Remote Desktop (RDP) is a perennial attacker foothold. Knocknoc keeps RDP closed to the world and only exposes it after an out-of-band IdP/MFA login, so brute-force and zero-days become impossible. Internal lateral movement and brute-force can be stopped completely by hiding the RDP service from both internal and external scans.
A healthcare provider depended on RDP for clinicians and back-office staff. Even when RDP was surfaced on random high ports, daily brute-force attempts hammered their endpoints, and Essential Eight reviews kept flagging it. Everyone knew it wasn’t a good situation.
The provider had to protect RDP without disrupting clinicians on personal or unmanaged devices and without a client software installation.
Knocknoc dynamically populated an IP set on the existing firewall. After IdP/MFA, a user’s IP was granted a time-boxed path to RDP; otherwise, the port was invisible. Later, a browser-based option (via Guacamole) was piloted for contractors, which also used Knocknoc as part of the authentication and network access process.
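To make the mechanism concrete, here is an added, self-contained illustration of a time-boxed allowlist of the kind described above. It is not Knocknoc’s code or configuration: the set and table names (`inet filter`, `rdp_allow`), the eight-hour default, the login-event fields (`user`, `source_ip`, `mfa`) and the sample addresses are all constructed assumptions. It only builds the `nft` commands as strings rather than executing them, so it runs anywhere; the nftables set would need to be created with `flags timeout` for element timeouts to apply.

```python
"""Time-boxed firewall allowlist driven by IdP/MFA login events (illustrative)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from typing import Optional


@dataclass
class TimeBoxedAllowlist:
    """Tracks which source IPs may reach RDP and for how long.

    The firewall (here nftables) enforces the timeout itself; the local
    record exists so the broker can audit, reconcile and answer queries.
    Table/set names are assumptions, not a real deployment's values.
    """
    table: str = "inet filter"
    set_name: str = "rdp_allow"
    default_ttl: timedelta = timedelta(hours=8)
    _entries: dict = field(default_factory=dict)  # ip -> (user, expires)

    def grant(self, ip: str, user: str, now: datetime,
              ttl: Optional[timedelta] = None) -> str:
        """Record a grant and return the nft command that opens the path."""
        ttl = ttl or self.default_ttl
        addr = ip_address(ip)  # raises ValueError on garbage input
        self._entries[str(addr)] = (user, now + ttl)
        seconds = int(ttl.total_seconds())
        # Element timeout: the kernel drops the element when it expires,
        # so a crashed broker cannot leave the port open indefinitely.
        return f"nft add element {self.table} {self.set_name} {{ {addr} timeout {seconds}s }}"

    def is_allowed(self, ip: str, now: datetime) -> bool:
        """True only while an unexpired grant exists for this source IP."""
        entry = self._entries.get(ip)
        return entry is not None and now < entry[1]

    def expire(self, now: datetime) -> list:
        """Drop expired local records; return matching nft delete commands
        for reconciliation in case the firewall state has drifted."""
        expired = [ip for ip, (_, exp) in self._entries.items() if exp <= now]
        for ip in expired:
            del self._entries[ip]
        return [f"nft delete element {self.table} {self.set_name} {{ {ip} }}"
                for ip in expired]


def handle_login(event: dict, allowlist: TimeBoxedAllowlist,
                 now: datetime) -> Optional[str]:
    """Translate an IdP login event into a firewall grant.

    The event shape (user, source_ip, mfa) is a constructed assumption.
    A login that did not complete MFA must never open the port, so it
    returns None and the default-deny state is left untouched.
    """
    if not event.get("mfa"):
        return None
    return allowlist.grant(event["source_ip"], event["user"], now)


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    acl = TimeBoxedAllowlist()
    # Constructed sample events: one MFA-complete login, one without MFA.
    ok = {"user": "clinician01", "source_ip": "203.0.113.5", "mfa": True}
    bad = {"user": "clinician02", "source_ip": "198.51.100.7", "mfa": False}
    print(handle_login(ok, acl, now))                    # nft add element ...
    print(handle_login(bad, acl, now))                   # None: stays hidden
    print(acl.is_allowed("203.0.113.5", now + timedelta(hours=7)))   # True
    print(acl.is_allowed("203.0.113.5", now + timedelta(hours=8)))   # False
    print(acl.expire(now + timedelta(hours=8)))          # nft delete element ...
```

The point a practitioner should take from this is the default: nothing is in the set until an MFA-backed login puts an address there, and every element carries its own expiry, so the exposed window is bounded even if the broker that added it disappears.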
Brute-force attempts fell to zero; staff software didn’t change; MFA closed long-standing audit gaps.
The same approach is being applied to other hosted applications to keep “always-on” risk at zero pre-auth.
RDP shouldn’t be visible to the Internet. With Knocknoc, users log in (SSO/MFA) out-of-band, their IP address is allowlisted, and RDP appears only for them. No VPN overhead, no client installation, no brute-force surface.