Close the Door Behind You: Why Properly Logging off RDP Matters

#beginners #cybersecurity #microsoft #tutorial

I was poking around on a routine scan—purely for educational reasons 😇—when one IT staffer’s workstation practically invited me in.
A quick credential dump landed me local-admin, and there they were: six RDP sessions quietly ticking away because he never hits Sign out.
This “pivot” user had connections to half the company’s servers, so one tscon dropped me straight onto the Domain Controller.
All that risk, born from a single habit: closing the window instead of logging off.

Before we dive into the technical walkthrough, let’s recap why a dangling RDP session is even a thing

1. Background

Remote Desktop Protocol (RDP) spawns a user session on the target server.

If you log off, that session is destroyed.

If you merely close the RDP client, the session flips to Disconnected (Disc) and sits in RAM—programs keep running, credentials stay cached.

On Windows Server 2016 and earlier, tscon.exe allows a process running as NT AUTHORITY\SYSTEM to attach to any live session without knowing its password.

2. Lab Walk‑through: Hijacking a Disconnected Session

2.1 – Enumerate & understand your current role

2.2 – Elevate to SYSTEM

# run an elevated cmd *as Administrator*
C:\tools\PsExec64.exe -s cmd.exe

-s ▸ launches the new cmd.exe as SYSTEM.

2.3 – List RDP sessions

C:\> query user
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#6           2  Active          .  04/01/2022 04:09
 DC                                        3  Disc            .  04/06/2022 06:51

administrator (you) is Active on session 2.
Session 3 is in Disc state—perfect target.

2.4 – Steal X’s Session into the DC

tscon 3 /dest:rdp-tcp#6

3 ▸ the ID of X’s session.

/dest:rdp-tcp#41 ▸ your transport channel (see SESSIONNAME).

The RDP window instantly flips to Domain Controller’s desktop, programs and all—no password prompt.

But on the bright side - they had a virtually uncrackable DC password.

3. Why This Is Dangerous

Risk	Impact
Privilege escalation	Hijacker inherits the victim’s rights—often Domain Admin.
Silent lateral movement	No new logon events; looks like the legit user is still logged in.
Data exposure	Open Outlook, KeePass, RDP files—all ready for the taking.
Operational disruption	Hijacker can run ransomware as the victim, masking attribution.

4. Mitigations & Best Practices

Always *Log off—teach admins to hit **Start → Sign out*.
Idle Session Limits GPO: Computer Config → Policies → Admin Templates → Windows Components → Remote Desktop Services → Session Time Limits. Set “End a disconnected session” to e.g. 15 minutes.
Deny tscon Hijack Server 2019+ prompts for the user’s password when attaching to another session.
Restrict SYSTEM Escalation Block or alert on PsExec/WMI with Defender ASR rule 56. Deploy AppLocker / WDAC to deny unsigned admin tools.
Monitor Event 7045 & 4778 Detect rogue service installs (psexesvc) and unexpected session re‑connections.
MFA for Admin RDP Even if a token is hijacked, MFA blocks fresh privileged logons.

5. Server 2019 and Later

Server 2019/2022 changed tscon behaviour—SYSTEM can no longer attach to another user’s session without supplying that user’s credentials.

Still enforce log‑off discipline: the session keeps consuming RAM/CPU and may be exposed by future privilege‑escalation exploits.

6. Key Take‑aways

Disconnect ≠ Log off—your session remains a loaded gun on the server.
Attackers with SYSTEM can pull the trigger in one line of PowerShell or tscon.
Good hygiene (log off), sensible timeouts, and modern hardening (ASR, WDAC) shut this door.

Stay safe, and make “Sign out” your new muscle memory! 🛡️

References