By NHI Mgmt Group Editorial TeamPublished 2026-03-05Domain: Cyber SecuritySource: Zero Networks

TL;DR: 71% of enterprise risk flows through SMB, RDP, WinRM, and RPC, according to Zero Networks’ analysis of 3.4 million threat activities, while CrowdStrike says malware-free attacks account for 82% of cyber incidents. The control problem is no longer visibility alone. It is shrinking the number of trusted internal paths attackers can reuse.


At a glance

What this is: The article argues that four common Windows protocols carry most enterprise risk because attackers abuse legitimate internal pathways, not just malware.

Why it matters: For IAM and security teams, this reframes containment as an identity and access problem as much as a network one, because privileged traffic and valid credentials can quietly expand blast radius.

By the numbers:

👉 Read Zero Networks' analysis of SMB, RDP, WinRM, and RPC risk


Context

Enterprise risk in this article is not about exotic exploits. It is about how ordinary management protocols become attack highways when internal trust is too broad and credentials are too reusable. That matters to identity security because valid access, not just malicious code, is what lets attackers move.

The primary governance gap is over-permissioned east-west access combined with weak protocol-level segmentation. In practice, that means identities, devices, and administrative tools can reach far more internal assets than their operational role requires, which turns compromise into fast lateral movement rather than a contained event.


Key questions

Q: How should security teams reduce lateral movement through admin protocols?

A: Security teams should reduce lateral movement by removing broad internal reach, then binding admin protocols to approved identities, devices, and target systems. The goal is not to block operations but to ensure that valid credentials cannot be reused as an all-access pass across the estate. Containment has to happen before the session starts, not after an alert fires.

Q: Why do RDP, SMB, WinRM, and RPC create so much enterprise risk?

A: They create risk because they are legitimate administrative pathways that already carry trust inside the environment. Attackers do not need to break the protocol to abuse it. They only need valid access, broad exposure, or weak segmentation, which lets them move laterally, stage payloads, or reach higher-value systems with minimal noise.

Q: What breaks when internal network trust is too broad?

A: When internal trust is too broad, a compromise stops being local and becomes systemic. One stolen credential or one exposed host can open paths to many others, which turns segmentation gaps into blast-radius problems. In practice, static firewall rules and broad subnet permissions fail because they cannot distinguish routine admin use from attacker reuse.

Q: Who is accountable for controlling privileged protocol exposure?

A: Accountability should sit with the teams that own identity governance, network segmentation, and privileged access design, not with detection alone. Zero trust, PAM, and network policy all intersect here, so ownership needs to be explicit. If privileged protocol exposure is still broad, the governance model has not assigned clear control responsibility.


Technical breakdown

Why SMB becomes a lateral movement path

SMB is built for file sharing, printer access, and system-to-system communication, so it is trusted by default in many Windows environments. That trust is exactly why attackers like it. When SMB is broadly reachable, credential reuse and remote service creation let an intruder stage payloads, move laterally, and propagate ransomware without needing exotic tooling. The technical issue is not SMB itself. It is that SMB often inherits implicit trust from flat internal network design and broad permissions, so any compromised account with access can become a bridge to deeper compromise.

Practical implication: constrain SMB to specific system relationships instead of broad network segments.

RDP and WinRM as identity-powered admin channels

RDP and WinRM are legitimate administration mechanisms, but they also function as high-value identity paths. RDP exposes interactive remote login, while WinRM enables PowerShell remoting and automation. If an attacker gets a valid credential, brute-forces an exposed service, or steals a service account, these channels can be used to blend into normal admin behaviour. That is why detection alone struggles here. The protocol is not malicious, and the session often looks like authorized work unless access is limited by identity, context, and just-in-time approval.

Practical implication: bind administrative protocol access to explicit identity and context checks before the session starts.

RPC complexity creates hidden exposure

RPC underpins core Microsoft services, including authentication and Active Directory replication, but it uses dynamic port ranges and many callable functions. That flexibility is operationally useful and security-unfriendly. Many organisations respond by allowing broad RPC traffic so systems do not break, yet that creates implicit trust across a large surface area. Once an attacker has stolen credentials or found a vulnerability, any reachable Windows host can become an entry point into RPC-enabled functions. The problem is not only exposure. It is uncontrolled authorization across a protocol that is too broad to govern with coarse firewall rules alone.

Practical implication: reduce RPC exposure with application-aware allowlists and identity-scoped policy rather than open internal trust.


Threat narrative

Attacker objective: The attacker’s objective is to turn legitimate administrative pathways into a fast, low-noise route for lateral movement, privilege expansion, and ransomware or data theft.

  1. Entry begins when attackers use exposed management protocols such as RDP or broad SMB reachability to authenticate with stolen or brute-forced credentials.
  2. Escalation happens when valid access is reused through WinRM, SMB, or RPC to expand privileges and move from one host to many.
  3. Impact follows when the attacker reaches domain controllers, stages payloads, or spreads ransomware through trusted internal paths that were left open for operations.

NHI Mgmt Group analysis

Controlling east-west trust has become an identity problem, not just a network problem. The article is really describing a governance failure in how internal trust is assigned to people, systems, and service accounts. When administrative protocols inherit broad reach, stolen credentials become a routing mechanism for attackers. Practitioners should treat protocol access as a governed identity privilege, not a default network convenience.

Protocol-level containment is the right response to malware-free intrusion paths. Malware-free attacks succeed because the attacker uses legitimate tooling and valid sessions, which makes signature-led detection too late. The control gap is not alerting volume. It is that internal pathways remain open long after the business need for that breadth has passed. Teams should re-evaluate where they still rely on implicit trust inside the perimeter.

Standing administrative reach is the real blast-radius multiplier. SMB, RDP, WinRM, and RPC only become high-risk when access persists beyond the task that justified it. That is where zero standing privilege thinking matters even outside classic PAM use cases. The practitioner conclusion is simple: if a protocol can reach everything, it should reach almost nothing by default.

Granular containment is now a resilience requirement for hybrid enterprise estates. The article’s evidence fits a broader pattern in which static firewall rules and broad subnet permissions cannot keep pace with dynamic identity usage. Identity-aligned containment: this is the model in which access to privileged protocols is tied to approved assets, approved logon types, and approved time windows. Practitioners should align network control with identity governance.

Zero Trust only works when internal management protocols are also verified continuously. The article reinforces a common gap in Zero Trust programmes: authentication is tightened at the edge while internal admin traffic stays permissive. That leaves east-west traffic as the soft centre of the environment. The field should treat admin protocol governance as a core ZTA control rather than an afterthought.

What this signals

Standing internal reach is becoming the next governance blind spot. As organisations modernise identity controls at the edge, east-west management traffic often remains under-governed. That is where attackers quietly reuse valid access, especially when service accounts and admin tools are allowed to move too freely across hybrid environments.

The programme signal for identity teams is clear: protocol governance now belongs alongside privilege governance. If you cannot prove which identities may initiate RDP, WinRM, SMB, or RPC sessions, then the environment still contains hidden pathways that can multiply the impact of a single compromised account.

The operational concept to sharpen here is protocol blast radius. It is the distance a valid credential can travel before policy stops it, and it is a more useful metric than alert counts when measuring containment maturity.


For practitioners

  • Inventory privileged protocol paths Map every SMB, RDP, WinRM, and RPC path that exists between production assets, then remove relationships that are not tied to a documented operational dependency. Prioritise paths that currently span broad subnets or shared admin zones.
  • Restrict administrative traffic by identity and context Require explicit approval rules for who can initiate RDP and WinRM sessions, from which managed devices, and to which approved targets. Use identity-based policy rather than network locality alone to decide whether a session is allowed.
  • Apply just-in-time verification to privileged protocols Treat admin protocol access like elevated privilege and require step-up verification before the session begins. This reduces the value of stolen credentials and limits how far a compromised account can move before access is challenged.
  • Constrain RPC with application-aware allowlists Do not rely on blanket internal RPC allowance. Use rules that permit only the specific RPC operations and host relationships needed for business function, especially around domain controllers and replication services.
  • Measure blast radius, not only detections Test how many internal systems a single compromised host can reach and use that number as a governance metric. If the first hop still exposes most of the estate, the control model is still too permissive.

Key takeaways

  • The core risk is not the protocols themselves but the broad internal trust that lets attackers reuse legitimate management pathways.
  • The article’s own data suggests that four protocols account for most enterprise risk, which makes containment architecture a governance issue, not just a detection issue.
  • Teams that want to shrink blast radius should govern admin protocol access by identity, context, and approved target relationships.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , ImpactThe article focuses on credential reuse, lateral movement, and blast-radius expansion.
NIST CSF 2.0PR.AC-4Broad internal trust and excessive access are access-control failures.
NIST SP 800-53 Rev 5AC-6Least privilege is the central control issue behind broad protocol exposure.
CIS Controls v8CIS-5 , Account ManagementThe article’s risk path depends on mismanaged credentials and over-broad accounts.
NIST Zero Trust (SP 800-207)The article advocates continuous verification of internal admin access.

Map exposed admin protocols to ATT&CK and prioritise controls that block credential reuse and east-west movement.


Key terms

  • East-West Traffic: Traffic that moves between internal systems rather than into or out of the network. In practice, this is where many attacker movements hide because the connections look like normal administrative or application communication unless policy, identity, and segmentation are tightly enforced.
  • Protocol Blast Radius: The amount of internal environment an attacker can reach by abusing a single protocol pathway or compromised account. It is a useful governance measure because it shows how far valid access can travel before controls stop it, rather than how many alerts a tool generates.
  • Network-Layer MFA: A control that requires additional verification before a privileged protocol session is established, rather than only after an application login. It is used to stop stolen credentials from becoming immediate access to RDP, SSH, or similar administrative channels.
  • Identity-Based Microsegmentation: A segmentation approach that uses identity, asset, and session context to decide which systems may communicate. It is more precise than flat subnet rules because it reduces lateral movement while preserving only the relationships the business actually needs.

What's in the full article

Zero Networks' full article covers the operational detail this post intentionally leaves for the source:

  • Protocol-by-protocol containment patterns for SMB, RDP, WinRM, and RPC in Windows estates
  • Network-layer MFA mechanics for privileged ports and how it differs from application MFA
  • RPC Firewall handling and rule design for reducing domain controller attack surface
  • Identity-based microsegmentation implementation examples for east-west traffic

👉 Zero Networks' full article covers protocol containment, network-layer MFA, and RPC hardening details

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and identity lifecycle control. It gives security practitioners a practical base for governing privileged access and reducing standing exposure across programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org