Remote Desktop (RDP) Monitoring

A comprehensive guide to configuring, managing, and understanding Remote Desktop Protocol (RDP) session alerts in Login AlertX to secure your Windows servers and remote workstations.

Overview

Remote Desktop Protocol (RDP) is a staple for IT administrators, remote workers, and managed service providers (MSPs). However, exposed RDP ports (typically Port 3389) are among the most targeted entry points for brute-force attacks, credential stuffing, and unauthorized access.

Login AlertX monitors Windows Event Logs specifically for Logon Type 10 (Remote Interactive) events. Unlike basic scripts that merely check if RDP is enabled, Login AlertX provides real-time, contextual alerts the moment an RDP session is established, ensuring you have immediate visibility into who is accessing your machine and from where.

How RDP Monitoring Works

Login AlertX operates as a background Windows Service, subscribing to system event channels rather than continuously polling, which ensures zero CPU overhead. When an RDP session occurs, Windows generates specific security audit events.

Monitored Windows Event IDs
Event ID Source Description Alert Trigger
4624 Security An account was successfully logged on. Yes (Logon Type 10)
4625 Security An account failed to log on. Yes (If RDP failure detected)
24 Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Session has been disconnected. No
21 Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Session logon succeeded. Yes

Note: For Event ID 4624 and 4625 to be generated, Windows Group Policy must have “Audit Logon” enabled under Security Settings -> Local Policies -> Audit Policy. Login AlertX will warn you if this is disabled.

Anatomy of an RDP Alert

When an RDP connection is detected, Login AlertX compiles a comprehensive alert payload and routes it to your configured channels (Email, Slack, Teams, etc.). Below is the data context included in a standard RDP alert:

  • Target Account

    The specific local or Active Directory Windows account that was targeted during the remote session request.

  • Source Network Address

    The public IPv4 or IPv6 address of the device initiating the RDP connection.

  • Geolocation Data

    Approximate country, region, and city derived from the source IP address to identify anomalous locations.

  • Timestamp (UTC & Local)

    The exact date and time the session was authenticated, displayed in both the PC’s local time and UTC.

  • Target Hostname

    The NetBIOS or DNS name of the machine being accessed, crucial for environments monitoring multiple servers.

  • Logon Type

    Explicitly states Logon Type 10 to confirm the access was remote interactive, differentiating it from local logins (Type 2) or network logins (Type 3).

Configuration Guide

By default, RDP monitoring is active alongside local login monitoring. However, for specific enterprise scenarios, you may want to customize this behavior.

Step 1: Access Monitoring Settings

Open the Login AlertX system tray icon, navigate to Notification Preferences > Notify Me For.

Step 2: Select RDP Events

If you only want to receive alerts for Remote Desktop sessions and ignore physical local logins, select all “RDP” events from the list.

Step 3: Configure Alert Routing

Navigate to Notification Preferences> Notification Channels. While Email is default, RDP alerts are most effective when routed to team communication tools. Configure your Slack or Microsoft Teams webhook to ensure your IT team sees the alert instantly in a shared channel.

Step 4: Enable AI Risk Scoring (Premium)

Enable AI Risk Detection

Enterprise & Advanced Use Cases

Headless Server Farms

In environments where servers are rarely accessed physically, any RDP login is a significant event. Isolating RDP alerts ensures administrators are only notified for actual remote interventions, reducing alert fatigue from automated service accounts.

Brute Force Detection

While Login AlertX alerts on successful logins, monitoring failed RDP login attempts (Event ID 4625) in conjunction with success alerts provides immediate context. A sudden success alert following a pattern of failures is a strong indicator of a compromised credential.

MSP Client Auditing

Managed Service Providers can deploy Login AlertX across client endpoints. Routing RDP alerts to a centralized Slack workspace or MSP-specific Teams channel creates an auditable log of remote access for compliance and security reviews.

Troubleshooting RDP Alerts

  1. Verify Windows Audit Logon is enabled in Group Policy (gpedit.msc).
  2. Check if you have selected all RDP monitoring.
  3. Review the Login History in the app to confirm the event was captured locally. If it is there but no alert was sent, check your Alert Channel configuration and SMTP/Webhook logs.

Geolocation is based entirely on the public IP address of the connecting user. If the user is behind a corporate VPN, the location will reflect the VPN’s exit node (e.g., showing a connection from New York when the user is in London). This is expected behavior.

Yes. Login AlertX monitors the target endpoint machine. Regardless of whether the RDP connection comes directly over Port 3389, through an RD Gateway, or via a tunnel (like SSH port forwarding), Windows registers the final authentication as a local Logon Type 10 event, which Login AlertX captures.
Scroll to Top