Port 3389 is the default port for Microsoft's Remote Desktop Protocol (RDP). When you connect to a Windows machine remotely and see its desktop rendered on your screen, that visual data flows through port 3389. Every mouse movement, every keystroke, every pixel update travels across this connection.
RDP is simultaneously one of the most useful protocols ever created and one of the most dangerous doors you can leave open on the Internet.
How RDP Works
RDP operates on a simple but powerful principle: render the desktop on the server, compress the visual output, and send it across the network to the client.[1]
The protocol is built on a layered stack inherited from ITU T.120, a suite of protocols originally designed for videoconferencing and multipoint collaboration.[2] This architecture allows RDP to multiplex up to 64,000 separate virtual channels over a single connection, carrying everything from screen updates to printer redirection to audio streaming.[3]
On the server side, a specialized video driver captures graphics operations and converts them into protocol packets. On the client side, those packets are decoded and translated into Windows GDI (Graphics Device Interface) calls that paint the remote desktop on your local screen.[1]
The protocol handles both directions: your keystrokes and mouse movements are encrypted and sent back to the server, where they're injected into the input queue as if you were physically present.
Modern RDP (version 10.0 and later) includes H.264/AVC video compression, making it efficient enough to stream video content and handle high-DPI displays.[4]
The History of Port 3389
The T.120 Foundation
RDP's story begins not with remote desktops but with videoconferencing. In the mid-1990s, the ITU (International Telecommunication Union) developed T.120, a family of protocols for multipoint data conferencing.[5] Microsoft implemented T.120 in NetMeeting, released in May 1996 alongside Internet Explorer 3.[6]
The T.120 protocols solved a hard problem: how to synchronize data streams across multiple participants in real time. Microsoft would repurpose this infrastructure for something entirely different.
The Citrix Partnership
In 1994, Microsoft wasn't interested in making Windows a multi-user operating system. That capability existed only in UNIX. So they licensed their Windows NT source code to a company called Citrix, who built WinFrame, a multi-user version of Windows NT 3.51.[7]
WinFrame's secret was Citrix's MultiWin technology, which modified the Windows kernel to support multiple simultaneous user sessions. When Microsoft decided they wanted this capability back, they struck a deal in May 1997: Citrix would license MultiWin to Microsoft in exchange for $75 million plus royalties estimated at $100 million.[7]
Terminal Server Edition
On June 16, 1998, Microsoft released Windows NT 4.0 Server, Terminal Server Edition, codenamed "Hydra."[8] This was the first Windows version with built-in multi-user support and the first implementation of what we now call RDP.
The first version was called RDP 4.0 (matching the Windows NT version number), and it combined the T.120 protocol infrastructure with Citrix's kernel modifications.[2] The client software was originally called "Terminal Services Client" before Microsoft renamed it to "Remote Desktop Connection."[4]
Port 3389 was registered with IANA as the official port for the Microsoft WBT (Windows-Based Terminal) Server service.
Security: The Double-Edged Sword
Port 3389 has become the most targeted port in enterprise security. The convenience that makes RDP essential for IT operations also makes it irresistible to attackers.
The BlueKeep Crisis
On May 14, 2019, Microsoft released an emergency patch for CVE-2019-0708, a vulnerability that would become known as BlueKeep.[9] The flaw was "wormable," meaning it could spread from machine to machine without user interaction, like the infamous WannaCry attack.
BlueKeep was a use-after-free vulnerability in how RDP handled a virtual channel called MS_T120.[10] An unauthenticated attacker could connect to port 3389 and send specially crafted requests to execute arbitrary code with system privileges.[9]
The vulnerability was serious enough that Microsoft took the unusual step of releasing patches for Windows XP and Windows Server 2003, operating systems that had been out of support for years.[9] Both the UK's National Cyber Security Centre and the US National Security Agency issued warnings.[9]
By November 2019, the first mass exploitation attempts were detected, though the initial attacks were flawed and mostly just crashed systems rather than successfully installing malware.[9]
The Ransomware Gateway
BlueKeep was dramatic, but the everyday reality is worse. According to Sophos's 2024 Active Adversary Report, RDP was abused in 90% of ransomware attacks they investigated, the highest incidence since they began tracking in 2021.[11]
External remote services like RDP were the initial access method in 65% of incident response cases in 2023.[11] Attackers don't need sophisticated exploits when credentials are often weak, stolen, or sold on darknet markets for as little as $20.[12]
Shodan, the search engine for Internet-connected devices, indexes over 3.5 million RDP ports directly exposed to the public Internet.[13] During the COVID-19 pandemic, that number spiked 41% as organizations rushed to enable remote work.[13]
The Pandemic Surge
The shift to remote work transformed RDP from an IT convenience into critical infrastructure. The remote desktop software market grew from $3.33 billion in 2024 to a projected $11.98 billion by 2032.[14]
During March 2020, traffic to remote desktop software categories increased 281%.[15] Enterprise buyers evaluating remote desktop solutions surged 110% between February and March 2020.[15]
This explosion of remote access created what researchers call the "Ransomware Deployment Protocol" problem: every exposed RDP port is a potential entry point.[11]
How to Protect Port 3389
The fundamental advice is simple: never expose port 3389 directly to the Internet.
Use a VPN: Place RDP behind a VPN, so users must authenticate to the VPN before they can even reach port 3389.[16]
Enable Network Level Authentication (NLA): NLA requires authentication before the RDP session is established, which mitigates pre-authentication vulnerabilities like BlueKeep.[9]
Use strong, unique credentials: Compromised credentials were the root cause of over 50% of incident response cases in 2023.[11]
Enable multi-factor authentication: Without MFA, stolen credentials provide immediate access.[17]
Monitor for brute force attempts: Attackers will systematically try common passwords against any exposed RDP port.
Keep systems patched: RDP vulnerabilities continue to be discovered. CVE-2024-43533 is just one recent example.[13]
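The brute-force monitoring item above, as an added example (not from the original page): a sliding-window detector over failed-logon records shaped like Windows Security event 4625. The sample events, threshold and window are constructed assumptions; logon type 10 is RemoteInteractive, and type 3 (Network) is how failed RDP logons are recorded when NLA is enabled.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon types on event 4625 that can come from RDP:
# 10 = RemoteInteractive, 3 = Network (failed RDP logons with NLA enabled).
RDP_LOGON_TYPES = {3, 10}

T0 = datetime(2024, 1, 15, 3, 0, 0)
# Constructed sample records: (time, LogonType, IpAddress, TargetUserName).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = (
    # Fast guessing: 8 failures in 35 seconds across several account names.
    [(T0 + timedelta(seconds=5 * i), 3, "203.0.113.50", user)
     for i, user in enumerate(["administrator", "admin", "backup", "svc_sql",
                               "administrator", "test", "user", "admin"])]
    # A real user mistyping a password twice.
    + [(T0 + timedelta(seconds=30 * i), 10, "198.51.100.7", "jsmith") for i in range(2)]
    # Low-and-slow guessing: one failure every 10 minutes.
    + [(T0 + timedelta(minutes=10 * i), 3, "192.0.2.9", "administrator") for i in range(6)]
    # Console logon failure with no source address: not RDP, ignored.
    + [(T0, 2, "-", "kiosk")]
)


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {ip: {"peak": n, "users": set}} for sources that reach
    `threshold` failed RDP-type logons inside any sliding `window`."""
    recent = defaultdict(deque)   # ip -> (time, user) pairs still inside the window
    alerts = {}
    for ts, logon_type, ip, user in sorted(events):
        if logon_type not in RDP_LOGON_TYPES or ip in ("", "-"):
            continue
        queue = recent[ip]
        queue.append((ts, user))
        while ts - queue[0][0] > window:   # expire failures older than the window
            queue.popleft()
        if len(queue) >= threshold:
            alert = alerts.setdefault(ip, {"peak": 0, "users": set()})
            alert["peak"] = max(alert["peak"], len(queue))
            alert["users"].update(u for _, u in queue)
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['peak']} failures in window, accounts tried: {sorted(info['users'])}")
```

The slow source in the sample never reaches the threshold, which is why rate-based alerts need to sit alongside the strong-credential and MFA items in the list above.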
Related Ports
| Port | Protocol | Relationship |
|---|---|---|
| 3389 | RDP | Primary Remote Desktop Protocol port |
| 443 | HTTPS | Often used for RDP Gateway connections |
| 3390-3392 | RDP | Additional ports for multiple RDP instances |
| 5900 | VNC | Alternative remote desktop protocol |
| 22 | SSH | Secure Shell (Linux/Unix remote access) |