/rdp-file-configuration/
4. What is an RDP File and How to Create and Configure It - AirDroid, accessed April 8, 2025, https://www.airdroid.com/remote-support/what-is-an-rdp-file/
5. RDP File Format - Remote Desktop Configuration File, accessed April 8, 2025, https://docs.fileformat.com/settings/rdp/
6. What Is a RDP File and How to Open it?[Answered] - AnyViewer, accessed April 8, 2025, https://www.anyviewer.com/how-to/what-is-rdp-file-0007.html
7. Understanding Remote Desktop Protocol (RDP) - Windows Server | Microsoft Learn, accessed April 8, 2025, https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/understanding-remote-desktop-protocol
8. Hidden RDP file on Documents. What does it do? - Microsoft Community, accessed April 8, 2025, https://answers.microsoft.com/en-us/windows/forum/all/hidden-rdp-file-on-documents-what-does-it-do/b630a11c-5849-4707-9c1f-f21302af79bf
9. Windows Remote Desktop Protocol: Remote to Rogue | Google ..., accessed April 8, 2025, https://cloud.google.com/blog/topics/threat-intelligence/windows-rogue-remote-desktop-protocol
10. Understanding and Mitigating Midnight Blizzard's RDP-Based Spear Phishing Campaign, accessed April 8, 2025, https://www.picussecurity.com/resource/blog/understanding-and-mitigating-midnight-blizzards-rdp-based-spearphishing-campaign
11. Guarding Against Midnight Blizzard's New RDP Tactics - Cyber Centaurs, accessed April 8, 2025, https://cybercentaurs.com/blog/guarding-against-midnight-blizzards-new-rdp-tactics/
12. What are the security risks of RDP? | RDP vulnerabilities - Cloudflare, accessed April 8, 2025, https://www.cloudflare.com/learning/access-management/rdp-security-risks/
13. RDP (Remote Desktop Protocol) from the Internet | Elastic Security Solution [8.17], accessed April 8, 2025, https://www.elastic.co/guide/en/security/current/rdp-remote-desktop-protocol-from-the-internet.html
14. How to Mitigate the Risks of Internet-Exposed RDP - Coalition, accessed April 8, 2025, https://www.coalitioninc.com/blog/remote-desktop-protocol-risks
15. What are the vulnerabilities in RDP security? | Fastly, accessed April 8, 2025, https://www.fastly.com/learning/what-are-rdp-vulnerabilities
16. Is RDP Secure? Exploring Remote Desktop Protocol Risks - Splashtop, accessed April 8, 2025, https://www.splashtop.com/blog/is-rdp-secure-exploring-remote-desktop-protocol-vulnerabilities
17. Keeping Your RDP Secure: Common Issues and Best Practices ..., accessed April 8, 2025, https://www.kamatera.com/blog/keep-your-rdp-secure/
18. How Secure Is Remote Desktop Protocol (RDP)? - Apporto, accessed April 8, 2025, https://www.apporto.com/how-secure-is-remote-desktop-protocol-rdp
19. RDP Security: How to secure Remote Desktop Protocol - Delinea, accessed April 8, 2025, https://delinea.com/blog/rdp-security
20. Exposing RDP to the internet - how risky is it? : r/homelab - Reddit, accessed April 8, 2025, https://www.reddit.com/r/homelab/comments/1dzt2oj/exposing_rdp_to_the_internet_how_risky_is_it/
21. What are the risks of remoting in (RDP) to a compromised system? [duplicate], accessed April 8, 2025, https://security.stackexchange.com/questions/191055/what-are-the-risks-of-remoting-in-rdp-to-a-compromised-system
22. Remote Desktop Protocol (RDP) Vulnerability - CalCom Software, accessed April 8, 2025, https://calcomsoftware.com/remote-desktop-protocol-rdp-vulnerability/
23. A Few More Reasons Why RDP is Insecure (Surprise!) - The Hacker News, accessed April 8, 2025, https://thehackernews.com/2023/07/a-few-more-reasons-why-rdp-is-insecure.html
24. Securing Remote Desktop (RDP) for System Administrators, accessed April 8, 2025, https://security.berkeley.edu/education-awareness/securing-remote-desktop-rdp-system-administrators
25. What Is RDP & How Do You Secure (or Replace) It? - BeyondTrust, accessed April 8, 2025, https://www.beyondtrust.com/blog/entry/what-is-rdp-how-do-you-secure-or-replace-it
26. RDP Connection warning - rdp file not digitally signed | DELL Technologies, accessed April 8, 2025, https://www.dell.com/community/en/conversations/wyse-management-suite/rdp-connection-warning-rdp-file-not-digitally-signed/647fa252f4ccf8a8de7cc1f4
27. cloud.google.com, accessed April 8, 2025, https://cloud.google.com/blog/topics/threat-intelligence/windows-rogue-remote-desktop-protocol#:~:text=Additionally%2C%20an%20organization%20could%20also,rdp%20files%20from%20unknown%20publishers%20.
28. ADMX_TerminalServer Policy CSP | Microsoft Learn, accessed April 8, 2025, https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-terminalserver
29. GPS: Allow .rdp files from unknown publishers - Group Policy Search, accessed April 8, 2025, https://gpsearch.azurewebsites.net/default.aspx?policyid=8101&lang=en-US
30. Allow .rdp files from unknown publishers - ADMX.help., accessed April 8, 2025, https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_CLIENT_ALLOW_UNSIGNED_FILES_1
31. Auto-Opening RDP files for each Client OS - Kasm Workspaces, accessed April 8, 2025, https://kasmweb.com/docs/develop/guide/windows/auto_open_rdp_file.html
32. How to Support RDP file signing by using the Windows PSM RDP Proxy feature - CyberArk, accessed April 8, 2025, https://community.cyberark.com/s/article/How-to-Support-RDP-file-signing-by-using-the-Windows-PSM-RDP-Proxy-feature
33. Manage device RDP redirections for Cloud PCs. | Microsoft Learn, accessed April 8, 2025, https://learn.microsoft.com/en-us/windows-365/enterprise/manage-rdp-device-redirections
34. Peripheral and resource redirection over the Remote Desktop Protocol | Azure Docs, accessed April 8, 2025, https://docs.azure.cn/en-us/virtual-desktop/redirection-remote-desktop-protocol
35. Configure fixed, removable, and network drive redirection over the Remote Desktop Protocol, accessed April 8, 2025, https://learn.microsoft.com/en-us/azure/virtual-desktop/redirection-configure-drives-storage
36. Step 1: Verify that the RDP Client Allows Drive Redirection - About Axis, accessed April 8, 2025, https://docs.axissecurity.com/docs/verifying-that-the-rdp-client-allows-drive-redirection
37. How to Enable Drive Redirection on Your Windows? - Apps4Rent.com, accessed April 8, 2025, https://www.apps4rent.com/support/kb/article/drive-redirection-cloud-hosting
38. Step 3: Verify that RDP Group Server Security Policy Allows Drive Redirection Transfers, accessed April 8, 2025, https://docs.axissecurity.com/docs/step-2-verify-that-the-axis-security-rdp-policy-allows-file-transfers
39. How to configure device redirection using the RDP protocol in Windows for Kaspersky Thin Client, accessed April 8, 2025, https://support.kaspersky.com/15833
40. Do not allow drive redirection on RDP : r/cybersecurity - Reddit, accessed April 8, 2025, https://www.reddit.com/r/cybersecurity/comments/1exnmnl/do_not_allow_drive_redirection_on_rdp/
41. Fixed: Local Drive Redirection Not Working in RDP Session 2016 - AnyViewer, accessed April 8, 2025, https://www.anyviewer.com/how-to/local-drive-redirection-not-working-in-rdp-session-2016-2578.html
42. RDP File and disable drive redirection : r/sysadmin - Reddit, accessed April 8, 2025, https://www.reddit.com/r/sysadmin/comments/147v0w7/rdp_file_and_disable_drive_redirection/
43. RDS: Do Not Allow Drive Redirection | CalCom Software, accessed April 8, 2025, https://www.calcomsoftware.com/rds-do-not-allow-drive-redirection/
44. RDP Security : r/ComputerSecurity - Reddit, accessed April 8, 2025, https://www.reddit.com/r/ComputerSecurity/comments/nvyiio/rdp_security/
45. Microsoft Security Bulletin MS16-067 - Important, accessed April 8, 2025, https://learn.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-067
46. Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more - CyberArk, accessed April 8, 2025, https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-inside
47. Security of mapping Local Resources over RDP, accessed April 8, 2025, https://security.stackexchange.com/questions/168833/security-of-mapping-local-resources-over-rdp
48. How to prevent copying files from remote desktop session - Microsoft Learn, accessed April 8, 2025, https://learn.microsoft.com/en-us/answers/questions/2184995/how-to-prevent-copying-files-from-remote-desktop-s?forum=windowserver-all&referrer=answers
49. How To Easily Disable Local Drive Redirection With Intune HTMD Blog - Anoop Nair, accessed April 8, 2025, https://www.anoopcnair.com/easily-disable-local-drive-redirection-intune/
50. How to block Filetransfer through RDP (Port 3389)? - Server Fault, accessed April 8, 2025, https://serverfault.com/questions/1038954/how-to-block-filetransfer-through-rdp-port-3389
51. Use Group Policy to Deactivate Client Drive Redirection - Omnissa Product Documentation, accessed April 8, 2025, https://docs.omnissa.com/bundle/Horizon-Remote-Desktop-FeaturesV2312/page/UseGroupPolicytoDeactivateClientDriveRedirection.html
52. Disable Clipboard Mapping and Remote Drive Mapping for RDP - Server Fault, accessed April 8, 2025, https://serverfault.com/questions/1068289/disable-clipboard-mapping-and-remote-drive-mapping-for-rdp
53. RDP Disable Drive Mapping : r/sysadmin - Reddit, accessed April 8, 2025, https://www.reddit.com/r/sysadmin/comments/14r7oxd/rdp_disable_drive_mapping/
54. Configure clipboard redirection over the Remote Desktop Protocol ..., accessed April 8, 2025, https://docs.azure.cn/en-us/virtual-desktop/redirection-configure-clipboard
55. Configure clipboard redirection over the Remote Desktop Protocol - Learn Microsoft, accessed April 8, 2025, https://learn.microsoft.com/en-us/azure/virtual-desktop/redirection-configure-clipboard
56. Remote Desktop Share Clipboard- How to Enable it? - AnyViewer, accessed April 8, 2025, https://www.anyviewer.com/how-to/remote-desktop-share-clipboard-0427.html
57. How to enable Copy and Paste (Clipboard) in Remote Desktop Session - Hyonix, accessed April 8, 2025, https://howto.hyonix.com/article/how-to-enable-remote-desktop-copy-paste/
58. 2.5.2.2 Redirect Clipboard Data from a Remote Application--RDP Client - Learn Microsoft, accessed April 8, 2025, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdsod/e4c9d4d6-c025-497d-9981-ece9848fa91e
59. How can I restore copy/paste functionality for my remote desktop connection? - Super User, accessed April 8, 2025, https://superuser.com/questions/399917/how-can-i-restore-copy-paste-functionality-for-my-remote-desktop-connection
60. Accessing Remote Desktop Clipboard - Stack Overflow, accessed April 8, 2025, https://stackoverflow.com/questions/8277655/accessing-remote-desktop-clipboard
61. RDS: Do not allow clipboard redirection- The Policy Expert, accessed April 8, 2025, https://www.calcomsoftware.com/the-policy-expert-rds-do-not-allow-clipboard-redirection/
62. RDP clipboard vulnerability Secure Network Communication - CalCom Software, accessed April 8, 2025, https://calcomsoftware.com/rdp-clip-board-vulnerability/
63. Remote Desktop Copy and Paste - Downloads Folder - Security Issue - Learn Microsoft, accessed April 8, 2025, https://learn.microsoft.com/en-us/answers/questions/114653/remote-desktop-copy-and-paste-downloads-folder-sec
64. Is clipboard sharing over RDP a security risk? - Server Fault, accessed April 8, 2025, https://serverfault.com/questions/297479/is-clipboard-sharing-over-rdp-a-security-risk
65. windows - Remote Desktop Clipboard Sharing - Security Risk? - Server Fault, accessed April 8, 2025, https://serverfault.com/questions/551621/remote-desktop-clipboard-sharing-security-risk
66. Security concerns with Windows Clipboard History & remote access : r/sysadmin - Reddit, accessed April 8, 2025, https://www.reddit.com/r/sysadmin/comments/ffq3jn/security_concerns_with_windows_clipboard_history/
67. What is the threat of having the clipboard enabled on Citrix and other rdp?, accessed April 8, 2025, https://security.stackexchange.com/questions/13389/what-is-the-threat-of-having-the-clipboard-enabled-on-citrix-and-other-rdp
68. Blocking the ability to copy in MS Remote Desktop - Microsoft Learn, accessed April 8, 2025, https://learn.microsoft.com/en-us/answers/questions/2194946/blocking-the-ability-to-copy-in-ms-remote-desktop?forum=windowserver-all&referrer=answers
69. How to make RDP not use the same clipboard as my local PC? : r/microsoft - Reddit, accessed April 8, 2025, https://www.reddit.com/r/microsoft/comments/1e5sfnf/how_to_make_rdp_not_use_the_same_clipboard_as_my/
70. How to Disable Copy and Paste Remote Desktop Windows 10 - AnyViewer, accessed April 8, 2025, https://www.anyviewer.com/how-to/disable-copy-and-paste-remote-desktop-win10-0007.html
71. Limiting file copy+paste through RDP session. : r/sysadmin - Reddit, accessed April 8, 2025, https://www.reddit.com/r/sysadmin/comments/w7lkkj/limiting_file_copypaste_through_rdp_session/
72. Solved: Restrict RDP clipboard access with Harmony Endpoin... - Check Point CheckMates, accessed April 8, 2025, https://community.checkpoint.com/t5/Endpoint/Restrict-RDP-clipboard-access-with-Harmony-Endpoint-when-using/td-p/150798
73. RDP session: Win to Win: How to disable clipboard sharing in running RDP session? - Super User, accessed April 8, 2025, https://superuser.com/questions/1142136/rdp-session-win-to-win-how-to-disable-clipboard-sharing-in-running-rdp-session
74. RDP | limit clipboard to Text Only | by Idan Less - Medium, accessed April 8, 2025, https://medium.com/@idanless/rdp-allow-only-text-over-rdp-b61b12d62e58
75. Copy/Paste not Working in RDP? Here's How You Can Fix It ..., accessed April 8, 2025, https://cloudzy.com/blog/copy-paste-not-working-in-rdp/
76. Troubleshoot copy and paste errors with Remote Desktop - Rackspace, accessed April 8, 2025, https://docs.rackspace.com/docs/troubleshoot-copy-and-paste-errors-with-remote-desktop
77. What Is Network Level Authentication (NLA)? (How It Works), accessed April 8, 2025, https://www.strongdm.com/blog/network-level-authentication-nla
78. What is Network Level Authentication? - Portnox, accessed April 8, 2025, https://www.portnox.com/cybersecurity-101/network-level-authentication-nla/
79. RDP Network Level Authentification - TSplus, accessed April 8, 2025, https://tsplus.net/remote-access/blog/rdp-network-level-authentification/
80. Enable Remote Desktop on your PC | Microsoft Learn, accessed April 8, 2025, https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remotepc/remote-desktop-allow-access
81. What is network level authentication? | Atera's Blog, accessed April 8, 2025, https://www.atera.com/blog/what-is-network-level-authentication/
82. What is NLA | Network Level Authentication | SuperOps.ai, accessed April 8, 2025, https://superops.com/rmm/what-is-network-level-authentication
83. Network Level Authentication - Datto, accessed April 8, 2025, https://rmm.datto.com/help/de/Content/5AGENT/NetworkLevelAuthentication.htm
84. What is Network Level Authentication (NLA)? - Paubox, accessed April 8, 2025, https://www.paubox.com/blog/what-is-network-level-authentication-nla
85. Network Level Authentication: A Guide to Protected Access - Splashtop, accessed April 8, 2025, https://www.splashtop.com/blog/network-level-authentication
86. Secure Remote Access with Network Level Authentication RDP - CyberPanel, accessed April 8, 2025, https://cyberpanel.net/blog/network-level-authentication-rdp
87. RDP Security: The Impact of Secure Defaults & Legacy Protocols - runZero, accessed April 8, 2025, https://www.runzero.com/blog/rdp-security/
88. Navigating the RDP security consequences of TLS vs. NLA from a threat exposure perspective - GoSecure, accessed April 8, 2025, https://gosecure.ai/blog/2024/06/17/navigating-the-rdp-security-consequences-of-tls-vs-nla-from-a-threat-exposure-perspective/
89. Please advise on the RDP issue - Microsoft Q&A, accessed April 8, 2025, https://learn.microsoft.com/en-us/answers/questions/1665556/please-advise-on-the-rdp-issue
90. Safety of RDP without network level authentication - Server Fault, accessed April 8, 2025, https://serverfault.com/questions/933322/safety-of-rdp-without-network-level-authentication
91. CredSSP/NLA for RDP: what are the advantages? : r/sysadmin - Reddit, accessed April 8, 2025, https://www.reddit.com/r/sysadmin/comments/8cwvp1/credsspnla_for_rdp_what_are_the_advantages/
92. [MS-RDPBCGR]: Enhanced RDP Security | Microsoft Learn, accessed April 8, 2025, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/592a0337-dc91-4de3-a901-e1829665291d
93. Turning Off Network Level Authentication (NLA) - Parallels Knowledge Base, accessed April 8, 2025, https://kb.parallels.com/en/123661
94. www.anyviewer.com, accessed April 8, 2025, https://www.anyviewer.com/how-to/what-is-mstsc-exe.html#:~:text=mstsc%2C%20the%20abbreviation%20of%20Microsoft,Remote%20Desktop%20Connection)%20in%20Windows.
95. What Is mstsc exe and How to Use mstsc? - AnyViewer, accessed April 8, 2025, https://www.anyviewer.com/how-to/what-is-mstsc-exe.html
96. What Is mstsc.exe and How to Use it - AirDroid, accessed April 8, 2025, https://www.airdroid.com/remote-support/what-is-mstsc-exe/
97. What's mstsc.exe (Remote Desktop Connection)? Is it safe or a virus? - SpyShelter, accessed April 8, 2025, https://www.spyshelter.com/exe/microsoft-windows-mstsc-exe/
The Windows Process Journey — “mstsc.exe” (Remote Desktop ..., accessed April 8, 2025, https://medium.com/@boutnaru/the-windows-process-journey-mstsc-exe-remote-desktop-connection-981bae774bac
What Is MSTSC Command and How to Use It to Run Remote Desktop - MiniTool, accessed April 8, 2025, https://www.minitool.com/lib/mstsc.html
Easy Guide to MSTSC Command Lines - Parallels, accessed April 8, 2025, https://www.parallels.com/blogs/ras/mstsc-commands-alternatives/
mstsc | Microsoft Learn, accessed April 8, 2025, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
Is this MSTSC legit..? It installed itself when I installed Cloud Storage software. It is a hidden app and i can't uninstall it. : r/windows - Reddit, accessed April 8, 2025, https://www.reddit.com/r/windows/comments/163uyd3/is_this_mstsc_legit_it_installed_itself_when_i/
Mstsc | Microsoft Learn, accessed April 8, 2025, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753907(v=ws.11)
Narrowing down what's running mstsc.exe : r/techsupport - Reddit, accessed April 8, 2025, https://www.reddit.com/r/techsupport/comments/tcreiw/narrowing_down_whats_running_mstscexe/
RDP Session Recording & Monitoring with Syteca | Syteca, accessed April 8, 2025, https://www.syteca.com/en/blog/monitoring-rdp-sessions
A Guide to Optimal Security with Remote Desktop Monitoring - Insightful, accessed April 8, 2025, https://www.insightful.io/blog/optimizing-security-remote-desktop-monitoring
How to monitor remote desktop activity | ManageEngine ADAudit Plus, accessed April 8, 2025, https://www.manageengine.com/products/active-directory-audit/how-to/how-to-monitor-remote-desktop-activity.html
Identifying malicious Remote Desktop Protocol (RDP) connections with Elastic Security, accessed April 8, 2025, https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security
Remote Desktop Monitoring – Advice For Improving RDSH Security - Syskit Point, accessed April 8, 2025, https://www.syskit.com/blog/remote-desktop-monitoring-security-advice/
Remote Access Security Best Practices - Netwrix, accessed April 8, 2025, https://www.netwrix.com/remote-access-security-best-practices.html
Are there any RDP activity logs? - Windows Server 2008 R2, accessed April 8, 2025, https://serverfault.com/questions/206085/are-there-any-rdp-activity-logs-windows-server-2008-r2
Tutorial: How to Check RDP Windows Server Connection Logs, accessed April 8, 2025, https://www.anyviewer.com/how-to/windows-server-connection-logs-2578.html
How to collect RDP access logs for my windows machine? - Learn Microsoft, accessed April 8, 2025, https://learn.microsoft.com/en-us/answers/questions/486771/how-to-collect-rdp-access-logs-for-my-windows-mach
Auditing RDP connections - Michael Firsov - WordPress.com, accessed April 8, 2025, https://michaelfirsov.wordpress.com/auditing-rdp-connections/
What is RDP in Cyber Security? - RDS Tools, accessed April 8, 2025, https://rds-tools.com/what-is-rdp-in-cyber-security/
MS15-082: Vulnerabilities in RDP could allow remote code execution: August 11, 2015, accessed April 8, 2025, https://support.microsoft.com/en-us/topic/ms15-082-vulnerabilities-in-rdp-could-allow-remote-code-execution-august-11-2015-1ffe98f4-6797-7e57-3321-7a039b4f1731
vulnerability - CVE - Search Results, accessed April 8, 2025, https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rdp+windows
Remote Desktop Protocol vulnerabilities exploitation - IstroSec, accessed April 8, 2025, https://istrosec.com/blog/rdp/
10 Best Practices for Enhancing Remote Desktop Security - Splashtop, accessed April 8, 2025, https://www.splashtop.com/blog/top-10-best-practices-for-enhancing-remote-desktop-security
How To Secure RDP: Best Practices for Protecting Your Remote Desktop - Cloudzy, accessed April 8, 2025, https://cloudzy.com/blog/secure-rdp/
Secure Remote Access: Risks, Auditing, and Best Practices - Perception Point, accessed April 8, 2025, https://perception-point.io/guides/byod/secure-remote-access-risks-auditing-and-best-practices/
Best practices for securing Remote Desktop connections? : r/AskNetsec - Reddit, accessed April 8, 2025, https://www.reddit.com/r/AskNetsec/comments/1dkj5xd/best_practices_for_securing_remote_desktop/
Remote Desktop Event Log Analysis: Variations in Logging for Event ..., accessed April 8, 2025, https://www.aon.com/cyber-solutions/aon_cyber_labs/remote-desktop-event-log-analysis_variations-in-logging-for-event-id-1029/
Audit Policy Recommendations | Microsoft Learn, accessed April 8, 2025, https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations
Windows RDP-Related Event Logs: Identification, Tracking, and Investigation, accessed April 8, 2025, https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
How to see security logs (4625) of RDP DNS connection on windows server 2022, accessed April 8, 2025, https://learn.microsoft.com/en-us/answers/questions/2199258/how-to-see-security-logs-(4625)-of-rdp-dns-connect?forum=windowserver-all&referrer=answers
Most basic Windows audit log monitoring solution (login/rdp alerts) : r/sysadmin - Reddit, accessed April 8, 2025, https://www.reddit.com/r/sysadmin/comments/1cx4745/most_basic_windows_audit_log_monitoring_solution/