An Open Door You Didn't Know You Left Unlocked

In August 2021, the FBI and CISA issued a joint advisory warning that exploitation of Remote Desktop Protocol (RDP) by threat actors was the single most common initial access vector in ransomware attacks. Not phishing emails. Not zero-day exploits. RDP. The remote desktop security risks your organization faces right now are likely more severe than anything in your inbox.

I've spent years responding to breaches where the root cause traced back to an exposed RDP port. In almost every case, the victim had no idea the port was even open to the internet. The attack wasn't sophisticated. It didn't need to be. An open RDP port on TCP 3389 is like leaving your front door wide open with a neon sign that reads "come on in."

This post breaks down exactly how attackers exploit RDP, what the real-world consequences look like, and the specific steps you need to take to shut them down — starting today.

Why Remote Desktop Protocol Is an Attacker's Favorite Target

RDP was designed for convenience. System administrators use it to manage servers. Employees use it to access their work desktops from home. When the pandemic forced millions into remote work in 2020, RDP usage exploded — and so did the attack surface.

Shodan, the search engine for internet-connected devices, consistently indexes millions of systems with port 3389 exposed to the public internet. In early 2021, researchers at ESET reported a 768% increase in RDP brute-force attacks compared to the first quarter of 2020. That's not a typo.

Here's why threat actors love RDP. Once they're in, they have a legitimate remote session on your network. They look like an authorized user. They can move laterally, escalate privileges, disable antivirus, and deploy ransomware — all through a tool your IT department installed on purpose.

Brute Force: The Attack That Never Sleeps

The most common attack against RDP is a brute-force or credential-stuffing attack. Automated tools cycle through thousands of username and password combinations per hour. If your organization doesn't enforce account lockout policies or multi-factor authentication, it's only a matter of time before an attacker guesses correctly.

I've reviewed logs from compromised systems where attackers made over 100,000 login attempts before succeeding. The dwell time between initial access and ransomware deployment? Sometimes less than four hours.

Credential Theft and the Dark Web Marketplace

Brute force isn't the only path. Stolen RDP credentials are bought and sold on dark web marketplaces for as little as $10. The now-defunct UAS (Ultimate Anonymity Services) marketplace was found to have sold access to over 1.3 million RDP credentials before it was taken down. Many of those credentials came from social engineering campaigns and phishing attacks that harvested passwords from unsuspecting employees.

This is exactly why phishing awareness training for organizations matters so much. A single employee who falls for a credential theft phishing email can hand an attacker the keys to your entire network via RDP.

The $4.88M Lesson: Real-World Consequences of Exposed RDP

The Verizon 2021 Data Breach Investigations Report found that desktop sharing software (which includes RDP) was involved in a significant percentage of ransomware incidents. The median cost of a ransomware attack, factoring in downtime, recovery, and reputational damage, keeps climbing. IBM's 2021 Cost of a Data Breach Report put the average data breach cost at $4.24 million globally — the highest in 17 years.

Let's look at real incidents.

The Colonial Pipeline Connection

The Colonial Pipeline ransomware attack in May 2021 was attributed to DarkSide ransomware operators. While the confirmed initial access vector was a compromised VPN credential, the broader DarkSide affiliate model heavily leveraged exposed RDP as an entry point across dozens of other victim organizations. CISA's analysis of DarkSide tactics, techniques, and procedures (TTPs) specifically called out RDP exploitation as a primary access method.

Dharma Ransomware's RDP Playbook

The Dharma ransomware family, active throughout 2020 and 2021, almost exclusively targeted exposed RDP services. Attackers would brute-force their way in, disable Windows Defender, and manually deploy the ransomware payload. The FBI's Internet Crime Complaint Center (IC3) received over 2,000 ransomware complaints in 2020 alone, with damages exceeding $29 million in reported losses — and that figure is widely understood to be a dramatic undercount. Many of these attacks started with RDP.

What Are Remote Desktop Security Risks? A Quick Breakdown

Remote desktop security risks are the vulnerabilities, misconfigurations, and attack vectors associated with using Remote Desktop Protocol (RDP) or similar remote access tools. The primary risks include:

  • Brute-force attacks — automated password guessing against exposed RDP ports
  • Credential stuffing — using stolen username/password pairs from previous data breaches
  • Man-in-the-middle attacks — intercepting RDP sessions that lack proper encryption
  • BlueKeep and related vulnerabilities — unpatched RDP flaws that allow remote code execution (CVE-2019-0708)
  • Lateral movement — once inside, attackers pivot across the network using legitimate RDP sessions
  • Ransomware deployment — RDP is the number one delivery mechanism for ransomware in 2021

Every one of these risks is preventable with proper configuration, monitoring, and user training.

7 Steps to Lock Down RDP Before Attackers Find It

I'm going to be specific here because vague advice like "improve your security posture" helps no one. These are the exact steps I recommend to every organization I work with.

1. Stop Exposing RDP to the Internet

This is non-negotiable. Run an external port scan on your public IP ranges today. If port 3389 is open to the world, close it immediately. Use a VPN or a zero trust network access (ZTNA) solution to gate remote access. RDP should never be directly reachable from the internet.

CISA has repeatedly emphasized this in their ransomware guidance: cisa.gov/stopransomware.

2. Enforce Multi-Factor Authentication

Even if an attacker steals a valid password, multi-factor authentication (MFA) stops them at the door. Implement MFA on all remote access points — VPN, RDP gateways, cloud applications. No exceptions. Hardware tokens or authenticator apps are far more secure than SMS-based codes.

3. Implement Network Level Authentication (NLA)

NLA requires users to authenticate before an RDP session is established, rather than after. This dramatically reduces the attack surface because unauthenticated users can't even reach the login screen. Enable NLA on every system running RDP. It's a Group Policy setting that takes minutes to deploy.

4. Use an RDP Gateway

A Remote Desktop Gateway acts as an intermediary, encrypting the RDP connection over HTTPS (port 443) and providing a central point for access control, logging, and MFA enforcement. This is a baseline requirement for any organization that needs remote desktop access.

5. Limit User Access and Privileges

Not every employee needs RDP access. Not every RDP user needs admin privileges. Apply the principle of least privilege. Remove users from the "Remote Desktop Users" group who don't need it. Use dedicated admin accounts that are separate from daily-use accounts. This limits the blast radius if a credential is compromised.

6. Monitor and Alert on RDP Activity

If you're not monitoring Windows Event Logs for failed and successful RDP logins (Event IDs 4624, 4625, 4648), you're flying blind. Set up alerts for:

  • Multiple failed login attempts from a single IP
  • Successful logins from unfamiliar geolocations
  • RDP sessions initiated outside business hours
  • New user accounts added to Remote Desktop Users

Feed these logs into a SIEM if you have one. If you don't, even a basic log monitoring script is better than nothing.
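As an added example (not code from the original post), here is the kind of basic monitoring script meant above, in Python: it applies the first three alert rules to a few constructed Security-log records exported as JSON. The field names follow the 4624/4625 events; the sample data, the five-in-ten-minutes threshold and the 08:00 to 18:00 business window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
RDP_LOGON_TYPE = 10  # RemoteInteractive: an interactive logon made over RDP
# Constructed sample records, not a real capture (203.0.113.0/24 is documentation space),
# in the shape Get-WinEvent | ConvertTo-Json emits. NLA failures log as 4625, LogonType 3.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": f"2021-09-14T02:1{i}:00", "TargetUserName":
     "administrator", "IpAddress": "203.0.113.7", "LogonType": 3} for i in range(6)
] + [
    {"EventID": 4624, "TimeCreated": "2021-09-14T02:17:40", "TargetUserName":
     "administrator", "IpAddress": "203.0.113.7", "LogonType": RDP_LOGON_TYPE},
    {"EventID": 4624, "TimeCreated": "2021-09-14T09:30:00", "TargetUserName":
     "jdoe", "IpAddress": "10.0.0.25", "LogonType": RDP_LOGON_TYPE},
]

def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])

def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with at least `threshold` 4625 events inside one `window`."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4625:  # any logon type: NLA failures are type 3, not 10
            by_ip[ev["IpAddress"]].append(_ts(ev))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):  # slide a window of `threshold` hits
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged

def success_after_failures(events, lookback=timedelta(hours=1)):
    """Successful RDP logons from an IP that produced 4625s within `lookback`."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4624 or ev["LogonType"] != RDP_LOGON_TYPE:
            continue
        prior = sum(1 for f in events if f["EventID"] == 4625 and f["IpAddress"] == ev["IpAddress"]
                    and timedelta(0) <= _ts(ev) - _ts(f) <= lookback)
        if prior:  # a guess that finally worked is the brute-force signature
            hits.append((ev["IpAddress"], ev["TargetUserName"], prior))
    return hits

def after_hours_logons(events, start_hour=8, end_hour=18):
    """Successful RDP logons whose hour lies outside [start_hour, end_hour)."""
    return [(ev["IpAddress"], ev["TargetUserName"], ev["TimeCreated"]) for ev in events
            if ev["EventID"] == 4624 and ev["LogonType"] == RDP_LOGON_TYPE
            and not start_hour <= _ts(ev).hour < end_hour]
```

On the sample data the burst check, the success-after-failures check and the after-hours check all point at the same source address, which is exactly the correlation you want to see in one alert rather than three.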

7. Patch Relentlessly

The BlueKeep vulnerability (CVE-2019-0708) was disclosed in May 2019. It allows unauthenticated remote code execution via RDP. Microsoft issued a patch immediately. Two and a half years later, I still encounter unpatched systems in production environments. NIST's National Vulnerability Database tracks RDP-related CVEs that your team should be monitoring regularly: nvd.nist.gov.

The Human Factor: Why Security Awareness Training Matters for RDP

Here's what I see over and over: organizations invest in firewalls, endpoint detection, and network segmentation but completely ignore the human element. Your employees are the ones choosing passwords, clicking phishing links, and falling for social engineering attacks that harvest the credentials attackers use to log in via RDP.

A 2021 study from Stanford University found that approximately 88% of data breaches are caused by employee mistakes. That lines up with everything I've seen in the field.

This is where security awareness becomes a force multiplier. When your employees understand what a phishing simulation looks like, when they know not to reuse passwords across personal and work accounts, when they recognize a social engineering attempt — you've just eliminated the most common way RDP credentials get stolen in the first place.

I strongly recommend enrolling your team in cybersecurity awareness training that covers credential hygiene, phishing recognition, and safe remote work practices. It's the highest-ROI security investment most organizations aren't making.

Zero Trust: The Framework That Makes RDP Risks Manageable

The zero trust model assumes that no user, device, or network connection should be trusted by default — even if it originates inside the corporate perimeter. This approach is particularly effective against remote desktop security risks because it eliminates the concept of a "trusted internal network" that RDP was designed around.

In a zero trust architecture:

  • Every RDP session requires identity verification and device health checks
  • Access is granted on a per-session, per-resource basis
  • Microsegmentation prevents lateral movement even if a session is compromised
  • Continuous monitoring flags anomalous behavior in real time

NIST Special Publication 800-207 provides the definitive framework for zero trust architecture: csrc.nist.gov/publications/detail/sp/800-207/final. If you haven't read it, put it at the top of your list for 2022.

Your RDP Checklist for This Week

Don't let this become another blog post you read and forget. Here's what to do in the next five business days:

  • Monday: Run an external scan for port 3389 on all your public IPs. Shut down any exposed instances immediately.
  • Tuesday: Audit your Remote Desktop Users group across all servers and workstations. Remove anyone who doesn't need access.
  • Wednesday: Enable Network Level Authentication and verify MFA is enforced on all remote access pathways.
  • Thursday: Check patch status for all RDP-related CVEs, starting with BlueKeep (CVE-2019-0708) and CVE-2020-0609/0610.
  • Friday: Enroll your team in phishing awareness training and schedule your first phishing simulation for later this month.

Remote desktop security risks aren't theoretical. They're being exploited against organizations like yours right now, as you read this. The attackers have automated tools, stolen credential databases, and all the time in the world. Your advantage is that every single one of these attack vectors is preventable — if you act.