RDP Detection

by Dave Breslin
April 13, 2012

[Sample table: PVSRDPSessions]

This report template was designed to detail the detection of RDP (Remote Desktop Protocol) servers and connections. An RDP server is also referred to as a server providing Terminal Services or Remote Desktop Services. The sample table above was generated by one of the four chapters in the template. To see a full report, use the download example link.

The report chapters require various Tenable USM products, as explained below. You may wish to modify the report and remove the chapters that are not relevant to your deployed USM product set.

The "PVS RDP Realtime Session Detection using LCE – Last hour" chapter uses the PVS realtime plugins 5954 and 5935, which send alerts to the Log Correlation Engine (LCE), to report on session activity in the last hour. The component provides visibility into the actual use of RDP servers across the network, derived from PVS's passive monitoring (sniffing) of network traffic. You may wish to alter the area chart report component to increase the report duration, perhaps to the last 48 hours or last 7 days.

The "PVS RDP Realtime Session Detection Details using LCE – Last hour" chapter also uses the PVS realtime plugin alerts sent to the Log Correlation Engine to report on session activity in the last hour, but it provides the detail of each detected session so the source and destination IP addresses can be reviewed and checked. You may wish to alter the table report component to increase the report duration, perhaps to the last 48 hours or last 7 days.

The "Nessus RDP Detection" chapter uses Nessus plugin 10940, Windows Terminal Services Enabled, to report on any hosts detected with an RDP server installed and running. The NetBIOS name and FQDN are returned by Nessus plugins 10150 and 12053 when they are enabled in the scan.
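As an added example (not code from the report template or from Tenable), the following Python script reproduces this chapter's logic over a constructed .nessus v2 export: it lists every host on which plugin 10940 fired, with the NetBIOS name and FQDN beside it. It assumes the `netbios-name` and `host-fqdn` HostProperties tags are what plugins 10150 and 12053 populate; the sample export is constructed.

```python
# Added example: collect RDP-enabled hosts from a Nessus .nessus (v2) export,
# as the "Nessus RDP Detection" chapter does. Plugin 10940 marks Terminal
# Services as running; NetBIOS name and FQDN are read from the host
# properties that plugins 10150 and 12053 populate (tag names assumed).
import xml.etree.ElementTree as ET
RDP_PLUGIN_ID = "10940"  # Windows Terminal Services Enabled
# Constructed sample export: one host with RDP on 3389, one without.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
 <Report name="rdp-sample">
  <ReportHost name="192.0.2.10">
   <HostProperties>
    <tag name="host-ip">192.0.2.10</tag>
    <tag name="netbios-name">WKS01</tag>
    <tag name="host-fqdn">wks01.example.test</tag>
   </HostProperties>
   <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="0"
    pluginID="10940" pluginName="Windows Terminal Services Enabled"/>
  </ReportHost>
  <ReportHost name="192.0.2.20">
   <HostProperties><tag name="host-ip">192.0.2.20</tag></HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0"
    pluginID="10150" pluginName="Windows NetBIOS / SMB Remote Host Information Disclosure"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

def rdp_hosts(nessus_xml):
    """Return one dict per host/port on which plugin 10940 fired."""
    rows = []
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        # HostProperties tags become a simple name -> value map.
        props = {t.get("name"): (t.text or "").strip()
                 for t in host.findall("HostProperties/tag")}
        for item in host.findall("ReportItem"):
            if item.get("pluginID") != RDP_PLUGIN_ID:
                continue
            rows.append({
                "ip": props.get("host-ip", host.get("name")),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "netbios_name": props.get("netbios-name", ""),
                "fqdn": props.get("host-fqdn", ""),
            })
    return rows

if __name__ == "__main__":
    for row in rdp_hosts(SAMPLE_NESSUS):
        print("{ip:15} {port}/{protocol}  {netbios_name:12} {fqdn}".format(**row))
```

Hosts where only plugin 10150 or 12053 fired are not listed, which matches the chapter's behaviour of keying the table on plugin 10940.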

The "PVS RDP Detection" chapter uses passive plugin 1153 to indicate installations of RDP servers found by passively monitoring (sniffing) a network. This chapter does not require the Log Correlation Engine because it uses SecurityCenter's cumulative database.