aneshcheret
Staff

Description


This article describes how to ignore logons created by RDP sessions.
This is a useful feature for cases when Active Directory Administrators (or other users) require access to various computers across the network with their accounts.

Without RDP override, the act of connecting to the remote desktop would overwrite the original user logon, removing that logon from the FSSO list.

That would result in blocked internet access due to no policy match.

Scope


Windows Server 2003.
Windows Server 2008.
Windows Server 2012.
Windows Server 2016.

Solution


There are two supported ways to overcome this issue:

1) Use the Ignore list available in the Collector Agent GUI:

Select the particular user(s) whose logons will be ignored.

Note: This is not suitable for AD accounts that require internet access through identity-based policies, as their logons will be completely ignored and therefore no authenticated session will be created on the FortiGate.

2) Use the RDP override feature in the Collector Agent GUI:

Go to: Show Monitored DCs.
Select 'DC to Monitor'.
In the left bottom corner, select 'Disable RDP override'.


For this second option to work, either prerequisites 1a and 1b, or prerequisite 2, must be met:

1a) In the Advanced settings of the Collector Agent, the 'Event IDs to poll' value must be 1 or 2.
1b) The working mode is 'Check Windows Security Event Logs' or 'Check Windows Security Event Logs using WMI'.
2) DC Agent sends logins to any Collector Agent.


While it is possible to use DC Agent mode, it should be noted that users will be limited to using RDP via IP address. The reason for this is that when the user uses RDP via FQDN, the 'Disable RDP Override' option will not work as expected, since the DC Agent will be triggered with a logon event that indicates Kerberos authentication.

When this happens, the DC Agent cannot tell whether it is a normal user logon or an RDP logon, and the event cannot be dropped.

This would overwrite the original user logon.

When the user uses RDP via IP address, the DC Agent will be triggered with a logon event that indicates an NTLM authentication instead, and if 'Disable RDP Override' is checked, the DC Agent will discard this event.

For this reason, Polling Mode may be better suited for your environment.


RDP override can be configured in two separate places: on the Collector Agent (for polling mode) and on the DC Agent. The DC Agent has its own setting for this, stored in the registry:

Under HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FSAE\DCAgent, create a registry value called disable_rdp_override and set it to 1.
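The following PowerShell snippet is an added example, not part of the original article or Fortinet's own tooling. It applies the DC Agent registry setting above and reads it back to confirm what is actually stored. It assumes the value is a REG_DWORD (the article does not state the type) and that it runs elevated on the domain controller hosting the DC Agent.

```powershell
# Added example (not from the original article): set the DC Agent RDP override
# registry value named in the article and verify it was applied.
# Assumptions: disable_rdp_override is a REG_DWORD (type not stated in the
# article) and this runs in an elevated session on the DC Agent host.
$KeyPath   = 'HKLM:\SOFTWARE\Fortinet\FSAE\DCAgent'
$ValueName = 'disable_rdp_override'

function Set-DcAgentRdpOverride {
    param([int]$Desired = 1)   # 1 = discard RDP (NTLM) logon events, 0 = default behaviour

    if (-not (Test-Path -Path $KeyPath)) {
        throw "Key $KeyPath not found: is the FSSO DC Agent installed on this host?"
    }

    $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $current) {
        # Value absent: create it with the assumed DWORD type.
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Desired | Out-Null
    } elseif ($current -ne $Desired) {
        # Value present but different: update it in place.
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Desired
    }

    # Read back so the caller sees what the registry holds, not what was requested.
    $applied = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    if ($applied -ne $Desired) {
        throw "Expected $ValueName=$Desired but registry holds $applied"
    }
    return $applied
}

Set-DcAgentRdpOverride -Desired 1
```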