3,389 Reasons to Worry About Your Open RDP Ports

In 2023, the FBI's IC3 received over 880,000 cybercrime complaints with losses exceeding $12.5 billion — and a staggering number of those incidents traced back to compromised Remote Desktop Protocol (RDP) connections. I've personally responded to incidents where a single exposed RDP port led to a full-blown ransomware deployment in under four hours. The threat actor didn't need a sophisticated zero-day exploit. They just needed a password.

Remote desktop security risks are the unlocked back doors of the modern enterprise. If your organization runs RDP — and statistically, you probably do — this post breaks down exactly how attackers exploit it, what the real-world consequences look like, and what you can do about it starting today.

Why Remote Desktop Protocol Is a Hacker's Favorite Target

RDP runs on TCP port 3389 by default. Every threat actor on the planet knows this. Automated scanning tools like Shodan and Masscan can identify exposed RDP endpoints across the entire internet in minutes. As of early 2026, Shodan regularly indexes over 3 million devices with port 3389 open to the public internet.

Here's what makes RDP so attractive to attackers. It gives them a full graphical desktop session on your system. Once they're in, they can browse file shares, install malware, exfiltrate data, disable antivirus, and pivot laterally — all through a legitimate remote management tool that your own IT team uses daily.

The Verizon 2024 Data Breach Investigations Report found that stolen credentials were involved in roughly 31% of all breaches over the past decade. RDP credential theft is one of the most common ways those stolen credentials get used. Attackers buy valid RDP credentials on dark web marketplaces for as little as $10 per endpoint. That's the going rate for full access to your network.

The 5 Most Dangerous Remote Desktop Security Risks

1. Brute Force and Credential Stuffing Attacks

Attackers run automated tools that try thousands of username and password combinations against your RDP login screen. If your accounts use weak passwords or if you've reused credentials from a previous data breach, they'll get in. I've seen brute force attacks succeed in under 20 minutes against accounts using passwords like "Company2025!".

2. BlueKeep and Unpatched Vulnerabilities

CVE-2019-0708, known as BlueKeep, was a wormable vulnerability in older versions of RDP that allowed unauthenticated remote code execution. Microsoft patched it, but years later, thousands of systems remain unpatched. Newer RDP vulnerabilities continue to surface regularly. If you're not patching RDP services within days of a critical advisory, you're exposed.

3. Man-in-the-Middle Attacks

When RDP sessions aren't properly secured with Network Level Authentication (NLA) and valid TLS certificates, attackers on the same network can intercept credentials in transit. This is especially dangerous when employees connect from hotel Wi-Fi, coffee shops, or other untrusted networks.

4. Lateral Movement After Initial Access

Once inside one system via RDP, attackers use tools like Mimikatz to dump cached credentials, then RDP hop from machine to machine across your internal network. This is exactly how many ransomware operators — including groups like Conti and LockBit — have escalated from a single compromised endpoint to full domain compromise.

5. Social Engineering for RDP Credentials

Phishing remains the number one delivery mechanism for credential theft. An employee clicks a link, enters credentials on a spoofed page, and the attacker now has valid RDP login details. This intersection of social engineering and remote access is where most organizations get hit. Training your team to recognize these attacks is essential, and our phishing awareness training for organizations addresses this exact scenario.

What Does a Real RDP-Based Attack Look Like?

Here's a pattern I've seen repeated dozens of times across incident response engagements:

  • Day 1: Attacker purchases valid RDP credentials from a dark web marketplace or obtains them through a phishing campaign.
  • Day 1, Hour 2: Attacker logs in via RDP, usually during off-hours. They disable Windows Defender and any endpoint detection tools.
  • Day 1, Hour 3: Attacker runs Mimikatz or similar tools to harvest additional credentials, including domain admin accounts.
  • Day 1, Hour 4-6: Attacker maps the network, identifies critical servers, domain controllers, and backup systems.
  • Day 2-3: Attacker deploys ransomware across the environment, encrypts backups first, then production systems.
  • Day 3: You arrive at work to a ransom note demanding six or seven figures in cryptocurrency.

This isn't theoretical. CISA has published multiple advisories documenting exactly this attack chain. Their cybersecurity advisories page catalogs dozens of incidents where RDP was the initial access vector.

How Do You Secure Remote Desktop Protocol?

This is the question I get asked most. Here's what actually works — not theoretical best practices, but the controls that stop real attacks.

Never Expose RDP Directly to the Internet

This is rule number one. If port 3389 is reachable from the public internet, you're running on borrowed time. Place RDP behind a VPN or use a zero trust network access (ZTNA) solution. If users need remote access, they authenticate to the VPN first, then connect to RDP internally.

Enforce Multi-Factor Authentication

Passwords alone are not enough. Multi-factor authentication (MFA) on every RDP gateway and VPN connection is non-negotiable in 2026. Even if an attacker steals credentials through a phishing attack, MFA blocks them from logging in. This single control prevents the vast majority of credential-based RDP compromises.

Implement Network Level Authentication

NLA requires users to authenticate before a full RDP session is established. This reduces the attack surface significantly and prevents unauthenticated exploitation of RDP vulnerabilities like BlueKeep.

Limit RDP Access with Firewall Rules and Allowlists

Restrict RDP access to specific IP addresses or ranges. Use Windows Firewall or your network firewall to block port 3389 from any source not explicitly authorized. Log every connection attempt and alert on failures from unknown IPs.

Patch Relentlessly

Subscribe to Microsoft's security update notifications. When a critical RDP vulnerability drops, patch within 48 hours — not 48 days. NIST's National Vulnerability Database is a reliable source for tracking CVEs affecting RDP and related services.

Deploy Account Lockout Policies

Configure account lockout after 5 failed login attempts within 15 minutes. This simple Group Policy setting stops brute force attacks cold. Combine it with monitoring so your security team sees the lockout events in real time.

The Human Layer: Your Biggest Remote Desktop Security Risk

Every technical control I've listed above can be undermined by one employee who clicks the wrong link and hands over their credentials. Security awareness isn't optional — it's foundational. Your people need to understand why a phishing email that captures their VPN or RDP password can lead to a catastrophic ransomware event.

I recommend starting with a comprehensive cybersecurity awareness training program that covers credential hygiene, social engineering tactics, and the specific risks of remote access tools. Combine that with regular phishing simulations to measure and improve your organization's resilience over time.

What About RDP Alternatives?

Some organizations are moving away from RDP entirely in favor of solutions that operate on a zero trust model — where no user or device is trusted by default, and every session is verified continuously. This is a sound architectural direction. But if you're still running RDP (and most enterprises are), the controls above will dramatically reduce your risk.

The Bottom Line on Remote Desktop Security Risks

Remote desktop security risks aren't a future problem. They're being exploited right now, against organizations of every size, in every industry. The FBI IC3 continues to track RDP compromise as a leading vector for ransomware and data breach incidents.

You don't need to rip out RDP overnight. You need to stop exposing it to the internet, enforce MFA, patch aggressively, and train your people to resist the phishing attacks that hand credentials to threat actors. Every one of these steps is actionable today.

The organizations that get breached through RDP aren't the ones that didn't know the risk. They're the ones that didn't act on it.