What Is RDP and Its Common Vulnerabilities
What RDP Does
Remote Desktop Protocol (RDP) provides graphical remote access to Windows computers. It transmits the screen content from the remote machine to the client and sends keyboard and mouse input back. RDP is built into every edition of Windows (Professional and above for hosting, all editions for connecting) and is the standard method for remotely managing Windows servers and workstations.
RDP operates on TCP port 3389 by default. When you connect to a Windows machine via Remote Desktop Connection, your client establishes a TCP connection to port 3389, negotiates encryption, authenticates, and begins streaming the desktop session.
Microsoft developed RDP in the late 1990s, based on the T.128 application sharing protocol from the ITU. It has been a core Windows feature since Windows XP.
How the Protocol Works
RDP uses a multi-channel architecture. The main channel carries screen updates and input. Additional virtual channels handle clipboard sharing, drive redirection, printer redirection, audio redirection, and USB device forwarding.
```mermaid
graph TD
subgraph "RDP Connection Flow"
C[Client] -->|TCP connect to port 3389| S[Server]
S -->|Security negotiation| C
C -->|Authentication - NLA or legacy| S
S -->|License check| C
C -->|Capability exchange| S
S -->|Graphical channel opens| C
C -->|Input channel - keyboard and mouse| S
S -->|Screen updates stream to client| C
end
subgraph "Virtual Channels"
VC1[Clipboard sharing]
VC2[Drive redirection]
VC3[Printer redirection]
VC4[Audio redirection]
VC5[USB forwarding]
end
```
RDP negotiates security and authentication before streaming the desktop over multiple channels
RDP supports several security modes. The legacy mode uses RDP's built-in encryption (RC4-based, considered weak). TLS mode wraps the RDP connection in TLS encryption. CredSSP (Credential Security Support Provider) adds NLA (Network Level Authentication), which requires authentication before the full RDP connection is established.
Port 3389 on the Internet
Port 3389 is one of the most scanned and attacked ports on the internet. Shodan consistently finds millions of systems with RDP exposed to the public internet. Automated scanning tools sweep the entire IPv4 address space looking for open RDP ports, completing a full scan in under an hour.
Every exposed RDP port is a target. Attackers probe these ports with credential brute force attacks, exploit known vulnerabilities, and test for misconfigurations. Security research firms report that a newly exposed RDP port begins receiving attack traffic within minutes.
The COVID-19 pandemic dramatically increased RDP exposure. Organizations rushed to enable remote access for employees working from home, and many took the shortcut of exposing RDP directly to the internet rather than deploying proper VPN infrastructure.
Credential Brute Force
The most common attack against exposed RDP is credential brute force. Attackers use automated tools that try thousands of username and password combinations against the RDP login. Common usernames (Administrator, admin, user) are tested with common passwords, passwords from previous data breaches, and systematically generated combinations.
These attacks are relentless. A single exposed RDP port can receive tens of thousands of login attempts per day from multiple attacking IPs. Botnets distribute the brute force across many source addresses to evade simple IP-based blocking.
Successful brute force gives the attacker full interactive access to the Windows desktop. From there, they can disable security tools, install ransomware, exfiltrate data, or use the compromised machine as a pivot point to attack other systems on the network.
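To make the pattern in this section concrete, here is an added detection example (not code from the original article) that runs over constructed Windows Security events: it flags a single source bursting failed logons, several source addresses spread across one account in the botnet style described above, and a successful logon from a source that was just bursting. The CSV layout, the thresholds and the alert names are assumptions; with NLA enabled, failed RDP logons are recorded as Event 4625 with LogonType 3 rather than 10, so both types are counted.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of forwarded Windows Security events (not real logs), one per line:
# time, EventID (4625 failed logon / 4624 success), TargetUserName, IpAddress, LogonType.
SAMPLE_EVENTS = """\
2024-03-01T02:00:01,4625,Administrator,203.0.113.10,3
2024-03-01T02:00:02,4625,Administrator,203.0.113.10,3
2024-03-01T02:00:03,4625,Administrator,203.0.113.10,3
2024-03-01T02:00:04,4625,Administrator,203.0.113.10,3
2024-03-01T02:00:05,4625,Administrator,203.0.113.10,3
2024-03-01T02:00:06,4625,Administrator,203.0.113.10,3
2024-03-01T02:00:30,4624,Administrator,203.0.113.10,10
2024-03-01T02:10:00,4625,admin,198.51.100.1,3
2024-03-01T02:10:40,4625,admin,198.51.100.2,3
2024-03-01T02:11:20,4625,admin,198.51.100.3,3
2024-03-01T02:12:00,4625,admin,198.51.100.4,3
2024-03-01T03:00:00,4625,svc_backup,10.0.0.7,4
2024-03-01T09:00:00,4625,jsmith,10.0.0.5,10"""

# 10 = RemoteInteractive. 3 = Network: with NLA on, failed CredSSP logons are logged as type 3, not 10.
RDP_LOGON_TYPES = {3, 10}

def parse_events(text: str) -> list:
    """Parse the CSV-style lines above into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, user, ip, ltype = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "user": user, "ip": ip, "logon_type": int(ltype)})
    return sorted(events, key=lambda e: e["time"])

def detect(events, per_ip=5, window=timedelta(seconds=60), min_sources=3, spread=timedelta(minutes=10)):
    """(kind, key, count) alerts: per-source bursts, distributed guessing on one account, success after a burst."""
    alerts, recent, sources, bursting, sprayed = [], defaultdict(list), defaultdict(list), set(), set()
    for e in events:
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        if e["id"] == 4625:
            # sliding window of failures per source address (assumed threshold: per_ip within window)
            recent[e["ip"]] = q = [t for t in recent[e["ip"]] + [e["time"]] if e["time"] - t <= window]
            if len(q) >= per_ip and e["ip"] not in bursting:
                bursting.add(e["ip"])
                alerts.append(("brute-force", e["ip"], len(q)))
            # distinct sources hitting one account within the spread window (botnet-style distribution)
            sources[e["user"]] = s = [x for x in sources[e["user"]] + [(e["time"], e["ip"])] if e["time"] - x[0] <= spread]
            distinct = {ip for _, ip in s}
            if len(distinct) >= min_sources and e["user"] not in sprayed:
                sprayed.add(e["user"])
                alerts.append(("distributed-guessing", e["user"], len(distinct)))
        elif e["id"] == 4624 and e["ip"] in bursting:
            alerts.append(("success-after-brute-force", f'{e["user"]}@{e["ip"]}', 1))
    return alerts
```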
BlueKeep - CVE-2019-0708
BlueKeep is a critical vulnerability in the RDP implementation on older Windows versions (Windows 7, Windows Server 2008 R2, and earlier). Disclosed in May 2019, it allows remote code execution without authentication - an attacker only needs to send specially crafted packets to port 3389.
```mermaid
graph TD
subgraph "BlueKeep Attack Characteristics"
B1[CVE-2019-0708] --> B2[Pre-authentication - no credentials needed]
B1 --> B3[Remote code execution]
B1 --> B4[Wormable - can self-propagate]
B1 --> B5[Affects Windows 7 and Server 2008 R2]
B2 --> B6[Attacker sends crafted RDP packets]
B6 --> B7[Use-after-free in RDP channel handling]
B7 --> B8[Kernel-level code execution]
B8 --> B9[Full system compromise]
end
```
BlueKeep provides unauthenticated remote code execution through RDP - similar severity to EternalBlue
BlueKeep is wormable, meaning malware can exploit it to spread automatically from one vulnerable machine to another, similar to how WannaCry used EternalBlue. Microsoft was so concerned that they released patches for unsupported operating systems (Windows XP and Server 2003) and the NSA issued a rare public advisory urging immediate patching.
The vulnerability exists in the RDP channel handling code. Specifically, it is a use-after-free bug in how the RDP service handles channel join requests during the pre-authentication phase. An attacker can trigger the use-after-free condition to execute arbitrary code in the kernel context.
RDP as Ransomware Entry Point
RDP has become the number one initial access vector for ransomware attacks. Security incident response reports consistently show that a majority of ransomware incidents begin with compromised RDP access.
The attack pattern is straightforward. Attackers buy RDP credentials on dark web marketplaces (where they sell for as little as a few dollars per machine), or brute force their way in. Once inside, they spend days or weeks performing reconnaissance, disabling backups, and mapping the network. When ready, they deploy ransomware across all reachable systems simultaneously.
The RDP-to-ransomware pipeline is so well-established that it has been industrialized. Initial access brokers specialize in compromising RDP endpoints and selling access to ransomware operators. This division of labor makes the overall operation more efficient and harder to disrupt.
Network Level Authentication
Network Level Authentication (NLA) is a security feature that requires the user to authenticate before the full RDP connection is established. Without NLA, the server allocates resources and presents a login screen to anyone who connects. With NLA, the authentication happens during the connection setup phase, before the server creates a session.
NLA provides two benefits. First, it reduces the server's exposure to denial-of-service attacks because unauthenticated connections are rejected early. Second, it keeps unauthenticated attackers away from pre-authentication bugs such as BlueKeep: with NLA enabled, the vulnerable channel-handling code is only reached after CredSSP authentication succeeds, so an attacker needs valid credentials before they can trigger it. NLA mitigates BlueKeep but does not fix it; the patch is still required.
NLA uses CredSSP, which supports NTLM and Kerberos authentication. On domain-joined machines, Kerberos is used by default. NLA should be enabled on every system that exposes RDP.
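The security negotiation described in "How the Protocol Works" and the NLA requirement discussed here are settled in the first two PDUs of the connection: the client's X.224 Connection Request carries an RDP_NEG_REQ listing the protocols it supports, and the server answers with an RDP_NEG_RSP (selected protocol) or an RDP_NEG_FAILURE (for example HYBRID_REQUIRED_BY_SERVER when NLA is enforced). The following added example (not code from the original article) builds the request, parses the server's Connection Confirm and classifies what the server will accept, using constructed sample replies rather than a live host; the verdict strings and the audit convention of requesting PROTOCOL_RDP only, so that the server's refusal reveals its minimum, are assumptions.

```python
import struct

# Constants from MS-RDPBCGR: requestedProtocols flags, rdpNegData types, failureCode values
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2
TYPE_NEG_REQ, TYPE_NEG_RSP, TYPE_NEG_FAILURE = 0x01, 0x02, 0x03
SSL_REQUIRED_BY_SERVER, HYBRID_REQUIRED_BY_SERVER = 0x1, 0x5

def wrap_tpkt_x224(tpdu_code: int, neg: bytes) -> bytes:
    """TPKT header + X.224 CR/CC TPDU (LI counts the 6 fixed bytes plus rdpNegData)."""
    x224 = struct.pack(">BBHHB", 6 + len(neg), tpdu_code, 0, 0, 0)
    return struct.pack(">BBH", 3, 0, 4 + len(x224) + len(neg)) + x224 + neg

def build_connection_request(requested_protocols: int) -> bytes:
    """Client's first PDU: X.224 Connection Request carrying an RDP_NEG_REQ."""
    return wrap_tpkt_x224(0xE0, struct.pack("<BBHI", TYPE_NEG_REQ, 0, 8, requested_protocols))

def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm and its optional rdpNegData."""
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("malformed TPKT")
    li, tpdu = data[4], data[5]
    if tpdu & 0xF0 != 0xD0:  # 0xD = Connection Confirm, low nibble is the credit field
        raise ValueError("not an X.224 Connection Confirm")
    neg = data[11:5 + li]
    if not neg:  # old servers send no rdpNegData: Standard RDP Security is implied
        return {"type": None, "selected_protocol": PROTOCOL_RDP}
    ntype, _flags, nlen, value = struct.unpack("<BBHI", neg[:8])
    if nlen != 8 or ntype not in (TYPE_NEG_RSP, TYPE_NEG_FAILURE):
        raise ValueError("unexpected rdpNegData")
    key = "selected_protocol" if ntype == TYPE_NEG_RSP else "failure_code"
    return {"type": ntype, key: value}

def classify(confirm: dict) -> str:
    """Audit verdict (assumed labels) for a confirm received after requesting PROTOCOL_RDP only."""
    if confirm["type"] == TYPE_NEG_FAILURE:
        code = confirm["failure_code"]
        if code == HYBRID_REQUIRED_BY_SERVER:
            return "nla-required"            # server refuses anything but CredSSP
        if code == SSL_REQUIRED_BY_SERVER:
            return "tls-required-no-nla"     # TLS enforced, login screen still reachable
        return f"negotiation-failure-{code}"
    if confirm["selected_protocol"] == PROTOCOL_RDP:
        return "legacy-rdp-security-accepted"  # RC4 mode allowed, no NLA
    return "nla" if confirm["selected_protocol"] & PROTOCOL_HYBRID else "tls"

# Constructed sample replies (not captured from a real host) to a PROTOCOL_RDP-only request
SAMPLE_NLA_ENFORCED = wrap_tpkt_x224(0xD0, struct.pack("<BBHI", TYPE_NEG_FAILURE, 0, 8, HYBRID_REQUIRED_BY_SERVER))
SAMPLE_LEGACY_ACCEPTED = wrap_tpkt_x224(0xD0, struct.pack("<BBHI", TYPE_NEG_RSP, 0, 8, PROTOCOL_RDP))
SAMPLE_OLD_SERVER = wrap_tpkt_x224(0xD0, b"")
```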
Securing RDP
The most effective defense is simple: never expose RDP directly to the internet. If remote access is needed, place RDP behind a VPN, an SSH tunnel, or a Remote Desktop Gateway (RD Gateway).
VPN first. Users connect to the corporate VPN, then access RDP through the VPN tunnel. The RDP port is only reachable from inside the VPN network, not from the public internet.
RD Gateway. Microsoft's Remote Desktop Gateway is an HTTPS-based proxy for RDP. Users connect to the gateway on port 443 (HTTPS), authenticate, and the gateway proxies the RDP connection to the internal server. This eliminates the need to expose port 3389.
Enable NLA. Always. There is no reason to allow unauthenticated connections to reach the RDP login screen.
Use MFA. Multi-factor authentication for RDP access stops credential-based attacks even if the password is compromised. Duo, Azure MFA, and other solutions integrate with RDP through NLA or RD Gateway.
Rate limiting and account lockout. Configure account lockout policies to lock accounts after a small number of failed login attempts. This stops brute force attacks but can create a denial-of-service risk if attackers intentionally lock out legitimate accounts.
Knowing what ports and services your network exposes is the foundation of security. The BLEShark Nano helps you discover wireless devices on your network, providing the visibility needed to audit which systems might be running exposed services like RDP.