I wouldn't use the IPS portion, but rather the firewall. You can easily create a rule to allow or block and log the traffic for TCP/UDP 3389 (RDP).
I'm sure you could do it through the IPS as well, but it's easier to just create a simple rule rather than write a custom signature.
I agree. The customer, however, posed this question.
They want a way to capture logs or to track using the HIPS signatures. It is not something I have done, or would do, so I reached out to the boards to see if this has popped up elsewhere.
Hmm... the best way would be an event log correlator for your network, but I imagine this may not be a possibility... although a GPO could fix that right up by telling eventvwr to forward all 4624 events somewhere via the Subscription service.
Anyhow, besides that, I would put in a permit rule in the firewall for HIPS for port 3389 and log it as an intrusion... it will get caught up in your other Intrusion events, so you will have to create a specific query to grab those HIPS Properties events using Event ID 3702 or Threat name 3702 and IPS Param Name "Local Port" and IPS Param Name "Remote Port".
Let us know if you figure this out... wondering how other RDP tools like Hamachi or the SCCM Remote desktop tool would trigger...
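The event-log-correlator route mentioned in the post above (forwarding 4624 logon events) in code, as an added example that is not from this thread and not McAfee's: it filters forwarded 4624 records down to RemoteInteractive logons (Windows logon type 10, which is the type an RDP session produces) and pulls out the user, source workstation/IP, target host and date-time that a later post says the customer wants to track. The three event records are constructed samples, and the `(time, host, message)` tuple shape is an assumption about how the forwarded records are handed to the script.

```python
"""Summarise RDP (RemoteInteractive, logon type 10) logons from 4624 events."""
import re
from collections import Counter
from typing import NamedTuple, Optional

REMOTE_INTERACTIVE = "10"  # Windows LogonType 10 = RemoteInteractive (RDP)


class RdpLogon(NamedTuple):
    time: str          # date-time group from the forwarded record
    target_host: str   # computer that recorded the 4624 (where the session landed)
    user: str          # DOMAIN\account that logged on
    workstation: str   # Workstation Name field (client machine, if reported)
    source_ip: str     # Source Network Address field


# Matches one "Key:<tabs>value" line of the rendered 4624 message text.
FIELD_RE = re.compile(
    r"^[ \t]*(?P<key>[A-Za-z ]+?):[ \t]*(?P<val>\S.*?)?[ \t]*$", re.MULTILINE
)


def _fields(block: str) -> dict:
    """Collect the first occurrence of every 'Key: value' line in a message block."""
    out = {}
    for m in FIELD_RE.finditer(block):
        out.setdefault(m.group("key").strip(), (m.group("val") or "").strip())
    return out


def extract_rdp_logon(time: str, target_host: str, message: str) -> Optional[RdpLogon]:
    """Return an RdpLogon for a type-10 4624 message, or None for any other logon."""
    # Everything before "New Logon:" is the Subject (the process doing the logon);
    # the account we care about is the one in the New Logon section after it.
    head, sep, tail = message.partition("New Logon:")
    if not sep or _fields(head).get("Logon Type") != REMOTE_INTERACTIVE:
        return None
    f = _fields(tail)
    user = f.get("Account Domain", "?") + "\\" + f.get("Account Name", "?")
    return RdpLogon(time, target_host, user,
                    f.get("Workstation Name", "-"),
                    f.get("Source Network Address", "-"))


def rdp_logons(events):
    """Filter a list of (time, host, message) records to RDP logons."""
    return [r for r in (extract_rdp_logon(*e) for e in events) if r]


def summarise(events) -> Counter:
    """Count RDP sessions per (user, source IP, target host) tuple."""
    return Counter((r.user, r.source_ip, r.target_host) for r in rdp_logons(events))


# Constructed sample records (not real events): two RDP logons and one console logon.
SAMPLE_EVENTS = [
    ("2024-03-01 08:02:11", "WS-017", "An account was successfully logged on.\n\n"
     "Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\n"
     "Logon Type:\t\t\t10\n\n"
     "New Logon:\n\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105\n"
     "\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tCORP\n\n"
     "Network Information:\n\tWorkstation Name:\tADMIN-LT\n"
     "\tSource Network Address:\t10.1.20.15\n\tSource Port:\t\t51022\n"),
    ("2024-03-01 08:05:40", "WS-017", "An account was successfully logged on.\n\n"
     "Subject:\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\n"
     "Logon Type:\t\t\t2\n\n"
     "New Logon:\n\tAccount Name:\t\tasmith\n\tAccount Domain:\t\tCORP\n\n"
     "Network Information:\n\tWorkstation Name:\tWS-017\n"
     "\tSource Network Address:\t127.0.0.1\n"),
    ("2024-03-01 08:31:09", "SRV-FILE01", "An account was successfully logged on.\n\n"
     "Subject:\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\n"
     "Logon Type:\t\t\t10\n\n"
     "New Logon:\n\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tCORP\n\n"
     "Network Information:\n\tWorkstation Name:\tADMIN-LT\n"
     "\tSource Network Address:\t10.1.20.15\n"),
]

if __name__ == "__main__":
    for r in rdp_logons(SAMPLE_EVENTS):
        print(f"{r.time}  {r.user} from {r.workstation} ({r.source_ip}) -> {r.target_host}")
    for (user, ip, host), n in summarise(SAMPLE_EVENTS).items():
        print(f"{n}x  {user} {ip} -> {host}")
```

The split on "New Logon:" matters: a 4624 message carries two Account Name fields, and the first (under Subject) is usually the system or the logon process, not the person who connected.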
We ended up convincing the customer we could track (log) this much better using VSE Access Protection, as it has a mini-HIPS component built in. Here is how & why to use this:
Why use this?
- Tracking who (Users/Admins/Hackers) is remoting into other hosts is a useful matrix
- While RDP is normal activity for Admins, it is also how attackers pivot between hosts
- Allows Analysts to track Admin use of RDP
- This allows tracking of the User, the Computer the RDP came from and went to, and the DTG
- VSE is used due to its coverage in the network, as all hosts should have VSE installed
- Open Policy Catalog
- Select "Port Blocking Rule" on the popup
- A window will open called "Network Port Access Protection Rule"
- Do the steps below within it:
  - the Rule: IE RDP-WS (or whatever you wish to call it)
  - both In/Out Bound
- OK & repeat for Servers
Do you want to use it for a single machine or multiple machines?
You're right... smart solution!!
ansarias, we set it up as a policy, so it would affect ALL machines that currently have VSE installed.
Thanks. Agreed, a McAfee Access Protection user-defined rule is the best option to track RDP.
Set it to report, not block, so a log will be generated in the AP logs.