I thought my home network was secure. Last week, I turned on my Surface and its lock screen had a "remote session active" screen. Before I could do anything, it turned itself off. When I turned it back on, it showed "low battery" and turned off. I have no idea if this was a bug or somebody remotely accessed it. I had everything updated to the latest software/firmware. Remote desktop itself was disabled on the Surface (though it had "allow remote assistance" enabled). I didn't have router web administration enabled. Router admin password as well as wifi password were unique, 15-20 chars long and I never used them anywhere else. Same thing for my Microsoft account that I use for Windows login. Wifi also had MAC address filtering enabled. There was only one more person using my network, and it's unlikely they would do this because I don't think they know my password. And I don't think they are that technically knowledgeable other than to use a PC for browsing. I also had a Synology NAS with OpenVPN. Router was configured to forward the VPN port, but Synology's firewall was configured to allow connections only from 2 IP ranges that my phone gets when on mobile network. Strangely, after this incident, I turned off the VPN and now my NAS goes to sleep properly. It never used to sleep before. I sit right next to the NAS and I could hear the HDDs reading/writing all the time, although slowly. I always used to think maybe someone was slowly copying files from my NAS.
I had earlier set up a pfSense box purely for ad blocking and to keep out Google/Microsoft creepware. But I had stopped using it because of the learning curve. Now, I am learning how to properly configure it.
It's kind of amusing if you think about it. In olden days, people had to worry about physical attack of their house. Nowadays, I am more worried about these virtual attacks.
The Surface was factory reset only a few days back. I don't use it that much except for occasional ebooks. The only software I had in it were Firefox, Chrome, Office and Drawboard if you don't consider all that Candy crush/Soda crush/Animal kingdom bloat that MS likes to push on us (which I promptly uninstalled).
I have to admit that I downloaded the PDF ebooks from piracy sites. So I don't know if they had some malware in them. I did scan them with MBAM, Avira, MS Defender before use though. Note that I didn't download them from the Surface. I downloaded them using an Ubuntu VirtualBox VM running on another laptop. I restore the VM to a previous snapshot each time after use.
It could very well be the original Microsoft software doing this. Check if your Microsoft account and other cloud accounts you are using on that machine have been compromised.
And securing houses is easy, with locks, metal parts, and alarms. You know what you're doing network-security-wise but you still don't know if the baddies got in or not...
Of course, securing your home is only easy because of geographic separation between yourself and the types of places where thieves will break through a non-reinforced wall while you're out of town.
The typical aphorism is "Locks only keep honest people honest."
Really, even securing your house is tricky. My place in Florida was built with the hinges to the front door on the /outside/ because of local building codes. Unfortunately, I only realized that after it was built. The locks are nice, but any enterprising thief would simply pop the hinges and remove the door if I hadn't taken steps to prevent it.
Bypassing locks is easy, and security systems are only useful when law enforcement is at the ready (rare in many places).
I had a girlfriend who would leave her sliding glass door ajar with a 2x4 to prevent it from being opened enough to let a person through. This was until I demonstrated that, unlatched, the door could just be lifted out of its frame and set aside.
I think their point was that the person has to be at your house. E.g. they can't systematically and remotely try the door handle of homes halfway around the world.
I am not sure if the entries at 8:49 pm are what I saw as the "remote session active". Also, I am not sure if this LocalSessionManager is the right place to look.
Your post prompted me to check my own Event Viewer. After some frenzied searching for the meaning of "Remote Desktop Services" entries in my own logs, I figured that the alarm seems to stem only from the unfortunate naming of events that LocalSessionManager drops. As this document describes[0], and after confirming with another account, the events are generated when one account wishes to run a process under another account ("Run as administrator/different user" functionality). It might be that Windows Update triggered this on your computer. Consider also that Windows Update sometimes updates third-party drivers, and one wouldn't expect they follow all best practices.
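One way to check whether the LocalSessionManager entries discussed above came from a remote client, as an added example that is not part of the thread. It assumes event IDs 21, 24 and 25 and the `Address` field (which reads `LOCAL` for console sessions) of that log, none of which are quoted on the page, and an arbitrary 14-day window.

```powershell
# Added example (not from the thread): list session events from the
# LocalSessionManager operational log and flag non-local source addresses.
# Run from an elevated PowerShell prompt if the log is not readable otherwise.
$logName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'

# Assumed event IDs: 21 = session logon, 24 = disconnected, 25 = reconnected
$filter = @{
    LogName   = $logName
    Id        = 21, 24, 25
    StartTime = (Get-Date).AddDays(-14)   # arbitrary look-back window
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # User, SessionID and Address live under UserData/EventXML in the event XML
    $data    = ([xml]$e.ToXml()).Event.UserData.EventXML
    $address = [string]$data.Address

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        User      = [string]$data.User
        SessionId = [string]$data.SessionID
        Address   = $address
        # 'LOCAL' means the console; anything else is the connecting client
        Remote    = [bool]($address -and $address -ne 'LOCAL')
    }
}

# Full timeline, oldest first
$rows | Sort-Object Time | Format-Table -AutoSize

# Only the sessions with a non-local source address
$remote = @($rows | Where-Object Remote)
if ($remote.Count -eq 0) {
    'No session events with a non-local source address in the window.'
} else {
    $remote | Sort-Object Time | Format-Table Time, Id, User, Address -AutoSize
}
```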
Regarding pfSense, I want to add some more info just so that people don't get the wrong idea about it.
I stopped using pfSense because I had enabled many block lists in pfBlockerNG and it was blocking sites like GitHub. Now, I am learning how to properly configure it. I also set up an ELK dashboard yesterday night. This is a heatmap of the scans in the last 30 minutes.