Port 3389 is the default port that remote workers and administrators use to access and control a Windows desktop from another computer over the Remote Desktop Protocol (RDP). When a user needs to remotely access a computer in another organization, the connection uses RDP on TCP port 3389 unless the port has been changed.
What is RDP TCP Port 3389?
RDP TCP Port 3389 is a Remote Desktop Protocol connection port that facilitates users’ access to take control of another computer’s desktop from a different location. It’s popular in most organizations that remotely access and control Microsoft Windows desktops.
When users initiate an RDP session, their client connects to port 3389 on the target system. Network administrators use RDP to log in to servers remotely, diagnose issues, and perform administrative duties from anywhere. Port 3389 is the default, well-known port for RDP traffic, as assigned by the Internet Assigned Numbers Authority (IANA).
What is the TCP 3389 Port Used for?
RDP connections use TCP port 3389. IT teams, remote workers, MSPs, and other users requiring graphical remote access to Windows systems find port 3389 useful when accessing their work desktops virtually. RDP allows them to remotely access and control a desktop environment that runs on Windows machines.
Through RDP on port 3389, they access their work desktops when working remotely or when they can’t physically bring the desktop. Connecting via RDP on port 3389 makes it as though the user is sitting directly in front of the remote desktop. It allows them to access files, run applications, and generally use the desktop environment from another device.
What are the Security Risks of Using an RDP 3389 Port?
The RDP 3389 port is a popular and essential component for remote access, and unfortunately, hackers understand this as well. RDP’s capabilities make it a valuable intrusion vector, and one compromised port grants unauthorized remote control. Among other security risks, cybercriminals can use port scans to detect an open port 3389 and exploit areas of weakness.
Risk of RDP Misconfiguration
When an RDP server is insecurely configured and lacks strong access controls and security settings, it exposes the system to threat actors, especially when it is reachable from the public internet. Weak or blank passwords, unrestricted access rules, simple typos, and unchecked configuration options all increase the exposure of an open port 3389.
Hackers exploit such misconfigurations to gain unauthorized access without having to be sophisticated. Once in the network, they spread malware like ransomware to other accessible devices, which can lead to potential data theft, system encryption or hijacking, and damage to an organization’s reputation.
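The "unchecked configuration options" above are concrete registry values on the Windows host. The following audit script is an added example and is not Group-IB's code or tooling: it grades the settings the default RDP listener stores under the `RDP-Tcp` registry key (NLA required, TLS enforced, minimum encryption level, listening port, Remote Desktop enabled at all). The value names and their meanings are the ones Windows uses; the severity labels, the fallback-to-weakest rule for missing values, and the two sample configurations are this example's own constructions.

```python
import sys

# Where the default RDP listener keeps its settings on Windows (under HKEY_LOCAL_MACHINE).
TS_KEY = r"SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_TCP_KEY = TS_KEY + r"\WinStations\RDP-Tcp"


def audit_rdp_settings(settings):
    """Grade an RDP listener configuration.

    `settings` maps registry value names to their integer data. A missing value
    falls back to its weakest interpretation, so an incomplete read is never
    graded as safe. Returns a list of (severity, finding) tuples.
    """
    if settings.get("fDenyTSConnections", 1) == 1:
        return [("info", "Remote Desktop is disabled; the RDP listener is not exposed")]

    findings = []
    # UserAuthentication=1 requires Network Level Authentication (NLA): the client
    # must authenticate before it is ever shown the Windows logon screen.
    if settings.get("UserAuthentication", 0) != 1:
        findings.append(("high", "NLA is not required: unauthenticated clients reach the logon screen"))
    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS required.
    if settings.get("SecurityLayer", 0) < 2:
        findings.append(("high", "TLS is not enforced (SecurityLayer < 2): legacy RDP security is accepted"))
    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS.
    if settings.get("MinEncryptionLevel", 1) < 3:
        findings.append(("medium", "Minimum encryption level below High (MinEncryptionLevel < 3)"))
    if settings.get("PortNumber", 3389) == 3389:
        findings.append(("info", "Listener is on the well-known port 3389; keep it unreachable from the internet"))
    return findings


def read_live_settings():
    """Read the same values from the local registry (Windows only, needs read access to HKLM)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read requires Windows")
    import winreg  # only importable on Windows
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TS_KEY) as key:
        out["fDenyTSConnections"] = winreg.QueryValueEx(key, "fDenyTSConnections")[0]
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RDP_TCP_KEY) as key:
        for name in ("UserAuthentication", "SecurityLayer", "MinEncryptionLevel", "PortNumber"):
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # absent value: audit falls back to the weakest interpretation
    return out


# Constructed sample configurations (not read from any real host).
WEAK_SETTINGS = {"fDenyTSConnections": 0, "UserAuthentication": 0, "SecurityLayer": 0,
                 "MinEncryptionLevel": 1, "PortNumber": 3389}
HARDENED_SETTINGS = {"fDenyTSConnections": 0, "UserAuthentication": 1, "SecurityLayer": 2,
                     "MinEncryptionLevel": 3, "PortNumber": 3389}

if __name__ == "__main__":
    settings = read_live_settings() if sys.platform == "win32" else WEAK_SETTINGS
    for severity, finding in audit_rdp_settings(settings):
        print(f"[{severity}] {finding}")
```

Run on a Windows host it audits the local listener; elsewhere it grades the constructed weak profile. The port finding is deliberately only informational: moving the listener off 3389 hides nothing from a scanner that walks all ports, whereas the NLA and TLS findings describe real exposure.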
Higher Potential for Unsecured RDP Exposure
Port 3389 is a well-known default port, so threat actors target it specifically when scanning for vulnerable RDP servers. They know that unsecured RDP on this port is relatively common, because many users and administrators neither change the port nor put proper firewall rules or strong passwords in front of it.
Increased Threat Potential for Access to Unpatched Systems
An unpatched system is a computer, device, or other networked equipment that’s missing security updates. Patches fix vulnerabilities that hackers are aware of and can exploit. Using RDP port 3389 presents an increased threat potential for accessing unpatched systems.
Hackers exploit outdated or unpatched RDP and install ransomware and malware with minimal effort. Port 3389 is low-hanging fruit for attackers attempting to leverage newly revealed RDP vulnerabilities and code flaws.
More Susceptible to Brute-Force Attacks
Port 3389 on RDP servers is a frequent target of brute-force attacks. Attackers use bots to scan for the open port and then subject it to password-spraying and brute-force attempts. Organizations often discover failed logon attempts resulting from brute-force attacks, in which attackers try lists of common or breached passwords to gain unauthorized access.
Opens the Door to Credential Attacks
Port 3389 is an open door for credential attacks. Hackers exploit human weaknesses such as credential reuse, drawing on lists of commonly used and previously breached passwords. With port 3389 readily accessible, unprotected systems become targets for credential-stuffing attacks that replay breached username and password combinations. Once attackers discover an exposed RDP port, they tend to try logging in directly rather than searching for unpatched vulnerabilities.
Increased Risk of Unencrypted Traffic Interception
Unencrypted RDP traffic exposes sensitive data to interception and theft by attackers, enabling man-in-the-middle attacks. Interception enables dangerous exploits like injecting malware, stealing credentials, and changing files undetected. By default, RDP runs over an unencrypted port, openly transmitting login credentials, files, network activity, and full remote access in plain text. Attackers deploying scans to capture credentials exploit this open communication channel.
8 Ways to Decrease Risks When Using RDP
Protecting the RDP from brute-force attacks, man-in-the-middle attacks, and unauthorized access requires a multifaceted approach. Here’s how a chief information security officer (CISO) can fortify the RDP in an organization.
1. Implement a Virtual Private Network (VPN)
Implement a Virtual Private Network for all remote connections to protect data transmissions via RDP. When users access the internal network through a VPN, it encrypts data for all Internet traffic.
The encryption hides sensitive RDP sessions and transmissions from interception by threat actors. VPN encryption shields internal RDP traffic and private networks from exposure if remote access is compromised. Using a VPN with RDP ensures that only authorized VPN users can decrypt and access private resources, reducing the risks of credential theft, data exfiltration, and network intrusion.
2. Require Zero Trust Network Access (ZTNA)
Zero Trust Network Access (ZTNA) decreases RDP risks and enhances security and control over remote access by applying granular identity and access management principles. ZTNA validates user identities, restricts each user to only the resources they require on a need-to-know basis, and prevents unnecessary lateral movement across the network.
Through micro-segmentation, even valid users accessing the network are limited in what they can reach, reducing the impact of compromised credentials. Combining ZTNA and remote desktop protocols ensures robust, secure remote networking and access.
3. Consider Using Remote Desktop (RD) Gateway
The Remote Desktop Gateway stands between remote users and RDP servers and tunnels traffic through HTTPS. This tunneling approach provides encryption and adds an additional layer of security beyond standard RDP ports.
Routing all remote desktop connections through the gateway before reaching actual RDP servers ensures more secure connections. The gateway also validates credentials, enforces conditional access policies, and filters traffic according to rules.
4. Put Network Access Restrictions in Place
With RDP, the key to secure remote access is limiting network reach, exposure, and connectivity. Putting restrictions such as network segmentation, firewall rules, and VLANs in place decreases RDP risks by limiting network exposure and accessibility. Default-deny firewall policies block all inbound traffic by default while controlling outbound RDP access.
These access controls make it harder for systems to be detected remotely, reduce attack vectors, and contain any compromise within restricted zones. Authorized RDP traffic passes through inspection layers, increasing visibility and preventing lateral movement threats.
5. Consider IP Whitelisting
IP whitelisting is a stringent cybersecurity measure that permits only trusted users access to systems. It restricts RDP access to known trusted internal systems like VPN endpoints and Remote Desktop Gateways. Shrinking the attack surface and denying untrusted external sources protects RDP servers from common exploits, like brute-force attacks, and prevents damage from compromised credentials.
Whitelisting IP addresses implements restrictive access controls at the network layer, blocking unauthorized access attempts and limiting the exposure of RDP ports. Combined with other measures like a VPN, it decreases vulnerabilities and hardens RDP protections.
6. Enforce Multi-Factor Authentication (MFA)
Enforcing Multi-Factor Authentication strengthens authentication for RDP by requiring multiple verification factors beyond just a username and password. It makes it much harder for threat actors to gain unauthorized access via stolen credentials alone.
With MFA, users must confirm their identity with a second factor (such as a phone or security key), which makes it much harder for attackers to gain unauthorized RDP access even with stolen credentials. It also slows down brute-force login attempts.
7. Require Secure Password Policies
Strong passwords are the first line of defense against credential theft and should be a requirement for remote connections. IT teams should set up policies that dictate minimum length and complex mixes of characters that are harder to guess or crack.
Passwords should be unique to each account and changed periodically. Weak or default passwords make RDP servers easy targets for malicious actors and credential-stuffing attacks on port 3389. Passwords that are easy to remember but hard to guess help keep brute-force attempts from succeeding against RDP ports.
Keep Your Organization Safe with Group-IB
As the paradigm of workspaces shifts from hybrid to remote, more employees working away from the office require access to corporate systems like files, applications, and servers. Secure remote access via RDP becomes critical as port 3389 grows appealing to users and hackers alike.
The ultimate strategy in ensuring a secure RDP is seeking professional help to set up security measures. Group-IB cybersecurity professionals assess your organization’s RDP implementation and environment to identify and remediate any existing vulnerabilities or misconfigurations.
When a computer attempts to log on to a protected resource, like an internal login page shielded by Group-IB Fraud Protection, while being remotely controlled by a malicious actor over an RDP connection on TCP port 3389, the system is designed to detect this anomaly. It recognizes that the machine is under remote control and, based on its security policies, may allow or deny access to the resource. This proactive measure helps prevent unauthorized access to sensitive data and potential system compromise.
To keep up-to-date with the latest tactics and techniques cybercriminals use to target RDP, and build a combative strategy, activate a tailored threat intelligence platform for your business.
Group-IB’s two decades of industry-specific security expertise primes it to offer continuous protection through 24/7 monitoring, vulnerability prioritization, the industry’s largest adversary-centric threat intelligence, and incident response planning to fortify your RDP protection. To build a complete defense strategy against RDP-related cyber threats and more, talk to our experts today.
Port 3389 RDP: FAQs
What is port 3389?
Port 3389 is the default port for Remote Desktop Protocol connections, which allow users to access Windows systems remotely.
Is port 3389 a vulnerability?
Using the default port 3389 for Remote Desktop Protocol connections exposes systems to vulnerabilities. An attacker who finds this port exposed without proper authentication and encryption could scan it and steal credentials to access the system.
Does RDP always use 3389?
RDP mainly uses 3389, but it’s possible to configure RDP to listen on alternative ports for added security through obscurity.
What is the difference between port 3389 and port 443?
Port 3389 and port 443 serve different purposes. Port 3389 is used to enable access with Remote Desktop Protocol (RDP) for Windows systems. Port 443 is used for HTTPS, which secures regular internet traffic through encryption and authentication. While both ports can be secured, port 443 is more commonly used for general secure web traffic and is less inherently risky when properly configured with strong encryption and authentication.
How do I know if port 3389 is blocked or open?
To check whether port 3389 is blocked or open, you can run the ‘netstat -an’ command, scan with Nmap, verify firewall rules, or try changing the RDP port. If the Remote Desktop client (MSTSC) can connect on a different port but not on 3389, port 3389 is likely blocked.
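The Nmap and MSTSC checks above both reduce to the same question: does a TCP connection to the port complete, get refused, or get no answer at all? The script below is an added example, not Group-IB's tooling, that performs that connect check with a timeout and reports `open`, `closed` (the host answered with a reset, so nothing is listening) or `filtered` (no answer, which usually means a firewall is dropping the SYN). To demonstrate it offline it also starts a throwaway listener on an ephemeral loopback port that stands in for an RDP service; the host, port and timeout values are this example's own assumptions.

```python
import socket


def tcp_port_state(host, port, timeout=2.0):
    """Return 'open', 'closed', 'filtered' or 'unreachable' for host:port.

    Uses a plain TCP connect, the same probe `nmap -sT` sends, so it needs no
    privileges and works against any host you are allowed to test.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"            # three-way handshake completed: something is listening
        except ConnectionRefusedError:
            return "closed"          # RST came back: host is up, nothing on that port
        except (socket.timeout, TimeoutError):
            return "filtered"        # silence: typically a firewall dropping the SYN
        except OSError:
            return "unreachable"     # no route, DNS failure, etc.


def start_listener(host="127.0.0.1"):
    """Bind a stand-in service on an ephemeral port; returns (socket, port).

    A listening socket that never calls accept() still completes handshakes
    into its backlog, which is enough to make the port report as open.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Demonstration against a local stand-in listener rather than a real RDP host.
    srv, port = start_listener()
    print(f"127.0.0.1:{port} while listening ->", tcp_port_state("127.0.0.1", port))
    srv.close()
    print(f"127.0.0.1:{port} after closing   ->", tcp_port_state("127.0.0.1", port))
    # For a real check of your own server, call tcp_port_state("<your-host>", 3389).
```

Run from outside the network perimeter (for example from a VPN-less laptop) against your own RDP host, `open` means port 3389 is reachable from the internet and the hardening measures in this article apply immediately; `filtered` is the result a default-deny firewall policy should produce.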
Are there alternatives to the 3389 port RDP?
Yes, there are some alternatives to using the default port 3389 for RDP connections:
Virtual Network Computing (VNC): VNC is a remote desktop protocol that uses TCP ports 5900+ by default. Its platform-independent design provides multi-OS compatibility and offers an alternative to RDP for remotely controlling systems.
Secure Socket Shell (SSH) port forwarding: SSH port forwarding encrypts and tunnels remote desktop connections. It securely routes traffic from a port on one host through an SSH session to another host, providing a private tunnel that circumvents firewalls and enables remote access even over public networks.