What it is
Remote Desktop Protocol (RDP) is a Microsoft protocol that provides graphical remote access to Windows desktops and servers. It commonly listens on TCP port 3389. RDP delivers full keyboard, mouse, and display control, making it indispensable for remote administration and remote work scenarios. However, weak authentication, default settings, and unpatched vulnerabilities make exposed RDP services attractive entry points for adversaries.
Attackers exploit RDP through brute-force attacks, credential stuffing with stolen passwords, exploitation of protocol flaws (such as BlueKeep-class vulnerabilities), or by purchasing access from initial access brokers. Once inside, attackers can escalate privileges, deploy malware, or exfiltrate data.
Why it matters
RDP compromise provides immediate, high-level access to systems. Home users, SMBs, and enterprises often expose RDP to the internet without adequate defenses, leading to rapid ransomware deployment and domain compromise. Within internal networks, lax segmentation allows compromised RDP sessions to reach critical systems. Because RDP supports file transfer and clipboard sharing, attackers can easily stage tools and steal data.
How to reduce risk
- Avoid exposing raw RDP on the public internet; front it with VPNs, remote access gateways, or zero-trust brokers.
- Enforce multi-factor authentication (MFA) for all remote desktop access.
- Segment administrative hosts and limit RDP access to dedicated jump servers.
- Keep Windows systems patched and enable Network Level Authentication (NLA).
- Use RDP gateways with logging, monitoring, and session recording for accountability.
- Replace static passwords with smartcards, certificates, or Azure AD Conditional Access policies.
- Monitor for unusual RDP session activity, failed login spikes, and lateral movement attempts.
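The monitoring step in the last bullet, as an added example that is not part of the original page: a small Python detector over Windows Security log records that flags a spike of failed logons from one source address and, with higher priority, a successful RDP logon from a source that has just produced such a spike. Event IDs 4625/4624 and LogonType 10 are standard Windows values; the records, addresses, threshold and window are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log semantics: 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (an RDP session). With NLA enabled, a failed
# RDP attempt is usually recorded as LogonType 3 (network), so failures are
# counted per source IP regardless of LogonType.
def ev(event_id, time_created, ip, user, logon_type):
    return {"EventID": event_id, "TimeCreated": time_created,
            "IpAddress": ip, "TargetUserName": user, "LogonType": logon_type}

# Constructed sample records for a single RDP host (not real telemetry).
SAMPLE_EVENTS = [
    ev(4625, "2024-01-10T02:00:05", "203.0.113.7", "administrator", 3),
    ev(4625, "2024-01-10T02:00:09", "203.0.113.7", "admin", 3),
    ev(4625, "2024-01-10T02:00:14", "203.0.113.7", "backup", 3),
    ev(4624, "2024-01-10T02:01:00", "10.0.0.5", "jdoe", 10),  # legitimate session, no prior failures
    ev(4625, "2024-01-10T02:01:20", "203.0.113.7", "administrator", 3),
    ev(4625, "2024-01-10T02:01:33", "203.0.113.7", "administrator", 3),
    ev(4625, "2024-01-10T02:02:00", "198.51.100.2", "jdoe", 3),  # two typos, stays below threshold
    ev(4625, "2024-01-10T02:02:30", "198.51.100.2", "jdoe", 3),
    ev(4624, "2024-01-10T02:03:10", "203.0.113.7", "administrator", 10),  # success after a burst
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return (source_ip, alert_kind, failure_count) tuples.

    'failed-logon-spike'  : >= threshold 4625s from one source inside the window.
    'success-after-spike' : a LogonType 10 4624 from a source that just produced a spike.
    """
    failures = defaultdict(list)  # source ip -> timestamps of recent 4625s
    alerts = []
    for e in sorted(events, key=lambda r: r["TimeCreated"]):
        ts = datetime.fromisoformat(e["TimeCreated"])
        ip = e["IpAddress"]
        # keep only failures still inside the sliding window
        failures[ip] = [t for t in failures[ip] if ts - t <= window]
        if e["EventID"] == 4625:
            failures[ip].append(ts)
            if len(failures[ip]) == threshold:  # fire once when the threshold is crossed
                alerts.append((ip, "failed-logon-spike", threshold))
        elif e["EventID"] == 4624 and e["LogonType"] == 10:
            if len(failures[ip]) >= threshold:
                alerts.append((ip, "success-after-spike", len(failures[ip])))
    return alerts
```

On a real host the same logic runs over the Security channel exported from Event Viewer or a SIEM; the "success-after-spike" alert is the one worth paging on, since it marks a likely credential guess that worked.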