Port 3389 is the default port used to facilitate remote access to Windows computers through the Remote Desktop Protocol (RDP). That allows users to operate a remote desktop or server from anywhere on the globe. However, any IT manager worth their salt will tell you it's a big no-no. Why? Because the default configuration of port 3389 poses substantial security risks for your organization.
Cybercriminals actively target port 3389. They even initiate automated scans across the internet to hunt for it. Once they identify you're using it, they will launch a range of attacks, like brute force attempts to exploit the port's known vulnerabilities. It's a prime target precisely because they know how to break into it. Using a remote desktop through port 3389 is like asking to get hacked.
Thankfully, there are ways around the vulnerability. Intelligent Technical Solutions (ITS) is an IT service company dedicated to helping businesses use technology more securely. In this article, we'll help you understand the dangers of using the default port and the best practices to mitigate the risks based on our experience.
5 Reasons NOT to Use Port 3389
The key reasons to avoid using port 3389 for RDPs are as follows:
1. Brute Force Attacks
Systems with port 3389 are more visible and prone to scanning by attackers. Hackers often employ automated tools to scan the internet for systems with open RDP ports, attempting to brute-force their way in by guessing usernames and passwords.
2. Vulnerabilities in RDP Protocol
RDP has a history of security vulnerabilities. Exploitable weaknesses in the protocol itself have been discovered over time, allowing attackers to execute various attacks, ranging from unauthorized access to the compromise of the entire system. Vulnerabilities like BlueKeep (CVE-2019-0708) revealed critical flaws that could lead to remote code execution without user interaction, posing a severe threat to unpatched systems.
3. Credential Attacks and Weak Passwords
Attackers frequently attempt to exploit weak credentials associated with RDP. They might use stolen or default login credentials, launching attacks such as brute force or credential stuffing, where large sets of username and password combinations are systematically tried until a successful match is found. Weak or easily guessable passwords only exacerbate this vulnerability.
RELATED: How to Make Strong Passwords
4. Unencrypted Traffic
If RDP sessions are not configured to use encryption properly, the data transmitted between the remote system and the client can be intercepted, leading to potential data theft or manipulation by attackers. Unencrypted traffic exposes sensitive information to eavesdropping or tampering.
5. RDP Exposure
Directly exposing RDP to the internet without proper security measures significantly increases the risk. Attackers can easily discover systems with open ports and attempt various exploits and attack methods, even without being within the local network.
Best Practices when Using RDP
To mitigate the risks associated with port 3389 and RDP vulnerabilities, you can take the following steps:
1. Zero Trust Network Access (ZTNA) or VPN for Remote Access
Implementing a Virtual Private Network (VPN) is a viable and secure option for remote access. Users connect to the VPN first, and then internal resources, including RDP services, are accessed through the encrypted VPN tunnel. VPNs can provide an additional layer of security by authenticating and encrypting traffic between the user and the internal network.
However, according to Ed Griffin, ITS Security and GRC Executive, a better option than VPN is Zero Trust Network Access (ZTNA). Unlike VPNs, which provide direct tunneled access to an endpoint, ZTNA solutions are founded on the principle of "never trust; always verify." That means they continuously verify that all users and devices trying to access resources in your network are who they say they are. Not to mention, it restricts access only to explicitly authorized resources and resource groups rather than the entire network.
2. Remote Desktop Gateway (RD Gateway)
Another option to consider is using Remote Desktop Gateway, which acts as a middleman between remote clients and internal RDP servers. RD Gateway provides a secure and encrypted channel for remote desktop connections by tunneling RDP traffic over HTTPS. It allows users to securely access RDP resources without exposing the RDP service directly to the internet.
Griffin adds, however, that while an RD Gateway can reduce RDP exposure, it also introduces HTTPS vulnerabilities. To address that, you must ensure that the RD Web Access, RD Gateway, and the rest of the RD services are locked down. “Ideally, the RD Web Access and RD Gateway servers would be behind the ZTNA or VPN gateway to eliminate public exposure,” he said.
3. Network Access Control and IP Whitelisting
Restricting access to RDP by implementing network access control lists (ACLs) or IP whitelisting ensures that only specified IP addresses or ranges are allowed to connect to the RDP service. This significantly reduces the attack surface by limiting access to trusted entities only.
4. Multi-factor Authentication (MFA)
Implementing multi-factor authentication adds an additional layer of security by requiring more than just a password for authentication. Even if attackers obtain login credentials, they would need an additional factor (such as a code from a mobile device) to gain access. While there are ways around MFA, it is enough to deter many hackers trying to penetrate your defenses via brute force methods.
Combining these strategies enhances your cybersecurity posture significantly and mitigates the risks associated with directly exposing RDP services on port 3389 to the internet.
Need Help Implementing RDP Safely?
Given the constant evolution of cyber threats, relying on port 3389 for RDP without adequate protection puts your organization at risk. Its susceptibility to brute force attacks, exploits, and unauthorized access underscores the critical need for alternative strategies. You can do that by:
- Leveraging ZTNA or VPN
- Using RD Gateway
- Implementing Network Access Control Lists
- Enforcing MFA
Combining these practices greatly enhances your security and mitigates the risks of using RDP. If you need help setting up security measures, our team of cybersecurity experts at ITS can guide you. Schedule a free IT security assessment with us. Or learn more about remote access by checking the following resources:
- What is the Best Way to Access Your Network Remotely: AVD or RDS?
- Open Ports: What They Are and Why You Need to Secure Them
- eBook: Data Breaches - A Definitive Guide for Business Owners