One of the most powerful (and most underrated) items to monitor and action off of is the RDP status and port of an endpoint. While I will not get into the politics of why, we fully believe it should be disabled by default on endpoints. This helps reduce your number of attack surfaces and vulnerabilities to exploits like BlueKeep (and many others).

For this script, we are going to do a few things:

• Get the currently configured RDP port and status (enabled/disabled)

• Write that status and port to an Asset Field (Asset Custom Field)

• Create an alert if the service is enabled..

Helpful Information:

• Information on Asset Fields: https://community.syncromsp.com/t/asset-fields-asset-custom-fields/5322

• Syncro Scripting Basics: https://community.syncromsp.com/t/scripting-basics/579

Procedure

1. Login to your Syncro instance

2. Navigate to Scripts > +New Script
   

   

   
   

   1. Name: This is a descriptive name (we use S - Get RDP Port and Status [Win])

   2. Description: A description that makes sense to you (for example: Gathers the RDP Port and status and writes to an agent custom field)

   3. File Type: PowerShell, Run as: SystemFill out the following fields:
      

      

   4. Script:

      Import-Module $env:SyncroModule -WarningAction SilentlyContinue

      $PortReg = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name PortNumber).PortNumber

      $RDPReg = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections").fDenyTSConnections

      $status = switch ($RDPReg) {

      "1" { "Disabled" }

      "0" { "Enabled" }

      default { "Unknown" }

      }

      [string]$String = "Status: $status; Port: $PortReg"

      Write-Output "Status: $status; Port: $PortReg"

      if($status -eq $Enabled){

      Rmm-Alert -Category 'Security' -Body "RDP Is currently enabled. $status"

      }

      Set-Asset-Field -Name 'rdp_status' -Value "Status: $status; Port: $PortReg"