What app id is used for remote access to Windows 2012 Server and Windows 2016 Server?

L1 Bithead

What app id is used for remote access to Windows 2012 Server and Windows 2016 Server?

Hi all,


we've noticed our admin accounts have been locked several times today due to consecutive failed login attempts to our VM-s.

Most likely, these would have gone through the PA firewall.

I wonder what would be the way to filter huge log, other than destination address?

Would the app id be ms-rdp? Or something newer for Windows 2012 Server and Windows 2016 Server?




Cyber Elite


There are many ways to connect to a server. MS-RDP is one if they are trying to remote in, if its just MMC connection, then maybe something like ms-ds-smb, ms-netlogon, active-directory, kerberos, etc.


I would say filter your unified logs with the source and destination IP's and see what apps are being used. Usually weird lockouts are caused by phones or tablets, not sure if you allow those accounts via those devices. Other things I have seen cause this are mapped drives after password changes, scheduled tasks, etc.


Good luck!

L1 Bithead

Hi Otakar,

thanks for the advice,

we took it and it did narrow down our results to something we could analyse easier...

Cyber Elite


Here are the apps I use for my RDP policies:




Hope that helps.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!