Exposed Service · Critical

Exposed RDP (Remote Desktop, port 3389)

An exposed RDP endpoint is a Windows Remote Desktop service reachable directly from the public internet on TCP/3389. It is one of the most common initial-access vectors behind ransomware intrusions.

Most teams discover an internet-facing RDP host the hard way — after a failed-login spike, an alert, or an incident. The more useful questions for an external assessment are whether 3389 (or a non-standard RDP port) answers from outside at all, what it leaks before authentication, and whether the fingerprinted OS build matches an entry in the CISA Known Exploited Vulnerabilities catalog. This page covers how the exposure is found and exploited, how to detect it on your own perimeter, how to validate a hit instead of reporting scanner noise, and how to remediate it for good.

Reviewed by Aakash Harish

Security Research Contributor, Legba

Reviewed 2026-05-28 · Updated 2026-05-28

What it is

Remote Desktop Protocol lets an operator control a Windows host over the network. When the listener is bound to a public interface without a VPN, bastion, or IP allowlist in front of it, anyone on the internet can reach the authentication handshake — and, on unpatched hosts, the pre-authentication attack surface.

Exposed RDP is repeatedly cited among the top ransomware initial-access vectors. A single reachable 3389 invites credential stuffing, password brute force, and exploitation of pre-auth CVEs such as BlueKeep (CVE-2019-0708). A successful hit means hands-on-keyboard access, lateral movement, and a credible path to full domain compromise.

At a glance

Type: open-rdp
Ports: 3389
Protocols: RDP, TCP
Seen on: Windows Server, Terminal Services, Azure VM, on-prem hypervisors, jump boxes
Severity: Critical
Updated: 2026-05-28

How attackers find and exploit it

  • Internet-wide scanners enumerate TCP/3389 and common alternate RDP ports across the target's registered netblocks and cloud egress ranges.
  • The pre-authentication exchange leaks identity before any credential is tried: when NLA is in use, the NTLM challenge inside the CredSSP handshake carries the NetBIOS computer and domain name, the DNS names, and the exact OS build, and the subject of the (usually self-signed) TLS certificate names the host. Together these fingerprint the patch level and CVE exposure.
  • Attackers spray credentials harvested from breach corpora, or brute-force weak passwords, until a valid session sticks — low-noise, durable access.
  • Unpatched hosts are targeted for pre-auth remote code execution (e.g. BlueKeep) to bypass authentication entirely.
  • Once inside, the operator pivots to file shares, dumps credentials, and stages ransomware or data exfiltration.

How to detect it on your surface

  • Enumerate every public IP and cloud egress range you own, then probe for 3389 and non-standard RDP listeners.
  • Correlate any discovered RDP host against your asset inventory — exposed RDP is frequently shadow IT or a forgotten jump box.
  • Cross-reference each host's OS-build fingerprint against the CISA KEV catalog for RDP-related CVEs.
  • Track whether the listener appeared recently, which usually signals an unreviewed firewall or security-group change.

Detection signals

  • TCP/3389 (or an alternate port) open to 0.0.0.0/0 with a completed RDP negotiation response.
  • An NTLM challenge from the CredSSP/NLA exchange disclosing the NetBIOS/domain name, DNS name, and OS build.
  • A TLS certificate whose common name reveals an internal hostname.
  • The server accepting a TLS-only negotiation that offers no CredSSP, i.e. NLA not enforced: an unauthenticated client is handed the Windows logon screen, widening the pre-auth surface.

Validate before you report

  • Confirm the listener actually completes an RDP negotiation rather than being a honeypot or an unrelated service squatting on 3389.
  • Capture the pre-auth fingerprint (screenshot plus the raw handshake) as evidence for the report.
  • Determine whether NLA is enforced; its absence materially changes the severity narrative.
  • Resolve the host to an owner and confirm it is in assessment scope before any active testing.
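The detection, signal and validation steps above come down to one protocol exchange, so here is that exchange as an added example (this is not Legba Recon's detection logic). It builds the X.224 Connection Request from MS-RDPBCGR, classifies the Connection Confirm (or the non-RDP garbage a honeypot or squatting service returns), decides whether NLA is enforced by offering TLS without CredSSP, and reads the common names out of the TLS certificate. The sample replies are constructed for the demo, not captures; `probe_rdp` opens a real connection and must only be pointed at in-scope hosts.

```python
"""Probe a suspected RDP listener: confirm it really speaks RDP, learn whether
Network Level Authentication is enforced, and read the hostname out of the TLS
certificate. Added example (not Legba's code); wire format per MS-RDPBCGR
2.2.1.1 (X.224 Connection Request) and 2.2.1.2 (X.224 Connection Confirm)."""
import socket
import ssl
import struct

# requestedProtocols / selectedProtocol flags
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX = 0x0, 0x1, 0x2, 0x8
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03
HYBRID_REQUIRED_BY_SERVER = 0x05  # failureCode: server insists on CredSSP (NLA)

# Constructed sample replies (not captures) used by the demo below.
SAMPLE_REPLIES = {
    "tls_only_accepted": bytes.fromhex("030000130ed000001234000200080001000000"),
    "nla_enforced":      bytes.fromhex("030000130ed000001234000300080005000000"),
    "legacy_no_neg_rsp": bytes.fromhex("0300000b06d00000123400"),
    "not_rdp":           b"HTTP/1.1 400 Bad Request\r\n",
}


def build_x224_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request TPDU carrying an RDP_NEG_REQ (no cookie)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # LI=14, CR code 0xE0, DST-REF, SRC-REF, class 0, then the 8-byte RDP_NEG_REQ
    x224 = bytes([0x0E, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00]) + neg_req
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(x224)) + x224


def parse_x224_connection_confirm(data: bytes) -> dict:
    """Classify a reply to the request above.

    'rdp' is False for anything that is not a well-formed TPKT/X.224 Connection
    Confirm (an unrelated service on the port, or a honeypot that only accepts the
    TCP connection). 'nla_required' is True only when the server refused a
    non-CredSSP offer, False when it accepted plain TLS or legacy RDP security,
    and None when it selected the CredSSP path we offered (enforcement is then
    undecided: re-probe offering PROTOCOL_SSL only, as probe_rdp does).
    """
    if len(data) < 11 or data[0] != 0x03 or data[1] != 0x00:
        return {"rdp": False, "reason": "no TPKT header"}
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data) or data[5] != 0xD0:
        return {"rdp": False, "reason": "no X.224 Connection Confirm"}
    if len(data) == 11:  # no RDP_NEG_RSP at all: Standard RDP Security only
        return {"rdp": True, "nla_required": False,
                "selected_protocol": PROTOCOL_RDP, "failure_code": None}
    if len(data) < 19:
        return {"rdp": False, "reason": "truncated negotiation structure"}
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        return {"rdp": False, "reason": "bad RDP_NEG length"}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"rdp": True, "nla_required": value == HYBRID_REQUIRED_BY_SERVER,
                "selected_protocol": None, "failure_code": value}
    if neg_type == TYPE_RDP_NEG_RSP:
        nla = None if value & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX) else False
        return {"rdp": True, "nla_required": nla,
                "selected_protocol": value, "failure_code": None}
    return {"rdp": False, "reason": f"unknown RDP_NEG type {neg_type:#x}"}


def der_common_names(der: bytes) -> list:
    """Crude scan for commonName (OID 2.5.4.3) values in a DER certificate; enough
    to read the machine name out of the self-signed certificate RDP uses by
    default. Subject and issuer both carry a CN, so a self-signed cert yields two."""
    oid, names, i = b"\x06\x03\x55\x04\x03", [], 0
    while (i := der.find(oid, i)) != -1:
        i += len(oid)
        if i + 2 > len(der):
            break
        tag, length = der[i], der[i + 1]
        value = der[i + 2:i + 2 + length]
        if tag == 0x1E:                       # BMPString (UTF-16BE)
            names.append(value.decode("utf-16-be", "replace"))
        elif tag in (0x0C, 0x13, 0x16):       # UTF8String, PrintableString, IA5String
            names.append(value.decode("utf-8", "replace"))
    return names


def probe_rdp(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Live probe: offer TLS without CredSSP. A server that enforces NLA must answer
    RDP_NEG_FAILURE/HYBRID_REQUIRED_BY_SERVER; one that accepts hands an
    unauthenticated client its Windows logon screen. Only run against hosts in scope."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_x224_connection_request(PROTOCOL_SSL))
        result = parse_x224_connection_confirm(sock.recv(1024))
        if result.get("selected_protocol") == PROTOCOL_SSL:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False          # self-signed is the norm here
            ctx.verify_mode = ssl.CERT_NONE     # very old hosts may also need TLS 1.0 enabled
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["cert_common_names"] = der_common_names(
                    tls.getpeercert(binary_form=True))
    return result


if __name__ == "__main__":
    for label, reply in SAMPLE_REPLIES.items():
        print(f"{label:18s} -> {parse_x224_connection_confirm(reply)}")
```

The design point is the PROTOCOL_SSL-only offer: a server may well support CredSSP and still not require it, so offering HYBRID and watching it get selected proves nothing about enforcement. Keep the raw request and reply bytes alongside the screenshot as report evidence.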

What looks like this but isn't

  • Port 3389 forwarded to a deliberately exposed honeypot — validate by protocol behavior, not the port number alone.
  • An RD Gateway brokering RDP over 443 is a different, often acceptable, control — do not report it as raw exposed RDP.
  • A load balancer health check that opens the port without a real RDP service behind it.

Remediation

  • Remove RDP from the public internet; place it behind a VPN, RD Gateway, or zero-trust access broker.
  • Enforce Network Level Authentication and phishing-resistant MFA for all remote access.
  • Restrict inbound source IPs with an allowlist, and patch to eliminate known pre-auth CVEs.
  • Alert on failed-login spikes and on any newly internet-facing 3389 listener.

Operational checklist

  • Add 3389 and common alternate RDP ports to continuous external-surface monitoring.
  • Default-deny inbound RDP at the cloud security-group and firewall layer.
  • Inventory and decommission forgotten jump boxes on a recurring cadence.
  • Require change-control approval before any host exposes a remote-access service.
  • Re-validate after remediation and capture closing evidence in the report.
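The remediation bullets (remove RDP from the public internet, allowlist inbound sources) and the checklist item about default-deny at the cloud security-group layer can be checked mechanically. The following added example (not Legba's code) walks security groups in the shape boto3's `ec2.describe_security_groups()` returns, flags any rule whose port span reaches an RDP port from `0.0.0.0/0` or `::/0`, and shows the allowlisted form of a flagged rule. The groups are constructed for the demo and are not real resources, and the alternate-port list is an assumption you should tune to your own estate.

```python
"""Find cloud security-group rules that expose RDP to the world, and show the
allowlisted form of an offending rule. Added example, not Legba's code. Input
follows the shape of boto3's ec2.describe_security_groups() response so real
output can be fed straight in; the sample groups below are constructed."""
import ipaddress

# 3389 plus alternates commonly chosen to "hide" RDP (assumption: tune to your estate)
RDP_PORTS = {3389, 3388, 3390, 3391, 33389, 33890}

# Constructed sample, not real resources. 203.0.113.0/24 is a documentation range.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "jumpbox-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "jumpbox-allowlisted", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "dev-allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ddd", "GroupName": "wide-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3300, "ToPort": 3400,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0eee", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def rule_port_range(perm: dict):
    """(low, high) TCP ports a permission covers, or None if it cannot carry RDP."""
    proto = str(perm.get("IpProtocol"))
    if proto == "-1":                 # all traffic: FromPort/ToPort are absent
        return 0, 65535
    if proto not in ("tcp", "6"):
        return None                   # RDP session setup is TCP; UDP alone cannot start one
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def world_sources(perm: dict) -> list:
    """Source CIDRs (v4 or v6) that mean 'the whole internet', i.e. prefix length 0."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs
            if c and ipaddress.ip_network(c, strict=False).prefixlen == 0]


def find_exposed_rdp(security_groups: list) -> list:
    """One finding per rule that lets any RDP port in from the world."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            ports = rule_port_range(perm)
            if ports is None:
                continue
            low, high = ports
            hit = sorted(p for p in RDP_PORTS if low <= p <= high)
            sources = world_sources(perm) if hit else []
            if sources:
                findings.append({"group": sg["GroupId"], "name": sg.get("GroupName"),
                                 "ports": f"{low}-{high}", "rdp_ports": hit,
                                 "sources": sources})
    return findings


def allowlisted_rule(perm: dict, allowlist: list) -> dict:
    """The corrected shape of a world-open rule: same ports, sources replaced by
    the allowlist. The better fix is no public RDP rule at all (VPN or RD Gateway)."""
    nets = [ipaddress.ip_network(c) for c in allowlist]
    fixed = dict(perm)
    fixed["IpRanges"] = [{"CidrIp": str(n), "Description": "rdp-allowlist"}
                         for n in nets if n.version == 4]
    fixed["Ipv6Ranges"] = [{"CidrIpv6": str(n), "Description": "rdp-allowlist"}
                           for n in nets if n.version == 6]
    return fixed


if __name__ == "__main__":
    for finding in find_exposed_rdp(SAMPLE_GROUPS):
        print(finding)
```

Two details matter in practice: an "all traffic" rule (`IpProtocol` `-1`) has no port fields and still exposes RDP, and a broad TCP range such as 3300-3400 exposes it without 3389 ever appearing in the rule text, which is why the check tests port containment rather than string equality.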

What to do next

Treat any internet-facing RDP listener as an incident waiting to happen. The durable fix is to remove it from the public surface entirely, gate remote access behind MFA and a broker, and continuously monitor the perimeter so a new 3389 never reappears unnoticed.

Methodology

Each finding-type guide is built from Legba Recon's real detection and validation logic, reviewed by a named security contributor, and cited against primary sources such as OWASP, CISA, NIST, and MITRE. We update pages when the underlying guidance changes. See our contributors and company.
