REMOTE DESKTOP ACTIVITY

Operating System: Windows

Normal security access control may be compromised by external access, via any remote desktop access program, to a terminal that is logged in to the SQL Server. In this case, another computer has taken control of the original desktop, which was already logged in and authenticated, and thereby has the same level of access and control.

There may be instances where such external control is authorized and proper.
This alert helps identify cases where remote access was approved accidentally or left open unintentionally. When the remote session runs under an admin user, extra caution is needed, since an attacker might breach your system via remote access.

AimBetter tracks the incidence of users accessing the server through a remote desktop connection, such as AnyDesk, RemotePC, TeamViewer, or any suspicious program you may want to add to the list.

Impact: 

Programs that remain open unnecessarily might cause slowness because they consume the server's resources. In addition, attackers might breach your system via remote access.

Expected behavior

Every remote desktop access should comply with the company's security policy and be known to the company, with control over the start and end time of the connection session.

Possible causes

1. Remote Desktop Activity.

The incidence of users accessing the server through a remote desktop connection, such as AnyDesk, RemotePC, TeamViewer, and others.

Problem identification:

Identify the remote desktop program's running process on the server and verify that it is approved and known.

Hands-on approach
  1. If you are the user who approved the session, the open remote session is displayed in the Windows Start menu, where you can see the name of the user who made the connection.
  2. If you are not the user under whom the remote session is open, you can review it in the system logs or via Task Manager. However, this check must be done manually, and it is hard to track and to know when you should do it.
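
One way to script the manual Task Manager check from step 2, as an added example that is not AimBetter's code: it lists running processes whose names match the tools named above, with owner, session and running time. The name patterns, the function name and the `MaxHours` limit are assumptions to adjust to your environment and policy.

```powershell
# Assumed process-name patterns for the tools named on this page; adjust them
# to the executables actually installed in your environment.
$DefaultPatterns = 'AnyDesk*', 'TeamViewer*', 'RemotePC*'

function Get-RemoteDesktopToolProcess {
    [CmdletBinding()]
    param(
        [string[]]$NamePattern = $DefaultPatterns,
        [double]$MaxHours = 8     # assumed policy limit for an open session
    )

    $now = Get-Date
    Get-CimInstance -ClassName Win32_Process |
        Where-Object {
            $name = $_.Name
            # Keep the process if its name matches any pattern.
            [bool]($NamePattern | Where-Object { $name -like $_ })
        } |
        ForEach-Object {
            # GetOwner may fail without elevation; keep the row and mark the owner unknown.
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
            $account = if ($owner -and $owner.ReturnValue -eq 0) {
                '{0}\{1}' -f $owner.Domain, $owner.User
            } else { '<unknown>' }

            $hours = if ($_.CreationDate) {
                [math]::Round(($now - $_.CreationDate).TotalHours, 1)
            } else { $null }

            [pscustomobject]@{
                Name         = $_.Name
                ProcessId    = $_.ProcessId
                SessionId    = $_.SessionId
                Owner        = $account
                Started      = $_.CreationDate
                HoursRunning = $hours
                OverLimit    = ($null -ne $hours -and $hours -gt $MaxHours)
                Path         = $_.ExecutablePath
            }
        }
}

# Review the result against the sessions that were actually approved.
Get-RemoteDesktopToolProcess | Sort-Object Started | Format-Table -AutoSize
```

A matching process shows that the tool is running, not that a remote party is currently connected, so confirm each row against the tool's own connection log and the approval record.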
Get the answer in just seconds!

No manual tracking is needed: any remote desktop activity on the server is reported, including the user name.

Recommended action:

Access is a matter of security control, and this alert serves to advise of these instances. Ensure the session is closed once there is no more need for it.

A multi-layered security approach and policy enforcement are recommended.
