Share via

Connection to aad.cs.dds.microsoft.com from local port 3389

Stef Collart 0 Reputation points
2024-03-06T12:44:32.27+00:00

Hello,

While looking for inbound RDP connections coming from external devices, I noticed one log entry that has is described in the table below.

I can find a lot of information about a connection made to/from cs.dds.microsoft.com (without aad in front) during the Windows Autopilot Deployment.

Either the Microsoft domain makes a connection to the device on the default RDP port (3389). If so, why?

OR

The device makes a connection to the Microsoft domain with the default RDP port (3389) as local port. The reason why I think this is because the device timeline events seem to indicate that the connection initiation is done by the device and not the remote domain. However, when a device makes a TCP/IP connection, it should use a random high port (Microsoft documentation). Older OS's don't use a high port but this device is W10 so that doesn't apply.

Advanced Hunting table: DeviceNetworkEvents

Column name Value
ActionType ConnectionSuccess
RemoteIP 20.82.217.86
RemotePort 443
RemoteURL aad.cs.dds.microsoft.com
LocalIP 10.x.x.x
LocalPort 3389

Can anybody provide an explanation on why this connection happens? Why is it using port 3389?

Me & my colleagues can not figure it out what exactly causes this.

Best regards,

Stef

Windows Autopilot
Windows Autopilot
A collection of Microsoft technologies used to set up and pre-configure new devices and to reset, repurpose, and recover devices.
422 questions
Remote Desktop
Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
4,321 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Wesley Li 5,555 Reputation points
    2024-03-08T00:59:56.2433333+00:00

    Hello

    Based on the information you provided, we can see that the local device appears to have initiated a connection from port 3389 to the Azure AD server (via HTTPS port 443). This substandard network behavior may be due to a specific configuration or software behavior.

    To investigate this further, consider the following steps:

    Confirm device status: Check whether the device is running the RDP service and whether a connection should be initiated from this port.

    Check software configuration: See if any software or services on your device are configured to use port 3389 for outbound connections.

    View network traffic: Use network monitoring tools to observe network traffic on the device to see if there are other unusual connections or behaviors.

    Check for security events: Check the security log or event viewer to see if there are any security warnings or errors related to this connection.

    0 comments