How to Monitor Remote Desktop Activity?

Monitoring remote desktop activity is key to ensuring security, compliance and productivity in environments that frequently utilize remote access. This guide provides a clear outline of the steps and tools needed to effectively track Remote Desktop Protocol (RDP) sessions and user activities.

Why Monitor Remote Desktop Activity?

Monitoring remote desktop activity is vital for several reasons:

• Enhanced Security:

  • Identifying and stopping unauthorized access attempts, like brute-force attacks.
  • Detecting and addressing suspicious actions, such as unusual login times or extended long idle sessions.

• Compliance:

  • Making sure you meet industry regulations, like HIPAA and PCI DSS, which mandate auditing user access.

• Improved Operational Efficiency:

  • Keeping track of user sessions and pinpointing areas where user behavior and system usage can be optimized.

Methods to Monitor Remote Desktop Activity

1. Turn on Remote Desktop Logging in Windows Event Viewer

Windows keeps track of RDP session activities in the Event Viewer.

Steps to Enable and View Logs:

1. Open Event Viewer:

   • Press Windows + R, type eventvwr, and press Enter.

2. Navigate to Security Log:

   • In the Event Viewer, navigate to Windows Logs > Security.

3. Check Existing Logs (Optional):

   • Before you enable any specific logging, you might want to see if there are any existing RDP-related events:
     
     • Event ID 4624: Successful logon.
       
       • This event logs successful logon attempts, including those made through RDP.
     • Event ID 4625: Failed logon attempt.
       
       • This event captures failed logon attempts, which can include RDP connection issues.
     • Event ID 4634: Logoff.
       
       • This event records logoff actions, including those initiated by RDP users.

View RDP-Related Events:

• In the event list, you can filter the events by Event ID (like 4624, 4625, 4634) to find entries related to RDP.
• Double-click on an event to see its details, including user info, source computer, and logon type.

Important Notes:

• Administrative Privileges: You’ll need admin rights on the target computer to access and tweak Event Viewer settings.
• Logon Types: Event IDs like 4624 may include logons from various sources, not just RDP. You might need to dig into the details of each event to see if it’s related to an RDP session.

2. Enable Audit Policies for Detailed RDP Activity Tracking

To keep a close eye on RDP activities in Windows, you can turn on some specific audit policies.

Here’s how to do it:

1. Open Group Policy Editor:

   • Press Windows + R, type gpedit.msc, and press Enter.

2. Navigate to Audit Policy Configuration:

   • Navigate to "Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration."

3. Configure Audit Policies:

   • Expand "Audit Policies" and then "Account Logon".
     
     • Enable "Audit Account Logon Events".
       
       • This will track both successful and failed logon attempts, including those made through RDP.
   • Expand "Audit Policies" and then "Logon/Logoff".
     
     • Enable "Audit Logon Events".
       
       • This will capture user logon and logoff events, which can include RDP sessions.
     • Enable "Audit Logoff Events".
       
       • This will specifically capture events when users log off, including those initiated by RDP.

4. (Optional) Configure Specific Audit Events:

   • You can get even more detailed by enabling specific audit events in the "Account Logon" and "Logon/Logoff" categories.
   • For instance: 
     
     • "Audit Account Logon Events" may include sub-events like "Account Logon," "Account Logoff," and "Account Lockout."
     • "Audit Logon Events" may include sub-events like "Logon/Logoff" and "Network Logon."

5. Apply and Close:

   • Click Apply and then OK to save the changes.

Important Notes:

• Administrative Privileges: You’ll need admin rights to change Group Policy settings.
• Group Policy Scope: The changes will only apply to the specific scope of that policy (like a single computer or a domain).
• Event Volume: Turning on extensive auditing can create a lot of events in the security log, which might affect performance. It’s a good idea to adjust log settings to manage log size.

3.PowerShell Commands for Monitoring Remote Desktop Activity

PowerShell scripts are a powerful way to extract detailed information about remote desktop sessions.

Example Command:

Get-WinEvent -LogName Security -FilterHashtable @{LogonType=3} | Select-Object TimeCreated, UserName, LogonID

What This Command Does:

• Get-WinEvent: Retrieves events from the Windows event logs.

• LogName Security: Focuses on the "Security" log, which records login events.

• FilterHashtable @{LogonType=3}: Filters the events to show only interactive logons, which typically include Remote Desktop Protocol (RDP) sessions.

• Select-Object TimeCreated, UserName, LogonID: Displays the time of the logon, the username, and the unique logon ID for each event.

Additional Useful Commands:

• To check failed logon attempts: 

  • Get-WinEvent -LogName Security -FilterHashtable @{LogonType=3; Success=0} | Select-Object TimeCreated, UserName, LogonID
  • This command filters for unsuccessful interactive logon attempts.
• To monitor logons for a specific user:
  • Get-WinEvent -LogName Security -FilterHashtable @{LogonType=3; UserName="username"} | Select-Object TimeCreated, UserName, LogonID
  • Replace "username" with the actual username to track their remote desktop activity.

4.Use Remote Desktop Monitoring Tools

To effectively monitor Remote Desktop (RDP) activity, dedicated monitoring tools can provide a significant advantages beyond the basic logging features of Windows.

Here’s what you can expect from these advanced tools:

• Real-time Session Tracking:

  • Get a clear view of both active and idle RDP sessions.
  • Keep tabs on what users are doing in their sessions, including keystrokes (with the right consent and legal considerations), mouse movements, and which applications they're using.
  • Monitor how long each session lasts.

• Detailed User Activity Reporting:

  • Create reports that show user access patterns.
  • Find out who accessed the system, when they logged in and out, and from where (if you're tracking IP addresses).
  • Look at user activity trends to spot potential security risks or areas where user behavior could improve.

• Proactive Alerts and Notifications:

  • Receive immediate alerts for critical events:
    
    • Failed login attempts (like brute-force attacks)
    • Suspicious activities (like unusual login times or high-risk locations)
    • Long idle sessions (which could pose a security risk)
    • Unauthorized access attempts
  • Set up alerts to come through email, SMS, or right in the monitoring tool's interface.

• Compliance and Auditing:

  • Stay compliant with industry standards (like HIPAA or PCI DSS) by documenting and auditing all RDP activity.
  • Create an audit trail that can help during security investigations and incident responses.

• Centralized Management:

  • Oversee and manage RDP activity across multiple devices and users from one central console.
  • Make administration easier and boost your overall security posture.

Best Practices for Monitoring Remote Desktop (RDP) Activity

1. Implement Strong Authentication:

   • Multi-Factor Authentication (MFA): Make it a rule to enforce MFA for every RDP connection. This adds an extra layer of security by asking users to provide two or more forms of identification, like a username and password, a fingerprint, or a security token.
   • Least Privilege: Only give users the permissions they absolutely need. Avoid handing out administrative privileges unless it’s really necessary.

2. Secure Network Access:

   • Restrict Access: Limit RDP access to certain IP addresses or subnets to keep unauthorized connections from untrusted networks at bay.
   • VPN: Use a Virtual Private Network (VPN) to encrypt all RDP traffic, ensuring that your communication channels are secure.

3. Configure Robust Auditing:

   • Enable Detailed Logging: Set up Windows Event Viewer or a Security Information and Event Management (SIEM) solution to capture detailed logs of all RDP activity.
   • Audit Key Events: Keep an eye on successful and failed logon attempts, logoff events, and any changes made to RDP configuration.

4. Proactive Alerting:

   • Configure Alerts for Unusual Activity: Set up alerts for:
     
     • Multiple failed login attempts (which could indicate brute-force attacks)
     • Logins from unexpected locations
     • Unusually long sessions
     • Suspicious activity flagged by security tools (like antivirus or intrusion detection systems) 
   • Alert Delivery: Make sure alerts are sent via email, SMS, or through the monitoring tool's interface.

5. Regular Log Reviews:

   • Scheduled Reviews: Regularly review security logs to spot and investigate any suspicious activity.
   • Security Information and Event Management (SIEM): Implement a SIEM solution to correlate security events from various sources, including RDP logs, giving you a centralized view of security threats.

6. Keep Software Updated:

   • Patch Management: Regularly update your operating system and all relevant software, including RDP clients and servers, with the latest security patches to fix vulnerabilities.

7. User Education:

   • Security Awareness Training: It's crucial to teach users the best practices for using RDP, like spotting phishing attempts and steering clear of suspicious links.

By following these best practices, organizations can greatly boost the security of their RDP environments and reduce the chances of unauthorized access and data breaches.

Related articles

Auditing Remote Desktop Services:

This article dives into auditing within a Remote Desktop Services environment, but many of the principles can be applied to general RDP monitoring.

• https://learn.microsoft.com/en-us/compliance/assurance/assurance-audit-logging

Monitoring Remote Access:

Here, you'll find a discussion on monitoring features for DirectAccess and VPN connections, which can shed light on remote user activity.

• https://learn.microsoft.com/en-us/windows-server/remote/remote-access/ras/monitoring-and-accounting/use-remote-access-monitoring-and-accounting

Remote Desktop Services Overview:

This gives a broad overview of Remote Desktop Services, covering important security and management aspects.

• https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remote-desktop-services-overview

Others:

1. Microsoft's Audit Policy Recommendations
2. How to Track Group Policy Changes
3. How to Check Active Directory (AD) Event Logs