RDP Sensitive Settings Changed

Sigma Rules

Summary
This detection rule identifies changes to sensitive Remote Desktop Protocol (RDP) settings on Windows systems, specifically registry modifications that could open a host to unauthorized remote access. It monitors writes to registry values under the Terminal Services configuration, such as `fDenyTSConnections`, which controls whether RDP connections are accepted at all (a value of 0 enables RDP), and `fAllowUnsolicited`, which allows unsolicited Remote Assistance sessions to be offered to the machine. Changes to session shadowing (`Shadow`) and other security-related values in the RDP configuration are also covered. The rule matters because an attacker who can write these values can enable remote access, or weaken its controls, on a system that was never meant to expose RDP. The detection logic matches the `TargetObject` of registry value-set events against the RDP-related registry paths and value names, so the alert fires on the write itself rather than on a later connection. False positives are expected from legitimate administrative activity (an administrator enabling RDP, or a policy push that sets these values), so each alert should be checked against the writing process and the account responsible before escalation.
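The matching described above, run over a handful of constructed Sysmon-style registry value-set records, as an added example that is not part of the original page and not the rule's own logic. The value names (`fDenyTSConnections`, `fAllowUnsolicited`, `Shadow`) come from the summary; the set of registry path fragments, the `allowed_images` tuning parameter, the `interpret` helper and the sample events are assumptions made for illustration. The real rule watches more values than the three listed here.

```python
import re

# Value names the summary names as sensitive RDP settings (lower-cased for matching).
# Deliberately limited to what the page states; the real rule covers more.
SENSITIVE_VALUES = {"fallowunsolicited", "fdenytsconnections", "shadow"}

# Registry path fragments under which Terminal Services / RDP settings live.
# Assumed set for this example, matched case-insensitively against TargetObject.
RDP_PATH_RE = re.compile(r"\\Terminal Server\\|\\Terminal Services\\", re.IGNORECASE)

# Sysmon renders DWORD data in the Details field as "DWORD (0x00000000)".
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def parse_dword(details):
    """Return the integer from a Sysmon 'DWORD (0x........)' Details string, else None."""
    m = DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None


def interpret(value_name, data):
    """One-line analyst note for a matched value (facts about the values, not rule logic)."""
    if data is None:
        return "sensitive RDP setting changed (non-DWORD data)"
    if value_name == "fdenytsconnections":
        return "RDP connections enabled" if data == 0 else "RDP connections denied"
    if value_name == "fallowunsolicited":
        return ("unsolicited Remote Assistance offers allowed" if data == 1
                else "unsolicited Remote Assistance offers disabled")
    if value_name == "shadow":
        return "session shadowing mode changed to %d" % data
    return "sensitive RDP setting changed"


def detect_rdp_setting_changes(events, allowed_images=()):
    """Return one finding per registry value-set event that touches a sensitive RDP value.

    allowed_images is an assumed tuning knob (not part of the rule) for suppressing
    known administrative tooling that legitimately writes these values.
    """
    allowed = {img.lower() for img in allowed_images}
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:          # Sysmon 13 = RegistryEvent (Value Set)
            continue
        target = ev.get("TargetObject", "")
        if not RDP_PATH_RE.search(target):   # outside the RDP configuration tree
            continue
        value_name = target.rsplit("\\", 1)[-1]
        if value_name.lower() not in SENSITIVE_VALUES:
            continue
        image = ev.get("Image", "")
        if image.lower() in allowed:         # tuned-out administrative tooling
            continue
        data = parse_dword(ev.get("Details"))
        findings.append({
            "value_name": value_name,
            "target": target,
            "image": image,
            "data": data,
            "note": interpret(value_name.lower(), data),
        })
    return findings


# Constructed Sysmon-style records for the example; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\fAllowUnsolicited",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow",
     "Details": "DWORD (0x00000002)"},
    # Under the RDP tree, but not a value the summary names: no finding.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber",
     "Details": "DWORD (0x00000D3D)"},
    # Unrelated persistence write: no finding.
    {"EventID": 13, "Image": "C:\\Program Files\\Updater\\updater.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Program Files\\Updater\\updater.exe"},
    # Key create/delete (Sysmon 12) rather than a value set: no finding.
    {"EventID": 12, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections"},
]

if __name__ == "__main__":
    for f in detect_rdp_setting_changes(SAMPLE_EVENTS):
        print("%-20s %-40s %s" % (f["value_name"], f["image"], f["note"]))
```

Only the three writes to named values produce findings; the `PortNumber` write under the same tree is ignored because the example is scoped to the values the summary lists, and the Sysmon 12 key event is ignored because the rule is about value sets. Passing `allowed_images=["C:\\Windows\\regedit.exe"]` drops the first finding, which is the kind of tuning the summary's false-positive caveat calls for, and should only be done for tooling whose use of these values is understood.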
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1112
Created: 2022-08-06