Defender for Identity and RDP connections to external IPs

I am worried that Defender for Identity may be communicating with external IP addresses. Is there any way to disable this feature? It seems suspicious to me when I notice traffic from DC RDP to external IP addresses. Additionally, we suspect that such activity could possibly lead to blacklisting.


P.S. Any best practice on how to configure Defender for Identity?

Hi @Adalfarus ,

Understanding your concern, and as you point out with the MS Docs, this is expected behavior, as DFI will work to resolve IP addresses found within the raw activity events. I suggest you investigate a bit more as to the source of these events, because it definitely seems like something worth looking into. If you can trace an IP you're seeing DFI reach out to back to its activity event source on the "offending" DC, you might find something that needs patching (maybe).


Nevertheless, for the immediate question at hand, can you block this traffic at the firewall?

Source = zone/subnet of the DCs; source port = 3389; destination = untrust/wan; destination port = any
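
As a follow-up to the suggestion to trace these connections and to scope a firewall rule, here is an added example (not part of the thread): it filters a firewall flow export for connections from the DC subnet to non-internal addresses that involve port 3389, and reports on which side of the flow the port appears. The CSV columns, the subnet 10.10.1.0/24 and the log lines are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample of a firewall flow export (assumed columns, not real data).
SAMPLE_LOG = """src,sport,dst,dport
10.10.1.5,51512,203.0.113.40,3389
10.10.1.5,3389,198.51.100.7,50211
10.10.1.6,52001,10.20.3.9,3389
10.10.1.5,53000,203.0.113.40,443
192.168.5.20,49800,203.0.113.40,3389
"""

DC_SUBNET = ipaddress.ip_network("10.10.1.0/24")  # assumed DC zone
RDP_PORT = 3389
# Internal ranges are listed explicitly; everything else counts as untrust/WAN.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    return not any(ip in net for net in INTERNAL)

def external_rdp_flows(log_text, dc_net=DC_SUBNET):
    # Returns (src, dst, side) for DC -> external flows that involve 3389.
    # side says whether 3389 was the source or destination port of the flow,
    # which is what a port-based firewall rule has to match on.
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if src not in dc_net or not is_external(dst):
            continue
        if int(row["dport"]) == RDP_PORT:
            hits.append((str(src), str(dst), "destination"))
        elif int(row["sport"]) == RDP_PORT:
            hits.append((str(src), str(dst), "source"))
    return hits

def summarize(hits):
    # Count flows per (DC, port side) so each DC can be traced separately.
    return Counter((src, side) for src, _dst, side in hits)

if __name__ == "__main__":
    for (dc, side), n in summarize(external_rdp_flows(SAMPLE_LOG)).items():
        print(f"{dc}: {n} flow(s) with 3389 as {side} port")
```

Feeding it a real export shows which DCs generate the flows and which port field a block rule must match before the rule is deployed.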