Is Port 3389 (RDP) Safe to Have Open?

Port 3389 is the default for Remote Desktop. Over 4 million instances sit exposed on the internet. Here is why that is a problem and what to do about it.

Tags: network-security, tutorial, vulnerability-scanning

There are over 4.4 million machines with port 3389 exposed to the internet right now. You can verify this yourself on Shodan. Each one is an open invitation for brute-force bots, credential stuffers, and ransomware operators who buy access in bulk.

So no. Port 3389 is not safe to have open. But let us talk about why, because the answer is more nuanced than “close it.”

What Runs on Port 3389

Port 3389 is the default for Microsoft’s Remote Desktop Protocol (RDP). It lets you control a Windows machine remotely: you see its desktop, run applications, and transfer files. System administrators use it constantly. It is one of the most useful tools in Windows, and one of the most dangerous when misconfigured.

RDP itself is not inherently insecure. The protocol supports encryption, certificate validation, and Network Level Authentication (NLA). The problem is how it gets deployed: default port, weak passwords, no NLA, exposed directly to the internet with no restrictions. That combination turns a management tool into an attack surface.

Why Attackers Love It

RDP is the easiest door to knock on because it answers back with useful information. A bot scanning port 3389 can immediately tell if RDP is running, whether NLA is enabled, and what version of Windows is behind it. That is a lot of reconnaissance from a single port probe.

Brute force is trivial. Tools like Hydra and Medusa generate thousands of authentication attempts per minute against exposed RDP endpoints. If the account is “Administrator” and the password is “Company2024!”, it falls in hours. No exploit needed, no vulnerability required. Just patience and a wordlist.

Stolen credentials work even better. Attackers do not always guess. Credential dumps from previous breaches contain billions of username/password combinations. If an employee reused their corporate password on a service that got breached, attackers can walk right in without triggering account lockout. This is credential stuffing, and it is effective precisely because people reuse passwords.
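The brute-force and credential-stuffing patterns just described leave a trail in the Windows Security log of the host being hit. The following PowerShell is an added example (not from the original article) that groups logon events by source address and flags the two patterns; the event IDs and logon types are the standard Windows ones, and the thresholds are assumptions to tune for your environment.

```powershell
# Added example: flag RDP brute force and credential stuffing from this host's
# Security log. Run in an elevated PowerShell; thresholds are illustrative.
param(
    [int]$WindowMinutes    = 60,
    [int]$FailThreshold    = 20,   # failed logons from one source = brute force
    [int]$AccountThreshold = 5     # distinct accounts tried from one source = stuffing
)

# 4625 = failed logon, 4624 = successful logon. With NLA enabled, failed RDP
# attempts are recorded as LogonType 3 (network) rather than 10 (RemoteInteractive),
# so both types are kept.
$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue

$records = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['LogonType'] -notin @('3', '10')) { continue }
    if (-not $data['IpAddress'] -or $data['IpAddress'] -eq '-') { continue }   # local logons carry no source
    [pscustomobject]@{ Id = $e.Id; User = $data['TargetUserName']; SourceIp = $data['IpAddress'] }
}

$findings = foreach ($src in ($records | Group-Object SourceIp)) {
    $fails    = @($src.Group | Where-Object Id -eq 4625)
    $accounts = @($fails | Select-Object -ExpandProperty User -Unique)
    # Many failures against few accounts is guessing; few failures spread over many
    # accounts (no lockout triggered) is the stuffing pattern described above.
    $verdict  = if ($fails.Count -ge $FailThreshold)           { 'brute-force' }
                elseif ($accounts.Count -ge $AccountThreshold) { 'credential-stuffing' }
                else                                           { $null }
    if (-not $verdict) { continue }
    [pscustomobject]@{
        SourceIp = $src.Name
        Failures = $fails.Count
        Accounts = $accounts.Count
        # A success from a source that was also failing is the case to escalate first.
        LoggedIn = [bool]($src.Group | Where-Object Id -eq 4624)
        Verdict  = $verdict
    }
}

$findings | Sort-Object LoggedIn, Failures -Descending | Format-Table -AutoSize
```

On a domain-joined host the same query against the domain controllers' Security logs gives the aggregate view, since account lockout state is tracked there.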

Initial access brokers sell RDP access. There is an entire market for compromised RDP sessions. Prices range from around $250 for a small business to $10,000 or more for high-value targets. Ransomware operators buy this access, skip the hard part of breaking in, and go straight to deploying payloads. We covered this supply chain in our ransomware landscape breakdown.

What Goes Wrong

Ransomware. RDP compromise was present in 90% of ransomware cases investigated by Sophos in 2023. That number may have shifted since, but RDP and VPN remain the top two initial access vectors for ransomware in every major incident report. The pattern is consistent: brute-force or credential-stuff into RDP, disable security tools, deploy ransomware, encrypt everything.

BlueKeep (CVE-2019-0708). Disclosed in 2019, this is a wormable remote code execution vulnerability in RDP itself. No authentication required. An attacker sends a crafted request to port 3389 and gets system-level code execution. Microsoft patched it, but unpatched systems still exist, especially older Windows 7 and Server 2008 machines that organizations refuse to retire. Public exploit code is available in Metasploit.

Lateral movement. Once inside via RDP, attackers use the same protocol to move between machines on the internal network. RDP is a legitimate tool, so it blends into normal traffic. Security teams often overlook internal RDP connections because they look like regular admin activity. This is the “living off the land” approach where the attacker never needs to install malware.

How to Check if You Are Exposed

The quickest way: scan your public IP for port 3389.

nmap -p 3389 your.public.ip

If the state is “open,” your RDP is accessible from the internet. If it says “filtered” or “closed,” you are probably fine on this port.

For a broader view, Sentinel checks all 65535 ports and flags exposed RDP as a critical finding. The report includes whether NLA is enabled and what version of RDP is running. Free, no account required.

You can also check Shodan for your IP, but that shows cached data. If you changed your configuration yesterday, Shodan might not reflect it yet. A direct scan gives you the current state.

How to Fix It

Option 1: Do not expose RDP to the internet at all. This is the correct answer for almost everyone. Put RDP behind a VPN. Users connect to the VPN first, then RDP to the machine. The RDP port never touches the public internet. If you have a firewall, block port 3389 for all inbound traffic from external sources.

Option 2: If you absolutely must have RDP exposed, lock it down.

Enable Network Level Authentication (NLA). Without NLA, an attacker gets a login screen just by connecting. With NLA, they must authenticate before the session even starts. This shuts out unauthenticated exploitation of bugs like BlueKeep (an attacker who already holds valid credentials can still reach the vulnerable code, so the patch is still required) and makes brute force slightly harder.

Change the default port. Moving RDP from 3389 to something non-standard will not stop a determined attacker (a full port scan finds it in minutes), but it will eliminate 99% of automated bot traffic that only checks 3389. Security through obscurity is not a strategy by itself, but combined with other measures, it reduces noise.

Restrict source IPs. If you know which IP addresses need RDP access, configure your firewall to only allow connections from those addresses. Everyone else gets dropped at the network level.

Enforce strong passwords and account lockout. If brute force is the primary attack, make it fail. Require long, unique passwords. Lock accounts after 5 failed attempts. Use multi-factor authentication if your RDP setup supports it (it does through RD Gateway or third-party tools).
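The nmap scan in “How to Check if You Are Exposed” shows the outside view; the inside view is the host's own RDP settings. The PowerShell below is an added example (not from the original article) that audits those settings and, with -Apply, enforces the Option 2 controls above: NLA, TLS-only security layer, source-IP restriction on the built-in firewall rules, and account lockout. It assumes an English Windows install (the firewall rule group is named “Remote Desktop”), and the default -AllowedSources addresses are placeholders from the TEST-NET ranges.

```powershell
# Added example: audit this host's RDP exposure and, with -Apply, enforce the
# Option 2 controls. Run in an elevated PowerShell on the Windows host itself.
param(
    [switch]$Apply,
    [string[]]$AllowedSources = @('203.0.113.10', '198.51.100.0/24'),  # placeholders; replace with your admin sources
    [int]$LockoutThreshold = 5
)
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"

function Get-RdpState {
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled       = (Get-ItemProperty $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
        Port          = (Get-ItemProperty $rdpTcp -Name PortNumber).PortNumber
        NLA           = (Get-ItemProperty $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1
        SecurityLayer = (Get-ItemProperty $rdpTcp -Name SecurityLayer).SecurityLayer   # 0 = RDP, 1 = negotiate, 2 = TLS only
        RemoteAddress = @($rules | Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress -Unique)
    }
}

$before = Get-RdpState
if (-not $before.Enabled) { Write-Host 'RDP is disabled on this host (fDenyTSConnections=1).'; return }

$findings = @()
if (-not $before.NLA)                      { $findings += 'NLA off: clients reach the logon path unauthenticated' }
if ($before.SecurityLayer -ne 2)           { $findings += "SecurityLayer=$($before.SecurityLayer): TLS not enforced" }
if ($before.RemoteAddress -contains 'Any') { $findings += 'Firewall accepts RDP from Any remote address' }
if ($before.Port -eq 3389)                 { $findings += 'Listening on default port 3389 (what automated scanners check)' }
$findings | ForEach-Object { Write-Host "[!] $_" }
if (-not $findings) { Write-Host '[ok] No local RDP misconfiguration found' }

if ($Apply) {
    # Same values the System Properties dialog writes: NLA required, TLS-only layer.
    Set-ItemProperty $rdpTcp -Name UserAuthentication -Value 1
    Set-ItemProperty $rdpTcp -Name SecurityLayer -Value 2
    # Limit the built-in RDP firewall rules to the known source addresses.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $AllowedSources -Enabled True
    # Local account lockout: N failed attempts, 15 min lockout, 15 min reset window.
    net accounts "/lockoutthreshold:$LockoutThreshold" /lockoutduration:15 /lockoutwindow:15 | Out-Null
    Get-RdpState | Format-List   # read back the result
}
```

The lockout setting here is local policy; on a domain member the domain's account lockout policy takes precedence, so set it there instead.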

Option 3: Use an alternative. RDP through Remote Desktop Gateway adds TLS encryption and allows MFA. Or switch to a zero-trust remote access solution entirely. The industry is moving away from exposing individual services to the internet for good reason.

The Short Version

Port 3389 open to the internet means your Windows machine is accepting remote desktop connections from anyone on the planet. Bots will find it within hours. If the password is weak, they will get in. If the system is unpatched, they might not even need a password.

Close the port. Put it behind a VPN. If you are not sure whether it is exposed, scan your IP and find out. Knowing is the first step.