No matching documentation found
Remote Desktop (RDP) Monitoring
A comprehensive guide to configuring, managing, and understanding Remote Desktop Protocol (RDP) session alerts in Login AlertX to secure your Windows servers and remote workstations.
Overview
Remote Desktop Protocol (RDP) is a staple for IT administrators, remote workers, and managed service providers (MSPs). However, exposed RDP ports (typically Port 3389) are among the most targeted entry points for brute-force attacks, credential stuffing, and unauthorized access.
Login AlertX monitors Windows Event Logs specifically for Logon Type 10 (Remote Interactive) events. Unlike basic scripts that merely check if RDP is enabled, Login AlertX provides real-time, contextual alerts the moment an RDP session is established, ensuring you have immediate visibility into who is accessing your machine and from where.
How RDP Monitoring Works
Login AlertX operates as a background Windows Service, subscribing to system event channels rather than continuously polling, which ensures zero CPU overhead. When an RDP session occurs, Windows generates specific security audit events.
Monitored Windows Event IDs
| Event ID | Source | Description | Alert Trigger |
|---|---|---|---|
| 4624 | Security | An account was successfully logged on. | Yes (Logon Type 10) |
| 4625 | Security | An account failed to log on. | Yes (If RDP failure detected) |
| 24 | Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | Session has been disconnected. | No |
| 21 | Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | Session logon succeeded. | Yes |
Note: For Event ID 4624 and 4625 to be generated, Windows Group Policy must have “Audit Logon” enabled under Security Settings -> Local Policies -> Audit Policy. Login AlertX will warn you if this is disabled.
Anatomy of an RDP Alert
When an RDP connection is detected, Login AlertX compiles a comprehensive alert payload and routes it to your configured channels (Email, Slack, Teams, etc.). Below is the data context included in a standard RDP alert:
-
Target Account
The specific local or Active Directory Windows account that was targeted during the remote session request.
-
Source Network Address
The public IPv4 or IPv6 address of the device initiating the RDP connection.
-
Geolocation Data
Approximate country, region, and city derived from the source IP address to identify anomalous locations.
-
Timestamp (UTC & Local)
The exact date and time the session was authenticated, displayed in both the PC’s local time and UTC.
-
Target Hostname
The NetBIOS or DNS name of the machine being accessed, crucial for environments monitoring multiple servers.
-
Logon Type
Explicitly states
Logon Type 10to confirm the access was remote interactive, differentiating it from local logins (Type 2) or network logins (Type 3).
Configuration Guide
By default, RDP monitoring is active alongside local login monitoring. However, for specific enterprise scenarios, you may want to customize this behavior.
Step 1: Access Monitoring Settings
Open the Login AlertX system tray icon, navigate to Notification Preferences > Notify Me For.
Step 2: Select RDP Events
If you only want to receive alerts for Remote Desktop sessions and ignore physical local logins, select all “RDP” events from the list.
Step 3: Configure Alert Routing
Navigate to Notification Preferences> Notification Channels. While Email is default, RDP alerts are most effective when routed to team communication tools. Configure your Slack or Microsoft Teams webhook to ensure your IT team sees the alert instantly in a shared channel.
Step 4: Enable AI Risk Scoring (Premium)
Enable AI Risk Detection
In environments where servers are rarely accessed physically, any RDP login is a significant event. Isolating RDP alerts ensures administrators are only notified for actual remote interventions, reducing alert fatigue from automated service accounts. While Login AlertX alerts on successful logins, monitoring failed RDP login attempts (Event ID 4625) in conjunction with success alerts provides immediate context. A sudden success alert following a pattern of failures is a strong indicator of a compromised credential. Managed Service Providers can deploy Login AlertX across client endpoints. Routing RDP alerts to a centralized Slack workspace or MSP-specific Teams channel creates an auditable log of remote access for compliance and security reviews.Enterprise & Advanced Use Cases
Headless Server Farms
Brute Force Detection
MSP Client Auditing
Troubleshooting RDP Alerts
