Exposed RDP (Port 3389)
detect, fix, and prevent regression

Internet-facing Remote Desktop Protocol on TCP 3389 is one of the most consistently exploited initial access vectors in CISA KEV and ransomware incident reports. Learn how to detect it, close it, and keep it closed.

No credit card required. Free plan available forever.

Severity

High

CWE ID

CWE-1327

OWASP Top 10

A05:2021 - Security Misconfiguration

CVSS 3.1 Score

9.8

What is exposed RDP?

Exposed RDP refers to a Microsoft Remote Desktop Protocol service that is reachable directly from the public internet, typically because TCP port 3389 was left open on a workstation, jump host, or Windows Server without a VPN, bastion, identity-aware proxy, or other network boundary in front of it. Once the listener is reachable, attackers can guess or stuff credentials against it, exploit unpatched bugs in the RDP stack, or simply log in with valid credentials bought from an initial-access broker.

Internet-facing RDP is one of the most consistently weaponised exposure classes in practice: RDP-stack CVEs such as BlueKeep sit in the CISA Known Exploited Vulnerabilities catalog, and exposed RDP is one of the most common initial access vectors recorded in ransomware incident reports. Several years of joint advisories from CISA, the FBI, the UK NCSC, and ENISA name exposed RDP, alongside exposed remote management services more broadly, as a leading enabler of ransomware deployment. Operators routinely sweep IPv4 looking for open 3389 listeners, fingerprint the host, and run automated credential attacks against the discovered services.

The impact tracks the operating context of the exposed host. A jump server reaching the production VPN is a different blast radius from a developer's personal workstation. Even where the host itself is unimportant, an RDP foothold gained through a guessed or reused password is typically followed by credential dumping on that host, privilege escalation, and lateral movement to higher-value systems.

Exposed RDP is also a recurring audit and insurance finding. PCI DSS, NIST 800-53, ISO 27001, and most cyber insurance questionnaires either prohibit or restrict direct internet exposure of remote administration services. Closing the exposure is usually inexpensive compared to the operational and compliance cost of leaving it open, which is why this class of finding tends to move quickly through remediation tracking once it is surfaced on a controlled record. The same posture review on the Linux, UNIX, cloud, network appliance, and OT side of the estate treats SSH misconfiguration on TCP 22 as the sister exposure.

How attackers exploit it

1

Discover open 3389

Attackers continuously sweep IPv4 for hosts answering on TCP 3389, either with their own scanners (Masscan, custom tooling) or by querying internet observatories such as Shodan and Censys that have already done the sweep. TLS certificate details and the NTLM challenge identify the Windows version, hostname, and domain before a single logon attempt is made.

2

Brute-force or stuff credentials

Automated tooling (Hydra, NLBrute, Crowbar) tries common usernames (Administrator, admin, user) with weak or leaked passwords; credential stuffing replays username and password pairs from public breach corpora. Password spraying, a few common passwords against many accounts, stays under per-account lockout thresholds.

3

Exploit protocol weaknesses

Where the host is unpatched, attackers exploit known RDP and Terminal Services CVEs (BlueKeep CVE-2019-0708, DejaBlue CVE-2019-1181 and CVE-2019-1182, the 2022 RDP relay class, recent kernel and graphics CVEs). The pre-authentication bugs in this list are reachable by anyone who can complete the connection handshake, which is why NLA matters as much as patching.

4

Establish foothold and pivot

Once authenticated, attackers deploy tooling, dump credentials, disable security agents, enumerate Active Directory, move laterally, and stage ransomware or data exfiltration.

Common causes

Temporary remote access that became permanent

A firewall rule opened during a maintenance window, a remote-work emergency, or a vendor support session is never closed. Months later, port 3389 is still open to the internet with no record of why.

No identity-aware gateway in front of RDP

No VPN, bastion host, Azure Bastion, AWS Systems Manager Session Manager, or zero-trust access broker is enforced. RDP is reached directly with username and password authentication only.

Missing network-level authentication and MFA

Network Level Authentication is disabled or downgraded, so an unauthenticated client can reach the full connection sequence and any pre-authentication bug in it. Multi-factor authentication is not required, leaving a single password as the only barrier against credential stuffing and brute force at the protocol layer.

Patch and account hygiene gaps on the host

Unpatched Windows hosts with known RDP CVEs, local administrator accounts with weak or reused passwords, and disabled account lockout policies make an exposed listener trivially exploitable.

How to detect it

Automated detection

  • SecPortal's external scanner port-scan module probes TCP 3389 across every verified domain and host in scope, captures the banner and Windows version where available, and raises a high-severity finding with the recommendation to block at the perimeter.
  • Continuous monitoring re-runs the external scan on a schedule, so a firewall change that re-exposes 3389 reopens the finding rather than leaving the regression invisible until the next manual review.
  • Bulk import accepts Nessus, Burp, and CSV output from network-tier scanners that report exposed-RDP findings, so the catalogue stays centralised even when a third-party scanner is the discovery source.

Manual verification

  • Use nmap -sV -p 3389 --script rdp-enum-encryption,rdp-ntlm-info against the external IP range to confirm the listener: rdp-enum-encryption lists the security layers the server accepts and whether CredSSP (NLA) is required, and rdp-ntlm-info reads the Windows build plus NetBIOS and DNS names from the NTLM challenge.
  • Cross-reference the listener with the CISA KEV catalog and Microsoft security advisories to identify whether the host is exposed to BlueKeep, DejaBlue, or any RDP-class CVE without a patch.
  • Check Shodan and Censys for the organisation's netblocks and known hostnames to see whether external observatories already list the exposure publicly.
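The NLA check above comes down to one handshake: send an X.224 Connection Request that asks only for TLS, and see whether the server answers with RDP_NEG_RSP (session would proceed without NLA) or with RDP_NEG_FAILURE HYBRID_REQUIRED_BY_SERVER (NLA enforced). The following is an added example, not SecPortal's scanner code nor anything from the original page; it implements that probe from the MS-RDPBCGR wire format and classifies three constructed replies offline. The probe_rdp function performs real network I/O and is the only part that needs a live host.

```python
# Added example (not SecPortal's scanner code): a minimal RDP negotiation
# probe that reports whether a 3389 listener answers and whether it
# enforces Network Level Authentication. Wire format per MS-RDPBCGR
# 2.2.1.1 (X.224 Connection Request + RDP_NEG_REQ) and 2.2.1.2
# (Connection Confirm + RDP_NEG_RSP / RDP_NEG_FAILURE).
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x0      # legacy "standard RDP security"
PROTOCOL_SSL = 0x1      # TLS without CredSSP
PROTOCOL_HYBRID = 0x2   # CredSSP, i.e. NLA

# RDP_NEG_FAILURE failureCode values (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
NLA_FAILURE_CODES = {5, 6}   # either code means the server insists on NLA


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 LI counts everything after itself: 6 header bytes + 8 for RDP_NEG_REQ
    x224 = struct.pack("<BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Classify the server's X.224 Connection Confirm.

    Returns {"reachable": True, "nla_enforced": bool, "detail": str}.
    """
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT-framed X.224 response")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len > len(data):
        raise ValueError("truncated TPKT")
    li, tpdu_type = data[4], data[5]
    if tpdu_type != 0xD0:
        raise ValueError("expected X.224 Connection Confirm (0xD0)")
    neg = data[11:5 + li]          # bytes after the 6-byte CC header
    if not neg:
        # Pre-negotiation server: standard RDP security, no TLS, no NLA.
        return {"reachable": True, "nla_enforced": False,
                "detail": "no RDP_NEG_RSP: standard RDP security only"}
    if len(neg) < 8:
        raise ValueError("short negotiation structure")
    neg_type = neg[0]
    value = struct.unpack("<I", neg[4:8])[0]
    if neg_type == 0x02:           # RDP_NEG_RSP: server picked a protocol
        return {"reachable": True, "nla_enforced": bool(value & PROTOCOL_HYBRID),
                "detail": f"server selected protocol 0x{value:x}"}
    if neg_type == 0x03:           # RDP_NEG_FAILURE: server refused our choice
        name = FAILURE_CODES.get(value, f"unknown({value})")
        return {"reachable": True, "nla_enforced": value in NLA_FAILURE_CODES,
                "detail": f"RDP_NEG_FAILURE {name}"}
    raise ValueError(f"unexpected negotiation type 0x{neg_type:02x}")


def probe_rdp(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Ask for TLS only; an NLA-enforcing host must refuse with code 5.

    Performs network I/O, so it is not exercised by the offline samples below.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_SSL))
        return parse_connection_confirm(s.recv(64))


def _sample_confirm(neg_body: bytes) -> bytes:
    """Build a constructed Connection Confirm (test data, not a real capture)."""
    x224 = struct.pack("<BBHHB", 6 + len(neg_body), 0xD0, 0, 0, 0) + neg_body
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


# Constructed replies covering the three outcomes a scanner must distinguish.
SAMPLE_NLA_REQUIRED = _sample_confirm(struct.pack("<BBHI", 0x03, 0, 8, 5))
SAMPLE_TLS_NO_NLA = _sample_confirm(struct.pack("<BBHI", 0x02, 0, 8, PROTOCOL_SSL))
SAMPLE_LEGACY_RDP = _sample_confirm(b"")

if __name__ == "__main__":
    for label, reply in [("nla-required", SAMPLE_NLA_REQUIRED),
                         ("tls-no-nla", SAMPLE_TLS_NO_NLA),
                         ("legacy", SAMPLE_LEGACY_RDP)]:
        print(label, parse_connection_confirm(reply))
```

A reply with no negotiation structure at all (the legacy case) is the worst outcome: the server still accepts standard RDP security, so neither TLS nor NLA protects the listener. Any "reachable": True result from an external vantage point is the finding; the nla_enforced flag only changes how urgently it needs to be closed.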

How to fix it

Remove direct internet exposure

Block inbound TCP 3389 at the perimeter firewall, cloud security group, or network security group; do not rely on a load balancer that simply has no listener configured, because the next rule change can add one. RDP should only be reachable from inside the trusted administrative network, an enterprise VPN, an identity-aware proxy, or a managed bastion service.
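Because the usual regression is a security-group edit rather than a host change, the check worth automating is "does any rule in this account let 3389 in from a public or overly broad source". The following is an added example, not SecPortal code and not from the original page; it audits security groups in the IpPermissions shape that aws ec2 describe-security-groups returns, and the /24 and /64 thresholds and the sample groups are assumptions made for the illustration.

```python
# Added example (not SecPortal code): audit cloud security-group rules for
# TCP 3389 reachable from the internet or from overly broad source ranges.
# The input mirrors the IpPermissions structure that
# `aws ec2 describe-security-groups` returns; the groups below are
# constructed for illustration, not captured from a real account.
import ipaddress

RDP_PORT = 3389
# Assumption for this example: an allowlist entry wider than a /24 (IPv4)
# or /64 (IPv6) is treated as too broad unless it is a private range.
MAX_PREFIX = {4: 24, 6: 64}


def permission_covers_rdp(perm: dict) -> bool:
    """True when the rule's protocol and port range include TCP 3389."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # "all traffic"
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= RDP_PORT <= perm.get("ToPort", 65535)


def classify_source(cidr: str) -> str:
    """'' if the source is acceptable, otherwise why it is not."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:                  # 0.0.0.0/0 or ::/0
        return "internet"
    if net.is_private:                      # RFC 1918 / ULA: internal reach only
        return ""
    if net.prefixlen < MAX_PREFIX[net.version]:
        return "broad"
    return ""


def audit_security_groups(groups: list) -> list:
    """Return one finding per rule that exposes 3389 to a bad source."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not permission_covers_rdp(perm):
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                reason = classify_source(cidr)
                if reason:
                    findings.append({"group": sg["GroupId"], "cidr": cidr,
                                     "protocol": perm["IpProtocol"],
                                     "reason": reason})
    return findings


def restrict_to_allowlist(perm: dict, allowlist: list) -> dict:
    """Hardened copy of a permission: same port range, only the given sources."""
    fixed = {k: v for k, v in perm.items() if k not in ("IpRanges", "Ipv6Ranges")}
    nets = [ipaddress.ip_network(c) for c in allowlist]
    fixed["IpRanges"] = [{"CidrIp": str(n)} for n in nets if n.version == 4]
    fixed["Ipv6Ranges"] = [{"CidrIpv6": str(n)} for n in nets if n.version == 6]
    return fixed


# Constructed sample groups (documentation ranges, not real infrastructure).
SAMPLE_GROUPS = [
    {"GroupId": "sg-exposed", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-broad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "198.51.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-v6", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-ok", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print(finding)
```

The port-range and "all traffic" handling is what separates this from a grep for 3389: the sg-broad rule never mentions the port and the sg-v6 rule never mentions TCP, yet both expose RDP. Running this on a schedule against a live describe-security-groups dump is the cloud-side equivalent of the external rescan.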

Front RDP with an authenticated gateway

Use a Remote Desktop Gateway, Azure Bastion, AWS Systems Manager Session Manager, Google Cloud Identity-Aware Proxy, or a zero-trust network access broker so the RDP session is brokered, logged, and bound to an authenticated identity rather than reached directly.

Enforce MFA and account lockout

Require multi-factor authentication at the gateway, and on the Windows logon itself where an MFA provider is deployed on the host. Configure account lockout thresholds, and use Microsoft Entra Conditional Access or an equivalent policy engine so that credential stuffing and password spraying fail before a valid password can be found.

Enable Network Level Authentication

Keep Network Level Authentication on so that CredSSP authentication completes before the server allocates a session. NLA removes the unauthenticated attack surface used by BlueKeep-class pre-authentication bugs and forces a client to present valid credentials before any session resources are spent. It does not stop password guessing, which still succeeds or fails per attempt; lockout, MFA, and source restriction cover that.

Patch Windows and rotate local admin credentials

Apply Windows updates promptly, particularly any advisory affecting Remote Desktop Services or the RDP stack. Rotate local administrator credentials with LAPS or an equivalent, and remove unused local accounts.

Restrict source IP and add monitoring

Where a gateway is not yet feasible, restrict inbound 3389 to a small allowlist of corporate egress IPs and instrument the host with logging that forwards authentication events (Security log 4624 and 4625, and TerminalServices-RemoteConnectionManager event 1149) to the SIEM or detection pipeline for the security operations team to review.
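Forwarding the events is only useful if something reads them. The following is an added example, not SecPortal code and not from the original page, showing the detection logic a pipeline would run over forwarded Windows Security events for the interim allowlisted listener described above: it flags a failure burst per source IP, a successful RDP logon (LogonType 10) from a source that was just in a burst, and an RDP logon from any source outside the allowlist. The event records, the thresholds, and the 10.20.0.0/16 allowlist are constructed assumptions.

```python
# Added example (not SecPortal code): detection logic for RDP credential
# attacks over forwarded Windows Security events. Each event is reduced
# to the fields a SIEM would carry: EventID (4625 logon failure, 4624
# logon success), IpAddress, TargetUserName, LogonType (10 =
# RemoteInteractive, i.e. an RDP session). The sample events are
# constructed for illustration, not taken from a real host.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress


def detect_rdp_abuse(events, threshold=10, window=timedelta(minutes=10),
                     allowed_sources=()):
    """Three rules, evaluated in time order, per source IP:
      1. >= threshold failures inside the window      -> spray / brute force
      2. an RDP logon from a source in a failure burst -> likely compromise
      3. an RDP logon from a source off the allowlist  -> unexpected source
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_sources]
    failures = defaultdict(deque)     # src -> deque of (timestamp, username)
    burst_reported = set()
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["TimeCreated"])):
        src = ev.get("IpAddress") or "-"
        if src == "-":                # console/local logons carry no address
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        q = failures[src]
        while q and ts - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        if ev["EventID"] == 4625:
            # With NLA on, failures arrive as LogonType 3 (CredSSP/NTLM); with
            # NLA off as LogonType 10. Count both: the source IP is what matters.
            q.append((ts, ev["TargetUserName"]))
            if len(q) >= threshold and src not in burst_reported:
                burst_reported.add(src)
                alerts.append({"rule": "rdp_password_spray_or_bruteforce",
                               "source": src, "failures": len(q),
                               "distinct_users": len({u for _, u in q})})
        elif ev["EventID"] == 4624 and ev.get("LogonType") == 10:
            if len(q) >= threshold:
                alerts.append({"rule": "rdp_logon_after_failure_burst",
                               "source": src, "user": ev["TargetUserName"],
                               "failures": len(q)})
            elif not any(ipaddress.ip_address(src) in n for n in allowed):
                alerts.append({"rule": "rdp_logon_from_unexpected_source",
                               "source": src, "user": ev["TargetUserName"]})
    return alerts


def _event(event_id, when, src, user, logon_type):
    """Constructed event record in the reduced SIEM shape used above."""
    return {"EventID": event_id, "TimeCreated": when.isoformat(),
            "IpAddress": src, "TargetUserName": user, "LogonType": logon_type}


# Constructed sample: a 12-attempt spray, then a success from the same IP,
# a couple of failures from a second IP, one allowlisted admin logon, and
# one RDP logon from an address nobody expected.
_t0 = datetime(2024, 3, 1, 2, 15, 0)
SAMPLE_EVENTS = [
    _event(4625, _t0 + timedelta(seconds=i), "198.51.100.77", u, 3)
    for i, u in enumerate(["Administrator", "admin", "user", "backup"] * 3)
] + [
    _event(4624, _t0 + timedelta(seconds=30), "198.51.100.77", "backup", 10),
    _event(4625, _t0 + timedelta(seconds=40), "203.0.113.5", "admin", 3),
    _event(4625, _t0 + timedelta(seconds=41), "203.0.113.5", "admin", 3),
    _event(4624, _t0 + timedelta(seconds=60), "10.20.0.5", "jdoe", 10),
    _event(4624, _t0 + timedelta(seconds=90), "192.0.2.9", "svc_backup", 10),
]

if __name__ == "__main__":
    for alert in detect_rdp_abuse(SAMPLE_EVENTS, allowed_sources=("10.20.0.0/16",)):
        print(alert)
```

The second rule is the one that pages someone: a burst followed by a LogonType 10 success from the same address is the signature of a guessed password, and the distinct_users count on the first alert separates a spray across accounts from a brute force of one. Two failures from 203.0.113.5 stay below threshold and produce nothing, which is the trade-off any threshold makes.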

Operationalising the fix on the workspace

Closing exposed RDP is rarely the technical hard part. The operational hard part is keeping it closed across changes of ownership, firewall edits, vendor support windows, and cloud account drift. The workspace pattern below is what AppSec, vulnerability management, and security engineering teams use to keep an exposed-RDP finding from coming back six months later under a new asset name.

Surface every listener on one finding record

External scanning and bulk import land every exposed-RDP detection on the findings management record with CVSS, the discovered host, the scan timestamp, and the named owner so the catalogue is a single source of truth rather than a Shodan tab and a spreadsheet.

Run remediation as a tracked workflow

Each finding flows through the remediation tracking workflow with severity, target close date, named owner, and the agreed compensating control if the host cannot be removed from the internet immediately.

Verify the fix with retest

Once the firewall rule, gateway, or migration completes, the retesting workflow re-runs the external scan, confirms the listener is gone, and stamps the closure with timestamped evidence rather than a verbal sign-off.

Catch regressions through continuous monitoring

Scheduled continuous monitoring re-scans of verified domains reopen the finding if 3389 returns to the public internet, so a maintenance window or a new account does not silently undo the remediation.

Pair with the broader exposure catalogue

Exposed RDP rarely shows up alone. The same host frequently exposes SMB as well, or carries missing rate limiting, a weak password policy, or broken authentication. Treating RDP exposure as one finding inside a host-level posture review keeps the queue ordered against real residual risk.

Carry the audit trail through closure

The activity log records who opened, scoped, remediated, and verified each exposed-RDP finding, so the next ISO 27001, SOC 2, or PCI DSS audit reads the operating evidence from the record rather than from reconstructed memory or ticket exports.

Compliance impact

Find every exposed RDP listener across your estate

SecPortal's external scanner probes TCP 3389 across verified domains, raises a high-severity finding with banner evidence, tracks remediation, verifies the fix through retest, and re-runs continuously so a firewall change does not silently undo the closure. Start free.
