RDP Security Audit Checklist: 12 Things to Fix Before Your Next Pentest
RDP (Remote Desktop Protocol) appears in the initial access phase of nearly every major ransomware incident. Exposed port 3389, weak credentials, no MFA — attackers know the playbook. Your next penetration test will find these issues if you have not already addressed them. This checklist tells you exactly what to fix and how.
The 12-Item Checklist
Work through these in order. Items 1–3 are critical; address them before anything else.
1. Exposed RDP port (3389) directly on the internet
Problem: Your Windows servers accept RDP connections on port 3389 from the public internet.
Risk: Attackers continuously scan for open port 3389. Within hours of a new server coming online, it is receiving brute-force and credential-stuffing attacks. This is the most common ransomware initial access vector in enterprise environments.
Fix: Remove the firewall rule that allows inbound 3389 from the internet. Access Windows servers only through a PAM solution (like VaultPAM) that brokers the session — the RDP port stays closed on the server, and the connection is established outbound through the connector.
2. Shared admin credentials across servers
Problem: Your team uses a shared Administrator account (or admin, or a single named account) across multiple servers, and multiple people know the password.
Risk: When one person leaves, you face the impossible choice of rotating the password and disrupting everyone else, or leaving the ex-employee's access intact. When you have an incident, you cannot determine who performed which action because all activity is attributed to a shared account.
Fix: Move to individual named accounts for all privileged access. Use a credential vault to store and rotate server credentials automatically. Use session brokering so users connect without receiving the actual password — the vault holds it.
3. No MFA on privileged accounts
Problem: Administrators authenticate to production systems with username and password only.
Risk: A single phishing email, credential dump, or reused password gives an attacker full administrative access. MFA is the single highest-impact control for stopping credential-based attacks.
Fix: Require TOTP (Google Authenticator, Authy), hardware tokens (YubiKey) or platform authenticators (Touch ID, Windows Hello) for every privileged account. Verify enforcement — policy documents do not count; demonstrate that a login attempt without MFA is rejected.
4. No session recording
Problem: When privileged sessions occur, there is no record of what happened inside the session.
Risk: Post-incident forensics are impossible. Auditors cannot verify what actions were taken. Insider threats leave no evidence trail. Ransomware attackers who abuse admin credentials cannot be traced past the login event.
Fix: Route all privileged sessions through a PAM solution that records full session video and activity logs (commands executed, files transferred, clipboard contents). Store recordings with tamper-proof integrity (hash chains) for at least 12 months.
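The "hash chain" in the fix above is the part auditors will ask you to explain, so here is a worked illustration of what it means. This is an added example, not VaultPAM's implementation or any code from the original checklist: each recording chunk is hashed, and each chain entry commits to the previous entry's hash, so editing, reordering or truncating the recording changes every hash after the edit. The chunk contents, the field names and the GENESIS value are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Anchor for the first entry of every chain (constructed constant).
GENESIS = "0" * 64


@dataclass(frozen=True)
class ChainEntry:
    seq: int          # position of the recording chunk within the session
    chunk_hash: str   # SHA-256 of the chunk bytes
    prev_hash: str    # entry_hash of the previous entry (GENESIS for seq 0)
    entry_hash: str   # SHA-256 over (seq, chunk_hash, prev_hash)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(seq: int, chunk_hash: str, prev_hash: str) -> str:
    # Canonical JSON so the same three fields always hash to the same value.
    payload = json.dumps(
        {"seq": seq, "chunk": chunk_hash, "prev": prev_hash}, sort_keys=True
    ).encode()
    return sha256_hex(payload)


def build_chain(chunks: List[bytes]) -> List[ChainEntry]:
    """Link every recording chunk to all chunks written before it."""
    entries: List[ChainEntry] = []
    prev = GENESIS
    for seq, chunk in enumerate(chunks):
        ch = sha256_hex(chunk)
        eh = entry_hash(seq, ch, prev)
        entries.append(ChainEntry(seq, ch, prev, eh))
        prev = eh
    return entries


def chain_head(entries: List[ChainEntry]) -> str:
    """The value to copy to write-once storage (e.g. the SIEM) at session end."""
    return entries[-1].entry_hash if entries else GENESIS


def verify_chain(chunks: List[bytes], entries: List[ChainEntry],
                 expected_head: str) -> Tuple[bool, Optional[int]]:
    """Recompute the chain and return (ok, first_bad_seq).

    first_bad_seq is the index of the first chunk that cannot be trusted,
    len(entries) when the stored head does not match (tail truncated or
    rebuilt), or None when everything checks out.
    """
    if len(chunks) != len(entries):
        return False, min(len(chunks), len(entries))
    prev = GENESIS
    for seq, (chunk, e) in enumerate(zip(chunks, entries)):
        if e.seq != seq or e.prev_hash != prev:
            return False, seq
        if sha256_hex(chunk) != e.chunk_hash:
            return False, seq
        if entry_hash(seq, e.chunk_hash, prev) != e.entry_hash:
            return False, seq
        prev = e.entry_hash
    if prev != expected_head:
        return False, len(entries)
    return True, None


# Constructed sample: three chunks of one recorded session. Real chunks would
# be video segments or command-log lines.
SESSION_CHUNKS = [
    b"keystrokes: whoami",
    b"keystrokes: net user",
    b"file transfer: report.xlsx",
]

if __name__ == "__main__":
    entries = build_chain(SESSION_CHUNKS)
    head = chain_head(entries)
    print("intact:", verify_chain(SESSION_CHUNKS, entries, head))
    edited = list(SESSION_CHUNKS)
    edited[1] = b"keystrokes: dir"   # one chunk altered after the fact
    print("edited chunk:", verify_chain(edited, entries, head))
    print("dropped tail:", verify_chain(SESSION_CHUNKS[:-1], entries[:-1], head))
```

The chain only proves integrity relative to the head hash, so the head must be written somewhere the administrator being recorded cannot change (the immutable log store from item 6 is the natural place). Without that anchor, whoever can rewrite the recording can rebuild the whole chain to match it.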
5. Standing admin privileges (no JIT access)
Problem: Administrators have 24/7/365 privileged access to production systems, even when they are not performing an administrative task.
Risk: An attacker who compromises an administrator's workstation or credentials has immediate and persistent access to production. The attack surface is always maximum.
Fix: Implement Just-in-Time (JIT) access. Privileges are granted for a specific task and time window, then automatically revoked. Between tasks, the account has no privileged access — or no active account at all.
6. No audit log forwarding
Problem: Server event logs (Windows Event Log, Linux auth log) sit on the server where they can be cleared by an attacker who achieves administrative access.
Risk: An attacker with admin access can clear logs and erase evidence of their presence. During incident response, critical forensic data may be missing.
Fix: Forward all privileged access events to a centralized SIEM or immutable log store immediately upon generation. Ensure the log forwarder runs as a service that cannot be stopped without triggering an alert.
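Forwarding logs only helps if something on the receiving side notices when the trail is being tampered with or stops arriving. The following is an added example of that detection logic, written for this article rather than taken from VaultPAM or any SIEM product. It runs over a constructed batch of forwarded Windows events in JSON-lines form (the field names, hostnames and timestamps are invented) and raises two kinds of alert: log-clearing or audit-policy events (Security 1102, System 104, Security 4719, which are real Windows event IDs), and hosts that have gone silent or never reported against an inventory you supply.

```python
import json
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

# (channel, event_id) -> what it means. These are the Windows events that
# indicate the audit trail itself was touched.
TAMPER_EVENTS: Dict[Tuple[str, int], str] = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "Event log cleared",
    ("Security", 4719): "System audit policy changed",
}

# A host that forwarded nothing for this long is treated as silent:
# forwarder stopped, network cut, or host down. Tune to your event volume.
MAX_FORWARDER_SILENCE = timedelta(minutes=5)

# Constructed sample of forwarded events, one JSON object per line.
# Not real log data; hostnames and users are invented.
SAMPLE_FORWARDED = """
{"ts": "2024-05-02T10:00:12Z", "host": "SRV-APP01", "channel": "Security", "event_id": 4624, "subject_user": "j.doe"}
{"ts": "2024-05-02T10:00:40Z", "host": "SRV-DB02", "channel": "Security", "event_id": 4624, "subject_user": "svc_backup"}
{"ts": "2024-05-02T10:02:55Z", "host": "SRV-APP01", "channel": "Security", "event_id": 4672, "subject_user": "j.doe"}
{"ts": "2024-05-02T10:03:10Z", "host": "SRV-APP01", "channel": "Security", "event_id": 1102, "subject_user": "j.doe"}
{"ts": "2024-05-02T10:03:11Z", "host": "SRV-APP01", "channel": "System", "event_id": 104, "subject_user": "j.doe"}
"""


def parse_ts(value: str) -> datetime:
    # fromisoformat() on older Pythons rejects a trailing "Z"; normalise it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_forwarded(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_log_tampering(events: Iterable[dict]) -> List[dict]:
    """One alert per event that cleared a log or changed audit policy."""
    alerts = []
    for ev in events:
        desc = TAMPER_EVENTS.get((ev["channel"], ev["event_id"]))
        if desc:
            alerts.append({
                "kind": "log_tamper",
                "host": ev["host"],
                "user": ev.get("subject_user"),
                "event_id": ev["event_id"],
                "detail": desc,
                "ts": ev["ts"],
            })
    return alerts


def detect_forwarder_silence(events: Iterable[dict], now: datetime,
                             expected_hosts: Optional[Set[str]] = None,
                             max_silence: timedelta = MAX_FORWARDER_SILENCE) -> List[dict]:
    """Alert on hosts whose last event is too old, and on inventory hosts never seen."""
    last_seen: Dict[str, datetime] = {}
    for ev in events:
        ts = parse_ts(ev["ts"])
        if ev["host"] not in last_seen or ts > last_seen[ev["host"]]:
            last_seen[ev["host"]] = ts
    alerts = []
    for host, ts in sorted(last_seen.items()):
        if now - ts > max_silence:
            alerts.append({
                "kind": "forwarder_silent",
                "host": host,
                "last_seen": ts.isoformat(),
                "silent_for_s": int((now - ts).total_seconds()),
            })
    # Hosts that exist in inventory but have never forwarded anything would
    # otherwise be invisible to the "last seen" check.
    for host in sorted((expected_hosts or set()) - set(last_seen)):
        alerts.append({"kind": "forwarder_never_reported", "host": host})
    return alerts


def analyze(text: str, now: datetime,
            expected_hosts: Optional[Set[str]] = None) -> List[dict]:
    events = parse_forwarded(text)
    return detect_log_tampering(events) + detect_forwarder_silence(events, now, expected_hosts)


if __name__ == "__main__":
    inventory = {"SRV-APP01", "SRV-DB02", "SRV-FILE03"}   # constructed
    for alert in analyze(SAMPLE_FORWARDED, parse_ts("2024-05-02T10:06:00Z"), inventory):
        print(alert)
```

In the sample, a 1102 and a 104 appear seconds after a 4672 (special privileges assigned) for the same user on SRV-APP01, which is the pattern you want paged on: the clearing event itself survives because it was already shipped off-box. Note that the silence check needs the inventory argument to catch hosts where the forwarder was never installed; relying on "last seen" alone only covers hosts that reported at least once.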
7. Unrotated credentials in shared vaults or spreadsheets
Problem: Production passwords are stored in a shared spreadsheet, a shared password manager with multiple users, or an IT documentation tool — and have not been rotated in months or years.
Risk: Every person who has ever had access to that spreadsheet or password manager is a potential threat. Credentials shared in plaintext are credentials that will eventually leak.
Fix: Move all production credentials to a vault with automatic rotation. Set rotation schedules appropriate to sensitivity (daily for critical production accounts, weekly for others). Configure the vault to rotate credentials after each checkout.
8. No approval workflow for sensitive targets
Problem: Any administrator can access any server at any time without a second person knowing or approving.
Risk: Lateral movement by an insider threat or compromised admin account is unchecked. Accidental changes to critical systems have no second-pair-of-eyes control.
Fix: Implement approval workflows for your five most sensitive production targets. Access requests require documented approval from a second authorized person before the session begins. VaultPAM records the request, the approval, and every action taken during the approved session.
9. Default admin account names (Administrator, admin, root)
Problem: Your servers use the default built-in administrator account names.
Risk: Credential-stuffing attacks target default account names because they are predictable. Every Windows server has an Administrator account; attackers know to try it first.
Fix: Rename the built-in Windows Administrator account on all servers. On Linux, disable direct root SSH login (PermitRootLogin no in /etc/ssh/sshd_config). Create named administrative accounts for legitimate use. Store credentials in a vault.
10. No timeout on idle sessions
Problem: RDP sessions remain active indefinitely when the user steps away from their desk without locking or disconnecting.
Risk: An unattended active session is an open door. Physical tailgating or remote access to the admin's workstation gives full access to every system the admin is connected to.
Fix: Configure session timeout policies — disconnect idle sessions after 15 minutes, log off disconnected sessions after 30 minutes. Enforce at both the client (GPO) and server level. VaultPAM enforces session timeouts at the PAM layer regardless of client configuration.
11. VPN-only access control (no PAM layer)
Problem: Your access control model is: "if you are on the VPN, you can RDP to any server you have credentials for."
Risk: VPN is network-layer access control. It does not restrict which servers a user can reach, does not enforce least privilege, does not record sessions, and does not require MFA per session. A compromised VPN credential gives an attacker access to your entire internal network.
Fix: Add a PAM layer on top of the VPN (or replace VPN-based access entirely). Users authenticate to the PAM solution, which enforces policy-based access to specific targets, requires MFA, and records every session. The target servers are not reachable from the VPN — only from the PAM connector.
12. No access review process
Problem: Privileged access rights are granted but never reviewed. Users accumulate access over time; leavers may retain access for months after departure.
Risk: Privilege creep is a top audit finding and a real security risk. Dormant accounts with privileged access are high-value targets — attackers look for accounts that have not logged in recently (no one is watching).
Fix: Implement a quarterly access review process. Export the complete list of privileged accounts and their access rights. Have a designated reviewer confirm that each access is still required and appropriately scoped. Revoke access that cannot be justified. Document the review with date, reviewer name, and outcome.
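The review described above is mostly a reconciliation job: the privileged-account export on one side, the HR leavers feed and last-logon data on the other, and a dated record of who decided what. Here is an added example of that reconciliation, written for this article and not part of VaultPAM or the original checklist. The CSV export, the leavers feed, the 90-day dormancy threshold and the account names are all constructed; adapt the columns to whatever your directory or vault actually exports.

```python
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Accounts with no privileged logon for this long are flagged as dormant
# (constructed threshold; pick one your policy can defend).
DORMANT_AFTER = timedelta(days=90)

# Constructed export of privileged accounts, as pulled from AD or the vault.
# Columns and values are invented for the example.
PRIVILEGED_EXPORT = """account,owner,targets,last_logon,granted
adm-jdoe,j.doe,"SRV-APP01;SRV-DB02",2024-05-01T09:12:00Z,2023-02-10
adm-asmith,a.smith,"SRV-DB02",2023-11-20T16:40:00Z,2022-08-01
adm-rlee,r.lee,"SRV-APP01;SRV-FILE03",2024-04-28T11:05:00Z,2024-01-15
svc-legacy,unknown,"SRV-FILE03",,2019-03-03
"""

# Constructed HR leavers feed: account owner -> departure date.
LEAVERS: Dict[str, str] = {"a.smith": "2024-02-29"}


def parse_ts(value: str) -> Optional[datetime]:
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_export(text: str) -> List[dict]:
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["targets"] = row["targets"].split(";")
        row["last_logon"] = parse_ts(row["last_logon"])
    return rows


def review_account(acct: dict, leavers: Dict[str, str], now: datetime) -> List[str]:
    """Reasons this access cannot be justified as-is (empty list means nothing automatic was found)."""
    reasons = []
    if acct["owner"] in leavers:
        reasons.append(f"owner left on {leavers[acct['owner']]}")
    if acct["owner"] == "unknown":
        reasons.append("no accountable owner")
    if acct["last_logon"] is None:
        reasons.append("never logged on")
    elif now - acct["last_logon"] > DORMANT_AFTER:
        reasons.append(f"dormant for {(now - acct['last_logon']).days} days")
    return reasons


def run_access_review(export_text: str, leavers: Dict[str, str],
                      now: datetime, reviewer: str) -> dict:
    """Build the review record: date, reviewer, and a per-account outcome.

    Accounts with automatic findings are marked 'revoke_unless_justified';
    the rest are 'confirm', meaning the reviewer still has to attest that the
    access is required and correctly scoped.
    """
    record = {"review_date": now.date().isoformat(), "reviewer": reviewer, "accounts": {}}
    for acct in load_export(export_text):
        reasons = review_account(acct, leavers, now)
        record["accounts"][acct["account"]] = {
            "owner": acct["owner"],
            "targets": acct["targets"],
            "outcome": "revoke_unless_justified" if reasons else "confirm",
            "reasons": reasons,
        }
    return record


def flagged_accounts(record: dict) -> List[str]:
    return sorted(name for name, r in record["accounts"].items()
                  if r["outcome"] == "revoke_unless_justified")


if __name__ == "__main__":
    rec = run_access_review(PRIVILEGED_EXPORT, LEAVERS,
                            parse_ts("2024-05-02T00:00:00Z"), reviewer="security-lead")
    print(f"Review {rec['review_date']} by {rec['reviewer']}")
    for name, r in rec["accounts"].items():
        print(f"  {name:12} {r['outcome']:24} {'; '.join(r['reasons'])}")
```

Two things the sample is built to show: the leaver's account is caught by two independent signals (HR feed and dormancy), so the review does not depend on HR data being complete, and an account with no logon history and no named owner is exactly the dormant, unwatched account the Risk paragraph describes. The "confirm" rows are deliberately not auto-approved; the record is only complete once the reviewer has signed off on each one.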
Where to Start
If you are preparing for a pentest, prioritize items 1, 2, and 3 first — they are the most likely initial-access findings and the highest risk. Items 4, 5, and 6 are the most likely post-exploitation findings. Items 7–12 are the most common compliance audit findings.
All 12 items are addressed by deploying a PAM solution. The pentest findings list does not get shorter over time without one — it gets longer as your environment grows.
VaultPAM addresses all 12 of these findings in a single afternoon deployment. No agents to install. No firewall changes needed. Sessions are brokered through outbound-only connectors; port 3389 stays closed.
Start Free Trial — see how VaultPAM eliminates the top RDP pentest findings from your environment.