
If you're trying to stop lateral movement by putting MFA in front of RDP, you're locking one door while leaving the windows wide open.

I've spent more than 1,000 hours pentesting in 2025 alone, across 150+ orgs over the last five years. And one thing I have noticed is there’s a misconception that MFA on RDP alone is enough. But attackers don't need RDP when WinRM, SMB, WMI, PSRemoting, scheduled tasks, services, and admin shares still give them paths to move laterally.

So today, I’m going to put my pentester hat on and talk through the lateral movement protocols that matter, how they get abused, and the practical restrictions that actually mitigate lateral movement.

Ethical Threat Insight: MFA on Servers is Security Theatre

The missing piece in securing access to servers is the various other Windows protocols, such as WinRM and SMB, among others.

The reason I call MFA on RDP alone security theatre is that none of these other protocols support MFA out of the box on Windows.

You can put MFA around these, but it requires third-party tools. Silverfort is one that comes to mind. (I’m not sponsored by them, I just think they have a cool product.)

So, how are these other protocols used for remote access?

If you have a valid account you can access resources on a remote host, even without RDP.

One example is accessing the C drive of a remote host over SMB. You can do this by navigating to it in Explorer using this syntax:

\\host\C$

side note: am I the only one who calls the double back slash “wack-wack?” Haha!

Now, this does require local admin on the remote host. But that’s not a very high bar.

There’s ZERO MFA out of the box here.
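Since the admin shares can’t be put behind MFA, the defensive move is to watch who is using them. The script below is an added example, not part of this newsletter: it pulls Security event 5140 (“A network share object was accessed”), keeps only hits on C$-style drive shares and ADMIN$, and drops connections that come from the admin subnet. The 192.168.8.0/24 admin subnet is the example value used later in this email, the “File Share” audit subcategory is assumed to be enabled on the host, and the sample event at the bottom is constructed so the parser can be exercised without a live log.

```powershell
# Added example (not from the newsletter): surface C$/ADMIN$ share access that did not come
# from the admin subnet, using Security event 5140.
# Assumption: the "File Share" audit subcategory is enabled, e.g. run once as admin:
#   auditpol /set /subcategory:"File Share" /success:enable
# The subnet below is the newsletter's example admin subnet, not a value from any real environment.
$AdminSubnetPattern = '^192\.168\.8\.'

function Convert-EventData {
    # Flatten the <EventData><Data Name="..."> elements of an event into a hashtable
    param([xml]$EventXml)
    $fields = @{}
    foreach ($node in $EventXml.Event.EventData.Data) { $fields[$node.Name] = $node.'#text' }
    return $fields
}

function Find-AdminShareAccess {
    param([System.Xml.XmlDocument[]]$EventXmlDocs)
    foreach ($doc in $EventXmlDocs) {
        $f = Convert-EventData $doc
        # Admin shares are logged as \\*\C$ (any drive letter) or \\*\ADMIN$
        if ($f.ShareName -notmatch '^\\\\\*\\([A-Z]|ADMIN)\$$') { continue }
        # Expected admin traffic: skip anything sourced from the admin subnet
        if ($f.IpAddress -match $AdminSubnetPattern) { continue }
        [pscustomobject]@{
            Time    = $doc.Event.System.TimeCreated.SystemTime
            Source  = $f.IpAddress
            Account = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
            Share   = $f.ShareName
        }
    }
}

# Live use: the last 24 hours of 5140 events on this host
$live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object { [xml]$_.ToXml() }
Find-AdminShareAccess $live | Sort-Object Source, Account | Format-Table -AutoSize

# Constructed sample record (not a real log entry) to show what a hit looks like:
# a domain account touching C$ from a host on the server subnet rather than the admin subnet
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5140</EventID><TimeCreated SystemTime="2025-01-01T10:00:00Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="IpAddress">192.168.5.77</Data>
    <Data Name="ShareName">\\*\C$</Data>
  </EventData>
</Event>
'@
Find-AdminShareAccess $sample
```

Run it on the servers themselves or point the same parser at events forwarded to your SIEM. A burst of C$ or ADMIN$ hits from a workstation subnet, especially under a single account across many hosts, is the pattern worth paging on.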

For WinRM, the most popular use case is PSRemoting. You can access a remote host using PowerShell and PSRemoting like this:

New-PSSession host

The above creates a session, then you connect to it like this:

Enter-PSSession 1

1 is the session ID; it may be different for you if you try this.

There’s also ZERO MFA here out of the box.

With both of the above examples you now have remote access to the resources on the remote host. And all you needed was credentials and local admin on the remote host.

This is a remote access and lateral movement technique that I use often during internal pentests. Guess what…threat actors use this too.

So the point I’m making here is that MFA on RDP alone is good, but it doesn’t cover the entire attack surface.

Lastly, a good rule of thumb to remember is, if you don’t need it, disable it.

PSRemoting is enabled by default on servers, so if you don’t need it, turn it off. If you do need it, restrict it with firewall rules. Unsure how to do that? Try this:

Hey ChatGPT, make me a windows firewall rule to restrict PSRemoting/WinRM. I want to be able to use PSRemoting to access my servers on 192.168.5.0/24 from my admin subnet 192.168.8.0/24 only.

Bonus points if you create GPOs to manage these firewall rules across your environment.
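Here is what that restriction looks like when done by hand, as an added example that is not part of this newsletter. It uses the same subnets as the prompt above (admin subnet 192.168.8.0/24), disables the broad built-in “Windows Remote Management” inbound rules, replaces them with a single rule scoped to the admin subnet, and shows the disable-it-entirely option for servers that don’t need PSRemoting at all. Run it as an administrator on the server.

```powershell
# Added example (not the newsletter's own code): scope WinRM/PSRemoting on a server to the admin subnet.
# Subnet value is the newsletter's example; replace with your own.
$AdminSubnet = '192.168.8.0/24'

# Option 1: the server does not need PSRemoting. Remove the session configurations and stop the listener.
# Disable-PSRemoting -Force
# Stop-Service WinRM
# Set-Service WinRM -StartupType Disabled

# Option 2: keep PSRemoting, but only from the admin subnet.
# Make sure the default inbound action is Block, so only explicit allow rules let traffic in.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# The built-in rules allow WinRM from any address on the Domain/Private profiles; turn them off.
Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management'

# One allow rule for WinRM HTTP (5985) and HTTPS (5986), restricted to the admin subnet.
New-NetFirewallRule -DisplayName 'WinRM - admin subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 5985, 5986 `
    -RemoteAddress $AdminSubnet -Action Allow -Profile Domain

# Verify: the rule should show RemoteAddress = 192.168.8.0/24 and the built-ins should be disabled.
Get-NetFirewallRule -DisplayName 'WinRM - admin subnet only' | Get-NetFirewallAddressFilter
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' | Select-Object DisplayName, Enabled
```

To confirm from the network side, `Test-NetConnection -ComputerName <server> -Port 5985` should succeed from a host in 192.168.8.0/24 and fail from anywhere else. The same rule can be pushed through Group Policy under Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security, which is the “bonus points” route above.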

Fortunately PSRemoting is disabled by default on Workstations. But it would be a good idea to check to make sure it’s disabled.
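One way to do that check across a fleet, as an added example that is not part of this newsletter: from an admin host, ask each workstation whether anything answers WS-Man, and separately read the WinRM service state over DCOM so the check does not depend on WinRM itself. The hostnames are constructed placeholders.

```powershell
# Added example (not from the newsletter): survey workstations for a reachable WinRM listener.
# Hostnames are constructed placeholders; replace with your own list or an AD query.
$Workstations = @('WS-FINANCE-01', 'WS-HR-02', 'WS-DEV-03')

# DCOM-based CIM session option so the service check does not itself rely on WinRM
$DcomOption = New-CimSessionOption -Protocol Dcom

$Report = foreach ($Computer in $Workstations) {
    # 1. Does the host answer WS-Man? Test-WSMan throws if nothing listens or the firewall drops it.
    $Listening = $false
    try {
        $null = Test-WSMan -ComputerName $Computer -ErrorAction Stop
        $Listening = $true
    } catch {
        $Listening = $false
    }

    # 2. What does the WinRM service itself look like? (RPC/DCOM path, independent of WinRM)
    $State = 'unknown'; $StartMode = 'unknown'
    try {
        $Session = New-CimSession -ComputerName $Computer -SessionOption $DcomOption -ErrorAction Stop
        $Svc = Get-CimInstance -CimSession $Session -ClassName Win32_Service -Filter "Name='WinRM'"
        $State = $Svc.State; $StartMode = $Svc.StartMode
        Remove-CimSession $Session
    } catch {
        # host offline or RPC blocked; leave the fields as 'unknown'
    }

    $Finding = if ($Listening) {
        'REVIEW: WinRM listener reachable on a workstation'
    } elseif ($State -eq 'Running') {
        'INFO: service running but not reachable (firewall scoped?)'
    } else {
        'OK'
    }

    [pscustomobject]@{
        ComputerName     = $Computer
        WinRMReachable   = $Listening
        ServiceState     = $State
        ServiceStartMode = $StartMode
        Finding          = $Finding
    }
}

$Report | Format-Table -AutoSize
```

Anything flagged REVIEW is a workstation that would accept a PSRemoting session from whoever holds local admin credentials, which is exactly the hop described above.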

One of the best ways to protect your environment is to have a hands on keyboard threat actor try to tear it apart. This is what I do week in and week out, ethically of course.

If you’re curious how I can help you harden your environment, to prevent cyber attacks, fill out the form on this page (or reply to this email) and I’ll get in touch with you.

All the best
Spencer Alessi

PS - I’m giving a talk (mini workshop) at ContinuumCon in June! The title for my session is: Killing Active Directory Attack Paths Once and For All

Mark your calendars!
