A Single Exposed RDP Port Cost One Hospital Everything
In 2023, a regional hospital in Illinois discovered that attackers had been inside their network for over three weeks. The entry point? A single Remote Desktop Protocol (RDP) port left open to the internet. The threat actors used brute-forced credentials to log in, moved laterally across the network, exfiltrated patient records, and deployed ransomware that shut down clinical operations for eleven days. That incident wasn't unusual — it was predictable.
Remote desktop security risks rank among the most exploited attack vectors in enterprise environments. The FBI's Internet Crime Complaint Center (IC3) has repeatedly named RDP as one of the top initial access methods for ransomware groups. If your organization has remote desktop services reachable from the internet, whether directly or through a VPN that only asks for a password, this post is the practical guide you need.
I've spent years watching organizations make the same RDP mistakes. Here's what actually goes wrong, what the data says, and what you can do about it today.
Why RDP Is a Favorite Target for Threat Actors
Remote Desktop Protocol was designed for convenience, not security. It gives full graphical access to a Windows machine from anywhere. That's exactly why attackers love it — a compromised RDP session gives them the same access as sitting at the keyboard.
Shodan, the search engine for internet-connected devices, consistently indexes millions of systems with TCP port 3389 (RDP's default port) exposed directly to the internet. Each one is a target, and attackers don't need a sophisticated exploit to take it: automated tools try thousands of username and password combinations per minute, drawn from breach dumps and common-password lists.
The Verizon 2024 Data Breach Investigations Report found that stolen credentials were involved in roughly 50% of breaches, and remote access services like RDP are one of the primary places those credentials get used. It's not a hypothetical risk — it's a documented, recurring pattern. You can review the full report at Verizon's DBIR page.
The Specific Remote Desktop Security Risks You're Facing
Brute Force and Credential Stuffing Attacks
This is the most common RDP attack. Automated tools hammer exposed RDP endpoints with username and password pairs taken from previous breach dumps. If any of your employees reused passwords, and statistically many have, attackers get in. No exploit needed. No malware needed. Just a valid login.
I've seen organizations that had no account lockout policy on their RDP-facing systems. One client had over 400,000 failed login attempts in a single month before anyone noticed. By the time they looked, the attackers had already found a working combination.
BlueKeep and Unpatched Vulnerabilities
CVE-2019-0708, known as BlueKeep, was a wormable vulnerability in Microsoft's Remote Desktop Services. It allowed remote code execution without authentication. Microsoft issued a patch in May 2019, even for out-of-support Windows versions, but CISA reported that hundreds of thousands of systems remained unpatched months later. Further pre-authentication RDS bugs (CVE-2019-1181 and CVE-2019-1182, nicknamed DejaBlue) followed within three months, and new RDP vulnerabilities continue to surface. If you aren't patching RDP services aggressively, you're running on borrowed time.
CISA maintains active advisories on RDP-related vulnerabilities at their Known Exploited Vulnerabilities Catalog.
Man-in-the-Middle Attacks
RDP encrypts sessions with TLS, but a default-configured server presents a self-signed certificate, so the client shows a warning that users quickly learn to click through. An attacker on the path, on a hostile Wi-Fi network or a poorly segmented LAN, can present a certificate of their own or push the connection down to the legacy RDP security layer, then capture the credentials as they are entered or take over the session entirely. Network Level Authentication (NLA) combined with a certificate the client actually validates (one issued by your internal CA, with clients configured to refuse servers that fail validation) closes this path; NLA alone does not help if users accept any certificate they are shown.
Session Hijacking and Lateral Movement
Once inside via RDP, attackers don't stay put. They use tools like Mimikatz to dump credentials from LSASS memory, then move laterally to domain controllers, file servers, and backup systems. RDP makes lateral movement easy because it's a legitimate admin tool; it blends right into normal traffic. Disconnected sessions are a hazard of their own: anyone with SYSTEM privileges on a host can attach to another user's disconnected RDP session without knowing that user's password, so an administrator who closed the client window instead of signing out has left a live session for the taking.
Ransomware Deployment
The connection between RDP and ransomware is well documented. Groups like Conti, LockBit, and Dharma have all used exposed RDP as their primary entry vector. Once inside, they disable antivirus, delete shadow copies, and encrypt everything. The ransom demands I've seen in RDP-originated incidents range from $50,000 to several million dollars.
What Is the Biggest Remote Desktop Security Risk?
The single biggest remote desktop security risk is exposing RDP directly to the internet without multi-factor authentication. This combination — open port plus single-factor credentials — is the exact scenario that leads to the majority of RDP-related breaches. If you fix nothing else, fix this. Require MFA on every remote access session and never expose port 3389 directly to the public internet.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2024 Cost of a Data Breach Report put the global average cost of a data breach at $4.88 million. Breaches involving stolen credentials — the exact type RDP attacks produce — took an average of 292 days to identify and contain. That's nearly ten months of an attacker living inside your network.
What makes this worse is that many of these breaches are entirely preventable. The controls aren't exotic. They're well-known. But organizations skip them because RDP is "just for the IT team" or "only temporary." In my experience, temporary RDP access has a way of becoming permanent.
How to Lock Down Remote Desktop: Practical Steps
1. Never Expose RDP Directly to the Internet
This is non-negotiable. If you have port 3389 open on a public-facing firewall, close it today. Moving the listener to another port is not a fix; scanners fingerprint the protocol, not the port number. Use a VPN, a Remote Desktop Gateway (which tunnels RDP over HTTPS and can enforce its own authentication), or a zero trust network access (ZTNA) solution instead. Every session should pass through an authenticated, encrypted tunnel before reaching the RDP endpoint.
2. Enforce Multi-Factor Authentication on Every Session
Passwords alone are not sufficient for remote desktop access. Period. Implement MFA using an authenticator app, hardware token, or FIDO2 key. Microsoft's Remote Desktop Gateway can enforce MFA through its Network Policy Server (NPS) integration, and third-party solutions exist for environments that can't use the gateway directly.
3. Implement Network Level Authentication (NLA)
NLA requires the client to authenticate (over CredSSP) before the server creates a session. An unauthenticated attacker therefore never reaches the Windows login screen, which has itself been the target of exploits, and pre-authentication bugs such as BlueKeep become far harder to exploit because a valid credential is required first. Enable NLA on every system accepting RDP connections and refuse clients that can't support it.
4. Use Account Lockout Policies
Set account lockout thresholds to block brute-force attempts. I recommend locking accounts after five failed attempts with a 30-minute lockout duration and a matching reset window. Yes, this can cause inconvenience for legitimate users, and an attacker who already knows valid usernames can deliberately lock them out, so monitor lockout events rather than just enabling the policy and forgetting it. That inconvenience is a fraction of the cost of a ransomware incident.
5. Restrict RDP Access by IP and User
Use firewall rules to allow RDP connections only from known, trusted addresses: the VPN pool or the gateway, never "any". Limit which accounts have RDP permissions; most employees don't need it. Keep the Remote Desktop Users group tightly controlled through Group Policy, and remember that members of the local Administrators group can log on over RDP regardless of that group, so the "Allow log on through Remote Desktop Services" user right is the control that actually decides who gets in.
6. Patch Aggressively
Subscribe to Microsoft's security update notifications and patch RDP-related vulnerabilities within 48 hours of release. If you can't patch that fast, you need a compensating control — like disabling the service until you can. NIST's National Vulnerability Database at nvd.nist.gov is your reference for tracking CVEs related to Remote Desktop Services.
7. Monitor RDP Logs Relentlessly
Windows records every RDP logon attempt. In the Security log, a successful RDP session is event 4624 with logon type 10 (RemoteInteractive) and a failure is event 4625; with NLA enabled, failed attempts show logon type 3 because CredSSP authenticates before the session exists. Lockouts appear as event 4740 on the domain controller, and the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log records session logon, disconnect and reconnect as events 21, 24 and 25. Forward these to a SIEM or central logging platform and alert on failed-login spikes per source address, logons at unusual hours, logons from unexpected geolocations, and any RDP use of default or service accounts. If you aren't monitoring RDP logs, you won't know you've been compromised until it's far too late.
8. Deploy a Zero Trust Architecture
Zero trust means no implicit trust for any user or device, regardless of network location. Every RDP session should be verified, authorized, and continuously validated. This approach eliminates the "castle and moat" problem where an attacker who breaches the perimeter has unrestricted internal access.
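The script below is an added example, not code from the original post, that applies steps 1 through 6 above on a single Windows host from an elevated PowerShell session: it turns on NLA, forces the TLS security layer, scopes the built-in Remote Desktop firewall rules to trusted sources, trims the Remote Desktop Users group, and sets the lockout policy. The trusted source ranges, the group name and the lockout values are assumptions to replace with your own; on a domain-joined host the lockout policy and the RDP user right should come from Group Policy rather than the local commands shown here.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original post's code. Applies steps 1-6 on one host.
# Both parameters are assumed placeholders: replace them with your VPN pool /
# RD Gateway addresses and the group that is actually allowed to use RDP.
param(
    [string[]]$TrustedSources  = @('10.20.0.0/24', '10.20.1.5'),
    [string[]]$AllowedRdpUsers = @('CORP\RDP-Admins')
)

$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Step 3: NLA. UserAuthentication=1 forces CredSSP authentication before the
# session (and its login screen) is created.
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord

# SecurityLayer=2 means TLS only (no fallback to the legacy "RDP Security Layer");
# MinEncryptionLevel=3 is "High". Together they remove the downgrade path that
# on-path interception relies on.
Set-ItemProperty -Path $rdpTcp -Name 'SecurityLayer'      -Value 2 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name 'MinEncryptionLevel' -Value 3 -Type DWord

# Steps 1 and 5: scope the built-in Remote Desktop firewall rules to trusted
# sources. Everything else, the public internet included, is dropped before it
# reaches the listener.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -Enabled True -RemoteAddress $TrustedSources

# Step 5: trim the local Remote Desktop Users group to the approved members.
# Members of the local Administrators group can still log on via RDP; restrict
# that with the "Allow log on through Remote Desktop Services" user right in
# Group Policy.
$current = @(Get-LocalGroupMember -Group 'Remote Desktop Users')
foreach ($member in $current) {
    if ($AllowedRdpUsers -notcontains $member.Name) {
        Write-Warning "Removing $($member.Name) from Remote Desktop Users"
        Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $member.Name
    }
}
foreach ($user in $AllowedRdpUsers) {
    if ($current.Name -notcontains $user) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $user
    }
}

# Step 4: lockout after 5 failures, 30-minute lockout, 30-minute reset window.
# This sets the local SAM policy; on a domain the same values belong in the
# Default Domain Policy.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# Show the resulting state so the change can be verified in the same run.
Get-ItemProperty -Path $rdpTcp | Select-Object UserAuthentication, SecurityLayer, MinEncryptionLevel
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress -Unique
net accounts | Select-String 'Lockout'
```

Run it once on a test host and read the three verification outputs at the end before rolling it out: the registry values should read 1, 2 and 3, the firewall address filter should list only your trusted sources, and the lockout lines should show the values you set. Steps 2 (MFA) and 7 (monitoring) are not host-local settings and are not covered by this script.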
Your Employees Are Part of the Attack Surface
Technical controls matter, but they don't cover everything. Social engineering attacks frequently target RDP credentials. Phishing emails that impersonate IT helpdesks, fake VPN login pages, and vishing calls asking for remote access credentials — I've seen all of these work against organizations that had solid technical defenses but undertrained employees.
An employee who clicks a phishing link and enters their VPN credentials on a fake page hands attackers the keys to your RDP infrastructure. No amount of firewalling fixes that.
This is why security awareness training is critical. Your team needs to recognize phishing attempts, understand why credential reuse is dangerous, and know what social engineering tactics look like in practice. Our cybersecurity awareness training program covers these exact scenarios with practical, real-world examples.
For organizations specifically concerned about credential theft through phishing — which is directly tied to RDP compromise — our phishing awareness training for organizations includes simulated phishing campaigns and targeted education that reduces click-through rates measurably.
The RDP Audit Checklist You Should Run This Week
Here's what I'd check immediately if I took over your network security tomorrow:
- Scan your external IP range for TCP port 3389. Use Nmap or your vulnerability scanner, and don't limit the scan to 3389: RDP moved to a non-standard port is just as exposed. If it's open, close it now.
- Verify MFA is enforced on all remote access paths. Not just recommended — enforced.
- Review the Remote Desktop Users group on every server and workstation. Remove anyone who doesn't need access.
- Check that NLA is enabled on all RDP-accepting systems.
- Confirm account lockout policies are active and set to a reasonable threshold.
- Pull RDP login logs for the past 90 days. Look for anomalies — failed login bursts, off-hours access, unknown source IPs.
- Verify all RDP-related patches are current. Cross-reference with CISA's Known Exploited Vulnerabilities Catalog.
- Test your phishing simulation results. If more than 10% of employees are clicking, you have a credential theft problem waiting to happen.
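The script below is an added example, not part of the original checklist or the post's own tooling. It serves the log-review item above, the monitoring step in the hardening list, and the "400,000 failed logins before anyone noticed" scenario from the brute-force section: it collects RDP logon events from the Security log (4624 successes, 4625 failures, logon types 3 and 10) and flags failed-login bursts per source address, off-hours interactive logons, logons from addresses not on a known-source list, and the case that matters most, a success from an address that was also brute-forcing. The failure threshold, the business-hours window and the known-source address are assumptions, and the sample events it runs against are constructed to show the output shape, not real log data.

```powershell
# Added example, not from the original post. Pulls RDP logon events and flags
# the anomalies the checklist asks for. Thresholds, business hours and the
# known-source list are assumptions; tune them for your environment.

function Get-RdpLogonEvents {
    # 4624 = logon succeeded, 4625 = logon failed. Logon type 10 is
    # RemoteInteractive (an RDP session); with NLA enabled, failed attempts are
    # recorded as type 3 (network) because CredSSP authenticates before the
    # session exists. Field values live in the event XML, not the message text.
    param([int]$Days = 90)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            User      = $d['TargetUserName']
            SourceIp  = $d['IpAddress']
            LogonType = [int]$d['LogonType']
        }
    } | Where-Object { $_.LogonType -in 3, 10 }
}

function Find-RdpAnomalies {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$FailureThreshold = 20,        # assumed: failures per source IP per hour worth an alert
        [int]$BusinessStart = 7,            # assumed business hours, local time
        [int]$BusinessEnd   = 19,
        [string[]]$KnownSources = @()       # assumed: VPN pool / RD Gateway addresses
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    $add = { param($Type, $Ip, $Detail)
        $findings.Add([pscustomobject]@{ Type = $Type; SourceIp = $Ip; Detail = $Detail }) }

    # 1. Failed-login bursts: 4625 events grouped by source address and hour.
    $failed = $Events | Where-Object { $_.Id -eq 4625 }
    foreach ($g in ($failed | Group-Object { '{0}|{1:yyyy-MM-dd HH}' -f $_.SourceIp, $_.Time })) {
        if ($g.Count -ge $FailureThreshold) {
            $ip, $hour = $g.Name -split '\|'
            & $add 'BruteForce' $ip "$($g.Count) failures in hour $hour"
        }
    }

    # 2 and 3. Successful RDP sessions outside business hours or from an
    # address not on the known-source list.
    $sessions = $Events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 }
    foreach ($e in $sessions) {
        if ($e.Time.Hour -lt $BusinessStart -or $e.Time.Hour -ge $BusinessEnd) {
            & $add 'OffHoursLogon' $e.SourceIp "$($e.User) at $($e.Time)"
        }
        if ($KnownSources.Count -gt 0 -and $KnownSources -notcontains $e.SourceIp) {
            & $add 'UnknownSource' $e.SourceIp "$($e.User) from an unlisted address"
        }
    }

    # 4. A success from an address that was also brute-forcing: the
    # "hundreds of thousands of failures, then one success" pattern.
    $bruteIps = @($findings | Where-Object { $_.Type -eq 'BruteForce' } | ForEach-Object { $_.SourceIp })
    foreach ($e in ($Events | Where-Object { $_.Id -eq 4624 -and $bruteIps -contains $_.SourceIp })) {
        & $add 'SuccessAfterBruteForce' $e.SourceIp "$($e.User) at $($e.Time)"
    }
    return $findings
}

# Constructed sample, not real log data: 25 failures from one address within a
# few minutes, a success from the same address at 03:10, and one normal
# business-hours logon from the (assumed) RD Gateway at 10.20.1.5.
$t0 = Get-Date '2024-05-04 03:00'
$sample = foreach ($i in 1..25) {
    [pscustomobject]@{ Time = $t0.AddSeconds($i * 5); Id = 4625; User = "user$i"; SourceIp = '203.0.113.77'; LogonType = 3 }
}
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(10); Id = 4624; User = 'jsmith'; SourceIp = '203.0.113.77'; LogonType = 10 }
$sample += [pscustomobject]@{ Time = (Get-Date '2024-05-06 10:15'); Id = 4624; User = 'admin1'; SourceIp = '10.20.1.5'; LogonType = 10 }

Find-RdpAnomalies -Events $sample -KnownSources '10.20.1.5' | Format-Table -AutoSize
# Against the live Security log on this host (needs an elevated session):
# Find-RdpAnomalies -Events (Get-RdpLogonEvents -Days 90) -KnownSources '10.20.1.5'
```

On the constructed sample this produces four findings: one BruteForce for 203.0.113.77, and an OffHoursLogon, an UnknownSource and a SuccessAfterBruteForce for the jsmith logon from that address; the admin1 logon from the known gateway during business hours produces none. Type 3 failures also include SMB and other network logons, so on a busy file server the burst threshold will need raising; the per-address grouping is what keeps the signal usable, and the SuccessAfterBruteForce finding is the one to page on.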
RDP Isn't Going Away — But the Risks Are Manageable
Remote desktop services serve a legitimate purpose. System administrators need remote access. Help desks need to support users. The technology isn't the problem — the configuration and human behavior around it are.
Every major ransomware incident report I've read in the past three years mentions RDP as either the initial access vector or a key enabler of lateral movement. The controls to prevent this aren't expensive or complicated. They require discipline, monitoring, and continuous education.
Start with the audit checklist above. Close exposed ports. Enforce MFA. Train your people. The threat actors scanning your network right now aren't waiting for you to get around to it.