TL;DR: 71% of enterprise risk flows through SMB, RDP, WinRM, and RPC, according to Zero Networks’ analysis of 3.4 million threat activities, while CrowdStrike says malware-free attacks account for 82% of cyber incidents. The control problem is no longer visibility alone. It is shrinking the number of trusted internal paths attackers can reuse.
NHIMG editorial — based on content published by Zero Networks: The 4 Protocols Driving Enterprise Risk in 2026: Managing SMB, RDP, WinRM, & RPC Traffic
By the numbers:
- 71% of enterprise risk flows through just four enterprise protocols: SMB, RDP, WinRM, and RPC.
- 82% of cyber incidents are malware-free attacks.
- 99% of cloud users, roles and services hold excessive permissions, often unused for 60 days or more.
Questions worth separating out
Q: How should security teams reduce lateral movement through admin protocols?
A: Security teams should reduce lateral movement by removing broad internal reach, then binding admin protocols to approved identities, devices, and target systems.
Q: Why do RDP, SMB, WinRM, and RPC create so much enterprise risk?
A: They create risk because they are legitimate administrative pathways that already carry trust inside the environment.
Q: What breaks when internal network trust is too broad?
A: When internal trust is too broad, a compromise stops being local and becomes systemic.
Practitioner guidance
- Inventory privileged protocol paths Map every SMB, RDP, WinRM, and RPC path that exists between production assets, then remove relationships that are not tied to a documented operational dependency.
- Restrict administrative traffic by identity and context Require explicit approval rules for who can initiate RDP and WinRM sessions, from which managed devices, and to which approved targets.
- Apply just-in-time verification to privileged protocols Treat admin protocol access like elevated privilege and require step-up verification before the session begins.
What's in the full article
Zero Networks' full article covers the operational detail this post intentionally leaves for the source:
- Protocol-by-protocol containment patterns for SMB, RDP, WinRM, and RPC in Windows estates
- Network-layer MFA mechanics for privileged ports and how it differs from application MFA
- RPC Firewall handling and rule design for reducing domain controller attack surface
- Identity-based microsegmentation implementation examples for east-west traffic
👉 Read Zero Networks' analysis of SMB, RDP, WinRM, and RPC risk →
SMB, RDP, WinRM, and RPC: are your controls keeping up?
Explore further
Controlling east-west trust has become an identity problem, not just a network problem. The article is really describing a governance failure in how internal trust is assigned to people, systems, and service accounts. When administrative protocols inherit broad reach, stolen credentials become a routing mechanism for attackers. Practitioners should treat protocol access as a governed identity privilege, not a default network convenience.
A question worth separating out:
Q: Who is accountable for controlling privileged protocol exposure?
A: Accountability should sit with the teams that own identity governance, network segmentation, and privileged access design, not with detection alone. Zero trust, PAM, and network policy all intersect here, so ownership needs to be explicit. If privileged protocol exposure is still broad, the governance model has not assigned clear control responsibility.
👉 Read our full editorial: Enterprise risk now concentrates in SMB, RDP, WinRM, and RPC