Improving Security Auditing on RDS By Deploying Sysmon (Part 1)

March 29, 2020 - Remote Desktop Security

Hello everyone! My new book on Remote Desktop Security has now been released, and I’m posting some excerpts/topics from the book here on my blog.  Please click here if you’d like to purchase the Amazon Kindle edition.

Out of all of the amazing free tools available at Microsoft’s Sysinternals website, Sysmon is simply indispensable as a supplemental event logging engine. It is remarkably effective at surfacing malware and other unauthorized use of programs. Therefore, it’s critical that you both deploy this tool to your RDS systems and collect and monitor the events it generates. If you do this correctly, you may be able to shut down an attempted compromise of your Remote Desktop Services deployment before it really gets going. You should make this utility standard on all of your production servers, even the ones that are not public facing, so you can audit administrator activities and watch for internal threats.

Where to Download Sysmon

So, first things first – you will need to download Sysmon from the Sysinternals website here:

The Activities on Your Remote Desktop Servers That Sysmon Can Detect And Log

When installed from the command line, Sysmon registers a service and a companion device driver that intercept system activity and log it to a dedicated Windows event log. Here’s a list of some examples of what it records:

• Detailed information on process creation/program startup
• Network connections that processes make
• When device drivers are loaded
• When one process creates a thread in another process, which is a common code injection technique used by malware
• File and registry key creations

The full list of what it can monitor is extensive. Precisely because it can log so much, it is extremely important to tailor which events it records. Doing so raises the “signal to noise” ratio so that suspicious events get recorded while routine software activity does not flood the Sysmon log.

How To Tailor What Activity Sysmon Logs With Configuration Files

Fortunately, several individuals have taken it upon themselves to author and publish Sysmon configuration files that have already been tuned to screen for malware – which you can then further tweak to suit your monitoring requirements.

Moti Bani, a Microsoft employee who blogs frequently about security, is one such individual. First, read his blog post entitled “Sysinternal Sysmon Suspicious Activity Guide” located here:

You may then download his well-tailored Sysmon configuration file from his GitHub repository here:
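The following PowerShell script is an added example that is not part of the original post and is neither the author’s nor Moti Bani’s configuration. It ties together the two points above: it writes a small, constructed Sysmon configuration that covers the event types listed earlier (process creation, network connections, driver loads, remote thread creation, file creation, and registry changes), installs Sysmon with it (or pushes it to an existing installation), and then reads back the resulting events from the Sysmon event log. It assumes you run it from an elevated PowerShell session on the RDS host with Sysmon64.exe from Sysinternals in the current directory; the file name sysmon-rds-example.xml, the specific exclusion and inclusion rules, and the schemaversion value are all assumptions for illustration and should be replaced by a tuned configuration such as the one linked above.

```powershell
# Added example (not the blog author's or Moti Bani's config). Assumes an elevated
# session on the RDS host and Sysmon64.exe in the current directory (assumption).
$configPath = Join-Path $PWD 'sysmon-rds-example.xml'   # file name is an assumption

# Minimal constructed configuration. "exclude" rules log everything except the
# listed matches; "include" rules log only the matches. Every rule below is a
# starting point for tuning, not a recommendation for production as-is.
@'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 1: every process start, minus one known-noisy system binary -->
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\conhost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 3: only network connections made by PowerShell (example include rule) -->
      <NetworkConnect onmatch="include">
        <Image condition="image">powershell.exe</Image>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 6: driver loads, minus Microsoft-signed drivers -->
      <DriverLoad onmatch="exclude">
        <Signature condition="contains">Microsoft</Signature>
      </DriverLoad>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 8: thread created in another process (code injection indicator) -->
      <CreateRemoteThread onmatch="exclude">
        <SourceImage condition="is">C:\Windows\System32\csrss.exe</SourceImage>
      </CreateRemoteThread>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event ID 11: file creation under user profiles -->
      <FileCreate onmatch="include">
        <TargetFilename condition="begin with">C:\Users\</TargetFilename>
      </FileCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event IDs 12-14: changes to Run keys used for persistence -->
      <RegistryEvent onmatch="include">
        <TargetObject condition="contains">CurrentVersion\Run</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding ASCII

# -i installs the service and driver with the configuration; -c applies a new
# configuration to an installation that is already running.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & .\Sysmon64.exe -accepteula -c $configPath
} else {
    & .\Sysmon64.exe -accepteula -i $configPath
}

# Check what the filter actually lets through: here, non-Microsoft driver loads
# (ID 6) and remote thread creation (ID 8) from the last 24 hours.
$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 6, 8
    StartTime = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Run the query part again after a day of normal RDS use; any rule that produces a steady stream of benign events is a candidate for an additional exclusion, which is exactly the tuning step the text describes.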

Continue on to Part 2 of this blog series…

Andy Milford is the CEO and Founder of RDPSoft, and is a Microsoft MVP in the Enterprise Mobility / Remote Desktop Services area. Prior to starting RDPSoft, Andy was the CEO and Founder of Dorian Software, a log management company acquired by Ipswitch in late 2009. He loves creating easy-to-use yet powerful software solutions for SMBs and emerging enterprise companies.
