Remote Desktop (RDP) Access on Windows Systems

Network Access Control (NAC) manages and regulates devices accessing a organization's network(s), including personal devices under a Bring Your Own Device (BYOD) policy. NAC systems ensure that only authorized and compliant devices can connect to the network, reducing security risks.
 

NAC performs the following functions:

• Device Authentication and Authorization: Checks whether the device meets the organization’s security policies before granting access.
• Compliance Checks: Verifies that devices have up-to-date security patches and configurations. Non-compliant devices may be denied access or placed in a quarantined network zone.
• Segmentation and Isolation: Restricts devices' access to sensitive areas, limiting potential impact from compromised devices.
• Continuous Monitoring: Tracks connected devices for ongoing compliance and can automatically quarantine or disconnect those that fall out of compliance.
• Policy Enforcement: Applies security policies to ensure devices can only access appropriate resources based on their security status.

NAC functionality can be provided by dedicated NAC appliances, next-generation firewalls, unified threat management devices, and some network switches and routers.

Network Intrusion Prevention Systems (NIPs) can alert on abnormal, suspicious, or malicious patterns of network behavior, and take autonomous actions to stop the behavior, such as resetting a network connection.

Next-generation firewall (NGFW) network appliances and services provide the ability to control network traffic based on rules. These firewalls provide basic firewall functionality, such as simple packet filtering based on static rules and track the state of network connections. They can also provide the ability to control network traffic based on Application Layer rules, among other advanced features to control network traffic.

A example of simple functionality would be blocking network traffic to or from a specific IP address, or all network traffic to a specific port number. An example of more advanced functionality would be blocking all network traffic that appears to be SSH or FTP traffic to any port on any IP address.

Only allow necessary protocols to communicate over the network. Implement strict access controls to prevent unauthorized protocols from being used. Typically these controls would be implemented on next-generation firewalls with Deep Packet Inspection (DPI) and other network security appliances.

The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

Windows Group Policy can be used to prevent specific accounts from accessing Registry Editor. This can prevent them from reading the registry or making modifications, if their permissions allow, using this utility.

An agent capable of Endpoint Detection and Response (EDR) is a software agent installed on organization endpoints (such as laptops and servers) that (at a minimum) records the Operating System, application, and network activity on an endpoint.

Typically EDR operates in an agent/server model, where agents automatically send logs to a server, where the server correlates those logs based on a rule set. This rule set is then used to surface potential security-related events, that can then be analyzed.

An EDR agent typically also has some form of remote shell capability, where a user of the EDR platform can gain a remote shell session on a target endpoint, for incident response purposes. An EDR agent will typically have the ability to remotely isolate an endpoint, where all network activity is blocked on the target endpoint (other than the network activity required for the EDR platform to operate).

An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user Is expected to conduct the activity.

The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).

Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.

Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms.

An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.

The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established.

A User Behaviour Analytic platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be later used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious.

Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms.

Monitor for changes to critical Windows Registry keys responsible for controlling Remote Desktop Protocol (RDP) functionality. Unauthorized changes may indicate an insider preparing systems for unauthorized remote access.

Detection Methods

• Enable auditing of registry key changes through Windows Advanced Audit Policy (Event ID 4657).
• Monitor the specific key HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections.
• Alert when the value is changed from 1 (RDP disabled) to 0 (RDP enabled).
• Track changes to firewall configurations permitting inbound TCP traffic on port 3389.

Indicators

• Registry modifications enabling RDP on systems without associated change requests.
• Modifications made by users without administrative responsibilities.
• Creation of new firewall rules allowing inbound RDP connections on unauthorized systems.

Monitor and alert when users are added to the local Remote Desktop Users group on Windows systems. Unauthorized additions to this group provide remote logon privileges and may indicate preparatory insider activity.

Detection Methods

• Audit group membership changes using Windows Security Event ID 4732.
• Track additions to the Remote Desktop Users group (SID: S-1-5-32-555).
• Correlate membership changes with user identity, prior privilege levels, and change management records.

Indicators

• Unauthorized or unexpected users added to the Remote Desktop Users group.
• Membership changes performed outside approved IT operations or helpdesk interventions.
• Additions correlated with accounts flagged for prior policy violations or behavioral risk indicators.

Monitor and alert when the SystemPropertiesRemote.exe binary is executed, particularly by non-administrative users or accounts without prior history of remote access configuration. This executable launches the Remote tab within System Properties, a primary interface for enabling Remote Desktop or Remote Assistance.

Detection Methods

• Enable process creation auditing (Windows Event ID 4688) to capture execution events.
  Deploy EDR or SIEM rules to specifically alert on SystemPropertiesRemote.exe launches.
  Flag executions by users outside of IT, system administration, or authorized privileged groups.
  Correlate execution events with time-of-day, user role, and subsequent system configuration changes.

Indicators

• Execution of SystemPropertiesRemote.exe by non-privileged users.
  Executions occurring outside standard business hours or approved change windows.
  Execution activity associated with further remote access configuration changes or registry modifications.