UCF STIG Viewer Logo

Systems must be monitored for remote desktop logons.


Overview

Finding ID Version Rule ID IA Controls Severity
V-43714 AD.AU.0003 SV-56535r2_rule ECAT-1 Medium
Description
Remote Desktop activity for administration should be limited to specific administrators, and from limited management workstations. Monitoring for any Remote Desktop logins outside of expected activity can alert on suspicious behavior and anomalous account usage that could be indicative of potential malicious credential reuse.
STIG Date
Active Directory Domain Security Technical Implementation Guide (STIG) 2014-12-18

Details

Check Text ( C-49404r4_chk )
Verify Remote Desktop logins are being monitored. Event monitoring may be implemented through various methods including log aggregation and the use of monitoring tools.

Monitor for the events listed below. If these events are not monitored, this is a finding.

More advanced filtering is necessary to obtain the pertinent information than just looking for event IDs.
Search for the event IDs listed with the following additional attributes:
Logon Type = 10 (RemoteInteractive)
Authentication Package Name = Negotiate

Windows Vista and later:
Successful User Account Login (Subcategory: Logon)
4624 - An account was successfully logged on.

Windows 2003:
Successful Login (Logon Events)
528 - A user successfully logged on to a computer.
Fix Text (F-49315r4_fix)
More advanced filtering is necessary to obtain the pertinent information than just looking for event IDs.
Search for the event IDs listed with the following additional attributes:
Logon Type = 10 (RemoteInteractive)
Authentication Package Name = Negotiate

Windows Vista and later:
Successful User Account Login (Subcategory: Logon)
4624 - An account was successfully logged on.

Windows 2003:
Successful Login (Logon Events)
528 - A user successfully logged on to a computer.

The "Remote Desktop Logon Detection" section of NSA's "Spotting the Adversary with Windows Event Log Monitoring" provides a sample query for filtering.
http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf.