Can RDP traffic be monitored?

Article ID: 160205

Products

Data Loss Prevention Endpoint Prevent
Data Loss Prevention Network Monitor
Data Loss Prevention Network Prevent for Email
Data Loss Prevention Network Prevent for Web
Data Loss Prevention Network Protect
Data Loss Prevention Endpoint Discover

Issue/Introduction

Is monitoring of RDP traffic possible?

Resolution

In short: you cannot monitor RDP traffic.

RDP is a multi-channel protocol whose traffic is encrypted by default, which prevents Symantec DLP from detecting incidents in it. In addition, the communication is not carried out in the traditional way: the actual text is not sent in a form that Symantec DLP can monitor (see Background Information below).

Background Information

On the server, RDP uses its own video driver to render display output by constructing the rendering information into network packets by using the RDP protocol and sending them over the network to the client. On the client, RDP receives rendering data and interprets the packets into corresponding Microsoft Win32 graphics device interface (GDI) API calls. For the input path, client mouse and keyboard events are redirected from the client to the server. On the server, RDP uses its own on-screen keyboard and mouse driver to receive these keyboard and mouse events.

For further details, see:
http://msdn2.microsoft.com/en-us/library/aa383015.aspx
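
As an added illustration (not part of the original article and not Symantec DLP functionality): although session content cannot be inspected, on a direct connection the X.224 Connection Request that opens an RDP session is sent before encryption starts, so a network sensor can still recognise the session and see which security protocols the client requests. The Python below parses that request using the field layout from MS-RDPBCGR; the function names and the sample packet are constructed for this example.

```python
import struct

# requestedProtocols bits of RDP_NEG_REQ (MS-RDPBCGR); 0 means PROTOCOL_RDP.
PROTOCOLS = {0x1: "PROTOCOL_SSL", 0x2: "PROTOCOL_HYBRID",
             0x4: "PROTOCOL_RDSTLS", 0x8: "PROTOCOL_HYBRID_EX"}

def parse_rdp_connection_request(payload: bytes):
    """Describe an RDP X.224 Connection Request; None if payload is not one."""
    if len(payload) < 11 or payload[0] != 0x03:        # TPKT version 3
        return None
    tpkt_len = struct.unpack(">H", payload[2:4])[0]
    if tpkt_len < 11 or tpkt_len > len(payload):
        return None
    li, code = payload[4], payload[5]
    if code & 0xF0 != 0xE0 or li + 5 != tpkt_len:      # X.224 CR TPDU
        return None
    variable = payload[11:tpkt_len]    # skip dst-ref, src-ref, class
    cookie = None
    if variable.startswith(b"Cookie: "):               # optional cookie/token
        end = variable.find(b"\r\n")
        if end == -1:
            return None
        cookie = variable[8:end].decode("ascii", "replace")
        variable = variable[end + 2:]
    requested = 0                      # no RDP_NEG_REQ: standard RDP security
    if len(variable) >= 8 and variable[0] == 0x01:     # TYPE_RDP_NEG_REQ
        _, _, length, requested = struct.unpack("<BBHI", variable[:8])
        if length != 8:
            return None
    names = [name for bit, name in PROTOCOLS.items() if requested & bit]
    # Every non-zero protocol bit is a TLS-based security layer.
    return {"cookie": cookie, "requested": names or ["PROTOCOL_RDP"],
            "offers_tls": requested != 0}

def build_request(variable: bytes) -> bytes:
    """Constructed sample: wrap `variable` in TPKT + X.224 CR headers."""
    x224 = bytes([6 + len(variable), 0xE0, 0, 0, 0, 0, 0]) + variable
    return b"\x03\x00" + struct.pack(">H", 4 + len(x224)) + x224

# Constructed packet: cookie plus a request for PROTOCOL_SSL | PROTOCOL_HYBRID.
SAMPLE = build_request(b"Cookie: mstshash=alice\r\n"
                       + struct.pack("<BBHI", 0x01, 0, 8, 0x1 | 0x2))

if __name__ == "__main__":
    print(parse_rdp_connection_request(SAMPLE))
```

Everything after this negotiation is carried inside the negotiated security layer, which is the part a network monitor cannot read.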