I wouldn't use the IPS portion, but rather the firewall. You can easily create a rule to allow or block and log the traffic for TCP/UDP 3389 (RDP).
I'm sure you could do it through the IPS as well, but easier to just create a simple rule rather than write a custom signature..
I agree. The customer, however, posed this question.
They want a way to capture logs or to track using the HIPS signatures. It is not something I have done , or would do, so I reached out to the boards to see if this has popped up elsewhere.
Hmm...the best way would be for an event log correlator for your network, but I imagine this may not be a possibility....although a GPO could fix that right up by telling the eventvwr to forward all 4624 events to someplace via the Subscription service.
Anyhow, besides that, I would put in a permit rule in the firewall for HIPS for port 3389 and log it as an intrusion...it will get caught up in your other Intrusion events, so you will have to create a specific query to grab those HIPS Properties events using Event ID 3702 or Threat name 3702 and IPS Param Name "Local Port" and IPS Param Name "Remote Port".
Let us know if you figure this out...wondering how other RDP tools like Hamachi or the SCCM Remote desktop tool would trigger.....
We ended up convincing the customer we could track (log) Using VSE Access Protection much better as it has a mini-HIPS component built in - Here is how & why to use this:
Why use this?
Open Policy Catalog
Select "Port Blocking Rule" on the popup
a window will open called "Network Port Access Protection Rule"
Do the steps below within -
the Rule: IE RDP-WS (or whatever you wish to call it)
both In/Out Bound
Ok & Repeat for Servers
Thanks, Agreed on McAfee Access Protection user defined rule is the best option to track on RDP.
Set a report not block so log will be generated in AP logs.