Forum Discussion
How to check RDP access to the server
Yes, both are possible to some extent, but the level of detail depends on your audit configuration.
For RDP connections, Windows logs successful and failed logons in the Security event log. You can review events such as:
- 4624 – Successful logon (Logon Type 10 indicates Remote Desktop).
- 4625 – Failed logon attempts.
- 4634 – Logoff.
- 4778 and 4779 – RDP session reconnect and disconnect.
These events include the username, timestamp, and, in most cases, the source IP address, allowing you to determine how many times a user connected and from where.
Regarding copying files to a local PC via RDP copy/paste, Windows does not log clipboard activity or file transfers by default. If clipboard or drive redirection was enabled and no auditing or endpoint monitoring solution (such as Microsoft Defender for Endpoint, Sysmon, or a third-party EDR) was in place before the incident, it is generally not possible to prove that files were copied.
If preventing data exfiltration is a concern, consider disabling clipboard, drive, and device redirection through Group Policy for RDP sessions, and enable advanced auditing or endpoint monitoring for future investigations.