Key takeaways
  • Port 3389 is the default port for the Remote Desktop Protocol (RDP), which lets administrators and remote workers control a Windows desktop from another location.
  • Because it is the default and well-known port, attackers first scan for an open 3389 port, then run brute-force attacks, credential stuffing, and exploits against unpatched or misconfigured RDP servers.
  • Group-IB tracks RDP attacker tactics and leaked credentials through the Threat Intelligence Platform and flags machines under malicious remote control with Fraud Protection.

 

Port 3389 is a default port that remote workers or administrators use to remotely access and control a Windows desktop from another computer via the Remote Desktop Protocol (RDP). When a user needs to access an unfamiliar computer in another organization remotely, RDP TCP port 3389 works by default.

What is RDP TCP Port 3389?

RDP TCP Port 3389 is the Remote Desktop Protocol connection port that enables users to access and control another computer’s desktop from a different location. It’s popular in most organizations that remotely access and control Microsoft Windows desktops.

When users initiate an RDP session, their client connects to port 3389 on the target system. Network administrators use RDP to remotely log in to servers to diagnose issues and perform administrative duties from anywhere. Port 3389 is the default and well-known port used for RDP traffic, as assigned by the Internet Assigned Numbers Authority (IANA).

What is TCP Port 3389 Used for?

RDP connections use TCP port 3389. IT teams, remote workers, MSPs, and other users who require graphical remote access to Windows systems find port 3389 useful for accessing their work desktops virtually. RDP allows them to remotely access and control a desktop environment that runs on Windows machines.

Using RDP on port 3389, they access their work desktops when working remotely or when they can’t physically bring their desktops. Connecting via RDP on port 3389 makes it as though the user is sitting directly in front of the remote desktop. It allows them to access files, run applications, and generally use the desktop environment from another device.

What are the Security Risks of Using a RDP 3389 Port?

The RDP 3389 port is a popular and essential component for remote access, and unfortunately, hackers understand this as well. RDP’s capabilities make it a valuable intrusion vector, and one compromised port grants unauthorized remote control. Among other security risks, cybercriminals can use port scans to detect an open port 3389 and exploit weaknesses.

1. Risk of RDP misconfiguration

When an RDP server is insecurely configured and lacks strong access controls and security settings, it exposes the system to threat actors, especially when using the public internet. Weak or blank passwords, unrestricted access rules, simple typos, and unchecked configuration options increase vulnerability when port 3389 is open.

Hackers exploit such misconfigurations to gain unauthorized access without having to be sophisticated. Once in the network, they spread malware, such as ransomware, to other accessible devices, which can lead to data theft, system encryption or hijacking, and damage to an organization’s reputation.

2. Higher potential for unsecured RDP exposure

Port 3389 is a well-known default port that threat actors specifically target in their scans looking for vulnerable RDP servers. They realize unsecured RDP on this port is relatively common, as many users and administrators need to modify it or ensure the RDP has proper firewalls or strong passwords.

3. Increased threat potential for access to unpatched systems

An unpatched system is a computer, device, or other networked equipment that’s missing security updates. Patches fix vulnerabilities that hackers are aware of and can exploit. Using RDP port 3389 poses a greater threat of accessing unpatched systems.

Hackers exploit outdated or unpatched RDP and install ransomware and malware with minimal effort. Port 3389 is low-hanging fruit for attackers attempting to leverage newly revealed RDP vulnerabilities and code flaws.

4. More susceptible to Brute-Force Attacks

Port 3389 on RDP servers is often targeted by brute-force attacks. Attackers use bots to scan ports, looking for vulnerabilities and exposing them to password spraying and brute-force attempts.

Organizations often discover failed login attempts resulting from brute-force attacks, where attackers use lists of common or breached passwords to attempt unauthorized access.

5. Opens the door to credential attacks

Port 3389 is an open door for credential attacks. Hackers target human weaknesses, such as reusing credentials, to obtain lists of commonly used passwords.

With port 3389 readily accessible, unprotected systems become targets for credential-stuffing attacks that exploit breached username-password combinations. Discovery of this vulnerable RDP port accelerates attempts to log in directly rather than search for unpatched vulnerabilities.

6. Increased risk of unencrypted traffic interception

Unencrypted RDP traffic exposes sensitive data to interception and theft by attackers, enabling man-in-the-middle attacks. Interception enables dangerous exploits like injecting malware, stealing credentials, and changing files undetected.

By default, RDP runs over an unencrypted port, openly transmitting login credentials, files, network activity, and full remote access in plain text. Attackers deploying scans to capture credentials exploit this open communication channel.

8 Ways to Decrease Risks When Using RDP

Protecting the RDP from brute-force attacks, man-in-the-middle attacks, and unauthorized access requires a multifaceted approach. Here’s how a chief information security officer (CISO) can fortify an organization’s RDP.

1. Implement a Virtual Private Network (VPN)

Implement a Virtual Private Network for all remote connections to protect data in transit over RDP. When users access the internal network through a VPN, the VPN encrypts all Internet traffic.

The encryption blocks visibility into sensitive RDP sessions and transmissions, preventing interception by threat actors. VPN encryption shields internal RDP traffic and private networks from exposure if remote access is compromised. Using a VPN with RDP ensures that only authorized VPN users can decrypt and access private resources, reducing the risks of credential theft, data exfiltration, and network intrusion.

2. Require Zero Trust Network Access (ZTNA)

Zero Trust Network Access (ZTNA) decreases RDP risks and enhances security and control over remote access by applying granular identity and access management principles. ZTNA validates user identities before restricting access to only the required resources on a need-to-know basis, preventing unnecessary lateral movement across the network.

Through micro-segmentation, even valid users accessing the network are limited in what they can reach, reducing the impact of compromised credentials. Combining ZTNA and remote desktop protocols ensures robust, secure remote networking and access.

3. Consider using Remote Desktop (RD) gateway

The Remote Desktop Gateway serves as a proxy between remote users and RDP servers, tunneling traffic over HTTPS. This tunneling approach provides encryption and adds an additional layer of security beyond standard RDP ports.

Routing all remote desktop connections through the gateway before reaching actual RDP servers ensures more secure connections. The gateway also validates credentials, enforces conditional access policies, and filters traffic according to rules.

4. Put network access restrictions in place

With RDP, the key to secure remote access is limiting network reach, exposure, and connectivity. Implementing restrictions such as network segmentation, firewall rules, and VLANs reduces RDP risks by limiting network exposure and accessibility. Default-deny firewall policies block all inbound traffic by default while controlling outbound RDP access.

These access controls make it harder for systems to be detected remotely, reduce attack vectors, and contain any compromise within restricted zones. Authorized RDP traffic passes through inspection layers, increasing visibility and preventing lateral movement threats.

5. Consider IP whitelisting

IP whitelisting is a stringent cybersecurity measure that permits only trusted users access to systems. It restricts RDP access to known, trusted internal systems, such as VPN endpoints and Remote Desktop Gateways. Shrinking the attack surface and denying access to untrusted external sources protect RDP servers from common exploits, such as brute-force attacks, and prevent damage from compromised credentials.

Whitelisting IP addresses implements restrictive access controls at the network layer, blocking unauthorized access attempts and limiting the exposure of RDP ports. When combined with other measures like a VPN, it reduces vulnerabilities and strengthens RDP protections.

6. Enforce Multi-Factor Authentication (MFA)

Enforcing Multi-Factor Authentication strengthens RDP authentication by requiring multiple verification factors beyond a username and password. It makes it much harder for threat actors to gain unauthorized access via stolen credentials alone.

With MFA, users must confirm their identity with a second factor (such as a phone or security key), making it more difficult for attackers to gain unauthorized RDP access even with stolen credentials. It also slows down brute-force login attempts.

7. Require Secure Password Policies

Strong passwords are the first line of defense against credential theft and should be a requirement for remote connections. IT teams should set up policies that dictate minimum lengths and complex character mixes that are harder to guess or crack.

Passwords should be unique to each account and changed periodically. Weak or default passwords make RDP servers easy targets for malicious actors and credential-stuffing attacks on port 3389. If they’re easy to remember but hard to guess, they help prevent brute-force attacks from accessing RDP ports.

Common Business Use Cases for Port 3389

Businesses use port 3389 whenever someone needs to operate a Windows machine they cannot sit in front of. The port carries the remote desktop session that lets an administrator, employee, or outside technician work as if they were at the keyboard. The use cases below are where it earns its keep day to day.

1. IT administration and server management

IT teams open port 3389 to reach servers and workstations, apply patches, and fix problems without walking to the machine. One administrator can manage devices across multiple offices or data centers using a single RDP client. That eliminates travel and updates systems faster than on-site visits would.

2. Remote and hybrid workforce access

Staff connect via port 3389 to access the office desktop that hosts their files and licensed software. This matters for roles tied to a specific machine or to data that cannot leave the corporate network. RDP provides those workers with a full desktop from home, a client site, or a hotel room.

3. Third-party and vendor support

Companies often grant short-term RDP access so an outside vendor can troubleshoot the software or hardware they supplied. The vendor connects via port 3389, identifies the fault, and fixes it without shipping a part or scheduling a site visit. Session logging and tight access controls prevent that convenience from becoming a way in for attackers.

Port 3389 vs Other Remote Access Ports

Port 3389 carries graphical Windows remote control, while other ports handle different protocols and access needs. The right choice depends on the operating system, how much encryption you need, and whether you want a full desktop or just a command line. The table below compares port 3389 against the alternatives writers and admins most often meet.

Port Protocol Primary use Default encryption
3389 RDP Full graphical control of Windows desktops Weak by default; depends on configuration
443 HTTPS Secure web traffic and gateway-tunneled access Strong (TLS)
22 SSH Command-line access and secure tunneling, mainly Linux and Unix Strong
5900+ VNC Cross-platform graphical control None by default; needs added encryption

Port 3389 wins in the Windows desktop experience, but it offers weaker protection than HTTPS or SSH. Teams often keeps RDP and routes it through an HTTPS gateway on port 443, so the desktop session rides inside a strong tunnel. The aim is to pair the access people want with the encryption the connection needs.

Future of Secure Remote Access Beyond Port 3389

Remote access is shifting toward models that verify every connection instead of trusting an open port. Port 3389 will stay in use for years, but zero trust and cloud-brokered access are shrinking how often organizations expose it to the internet. The directions below show where secure remote access is going.

1. Zero trust and identity-first access

Zero trust treats every request as untrusted until the user and device prove who they are. It checks identity, device health, and context before opening a path to one specific resource rather than the whole network. Applied to RDP, this pulls the open port off the public internet and runs the connection through a verified broker.

2. Cloud-delivered and brokered access

Cloud access services and RD Gateways are replacing direct exposure on port 3389 with brokered sessions over HTTPS. The user signs in to a cloud service, which then opens a controlled session to the target machine. The RDP port remains closed to the outside world, while the remote desktop still works as before.

3. Continuous monitoring and adaptive controls

Newer remote access relies on monitoring that watches sessions in real time and reacts when something looks off. A login from a strange location, an odd hour, or a sudden spike in data transfer can trigger extra verification or end the session. Backing port 3389 with threat intelligence and detection keeps remote work practical without leaving it open.

Keep Your Organization Safe with Group-IB

As the paradigm of workspaces shifts from hybrid to remote, more employees working away from the office require access to corporate systems like files, applications, and servers. Secure remote access via RDP becomes critical as port 3389 grows appealing to users and hackers alike.

The ultimate strategy for ensuring a secure RDP is to seek professional help to set up security measures. Group-IB cybersecurity professionals assess your organization’s RDP implementation and environment to identify and remediate vulnerabilities and misconfigurations.

When a computer attempts to log on to a protected resource, such as an internal logging page shielded by Group-IB Fraud Protection, while being remotely controlled by a malicious actor via an RDP connection on TCP port 3389, the system is designed to detect this anomaly. It recognizes that the machine is under remote control and, in accordance with its security protocols, may allow or deny access to the resource. This proactive measure helps prevent unauthorized access to sensitive data and potential system compromise.

To keep up to date with the latest tactics and techniques cybercriminals use to target RDP and build a robust strategy, activate a tailored threat intelligence platform for your business.

Group-IB’s two decades of industry-specific security expertise prime it to offer continuous protection through 24/7 monitoring, vulnerability prioritization, the industry’s largest adversary-centric threat intelligence, and incident response planning to fortify your RDP protection. To build a complete defense strategy against RDP-related cyber threats and more, talk to our experts today.

 

FAQs

What is port 3389?

arrow_drop_down

Port 3389 is the default port for Remote Desktop Protocol connections, which allow users to access Windows systems remotely. Because it is the default, it is also one of the first ports attackers scan for, which is why securing it matters as much as using it.

 

Is port 3389 a vulnerability?

arrow_drop_down

Using the default port 3389 for Remote Desktop Protocol connections exposes systems to vulnerabilities. An attacker could scan and steal credentials to access systems if this port is exposed without proper authentication and encryption.

Does RDP always use 3389?

arrow_drop_down

RDP primarily uses port 3389, but it’s possible to configure it to listen on alternative ports for added security through obscurity. Changing the listening port can reduce automated scans, but it offers little protection on its own without encryption, access controls, and MFA in place.

What is the difference between port 3389 and port 443?

arrow_drop_down

Port 3389 and port 443 serve different purposes. Port 3389 is used to enable access with the Remote Desktop Protocol (RDP) for Windows systems. Port 443 is used for HTTPS, which encrypts and authenticates regular internet traffic. While both ports can be secured, port 443 is more commonly used for general secure web traffic and is less inherently risky when properly configured with strong encryption and authentication.

How do I know if port 3389 is blocked or open?

arrow_drop_down

To check whether the  3389 port is blocked or open, you can use the ‘netstat -an’ command, scan with Nmap, verify firewall rules, or attempt to change the RDP port. MSTSC port 3389 will likely be blocked if a different port allows a connection.

Are there alternatives to the 3389 port RDP?

arrow_drop_down

Yes, there are some alternatives to using the default port 3389 for RDP connections:

Virtual Network Computing (VNC): VNC is a remote desktop protocol that uses TCP ports 5900+ by default. Its platform-independent design provides multi-OS compatibility and offers an alternative to RDP for remote system control.

Secure Socket Shell (SSH) port forwarding: Secure Socket Shell (SSH) port forwarding allows the encryption and tunneling of remote desktop connections. It securely routes traffic on one host port through an SSH session to another, providing a private tunnel to circumvent firewalls and enable remote access even over public networks.

Why is port 3389 commonly targeted by attackers?

arrow_drop_down

Port 3389 is targeted because it is the default RDP port, so attackers know exactly where to look. A single open port can grant full control of a Windows machine, making it a high-value find. Scanners constantly sweep the internet for it, then try brute-force attacks and stolen credentials against whatever they uncover.

Can port 3389 be changed to another port number?

arrow_drop_down

Yes, you can change RDP to listen on a different port through the Windows registry or Group Policy. Moving off 3389 reduces automated scans that only check the default, which trims some background noise. It does not count as real security on its own, so keep the encryption, access limits, and MFA in place after the switch.

How can organizations monitor suspicious activity on port 3389?

arrow_drop_down

Organizations monitor port 3389 by logging RDP sessions and reviewing failed login attempts for patterns of brute force. Network monitoring and intrusion detection tools flag odd source addresses, off-hours connections, and sudden spikes in traffic. Feeding those signals into a threat intelligence or detection platform lets a security team step in before a foothold turns into a breach.

Does closing port 3389 eliminate all RDP-related risks?

arrow_drop_down

No, closing port 3389 removes one common entry point but not the whole risk. Attackers can still reach RDP via a different port, a compromised VPN, or stolen credentials that pass standard checks. Real protection comes from layering encryption, access restrictions, MFA, and monitoring rather than relying on a single closed port.

Group-IB: Fight
against cybercrime