TCP Dangerous Remote Access

Port 3389 (RDP)


Quick Info

Port Number: 3389
Protocol: TCP
Service: RDP
IANA Name: RDP

Service Description

TCP port 3389 is the default port for the Remote Desktop Protocol (RDP), a proprietary protocol developed by Microsoft. RDP lets a user connect to another computer over a network and provides a graphical interface, so the user can control the remote machine as if sitting in front of it. The protocol operates at the application layer and relies on TCP for reliable transport. A session starts when an RDP client connects to an RDP server and sends its connection request and authentication information. Upon successful authentication, the server transmits graphical output to the client, and the client sends input events (keyboard, mouse) back to the server. RDP uses channels for various purposes, including printing, audio, and clipboard redirection.

## Firewall Recommendations

If RDP does not need to be reachable from outside, block port 3389 at the firewall. If RDP access is necessary, restrict it to specific IP addresses or networks using firewall rules, and consider using a VPN to create a secure tunnel for RDP connections. Always enable Network Level Authentication (NLA) so that users must authenticate before the RDP session is established. Regularly update the operating system and RDP client/server software to patch known vulnerabilities. Implement strong, unique passwords and multi-factor authentication (MFA) for all user accounts. Consider changing the default RDP port to a non-standard port to reduce the risk of automated attacks; this only cuts down noise from scanners that target the default port and does not replace the controls above. Regularly audit RDP logs for suspicious activity.

Security Information

RDP is a common target for attackers due to its prevalence in corporate networks and its potential for providing complete control over a compromised system. If RDP is exposed directly to the internet without proper security measures, it becomes an easy target for brute-force attacks, where attackers attempt to guess usernames and passwords. Successful brute-force attacks can grant unauthorized access to the remote system. Additionally, vulnerabilities in the RDP protocol itself or in the RDP server implementation can be exploited to gain remote code execution or other privileges. Weak passwords, unpatched systems, and misconfigured firewalls are common factors that contribute to RDP-related security incidents. The use of default settings and the absence of multi-factor authentication further exacerbate the risks.
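One way to audit logs for the brute-force pattern described above, as an added example that is not part of the original page: it flags source IPs with a burst of failed RDP logons and notes whether a successful logon followed. The JSON field names (`time`, `id`, `type`, `ip`, `user`) are a hypothetical export format and the events are constructed; the event IDs and logon types are the standard Windows Security log values.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real logs): Windows Security events as JSON lines,
# oldest first. 4625 = failed logon, 4624 = successful logon. LogonType 10 is
# RemoteInteractive (RDP); with NLA on, failed RDP logons show up as type 3,
# which also covers other network logons, so treat hits as leads to review.
SAMPLE = """
{"time":"2024-05-01T10:00:00","id":4625,"type":3,"ip":"203.0.113.7","user":"admin"}
{"time":"2024-05-01T10:00:05","id":4625,"type":3,"ip":"203.0.113.7","user":"administrator"}
{"time":"2024-05-01T10:00:10","id":4625,"type":3,"ip":"203.0.113.7","user":"backup"}
{"time":"2024-05-01T10:00:12","id":4625,"type":2,"ip":"-","user":"alice"}
{"time":"2024-05-01T10:00:15","id":4625,"type":3,"ip":"203.0.113.7","user":"admin"}
{"time":"2024-05-01T10:00:20","id":4625,"type":3,"ip":"203.0.113.7","user":"admin"}
{"time":"2024-05-01T10:01:00","id":4624,"type":10,"ip":"203.0.113.7","user":"admin"}
{"time":"2024-05-01T10:05:00","id":4625,"type":3,"ip":"198.51.100.20","user":"bob"}
{"time":"2024-05-01T10:30:00","id":4625,"type":3,"ip":"198.51.100.20","user":"bob"}
{"time":"2024-05-01T10:31:00","id":4624,"type":10,"ip":"198.51.100.20","user":"bob"}
"""

RDP_LOGON_TYPES = {3, 10}

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Flag source IPs with >= threshold failed RDP logons inside window."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) of recent failures
    alerts = {}
    for line in filter(str.strip, lines):
        ev = json.loads(line)
        if ev["type"] not in RDP_LOGON_TYPES:
            continue  # e.g. type 2, a console logon, is not RDP
        ts, ip = datetime.fromisoformat(ev["time"]), ev["ip"]
        if ev["id"] == 4625:
            q = recent[ip]
            q.append((ts, ev["user"]))
            while ts - q[0][0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"users": set(), "success_after": False})
                a["users"].update(user for _, user in q)
        elif ev["id"] == 4624 and ip in alerts:
            # A success after a burst of failures may mean a guessed password.
            alerts[ip]["success_after"] = True
    return alerts

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE.splitlines()).items():
        print(ip, sorted(info["users"]), "success_after =", info["success_after"])
```

Tune `threshold` and `window` to the environment; a flagged IP with `success_after` set is the case to investigate first.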

Known Vulnerabilities

| CVE | Name | Severity | Description |
|---|---|---|---|
| CVE-2019-0708 | BlueKeep | Critical | A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. |
| CVE-2019-0887 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | A remote code execution vulnerability exists in Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the client system. |
| CVE-2020-0681 | Remote Desktop Services Denial of Service Vulnerability | Medium | A denial of service vulnerability exists in Remote Desktop Services. An attacker who successfully exploited this vulnerability could cause the RDP service to crash. |
| CVE-2020-1036 | Remote Desktop Client Information Disclosure Vulnerability | Medium | An information disclosure vulnerability exists in Remote Desktop Client when it improperly handles objects in memory. |
| CVE-2022-21893 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | A remote code execution vulnerability exists in Remote Desktop Client. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. |

Malware Associations

  • Ransomware (e.g., Ryuk, REvil, LockBit often use compromised RDP for initial access)
  • TrickBot
  • Emotet

Common Software

  • Windows Remote Desktop
  • FreeRDP
  • rdesktop
  • Microsoft Remote Desktop Connection Manager
  • Terminals
  • Remmina
  • mRemoteNG
  • Royal TS
  • Apache Guacamole
