Monitoring remote desktop protocol (RDP) connections to your infrastructure is essential for maintaining a secure IT environment and managing insider risks. Additionally, recording remote user activity on your organization’s servers and other critical endpoints is often a requirement of cybersecurity laws and regulations.
This article will guide you on how to monitor RDP connections to your infrastructure server, Jump server, Citrix server, or any other endpoint with Ekran System Client installed. You will learn how to:
- Receive notifications on RDP connections
- Monitor and record RDP sessions
- View and block RDP sessions in real time
- View and audit recorded RDP sessions
- Export user sessions for investigation purposes
- Generate reports on RDP connections to your endpoints
This post will be equally useful for those who already use Ekran System and for those who want to familiarize themselves with its capabilities.
Why monitor RDP sessions?
It’s necessary to monitor remote user sessions and connections to your critical endpoints for several reasons:
Increase visibility. Monitoring RDP sessions provides visibility by allowing your organization to track remote user behavior on critical endpoints. It helps identify who is accessing the system and when, as well as what actions they are performing. Recording user sessions can also help you collect evidence for investigating security incidents.
Mitigate cybersecurity risks. Increased visibility can help you detect any suspicious or unauthorized remote user activities that may pose a security risk. You will also be able to proactively identify potential cybersecurity risks such as insider threats and take appropriate measures to mitigate them.
Maintain cybersecurity compliance. Monitoring user activity is often a requirement of cybersecurity standards, laws, and regulations such as HIPAA, ISO 27001, SOX, and PCI DSS. By monitoring remote desktop activity, your organization can meet these requirements, secure sensitive data, and avoid potential penalties or legal consequences.
Respond to incidents. Monitoring remote user activity enables you to promptly detect and respond to cyber threats. With real-time RDP session monitoring, you can immediately act to mitigate the impact of security incidents, investigate their root cause, and prevent further damage or data breaches.
Read our articles on how to manage insider risks in hybrid and remote work environments to discover the risks associated with remote users and learn best practices to mitigate them.
Using Ekran System to monitor RDP sessions
Ekran System is a universal insider risk management platform for deterring, detecting, and disrupting insider threats.
Among other features, Ekran System offers a comprehensive user session recording tool to let you monitor and record local and RDP user sessions on all of your organization’s endpoints. Ekran System is a flexible solution with a range of deployment options.
Without further ado, let’s see how to monitor remote desktop sessions in your IT infrastructure with Ekran System. You can also watch a YouTube video on how to record RDP sessions:
Note: Further instructions only work for organizations that have deployed Ekran System in their IT infrastructure.
User Activity Monitoring (UAM) with Ekran System
Receive notifications on RDP connections
When dealing with a highly critical endpoint, you may want not only to record user sessions but also to receive real-time notifications whenever an RDP connection is established.
To do so, open the Alert Management page.
Ekran System has a list of default alerts that cover some of the most popular use cases and cybersecurity threats.
The alert we need is the Session start alert. To quickly find it, type in the alert’s name in the search box.
Click the Edit Alert icon to configure this alert.
In the Assigned Clients section, click Add to add the server or other computers on which incoming remote connections must be detected.
Down the page, you can configure the alert notifications and additional actions to be performed when an alert is triggered.
Select the Send emails to option and enter the email address notifications will be sent to.
Then click Finish. Now you will receive an email each time a remote connection to the selected server is established.
You can also set up other alerts to be notified about suspicious behavior of your local and remote users. For example, you can receive notifications when a remote user tries to upload a file to the cloud, enters a specific keyword, or installs an application.
In addition to notifications, you can set the system to automatically respond to certain actions by blocking a user, showing them a warning message, or killing the process.
Monitor and record RDP sessions
How to monitor RDP sessions? By default, Ekran System monitors sessions of both local and remote users working on endpoints with the Ekran System Client application installed.
When you only need to monitor remote employees, third-party vendors, and other external users, you may like to record only corresponding sessions. In this case, you need to set up the IP filtering feature on the target endpoint.
To exclude recording of internal user sessions on the selected endpoint, open the Client Management page.
You can easily search for the required endpoint by keyword. Then click on the endpoint’s name in the Client Name column.
Open the Remote Host IP Filtering tab.
In the Filter State drop-down menu, select Monitor activity from all remote public IP addresses except.
In the field below, define the IP addresses of internal users’ computers, sessions from which must be skipped.
Click Finish to save the settings. Ekran System will now monitor only remote user connections to your endpoints.
Third-Party Vendor Security Monitoring with Ekran System
View and block RDP sessions in real time
Let’s suppose that you got an email notification about a remote third-party user connection to your server. You can open the session via the direct link provided in the email.
In the Session Player, you can view the screen recording and metadata for the session.
If a remote user is still connected to your server via an RDP session, you can view what the user is doing in real time by clicking the Live button. This can help you implement the four-eyes principle, meaning that any external user activity carrying potential risks is reviewed by a second person.
If a user is performing potentially harmful or forbidden actions, you can block them by clicking the Block User button.
Click the Live button again to stop playing the Live session.
View and audit recorded RDP sessions
Now let’s check RDP connection logs of previously recorded user sessions on the monitored server.
On the Monitoring Results page, you can filter sessions by server name.
In the session grid, you can view information about remote connections, such as the name and IP address of the remote computer from which the connection to the server is established.
Double-click the session to view screen recordings and more details in the Session Player.
Export user sessions for investigation purposes
You can export the session in encrypted form to view session data on on any computer even without access to the management tool.
Open the session you want to export. In the Session Player, click the Tool icon and select Forensic Export in the drop-down menu.
In the pop-up window, define the necessary settings and click Export. You can protect the exported session with a password.
As soon as the export finishes, you can download the resulting file on the Forensic History page.
Note: You will need to download the Ekran Forensic Player to view the exported session.
By the way: You can verify the integrity of an exported session using the SHA-256 file hash displayed on the Forensic Export History page.
Generate reports on RDP connections to your endpoints
You can regularly receive all necessary information about remote connections to the server in a summary report generated ad-hoc or sent to your email on schedule.
To do this, open the Reports page and select the Session Grid Report in the Report Type drop-down menu.
You can view the description and a sample of the selected report on the right.
Click Add in the Clients section and select the endpoints for which the report will be generated. You can search for endpoints in the search box.
Define other options and click the Generate Report button to get the report.
To schedule the report, open the Scheduled Report tab and click Add.
On the opened Add Rule page, select the Enable scheduled report generation option, enter a name for the rule, and click Next.
Then set the report parameters and enter the email address to which the report will be sent. Click Finish.
The report will be automatically created and sent to your email address with the defined frequency.
Enhanced Auditing and User Activity Reporting with Ekran System
Conclusion
Monitoring RDP sessions increases visibility into user activities, helps mitigate cybersecurity risks, ensures your organization’s compliance with cybersecurity requirements, and enables you to respond effectively to security incidents.
Ekran System can monitor and record remote user connections to your organization’s critical endpoints. The following Ekran System capabilities can help you manage insider threats and enhance overall organizational cybersecurity:
- Privileged access management (PAM) to granularly control users’ access permissions
- User activity monitoring (UAM) to see what is going on in your system
- Alerting and incident response to promptly detect and respond to security threats
Request a free trial of Ekran System to start protecting your organization today!
Share:
