Nov 18 2019 04:02 PM
We're currently receiving failed RDP logon attempts on our domain controllers from a trusted domain running Azure ATP; our colleagues managing the other domain have suggested this is expected behaviour of Azure ATP.
I've read the documentation and I'm aware that RDP is used by NNR, though the policy documentation states "No authentication is performed on any of the ports." However, we're seeing active attempts to log in using the Administrator account.
Is this expected behaviour? Should we be seeing failed logon attempts?
Nov 18 2019 11:55 PM
@drrnmac, no, this is not expected.
The NNR using RDP is not doing any authentication; it sends a fixed payload to the RDP port, which causes the machine to report back metadata about itself.
At this point the session is ended from AATP's side before reaching the authentication phase.
Also, for NNR no account is used at all, certainly not an administrator account.
Even for AD access or lateral movement, we use (if configured correctly) a low-privileged, read-only account.
If you get RDP auths using Administrator, I suggest investigating, as I don't believe those are initiated from AATP.
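A defender-side triage script for the investigation the reply recommends, added here as an example; it is not part of the thread and is not Azure ATP or Defender for Identity code. It parses flattened Windows Security event records (field names follow the documented 4625 schema, but the records themselves are constructed sample data with placeholder hostnames and RFC 5737 test addresses), keeps only failed RDP logons (logon type 10) against the Administrator account, and groups them by source address. As the reply explains, the NNR RDP probe ends the session before authentication, so it never produces a 4625 at all; any such events therefore point at a source that should be identified.

```python
from collections import Counter, defaultdict

# Windows logon type values as documented for event 4625.
LOGON_TYPE_NETWORK = 3
LOGON_TYPE_REMOTE_INTERACTIVE = 10  # RDP (Remote Desktop / Terminal Services)

# Documented NTSTATUS sub-status codes commonly seen in 4625 events (lower-cased keys).
SUBSTATUS_MEANING = {
    "0xc0000064": "user name does not exist",
    "0xc000006a": "wrong password",
    "0xc0000072": "account disabled",
    "0xc0000234": "account locked out",
}

# CONSTRUCTED sample: flattened event records, one per line, as key=value pairs.
# Hostnames are placeholders; addresses come from the RFC 5737 TEST-NET ranges.
SAMPLE_LOG = """\
EventID=4625 TargetUserName=Administrator TargetDomainName=CONTOSO LogonType=10 IpAddress=203.0.113.10 WorkstationName=WS-UNKNOWN SubStatus=0xC000006A
EventID=4625 TargetUserName=Administrator TargetDomainName=CONTOSO LogonType=10 IpAddress=203.0.113.10 WorkstationName=WS-UNKNOWN SubStatus=0xC000006A
EventID=4625 TargetUserName=Administrator TargetDomainName=CONTOSO LogonType=10 IpAddress=203.0.113.10 WorkstationName=WS-UNKNOWN SubStatus=0xC000006A
EventID=4625 TargetUserName=jsmith TargetDomainName=CONTOSO LogonType=10 IpAddress=198.51.100.7 WorkstationName=JSMITH-PC SubStatus=0xC000006A
EventID=4625 TargetUserName=svc_backup TargetDomainName=CONTOSO LogonType=3 IpAddress=192.0.2.20 WorkstationName=BACKUP01 SubStatus=0xC0000234
EventID=4624 TargetUserName=jsmith TargetDomainName=CONTOSO LogonType=10 IpAddress=198.51.100.7 WorkstationName=JSMITH-PC SubStatus=0x0
EventID=4625 TargetUserName=administrator TargetDomainName=CONTOSO LogonType=10 IpAddress=203.0.113.44 WorkstationName=- SubStatus=0xC000006A
"""


def parse_events(text):
    """Parse key=value lines into dicts; EventID and LogonType become ints."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(pair.split("=", 1) for pair in line.split())
        rec["EventID"] = int(rec["EventID"])
        rec["LogonType"] = int(rec["LogonType"])
        events.append(rec)
    return events


def is_failed_rdp_logon(event, target_user=None):
    """True for a 4625 with the RDP logon type, optionally restricted to one account.
    Windows account names are case-insensitive, so the comparison is case-folded."""
    if event["EventID"] != 4625 or event["LogonType"] != LOGON_TYPE_REMOTE_INTERACTIVE:
        return False
    if target_user is None:
        return True
    return event["TargetUserName"].casefold() == target_user.casefold()


def triage_admin_rdp_failures(events, threshold=3):
    """Group failed RDP logons against Administrator by source address.
    Returns (counts per source, sources at or above threshold, failure reasons per source).
    The NNR RDP probe closes the session before authentication, so none of these
    events can originate from it; every source listed here needs an owner."""
    by_source = Counter()
    reasons = defaultdict(Counter)
    for ev in events:
        if is_failed_rdp_logon(ev, "Administrator"):
            src = ev["IpAddress"]
            by_source[src] += 1
            code = ev["SubStatus"].lower()
            reasons[src][SUBSTATUS_MEANING.get(code, code)] += 1
    flagged = {src for src, n in by_source.items() if n >= threshold}
    return dict(by_source), flagged, {s: dict(c) for s, c in reasons.items()}


if __name__ == "__main__":
    counts, flagged, reasons = triage_admin_rdp_failures(parse_events(SAMPLE_LOG))
    for src, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        mark = "INVESTIGATE" if src in flagged else "watch"
        print(f"{src:<16} {n:>3} failed RDP logons as Administrator  [{mark}]  {reasons[src]}")
```

On the constructed sample the script reports 203.0.113.10 with three wrong-password failures (flagged) and 203.0.113.44 with one; the type-3 network failure and the successful 4624 are excluded. Against real exports, the same grouping by `IpAddress` and `WorkstationName` is what lets you tell whether the source is the trusted domain's sensor host, as the colleagues assumed, or something else entirely.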
Nov 19 2019 02:37 AM
@EliOfek Thanks for confirming and for the quick reply, Eli; that's what I expected. Investigations are currently underway.