Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

SMB, RDP, WinRM, and RPC: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: 71% of enterprise risk flows through SMB, RDP, WinRM, and RPC, according to Zero Networks’ analysis of 3.4 million threat activities, while CrowdStrike says malware-free attacks account for 82% of cyber incidents. The control problem is no longer visibility alone. It is shrinking the number of trusted internal paths attackers can reuse.

NHIMG editorial — based on content published by Zero Networks: The 4 Protocols Driving Enterprise Risk in 2026: Managing SMB, RDP, WinRM, & RPC Traffic

By the numbers:

Questions worth separating out

Q: How should security teams reduce lateral movement through admin protocols?

A: Security teams should reduce lateral movement by removing broad internal reach, then binding admin protocols to approved identities, devices, and target systems.

Q: Why do RDP, SMB, WinRM, and RPC create so much enterprise risk?

A: They create risk because they are legitimate administrative pathways that already carry trust inside the environment.

Q: What breaks when internal network trust is too broad?

A: When internal trust is too broad, a compromise stops being local and becomes systemic.

Practitioner guidance

  • Inventory privileged protocol paths Map every SMB, RDP, WinRM, and RPC path that exists between production assets, then remove relationships that are not tied to a documented operational dependency.
  • Restrict administrative traffic by identity and context Require explicit approval rules for who can initiate RDP and WinRM sessions, from which managed devices, and to which approved targets.
  • Apply just-in-time verification to privileged protocols Treat admin protocol access like elevated privilege and require step-up verification before the session begins.

What's in the full article

Zero Networks' full article covers the operational detail this post intentionally leaves for the source:

  • Protocol-by-protocol containment patterns for SMB, RDP, WinRM, and RPC in Windows estates
  • Network-layer MFA mechanics for privileged ports and how it differs from application MFA
  • RPC Firewall handling and rule design for reducing domain controller attack surface
  • Identity-based microsegmentation implementation examples for east-west traffic

👉 Read Zero Networks' analysis of SMB, RDP, WinRM, and RPC risk →

SMB, RDP, WinRM, and RPC: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Controlling east-west trust has become an identity problem, not just a network problem. The article is really describing a governance failure in how internal trust is assigned to people, systems, and service accounts. When administrative protocols inherit broad reach, stolen credentials become a routing mechanism for attackers. Practitioners should treat protocol access as a governed identity privilege, not a default network convenience.

A question worth separating out:

Q: Who is accountable for controlling privileged protocol exposure?

A: Accountability should sit with the teams that own identity governance, network segmentation, and privileged access design, not with detection alone. Zero trust, PAM, and network policy all intersect here, so ownership needs to be explicit. If privileged protocol exposure is still broad, the governance model has not assigned clear control responsibility.

👉 Read our full editorial: Enterprise risk now concentrates in SMB, RDP, WinRM, and RPC



   
ReplyQuote
Share: