Port 3389: RDP (Remote Desktop Protocol)

Port 3389 is where Windows machines listen for Remote Desktop Protocol connections. RDP lets you control a Windows computer over the network as if you were sitting at its keyboard. For system administrators, it's indispensable. For attackers, it's a dream come true.

RDP is the keys to the kingdom. Attackers who get in don't just have a foothold—they have the whole house. Full administrative access. Every file. Every application. The ability to disable security software, delete logs, and burrow deeper into the network.

Millions of organizations expose this service directly to the Internet.

What RDP Actually Does

Remote Desktop Protocol creates a graphical connection between two computers. Your keyboard and mouse inputs travel to the remote machine; screen updates travel back. Microsoft introduced it with Windows NT 4.0 in 1996, and it's been built into every Windows version since XP.

The protocol does more than relay keystrokes. It handles clipboard sharing, printer redirection, audio streaming, and file transfers. When you copy text on your local machine and paste it into a remote session, RDP makes that work. When you print from a remote server to your local printer, RDP handles that too.

By default, RDP listens on TCP port 3389.

Why Attackers Love Port 3389

Complete control. Compromising a web application might give you access to one database. Compromising RDP gives you everything that account can touch. Install malware. Exfiltrate data. Deploy ransomware. Use the machine to attack other systems.

Massive scale. Millions of Windows servers and workstations run RDP. Many expose it directly to the Internet because VPNs are inconvenient. The attack surface is enormous.

Weak credentials. Username and password authentication remains the norm. Automated tools try thousands of combinations against the Administrator account. Common passwords work more often than they should.

Critical vulnerabilities. BlueKeep (CVE-2019-0708) allowed attackers to execute code on Windows machines without any authentication at all. It was wormable—one compromised machine could automatically attack others. Microsoft released patches. A million systems remained vulnerable months later.

A vulnerability allowing unauthenticated remote code execution. Patches available. A million systems still exposed. This is RDP security in practice.

How Attacks Work

Brute force is the simplest approach. Automated tools try common passwords against administrator accounts: "password," "admin123," "Welcome1," company names, seasonal variations. They try thousands of combinations per hour. Eventually, someone's weak password gives way.

Credential stuffing uses passwords leaked from other breaches. People reuse passwords. Credentials from a compromised website often work against RDP services. Attackers don't need to guess—they already have your password from somewhere else.

Vulnerability exploitation targets unpatched systems. BlueKeep wasn't unique. DejaBlue (CVE-2019-1181 and CVE-2019-1182) followed the same pattern. RDP vulnerabilities keep appearing because the protocol is complex and the codebase is old.

Man-in-the-middle attacks intercept traffic when encryption is misconfigured or when users click through certificate warnings. Modern RDP supports strong encryption. Users ignoring warnings undermine it.

What Happens After Compromise

Ransomware operators particularly favor RDP. Administrative access plus file system control equals the ability to encrypt everything. Organizations have paid millions in ransom after attacks that started with one compromised RDP credential.

But ransomware is just one outcome. Attackers can:

  • Browse file systems and steal sensitive data
  • Access databases and exfiltrate records
  • Disable security software to avoid detection
  • Delete logs to cover their tracks
  • Install persistent backdoors that survive reboots
  • Move laterally to other systems on the network
  • Use the compromised machine to attack partners and customers

How to Secure RDP

Never expose RDP directly to the Internet. This single practice prevents most RDP attacks. Require users to connect through a VPN first. The VPN adds authentication and narrows the attack surface to people already on your network.

Enable Network Level Authentication (NLA). NLA requires authentication before establishing a full RDP session. Unauthenticated attackers can't even reach the Windows login screen. This stops pre-authentication exploits like BlueKeep.

Require multi-factor authentication. Even if attackers steal credentials through phishing, they can't authenticate without the second factor. Modern solutions integrate MFA directly into RDP.

Implement account lockout policies. Lock accounts after a few failed attempts. This stops brute force attacks cold.

Change the default port. Moving from 3389 to a non-standard port stops the automated attacks that target port 3389 specifically. Attackers can still find you by scanning all ports, so this is modest protection—but it reduces noise.

Keep systems patched. Microsoft releases RDP security updates regularly. Apply them. The organizations still vulnerable to BlueKeep months after patches existed made a choice.

Segment your network. Compromising one system shouldn't provide access to everything. Use firewalls to restrict RDP traffic to only the systems and networks that need it.
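The host-level steps above (NLA, account lockout, restricting RDP to the networks that need it) can be applied in one script. The following is an added example, not tooling from this page: it configures a single Windows host from an elevated PowerShell session using the registry values, `net accounts` switches and firewall cmdlets that Windows already provides. The management subnet is a constructed placeholder, and the lockout numbers are assumptions; VPN enforcement, MFA and patching live outside the host and are not scripted here. Domain-joined fleets should push the same settings through Group Policy rather than per host.

```powershell
#Requires -RunAsAdministrator
# Added example: harden RDP on one Windows host. Not the page's own code.
# $ManagementSubnet is a constructed placeholder; replace it with your own range.

$ManagementSubnet = '10.0.10.0/24'    # constructed: the only network allowed to reach 3389
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Network Level Authentication: the client must authenticate (CredSSP) before the
# session and logon screen exist, so unauthenticated clients never reach the RDP stack.
Set-ItemProperty -Path $RdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord

# Require the TLS security layer and high encryption instead of the legacy RDP layer,
# so a client cannot negotiate down to the weaker modes that man-in-the-middle attacks rely on.
Set-ItemProperty -Path $RdpTcp -Name 'SecurityLayer'      -Value 2 -Type DWord   # 2 = TLS
Set-ItemProperty -Path $RdpTcp -Name 'MinEncryptionLevel' -Value 3 -Type DWord   # 3 = High

# Account lockout (assumed values): five failures lock the account for 15 minutes,
# and the failure counter resets after 15 minutes.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15

# Segmentation at the host firewall: disable the built-in any-source RDP rules and
# allow 3389 only from the management subnet, and never on the Public profile.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP from management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $ManagementSubnet -Profile Domain,Private -Action Allow | Out-Null

# Verify what the host now enforces.
Get-ItemProperty -Path $RdpTcp | Select-Object UserAuthentication, SecurityLayer, MinEncryptionLevel
Get-NetFirewallRule -DisplayName 'RDP from management subnet only' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

The verification lines at the end are the part worth keeping in a scheduled job: a drift in `UserAuthentication` back to 0, or an RDP rule whose `RemoteAddress` is `Any`, is exactly the misconfiguration that turns a patched host back into an exposed one.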

Monitor access logs. Failed login attempts from unusual locations, successful logins at 3 AM, and access patterns that don't match normal usage should all trigger alerts.
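Two of those signals, a burst of failed logons from one source and a successful RDP logon at an odd hour, can be expressed directly against the Windows Security log. The following is an added example, not code from this page: in that log, Event ID 4625 is a failed logon and 4624 a successful one, and LogonType 10 (RemoteInteractive) marks RDP. The detectors run over constructed sample events so the script works offline; the thresholds, working hours, addresses and user names are assumptions for the example. `ConvertFrom-LogonEvent` maps real `Get-WinEvent` records into the same shape for live use.

```powershell
# Added example (not from the page): RDP brute-force and off-hours logon detection
# over constructed Windows Security events. Thresholds and hours are assumptions.

function ConvertFrom-LogonEvent {
    # Map a real Get-WinEvent 4624/4625 record to the flat shape the detectors use.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Id = $Event.Id; Time = $Event.TimeCreated
            User = $data['TargetUserName']; SourceIp = $data['IpAddress']; LogonType = [int]$data['LogonType']
        }
    }
}

function Find-RdpBruteForce {
    # Burst of failed RDP logons from one source inside a sliding window; also notes
    # whether the same source later logged on successfully (a password that gave way).
    param([object[]]$Events, [int]$Threshold = 10, [int]$WindowMinutes = 5)
    $rdp = $Events | Where-Object { $_.LogonType -eq 10 }
    foreach ($group in ($rdp | Where-Object Id -eq 4625 | Group-Object SourceIp)) {
        $fails = @($group.Group | Sort-Object Time)
        foreach ($first in $fails) {
            $end   = $first.Time.AddMinutes($WindowMinutes)
            $burst = @($fails | Where-Object { $_.Time -ge $first.Time -and $_.Time -lt $end })
            if ($burst.Count -ge $Threshold) {
                $later = @($rdp | Where-Object { $_.Id -eq 4624 -and $_.SourceIp -eq $group.Name -and $_.Time -ge $first.Time })
                [pscustomobject]@{
                    Alert = 'RDP brute force'; SourceIp = $group.Name; Failures = $burst.Count
                    Start = $first.Time; Users = ($fails.User | Sort-Object -Unique) -join ','
                    FollowedBySuccess = $later.Count -gt 0
                }
                break   # one alert per source is enough
            }
        }
    }
}

function Find-OffHoursRdpLogon {
    # Successful RDP logons outside the working window (07:00-19:00 here, an assumption).
    param([object[]]$Events, [int]$StartHour = 7, [int]$EndHour = 19)
    $Events | Where-Object {
        $_.Id -eq 4624 -and $_.LogonType -eq 10 -and
        ($_.Time.Hour -lt $StartHour -or $_.Time.Hour -ge $EndHour)
    } | ForEach-Object {
        [pscustomobject]@{ Alert = 'Off-hours RDP logon'; User = $_.User; SourceIp = $_.SourceIp; Time = $_.Time }
    }
}

# Constructed sample: 12 failures in three minutes against Administrator from one
# Internet address, then a success from that address at 03:05, plus normal daytime use.
$sample = foreach ($i in 0..11) {
    [pscustomobject]@{ Id = 4625; Time = ([datetime]'2024-05-01T02:58:00').AddSeconds(15 * $i)
                       User = 'Administrator'; SourceIp = '203.0.113.45'; LogonType = 10 }
}
$sample += @(
    [pscustomobject]@{ Id = 4624; Time = [datetime]'2024-05-01T03:05:12'; User = 'Administrator'; SourceIp = '203.0.113.45'; LogonType = 10 }
    [pscustomobject]@{ Id = 4624; Time = [datetime]'2024-05-01T09:14:03'; User = 'jdoe';          SourceIp = '10.0.10.20';   LogonType = 10 }
    [pscustomobject]@{ Id = 4624; Time = [datetime]'2024-05-01T09:30:00'; User = 'svc-backup';    SourceIp = '-';            LogonType = 5 }   # service logon, not RDP
)

Find-RdpBruteForce -Events $sample | Format-List        # one alert: 12 failures, FollowedBySuccess = True
Find-OffHoursRdpLogon -Events $sample | Format-Table -AutoSize   # one alert: Administrator at 03:05 from 203.0.113.45

# Against a live host, replace $sample with the last 24 hours of logon events:
# $sample = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-24) } |
#     ConvertFrom-LogonEvent
```

The `FollowedBySuccess` flag is the one to page on: a burst of failures is background noise on any exposed host, but a burst followed by a successful logon from the same source means a credential has just been guessed and the response clock is running. The `svc-backup` record is included to show why the detectors filter on LogonType 10; service and network logons also produce 4624 events and would otherwise flood the off-hours check.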

Better Alternatives

Remote Desktop Gateway proxies RDP over HTTPS. Clients connect to the gateway on port 443; the gateway brokers connections to internal RDP servers. You get TLS encryption and centralized access control without exposing 3389.

Azure Virtual Desktop and similar cloud solutions eliminate exposed ports entirely. The connection initiates outbound from the virtual desktop, not inbound to a listening service.

Zero Trust Network Access (ZTNA) verifies identity, device posture, and context before granting access, replacing the implicit trust of traditional VPNs with continuous verification.

Bastion hosts serve as hardened jump servers—the only entry point for RDP access, allowing focused security monitoring.

The Core Principle

Defense in depth. Never rely on one control.

Combine VPN access, NLA, MFA, monitoring, patching, and network segmentation. Create multiple barriers. Assume each one might fail. Design so that failure of one control doesn't mean compromise.

But if you remember nothing else: never expose RDP directly to the Internet.

The organizations that suffer RDP breaches often exposed it for convenience. They traded a few minutes of VPN friction for the risk of ransomware, data theft, and the kind of breach that ends careers. That trade was never worth it.

