Ports

Port 3389: RDP

Windows Remote Desktop. A high-value target for brute-force and ransomware operators.

Where you will see it: You will see this in scans, firewall rules, vulnerability reports, and service configs. Treat open ports as exposure points and verify the service is expected, hardened, and restricted.

What it is

TCP port 3389 is the default port for Remote Desktop Protocol, which provides an interactive remote session to Windows systems. A port is a transport layer number used together with an IP address and a protocol such as TCP or UDP to direct traffic to the correct service on a host. A server process binds a socket to a port and listens, while a client typically chooses an ephemeral source port for outbound connections.

The combination of source and destination IP addresses, source and destination ports, and the transport protocol uniquely identifies a flow so the operating system can keep many conversations separate. Firewalls, NAT, and scanners talk about ports because the destination port is the stable rendezvous point that exposes a service to the network.

An RDP service listens on 3389, and a client connects from an ephemeral source port to start a session. After the TCP handshake, the client and server negotiate security and session parameters, and with Network Level Authentication the user authenticates before the full desktop session is created.

The session then carries screen updates, clipboard, file redirection, and input events. Because RDP gives full interactive control of the host, it is a high-value target.

An exposed port 3389 is heavily scanned and is associated with password spraying, brute-force attacks, and exploitation of unpatched vulnerabilities. In practice, safe designs place RDP behind a VPN or jump host, enforce MFA, and monitor for failed logins and unusual session creation.
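The advice above to treat an open port as an exposure point and verify that it is restricted can be turned into a check. The following is an added example, not code from the original page: it audits a constructed list of firewall allow rules and labels every rule that reaches TCP/3389 by how wide its source is. The rule format, the RFC 1918 ranges treated as internal, and the /24 cut-off between "wide-internal" and "restricted" are assumptions chosen for the example.

```python
import ipaddress

RDP_PORT = 3389

# Assumption: anything outside RFC 1918 space counts as internet-reachable.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumption: an internal source wider than a /24 is "wide-internal" (e.g. a
# whole site instead of a jump host or VPN concentrator).
RESTRICTED_PREFIXLEN = 24

# Constructed sample rules, not taken from any real environment. Each rule
# allows traffic from a source CIDR to one destination port.
SAMPLE_RULES = [
    {"name": "rdp-from-anywhere",   "src": "0.0.0.0/0",      "proto": "tcp", "dport": 3389},
    {"name": "rdp-from-site",       "src": "10.8.0.0/16",    "proto": "tcp", "dport": 3389},
    {"name": "rdp-from-jump-host",  "src": "10.1.2.10/32",   "proto": "tcp", "dport": 3389},
    {"name": "rdp-from-partner",    "src": "203.0.113.0/24", "proto": "tcp", "dport": 3389},
    {"name": "https-from-anywhere", "src": "0.0.0.0/0",      "proto": "tcp", "dport": 443},
]


def classify_rdp_rule(rule):
    """Label one rule by how widely it exposes TCP/3389.

    Returns None when the rule does not touch RDP at all, otherwise one of
    'internet', 'wide-internal' or 'restricted'.
    """
    if rule["proto"].lower() != "tcp" or rule["dport"] != RDP_PORT:
        return None
    src = ipaddress.ip_network(rule["src"], strict=False)
    # A /0 source, or any source that is not fully inside an internal range,
    # means the service is reachable from the internet.
    if src.prefixlen == 0 or not any(src.subnet_of(r) for r in INTERNAL_RANGES):
        return "internet"
    if src.prefixlen < RESTRICTED_PREFIXLEN:
        return "wide-internal"
    return "restricted"


def audit_rdp_exposure(rules):
    """Map rule name -> label for every rule that allows traffic to 3389."""
    findings = {}
    for rule in rules:
        label = classify_rdp_rule(rule)
        if label is not None:
            findings[rule["name"]] = label
    return findings


if __name__ == "__main__":
    for name, label in audit_rdp_exposure(SAMPLE_RULES).items():
        print(f"{label:14s} {name}")
```

Only the "restricted" rule in the sample (a single jump host) matches the design the page recommends; the "internet" findings are the ones to fix first, by moving RDP behind a VPN or bastion and deleting the rule.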

How it works in broad strokes

  1. Client connects and negotiates session parameters and encryption.
  2. User authenticates, ideally with Network Level Authentication before the full desktop session is established.
  3. The session carries screen updates, input, clipboard, and sometimes drive mapping and file transfer features.

Concrete example

A managed service provider (MSP) exposes RDP to the internet to manage customer servers. After a password leak, an attacker logs in with the stolen credentials and deploys ransomware. The safer design is a VPN plus MFA and a jump host with tight auditing.

Why it matters

RDP exposure is a major risk factor. Attackers brute-force credentials, exploit unpatched flaws, or buy leaked credentials, then use RDP for interactive control. Even internally, excessive RDP access can speed up lateral movement.

Security angle

  • Use VPN or a bastion host, enforce MFA, and restrict by IP and device posture.
  • Enable NLA and keep Windows patched.
  • Monitor logons, lockout events, and unusual session durations or geographies.
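The monitoring bullet above is easiest to reason about with concrete events. The following added example (not from the original page) runs a small detection over constructed Windows Security event records: 4625 is a failed logon, 4624 a successful logon, 4740 an account lockout, and logon type 10 (RemoteInteractive) marks an RDP session. It raises three kinds of alert: a burst of failures from one source, a lockout, and an RDP success from a source that had just produced a burst of failures. The flattened record layout, the threshold of 5 failures in 10 minutes, and the sample values are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # assumption: failures per source before alerting
WINDOW = timedelta(minutes=10)  # assumption: sliding window for counting failures
RDP_LOGON_TYPE = 10             # RemoteInteractive

# Constructed sample events (not real logs). The field names are a simplified
# view of the relevant Security event data; timestamps are ISO 8601.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T02:00:05", "event_id": 4625, "user": "admin",         "src_ip": "198.51.100.7", "logon_type": 10},
    {"time": "2024-05-01T02:00:09", "event_id": 4625, "user": "administrator", "src_ip": "198.51.100.7", "logon_type": 10},
    {"time": "2024-05-01T02:00:13", "event_id": 4625, "user": "backup",        "src_ip": "198.51.100.7", "logon_type": 10},
    {"time": "2024-05-01T02:00:17", "event_id": 4625, "user": "svc_backup",    "src_ip": "198.51.100.7", "logon_type": 10},
    {"time": "2024-05-01T02:00:21", "event_id": 4625, "user": "it_admin",      "src_ip": "198.51.100.7", "logon_type": 10},
    {"time": "2024-05-01T02:00:25", "event_id": 4625, "user": "admin",         "src_ip": "198.51.100.7", "logon_type": 10},
    {"time": "2024-05-01T02:00:30", "event_id": 4740, "user": "admin",         "src_ip": "198.51.100.7", "logon_type": None},
    {"time": "2024-05-01T02:01:02", "event_id": 4624, "user": "svc_backup",    "src_ip": "198.51.100.7", "logon_type": 10},
    # Benign activity from a jump host: one RDP logon, one typo, one SMB-style network logon.
    {"time": "2024-05-01T09:15:00", "event_id": 4624, "user": "jsmith",        "src_ip": "10.1.2.10",    "logon_type": 10},
    {"time": "2024-05-01T09:16:00", "event_id": 4625, "user": "jsmith",        "src_ip": "10.1.2.10",    "logon_type": 10},
    {"time": "2024-05-01T09:17:00", "event_id": 4624, "user": "jsmith",        "src_ip": "10.1.2.10",    "logon_type": 3},
]


def detect_rdp_abuse(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (alert_kind, src_ip, detail) tuples in time order."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    failures = defaultdict(list)   # src_ip -> timestamps of recent 4625 events
    already_flagged = set()        # sources that already raised a brute_force alert
    alerts = []

    for e in ordered:
        t = datetime.fromisoformat(e["time"])
        ip = e["src_ip"]

        if e["event_id"] == 4625:
            # Keep only failures inside the sliding window, then add this one.
            failures[ip] = [x for x in failures[ip] if t - x <= window] + [t]
            if len(failures[ip]) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append(("brute_force", ip,
                               f"{len(failures[ip])} failed logons within {window}"))

        elif e["event_id"] == 4740:
            alerts.append(("lockout", ip, e["user"]))

        elif e["event_id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE:
            recent = [x for x in failures[ip] if t - x <= window]
            # A successful RDP logon right after a burst of failures from the
            # same source is the pattern a spray-then-login attack leaves.
            if len(recent) >= threshold:
                alerts.append(("success_after_failures", ip, e["user"]))

    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect_rdp_abuse(SAMPLE_EVENTS):
        print(f"{kind:24s} {ip:15s} {detail}")
```

In a real deployment the same logic would consume 4624/4625/4740 records from the Security log or a SIEM rather than an inline list; the "success_after_failures" alert is the one worth paging on, since it indicates the spray worked and an interactive session now exists.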

Common pitfalls

  • Publishing RDP directly to the internet without MFA and strong access control.
  • Allowing weak passwords or shared accounts.
  • Leaving clipboard and drive redirection enabled where it is not needed.