In 2023, the FBI's Internet Crime Complaint Center flagged Remote Desktop Protocol (RDP) as one of the top three initial access vectors for ransomware incidents. That wasn't a surprise to anyone who monitors Shodan — the search engine that indexes internet-facing devices. On any given day, you can find over four million RDP endpoints exposed to the open internet. Attackers don't need to be sophisticated. They just need to look.

If your organization uses remote desktop services — and odds are high that it does — you need to understand the remote desktop security risks you're actually carrying. Not the theoretical ones. The ones that lead to six-figure ransomware demands, lateral movement across your entire domain, and regulatory investigations that drag on for years.

This post breaks down what threat actors target, how real breaches unfold through RDP, and the specific steps that actually reduce your exposure.

Why Remote Desktop Is a Magnet for Threat Actors

RDP was designed for convenience, not security. Microsoft built it so administrators could manage servers without physically sitting in front of them. Then COVID happened, and suddenly every organization on earth was using it to connect remote workers to internal systems.

Here's the problem: RDP listens on TCP port 3389 by default. Every scanner on the planet knows this. Automated botnets sweep the entire IPv4 address space in hours, cataloging every open RDP port they find. Once they find yours, the brute-force attacks begin immediately.

I've reviewed firewall logs for small businesses that showed thousands of RDP login attempts per day — from IP addresses across dozens of countries. The business owner had no idea. Their IT provider had set up RDP for "temporary" access two years earlier and never closed the port.

The Credential Theft Pipeline

Brute force isn't the only path in. Credential theft through phishing gives attackers valid usernames and passwords that bypass lockout policies entirely. An employee clicks a convincing Microsoft 365 phishing email, enters their credentials on a spoofed login page, and the attacker now has a working username and password.

If that same employee reuses passwords — and studies consistently show most people do — the attacker tries those credentials against every RDP endpoint associated with the organization's IP range. No lockout triggers. No alerts fire. They walk right in.

This is why phishing awareness training for organizations isn't optional anymore. It directly reduces the credential supply chain that feeds RDP compromise.

What Does an RDP Breach Actually Look Like?

Let me walk you through a pattern I've seen repeatedly in incident response reports.

Day 1: Attacker gains RDP access using purchased credentials from an initial access broker on a dark web marketplace. They log in at 2:00 AM local time. No one notices.

Days 2-5: The attacker runs network reconnaissance tools. They map Active Directory, identify domain admin accounts, and locate backup servers. They move laterally using legitimate Windows tools like PsExec and PowerShell — nothing that triggers antivirus.

Day 6: They disable Volume Shadow Copies, delete backup catalogs, and deploy ransomware across every reachable system simultaneously. The ransom note demands $250,000 in cryptocurrency.

Verizon's 2024 Data Breach Investigations Report found that stolen credentials were involved in roughly 77% of attacks against web applications and remote access services. RDP is the poster child for this pattern. You can review the findings yourself in the Verizon DBIR.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. Breaches involving stolen credentials took an average of 292 days to identify and contain — the longest lifecycle of any attack vector.

RDP-initiated breaches often fall into this category because attackers using valid credentials look like legitimate users. Your SIEM sees a successful login. Your endpoint tool sees normal administrative activity. Everything looks routine until the ransomware detonates.

The organizations that catch these intrusions early share one thing in common: layered security controls that don't rely on a single point of detection.

Remote Desktop Security Risks: A Quick Reference

If you're searching for a clear summary of remote desktop security risks, here it is:

  • Exposed attack surface: RDP on port 3389 is trivially discoverable by automated scanners.
  • Brute-force vulnerability: Without account lockout and rate limiting, attackers can try millions of password combinations.
  • Credential reuse exploitation: Stolen passwords from phishing or previous breaches grant direct access.
  • Lateral movement enablement: Once inside via RDP, attackers can pivot to any system the compromised account can reach.
  • Lack of logging: Many organizations don't monitor RDP session activity, giving attackers days or weeks of undetected access.
  • Missing multi-factor authentication: RDP without MFA is essentially a password-only barrier — and passwords alone fail constantly.
  • Ransomware delivery: CISA has repeatedly identified RDP as a primary ransomware delivery vector.

How CISA and FBI Have Responded

This isn't just a private-sector concern. CISA has published multiple advisories specifically warning about exposed RDP services. Their #StopRansomware guide explicitly calls out RDP as a top initial access vector and recommends disabling it entirely if it's not business-critical.

The FBI's IC3 has included RDP exploitation in ransomware-related alerts going back several years. Their guidance is consistent: if you must use RDP, it should never be directly exposed to the internet, and it must be protected by multi-factor authentication and network-level access controls.

7 Steps to Actually Reduce Your RDP Exposure

I'm not going to give you a generic checklist. These are the specific controls that make the biggest difference, ordered by impact.

1. Remove RDP From the Public Internet — Today

If port 3389 is reachable from the internet, close it. Full stop. Use a VPN or a zero trust network access (ZTNA) solution to broker connections instead. The RDP service itself should only be accessible from internal network segments or through an authenticated tunnel.

2. Enforce Multi-Factor Authentication on Every Remote Session

MFA is the single most effective control against credential-based attacks. Even if an attacker has a valid username and password, MFA blocks the login. Implement it at the VPN or ZTNA layer, and ideally at the RDP gateway level as well.

3. Implement Network Level Authentication (NLA)

NLA requires users to authenticate before the RDP session is established. Without NLA, the server presents a login screen to anyone who connects — giving attackers a target for brute force and exploit attempts. NLA is a Group Policy setting. Enable it everywhere.

4. Restrict RDP Access by User and IP

Not every employee needs remote desktop access. Limit RDP permissions to specific user accounts that require it, and restrict source IP addresses at the firewall level. The principle of least privilege applies directly here.

5. Monitor and Alert on RDP Activity

Forward Windows Event ID 4624 (successful logon) and 4625 (failed logon) with logon type 10 (RemoteInteractive) to your SIEM or log management platform. Set alerts for logins outside business hours, logins from unusual geolocations, and bursts of failed attempts.
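As an added illustration of the three alerts described in step 5 (example code written for this post, not the author's or any vendor's tooling), the Python below runs the off-hours, failed-burst, and success-after-failures checks over a handful of constructed event records. The record field names, the 08:00-18:00 business-hours window, and the thresholds are assumptions you would tune to your own SIEM.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample records shaped like normalized Windows Security events
# (4624 = successful logon, 4625 = failed logon, logon_type 10 = RemoteInteractive).
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:15:00", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.21"},
    {"ts": "2024-03-04T09:20:00", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.21"},
    {"ts": "2024-03-04T02:03:00", "event_id": 4624, "logon_type": 10, "user": "admin", "src_ip": "198.51.100.7"},
    {"ts": "2024-03-04T10:00:00", "event_id": 4624, "logon_type": 3, "user": "svc-backup", "src_ip": "10.0.5.30"},
    {"ts": "2024-03-04T01:31:10", "event_id": 4624, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.9"},
] + [  # six failed attempts from one external address, ten seconds apart
    {"ts": f"2024-03-04T01:30:{i * 10:02d}", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.9"}
    for i in range(6)
]

def _ts(rec): return datetime.fromisoformat(rec["ts"])

def rdp_logons(events, logon_types=(10,)):
    """4624/4625 with a RemoteInteractive logon type, oldest first (hosts with NLA often log failures as type 3: widen logon_types)."""
    keep = (e for e in events if e["event_id"] in (4624, 4625) and e["logon_type"] in logon_types)
    return sorted(keep, key=_ts)

def off_hours_logons(events, start_hour=8, end_hour=18):
    """Successful RDP logons outside business hours (hours are the log's local time)."""
    return [e for e in rdp_logons(events) if e["event_id"] == 4624 and not start_hour <= _ts(e).hour < end_hour]

def failed_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed RDP logons inside a sliding time window."""
    recent, flagged = defaultdict(deque), {}
    for e in rdp_logons(events):
        if e["event_id"] != 4625:
            continue
        ts, q = _ts(e), recent[e["src_ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[e["src_ip"]] = max(flagged.get(e["src_ip"], 0), len(q))
    return flagged

def success_after_failures(events, min_failures=5, window=timedelta(minutes=10)):
    """Successful logons preceded by a burst of failures from the same IP: the signature of a brute force that worked."""
    failures, hits = defaultdict(list), []
    for e in rdp_logons(events):
        ip, ts = e["src_ip"], _ts(e)
        if e["event_id"] == 4625:
            failures[ip].append(ts)
        elif sum(1 for f in failures[ip] if ts - f <= window) >= min_failures:
            hits.append(e)
    return hits
```

Each function returns the offending records rather than printing them, so the same logic can feed an alert rule or a scheduled report.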

6. Patch Relentlessly

BlueKeep (CVE-2019-0708) proved that RDP vulnerabilities can be wormable — capable of spreading without user interaction. Microsoft has patched multiple critical RDP vulnerabilities since then. If your patching cadence is measured in months, you're leaving doors open.

7. Train Your People on Social Engineering

Every credential stolen through phishing is a potential RDP compromise. Security awareness training that includes realistic phishing simulations directly reduces the volume of valid credentials circulating in attacker marketplaces. If your organization hasn't implemented structured cybersecurity awareness training, you're missing the human layer entirely.

Zero Trust and the Future of Remote Access

The traditional model — VPN into the network, then RDP to a workstation — is dying. Zero trust architecture replaces implicit network trust with continuous verification. Every session is authenticated, authorized, and encrypted independently.

In a zero trust model, there's no "inside the network." An attacker who compromises one endpoint can't freely pivot to others because every connection requires its own authentication and authorization check. This directly addresses the lateral movement problem that makes RDP breaches so devastating.

NIST Special Publication 800-207 provides the framework for zero trust architecture. You can review it at NIST.gov. If your organization is still relying on perimeter-based security for remote access, start planning the transition now.

What About Small Businesses?

I hear this constantly: "We're too small to be a target." The data says otherwise. The FBI's IC3 reports consistently show small and mid-sized businesses suffering disproportionate losses from ransomware. Attackers don't target by company size — they target by vulnerability. An exposed RDP port on a 15-person company's server is just as exploitable as one on an enterprise network.

Small businesses often have it worse because they lack dedicated security staff. The IT consultant who set up RDP three years ago moved on, and no one reviews the firewall rules. Meanwhile, automated scanners find the open port within hours of it going live.

If you're running a small business, the steps above still apply. Start with step one: check whether port 3389 is exposed. You can use Shodan or simply ask your IT provider to audit your external attack surface. If they can't answer that question confidently, you have a bigger problem.

RDP Isn't Going Away — But Your Risks Can Shrink

Remote desktop services remain critical for IT administration, help desk support, and remote work. The goal isn't to eliminate RDP. It's to eliminate the conditions that let attackers exploit it.

That means closing unnecessary exposure, layering authentication controls, monitoring sessions actively, and training your people to resist the phishing attacks that feed credential theft. Every one of these controls is achievable. None of them require exotic technology.

The organizations that get breached through RDP in 2026 won't be the ones facing novel zero-day exploits. They'll be the ones that left port 3389 open to the internet with a five-character password and no MFA. Don't be that organization.

Start by auditing your remote desktop security risks this week. Lock down what's exposed, enable MFA, and invest in phishing awareness training to cut off the credential supply that makes RDP attacks possible in the first place.