Connection to aad.cs.dds.microsoft.com from local port 3389

Stef Collart 0 Reputation points
2024-03-06T12:44:32.27+00:00

Hello,

While looking for inbound RDP connections coming from external devices, I noticed one log entry that is described in the table below.

I can find a lot of information about a connection made to/from cs.dds.microsoft.com (without aad in front) during the Windows Autopilot Deployment.

Either the Microsoft domain makes a connection to the device on the default RDP port (3389). If so, why?

OR

The device makes a connection to the Microsoft domain with the default RDP port (3389) as local port. The reason why I think this is because the device timeline events seem to indicate that the connection initiation is done by the device and not the remote domain. However, when a device makes a TCP/IP connection, it should use a random high port (Microsoft documentation). Older OSes don't use a high port, but this device is W10, so that doesn't apply.

Advanced Hunting table: DeviceNetworkEvents

| Column name | Value |
|---|---|
| ActionType | ConnectionSuccess |
| RemoteIP | 20.82.217.86 |
| RemotePort | 443 |
| RemoteURL | aad.cs.dds.microsoft.com |
| LocalIP | 10.x.x.x |
| LocalPort | 3389 |

Can anybody provide an explanation on why this connection happens? Why is it using port 3389?

My colleagues and I cannot figure out what exactly causes this.

Best regards,

Stef

Microsoft Security | Windows Autopilot
Windows for business | Windows Client for IT Pros | User experience | Remote desktop services and terminal services

1 answer

  1. Wesley Li 11,290 Reputation points
    2024-03-08T00:59:56.2433333+00:00

    Hello

    Based on the information you provided, we can see that the local device appears to have initiated a connection from port 3389 to the Azure AD server (via HTTPS port 443). This substandard network behavior may be due to a specific configuration or software behavior.

    To investigate this further, consider the following steps:

    Confirm device status: Check whether the device is running the RDP service and whether a connection should be initiated from this port.

    Check software configuration: See if any software or services on your device are configured to use port 3389 for outbound connections.

    View network traffic: Use network monitoring tools to observe network traffic on the device to see if there are other unusual connections or behaviors.

    Check for security events: Check the security log or event viewer to see if there are any security warnings or errors related to this connection.

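An added example, not part of the original question or answer: a KQL query that separates accepted inbound RDP connections from rows where 3389 is only the local port of a connection recorded as initiated by the device, the kind of row shown in the question. The sample rows, device names and process names are constructed; the query assumes `InboundConnectionAccepted` is the ActionType recorded for accepted inbound connections, and in Advanced Hunting `Events` would be replaced by `DeviceNetworkEvents`.

```kql
// Added example, not from the original thread.
// Constructed sample rows; in Advanced Hunting, query DeviceNetworkEvents instead of Events.
let Events = datatable(Timestamp:datetime, DeviceName:string, ActionType:string,
                       LocalIP:string, LocalPort:int, RemoteIP:string, RemotePort:int,
                       RemoteUrl:string, InitiatingProcessFileName:string)
[
    // Shaped like the row in the question: remote port 443, local port 3389.
    datetime(2024-03-06 09:15:00), "pc-01", "ConnectionSuccess", "10.0.0.5", 3389,
        "20.82.217.86", 443, "aad.cs.dds.microsoft.com", "example-client.exe",
    // Accepted inbound connection from a public (documentation-range) address.
    datetime(2024-03-06 10:02:00), "pc-01", "InboundConnectionAccepted", "10.0.0.5", 3389,
        "203.0.113.7", 51544, "", "example-service.exe",
    // Accepted inbound connection from an internal address.
    datetime(2024-03-06 11:30:00), "pc-02", "InboundConnectionAccepted", "10.0.0.6", 3389,
        "10.0.0.20", 50211, "", "example-service.exe"
];
Events
| where LocalPort == 3389
| extend RemoteIsPrivate = ipv4_is_private(RemoteIP)
// Assumption: ActionType tells the direction; LocalPort alone does not.
| extend Triage = case(
    ActionType == "InboundConnectionAccepted" and not(RemoteIsPrivate),
        "inbound RDP from external address",
    ActionType == "InboundConnectionAccepted",
        "inbound RDP from internal address",
    ActionType in ("ConnectionSuccess", "ConnectionFailed", "ConnectionRequest"),
        "device-initiated connection with 3389 as local port",
    "other")
// InitiatingProcessFileName shows which process owns the socket on the device.
| project Timestamp, DeviceName, ActionType, Triage, RemoteIP, RemotePort,
          RemoteUrl, InitiatingProcessFileName
| order by Timestamp asc
```

Filtering on `Triage == "inbound RDP from external address"` keeps the hunt on accepted inbound connections, while the device-initiated rows can be reviewed separately by initiating process.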
