Why Port 3389 is a No-No for Remote Desktop

Cybersecurity

Port 3389 is the default port used to facilitate remote access to Windows computers through the Remote Desktop Protocol (RDP). That allows users to operate a remote desktop or server from anywhere on the globe. However, any IT manager worth their salt will tell you it's a big no-no. Why? Because the default configuration of port 3389 poses substantial security risks for your organization.   

Cybercriminals actively target port 3389. They even initiate automated scans across the internet to hunt for it. Once they identify you're using it, they will launch a range of attacks, like brute force attempts to exploit the port's known vulnerabilities. It's a prime target precisely because they know how to break into it. Using a remote desktop through port 3389 is like asking to get hacked.  

Thankfully, there are ways around the vulnerability. Intelligent Technical Solutions (ITS) is an IT service company dedicated to helping businesses use technology more securely. In this article, we'll help you understand the dangers of using the default port and the best practices to mitigate the risks based on our experience. 

5 Reasons NOT to Use Port 3389 

Two cyber criminals discussing hacking strategies, possibly involving port 3389

The key reasons to avoid using port 3389 for RDPs are as follows: 

1. Brute Force Attacks

Systems with port 3389 are more visible and prone to scanning by attackers. Hackers often employ automated tools to scan the internet for systems with open RDP ports, attempting to brute-force their way in by guessing usernames and passwords.   

2. Vulnerabilities in RDP Protocol

RDP has a history of security vulnerabilities. Exploitable weaknesses in the protocol itself have been discovered over time, allowing attackers to execute various attacks, ranging from unauthorized access to the compromise of the entire system. Vulnerabilities like BlueKeep (CVE-2019-0708) revealed critical flaws that could lead to remote code execution without user interaction, posing a severe threat to unpatched systems.  

3. Credential Attacks and Weak Passwords

Attackers frequently attempt to exploit weak credentials associated with RDP. They might use stolen or default login credentials, launching attacks such as brute force or credential stuffing, where large sets of username and password combinations are systematically tried until a successful match is found. Weak or easily guessable passwords only exacerbate this vulnerability.  

RELATED: How to Make Strong Passwords 

4. Unencrypted Traffic

If RDP sessions are not configured to use encryption properly, the data transmitted between the remote system and the client can be intercepted, leading to potential data theft or manipulation by attackers. Unencrypted traffic exposes sensitive information to eavesdropping or tampering.  

5. RDP Exposure 

Directly exposing RDP to the internet without proper security measures significantly increases the risk. Attackers can easily discover systems with open ports and attempt various exploits and attack methods, even without being within the local network. 

Best Practices when Using RDP 

Hacker in a hoodie at a workstation, possibly exploiting port 3389 vulnerabilities

To mitigate the risks associated with port 3389 and RDP vulnerabilities, you can take the following steps: 

1. Zero Trust Network Access (ZTNA) or VPN for Remote Access

Implementing a Virtual Private Network (VPN) is a viable and secure option for remote access. Users connect to the VPN first, and then internal resources, including RDP services, are accessed through the encrypted VPN tunnel. VPNs can provide an additional layer of security by authenticating and encrypting traffic between the user and the internal network. 

However, according to Ed Griffin, ITS Security and GRC Executive, a better option than VPN is Zero Trust Network Access (ZTNA). Unlike VPNs, which provide direct tunneled access to an endpoint, ZTNA solutions are founded on the principle of "never trust; always verify." That means they continuously verify that all users and devices trying to access resources in your network are who they say they are. Not to mention, it restricts access only to explicitly authorized resources and resource groups rather than the entire network. 

2. Remote Desktop Gateway (RD Gateway)

Another option to consider is using Remote Desktop Gateway, which acts as a middleman between remote clients and internal RDP servers. RD Gateway provides a secure and encrypted channel for remote desktop connections by tunneling RDP traffic over HTTPS. It allows users to securely access RDP resources without exposing the RDP service directly to the internet. 

Griffin adds, however, that while an RD Gateway can reduce RDP exposure, it also introduces HTTPS vulnerabilities. To address that, you must ensure that the RD Web Access, RD Gateway, and the rest of the RD services are locked down. “Ideally, the RD Web Access and RD Gateway servers would be behind the ZTNA or VPN gateway to eliminate public exposure,” he said. 

3. Network Access Control and IP Whitelisting

Restricting access to RDP by implementing network access control lists (ACLs) or IP whitelisting ensures that only specified IP addresses or ranges are allowed to connect to the RDP service. This significantly reduces the attack surface by limiting access to trusted entities only. 

4. Multi-factor Authentication (MFA)

Implementing multi-factor authentication adds an additional layer of security by requiring more than just a password for authentication. Even if attackers obtain login credentials, they would need an additional factor (such as a code from a mobile device) to gain access. While there are ways around MFA, it is enough to deter many hackers trying to penetrate your defenses via brute force methods.  

mfa

Combining these strategies enhances your cybersecurity posture significantly and mitigates the risks associated with directly exposing RDP services on port 3389 to the internet. 

Need Help Implementing RDP Safely? 

Programmers hands on a keyboard, potentially securing or exploiting port 3389

Given the constant evolution of cyber threats, relying on port 3389 for RDP without adequate protection puts your organization at risk. Its susceptibility to brute force attacks, exploits, and unauthorized access underscores the critical need for alternative strategies. You can do that by: 

  • Leveraging ZTNA or VPN  
  • Using RD Gateway  
  • Implementing Network Access Control Lists  
  • Enforcing MFA  

Combining these practices greatly enhances your security and mitigates the risks of using RDP. If you need help setting up security measures, our team of cybersecurity experts at ITS can guide you. Schedule a free IT security assessment with us. Or learn more about remote access by checking the following resources: