
The 4 Protocols Driving Enterprise Risk in 2026: Managing SMB, RDP, WinRM, & RPC Traffic

Published March 05, 2026

Malware-free attacks make up 82% of cyber incidents, according to CrowdStrike’s latest Global Threat Report. Threat actors aren’t relying on sophisticated tactics or novel techniques – they’re exploiting the normal, legitimate pathways that already exist in modern networks.  

In fact, Zero Networks’ analysis of 3.4 million threat activities uncovered that 71% of enterprise risk flows through just four enterprise protocols: SMB, RDP, WinRM, and RPC.

After investing heavily in detection and response, security teams that over-rely on reactive strategies are facing undeniable protection gaps and blind spots. To minimize risk exposure in 2026, enterprises need fewer attack paths – not more alerts. Find out how security leaders can lock down the admin protocols quietly expanding blast radius without disrupting IT operations, driving cyber resilience with containment-first architecture.  

Why Most Cyber Threats Rely on SMB, RDP, WinRM, and RPC 

Most networks rely on a small, predictable set of 20-30 ports to keep the business running. Within that set, roughly 10 privileged management protocols function as high-trust highways for IT operations. Four of those same highways – SMB, RDP, WinRM, and RPC – are also lateral movement thoroughfares, exploited across more than 70% of threat activities.  

These protocols are essential for a wide range of operations, and attackers know it. In fact, their importance to business continuity is what makes these protocols such attractive targets. 

SMB (Server Message Block) 

SMB enables file sharing, printer access, and inter-system communication across Windows environments. Cyber adversaries love SMB because it offers broad internal access, credential reuse works seamlessly, and it enables remote service creation.  

SMB is often exploited for payload staging and ransomware propagation because of its broad internal exposure. If network policy allows any internal host to reach any other internal host over SMB, ransomware only has to ride default permissions to escalate its impact.

RDP (Remote Desktop Protocol) 

RDP allows interactive remote logins to Windows machines, making it a widely used tool for admins and hybrid workforces.  

Adversaries often buy compromised credentials on the dark web or simply brute-force weak RDP passwords. In fact, brute-force attacks against RDP ports remain one of the top techniques for initial access, spotlighting this protocol as a weak spot for both north-south and east-west control.  

Attackers exploit RDP connections to disable security software, exfiltrate data, or deploy ransomware manually; in other cases, they use RDP to hop from one host to another while masquerading as legitimate admins and evading detection tools. 

WinRM (Windows Remote Management) 

WinRM underpins PowerShell remoting and administrative automation. Because it’s so often embedded into legitimate workflows, WinRM is commonly enabled but rarely audited at scale, making it a common vector for living-off-the-land attacks.  

A compromised service account with WinRM access can script lateral expansion rapidly, without dropping a single suspicious binary.  

RPC (Remote Procedure Call) 

RPC is foundational to Microsoft ecosystems. Active Directory replication, authentication services, and countless background services rely on it.  

Unlike SMB or RDP, RPC is not confined to a single static port; it uses dynamic port ranges negotiated at runtime. Because of that complexity, organizations often default to enabling any RPC traffic, effectively exposing all RPC services.  

While this avoids operational breakage, it creates expansive implicit trust. An attacker armed with stolen credentials or a vulnerability can use any Windows host that is reachable over the network to exploit hundreds of RPC functions.

Exposing 4 Common Network Vulnerabilities 

While SMB, RDP, WinRM, and RPC serve distinct operational purposes, they share key characteristics that make them uniquely risky – these commonalities also shine a spotlight on persistent security weaknesses.  

1. Lateral Movement Evades Detection Tools  

Organizations have invested heavily in EDR in recent years – these solutions were built to monitor endpoints for malicious activity, trigger alerts, and help minimize the impact of a security breach. But all of that hinges on the tool detecting anomalous activity in the first place.  

The protocols that cause the bulk of breach spread today are legitimate by design – by exploiting these pathways, attackers can blend in with normal activity and move laterally without triggering alerts.  

2. Static Rules Don’t Deliver Granular Control  

Traditional firewall policies were built for simpler, more predictable environments. Today’s hybrid, interconnected networks are constantly evolving, yet many organizations still rely on broad, static rules to govern privileged protocols.  

Rules that allow RDP within the server network or permit internal SMB traffic create expansive trust zones, allowing users and devices to inherit access far beyond the scope of business need. In fact, 99% of cloud users, roles and services hold excessive permissions, often unused for 60 days or more.  

Static coarse controls build exposure into the network architecture – they don’t account for identity or context and can’t distinguish between a legitimate admin and an adversary.  

3. Operational Convenience Broadens Risk Exposure  

Organizations tolerate risk to avoid breaking services, automation, or IT workflows. Because protocols like SMB, RDP, WinRM, and RPC are essential for operational continuity, locking them down entirely is a non-starter, and security teams hesitate to implement restrictions for fear of disruption.

This forced trade-off has drastically expanded blast radius. After gaining initial access, attackers can typically compromise over 60% of the environment in less than one hour, with a single compromised host exposing 85% of internal systems in the first hop.  

4. Implicit Trust Still Leaves Environments Exposed  

Although nine out of ten organizations recognize Zero Trust as key to enhancing their overall security posture, many networks still operate with the lingering assumption that internal traffic is safe.  

Administrative protocols are routinely left open inside the network because operations depend on them; over time, this operational permissiveness becomes structural trust. Attackers don’t need AI-enabled campaigns or unpatched vulnerabilities when they inherit widespread access from an initial foothold, allowing them to pivot via RDP, move payloads over SMB, execute remotely with WinRM, or interact with domain controllers through RPC. 

What This Means for Security Leaders in Practice  

Today’s risk realities require security leaders to focus on a new set of questions:  

How can companies protect against attackers abusing legitimate admin tools like RDP and PowerShell? 

Protecting legitimate tools against abuse requires eliminating broad internal exposure to cut off risky access paths. For example, granular segmentation and identity-based controls restrict which users and systems can initiate RDP or WinRM sessions, ensuring that even valid credentials cannot be used freely across the environment. 

What’s the best way to secure SMB protocols and other high-risk internal services? 

The most effective approach is to move from broad, subnet-level permissions to explicit, granular controls based on real operational need. SMB access should be limited to defined system relationships, not entire network segments. Closed-by-default architectures dramatically reduce lateral movement pathways while preserving required business functionality. 

What solutions help apply MFA to RDP, SSH, and other administrative protocols? 

Traditional MFA operates at layer 7 of the OSI model, protecting applications and VPN access but often leaving internal administrative ports exposed. Network-layer MFA operates at layer 3 and enforces verification directly at the protocol level, requiring authentication before RDP, SSH, or other privileged connections are established. This prevents stolen credentials from becoming vectors for privilege escalation.

Each of these questions points back to the same set of security gaps, reinforcing the need to operationalize least privilege at the architectural level.

Cyber Resilient Architecture: From Detection to Deterministic Containment 

Armed with the knowledge that the bulk of threat activity flows through a narrow set of enterprise protocols – and a deeper understanding about what that signals for network security vulnerabilities – organizations can prioritize limiting exposure where it really counts.  

To address today’s top cyber risks, security leaders must move beyond detect-and-respond strategies to prioritize closed-by-default architectures by:  

  • Explicitly defining which systems are allowed to communicate  
  • Restricting East-West communication by default to remove implicit internal trust  
  • Aligning access controls to identity so users, devices, and applications are restricted to pre-approved assets and logon types  
  • Applying just-in-time verification for elevated privileges, including admin protocol access  

Importantly, observed network behavior should serve as the blueprint for a containment-first architecture, solving the tug-of-war between security and continuity. When granular, identity-based controls built around real account behavior and business need govern network access, attackers can no longer move freely along internal pathways – and security teams no longer run the risk of disrupting operations. 
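As an added illustration (not Zero Networks code or product logic), the following Python models the four principles above as a closed-by-default policy check. It contrasts the broad subnet rules described under "Static Rules" and the "allow any RPC" default from the RPC section with explicit, identity-bound relationships, then measures first-hop exposure from one compromised host. Host addresses, account names and rules are constructed sample data.

```python
# Added example (not Zero Networks code): a closed-by-default policy evaluator for the
# four admin protocols above, comparing broad subnet rules against explicit, identity-aware
# relationships and measuring first-hop exposure from one compromised host.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RPC is the endpoint mapper (TCP 135) plus the dynamic range handed out at runtime, so an
# "allow any RPC" rule has to open that whole range. Port numbers are the Windows defaults.
PORTS = {"SMB": {445}, "RDP": {3389}, "WinRM": {5985, 5986},
         "RPC": {135} | set(range(49152, 65536))}

@dataclass(frozen=True)
class Rule:
    src: str                               # CIDR of permitted initiators
    dst: str                               # CIDR of permitted targets
    protocol: str
    identities: frozenset = frozenset()    # empty = any account (the broad, context-free case)
    jit_mfa: bool = False                  # require just-in-time verification per session

def allowed(rules, src_ip, dst_ip, port, identity, mfa_verified=False):
    """Closed by default: a flow passes only when some rule explicitly permits it."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    return any(src in ip_network(r.src) and dst in ip_network(r.dst)
               and port in PORTS[r.protocol]
               and (not r.identities or identity in r.identities)
               and (not r.jit_mfa or mfa_verified)
               for r in rules)

def first_hop_exposure(rules, foothold_ip, identity, hosts):
    """Fraction of other hosts reachable on any admin protocol using stolen credentials alone."""
    probe = {p: min(ports) for p, ports in PORTS.items()}   # one representative port each
    others = [h for h in hosts if h != foothold_ip]
    hit = sum(any(allowed(rules, foothold_ip, h, port, identity) for port in probe.values())
              for h in others)
    return hit / len(others)

# Constructed inventory: ten servers in 10.0.1.0/24 plus one admin workstation.
HOSTS = [f"10.0.1.{i}" for i in range(1, 11)] + ["10.0.2.5"]
# Broad policy: "allow RDP within the server network", "permit internal SMB", "allow any RPC".
BROAD = [Rule("10.0.1.0/24", "10.0.1.0/24", "RDP"),
         Rule("10.0.0.0/8", "10.0.0.0/8", "SMB"),
         Rule("10.0.0.0/8", "10.0.0.0/8", "RPC")]
# Granular policy: explicit system relationships tied to identity; RDP from the admin
# workstation additionally requires just-in-time MFA.
GRANULAR = [Rule("10.0.2.5/32", "10.0.1.1/32", "RDP", frozenset({"svc-admin"}), jit_mfa=True),
            Rule("10.0.1.2/32", "10.0.1.3/32", "SMB", frozenset({"svc-app", "svc-backup"})),
            Rule("10.0.1.4/32", "10.0.1.5/32", "RPC", frozenset({"DC04$"}))]

if __name__ == "__main__":
    for name, rules in (("broad", BROAD), ("granular", GRANULAR)):
        print(name, first_hop_exposure(rules, "10.0.1.2", "svc-backup", HOSTS))
```

With the same stolen service-account credentials, the broad policy exposes every other host from the foothold, while the granular policy exposes only the one explicitly defined SMB relationship.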

Proactive Containment Strategies: Securing SMB, RDP, WinRM and RPC Traffic 

Building containment into the network architecture means attackers won’t inherit persistent lateral movement pathways just because they gained an initial foothold. Security teams can enhance cyber resilience and close urgent security gaps by prioritizing a handful of best practices.  

Granularly Segment Assets and Identities  

Comprehensive microsegmentation automatically blocks unauthorized lateral movement to contain threats before they spread. By applying this same granular approach to identities, security teams can protect every axis of network traffic and ensure compromised credentials aren’t an all-access pass for adversaries.  

Enforce Network-Layer MFA for Admin Access 

Applying MFA to privileged ports, protocols, and accounts adds a much-needed layer of friction to the most common attack pathways. With network-layer MFA, organizations can secure the privileged protocols that so often facilitate threat activity, requiring just-in-time verification for access and otherwise closing them by default. Because authenticated connections can still proceed normally, this approach is a non-disruptive solution for closing key attack paths.  

Safeguard Domain Controllers and RPC Operations   

Locking down RPC operations entirely isn’t viable, but granular control is still possible – it just requires a new approach. RPC Firewall functions at the application layer, allowing security teams to examine the full context of RPC calls and establish rules on which operations to allow or block, mitigating ~95% of the Domain Controller attack surface out of the box.   

Dynamically Adapt Policies for a Resilient Security Posture 

Static rules can’t protect dynamic networks. As new services, integrations, and devices constantly reshape communication patterns, potential security gaps emerge, but relying on manual tuning isn’t scalable.

Deterministic, human-on-the-loop automation allows enterprises to adapt and enforce policies aligned to network realities without adding headcount or complexity.  

Automate Threat Containment and Reduce Risk Exposure with Zero Networks  

Addressing today’s top cyber risks requires a dual focus on security and operational continuity, making cyber resilience the true objective. Zero Networks enables organizations to proactively build containment into network architecture, delivering identity-based microsegmentation to prevent lateral movement and eliminate persistent access paths.  

Zero automatically enforces adaptive, identity-aligned policies based on real network behavior. By tightly coupling network and identity enforcement and adding just-in-time MFA verification to privileged access, Zero protects protocols like SMB, RDP, WinRM, and RPC without disrupting operations.  

Find out how Zero Networks can help your organization build a resilient architecture to automate containment while prioritizing continuity – request a demo.