Subscribe to the Non-Human & AI Identity Journal

Why do RDP, SMB, WinRM, and RPC create so much enterprise risk?

They create risk because they are legitimate administrative pathways that already carry trust inside the environment. Attackers do not need to break the protocol to abuse it. They only need valid access, broad exposure, or weak segmentation, which lets them move laterally, stage payloads, or reach higher-value systems with minimal noise.

Why This Matters for Security Teams

RDP, SMB, WinRM, and RPC are risky because they sit inside the trust fabric of Windows administration. That makes them attractive for legitimate operations and for attackers who already have a foothold. Once exposed too widely, these services can turn a single valid login into lateral movement, remote execution, data access, or privilege escalation without triggering obvious exploit signatures. NIST’s NIST Cybersecurity Framework 2.0 frames this as a governance and exposure problem, not just a protocol problem.

The same pattern shows up in identity-heavy environments where service accounts, secrets, and administrative pathways are treated as routine plumbing. NHIMG research on the Ultimate Guide to NHIs shows how often non-human identities are overprivileged, poorly inventoried, and difficult to revoke. That matters here because remote admin protocols often depend on those identities to function. If segmentation is weak and credentials are long-lived, the protocols become high-trust conduits rather than controlled administration paths. In practice, many security teams discover this only after an attacker has already used one valid account to pivot across multiple systems, rather than through intentional testing of the admin plane.

How It Works in Practice

These protocols are powerful because they are designed to do real work at machine speed. RDP enables interactive remote sessions, SMB supports file and administrative shares, WinRM exposes PowerShell remoting, and RPC underpins many Windows management functions. None of them need to be “broken” for abuse. Attackers typically look for valid credentials, exposed listeners, weak network segmentation, or service accounts that can authenticate broadly. Once inside, the same pathways used by administrators can be used to enumerate hosts, stage payloads, move laterally, or execute commands across a fleet.

Operational risk increases when these services are reachable from user networks, branch offices, VPN pools, or cloud-connected segments that are not tightly controlled. Current guidance suggests treating remote admin traffic as a privileged path that should be explicitly allowed, logged, and constrained. That includes:

  • Restricting RDP, SMB, WinRM, and RPC to management subnets or hardened jump hosts.
  • Requiring strong authentication and device posture checks before admin access is granted.
  • Separating human admin access from service-to-service use where possible.
  • Rotating and scoping the credentials that can use these channels, especially service accounts.
  • Correlating session activity in SIEM with identity and endpoint telemetry.

This is where NHIs become central rather than peripheral. The Top 10 NHI Issues research highlights how excessive privilege and poor visibility amplify blast radius, which maps directly to administrative protocols that trust the caller more than the network path. For protocol-specific abuse patterns, MITRE ATT&CK is especially useful for mapping lateral movement and remote execution behaviors, while OWASP guidance helps teams validate secure defaults and hardening assumptions. These controls tend to break down when legacy Windows estates mix flat networking, shared admin credentials, and exception-heavy firewall rules because the protocols are then reachable from too many trusted zones.

Common Variations and Edge Cases

Tighter remote administration often increases operational overhead, requiring organisations to balance manageability against attack surface reduction. That tradeoff is especially visible in hybrid estates, OT-adjacent environments, and legacy domains where some services still depend on SMB or RPC for business-critical workflows. Best practice is evolving, and there is no universal standard for eliminating these protocols entirely. The practical aim is to reduce where they can be used, who can use them, and what each session can reach.

Some environments need exceptions for patching, monitoring, backup tooling, or break-glass support. Those cases should be treated as controlled exceptions, not as evidence that broad access is acceptable. Where agents or automation use WinRM or SMB, the identity behind the automation should be treated as an NHI with least privilege, short-lived credentials where possible, and clear ownership. That intersection matters because administrative protocols often expose the hidden dependencies of automation faster than they expose human misuse.

For governance and threat modeling, NIST CSF 2.0 supports the control objective, while MITRE-style adversary mapping helps teams distinguish normal admin use from malicious lateral movement. In higher-risk programs, the Ultimate Guide to NHIs is a useful reference for aligning secret hygiene, rotation, and service-account governance with remote access controls. The guidance breaks down when environments rely on broad, shared admin privileges across hundreds of hosts, because then every legitimate maintenance action looks operationally similar to attacker movement.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-4 Remote admin access must be restricted to authorized users and paths.
MITRE ATT&CK T1021 These protocols are common remote services abused for lateral movement.
OWASP Non-Human Identity Top 10 NHI-3 Service accounts and automation identities often power these admin channels.
NIST AI RMF If automation or agents use remote admin paths, governance must bound their authority.
NIST Zero Trust (SP 800-207) AC-4 Zero Trust is directly relevant to segmenting high-trust administrative traffic.

Establish ownership, scope, and oversight for any agentic system using admin protocols.