Port reference
Port 3389 (TCP/UDP) – RDP
Microsoft Remote Desktop Protocol — graphical remote access to Windows hosts.
Default state
Open on Windows Server and Pro/Enterprise workstations once Remote Desktop is enabled. Often exposed directly to the internet on misconfigured hosts.
Common attacks
- Credential brute force and password spraying
- BlueKeep pre-auth RCE (CVE-2019-0708)
- DejaBlue RCE chain (CVE-2019-1181/1182)
- Man-in-the-middle on RDP sessions without NLA
Hardening
- Require Network Level Authentication (NLA)
- Never expose 3389 to the internet — gate behind VPN or an RD Gateway
- Enforce MFA and a strong-password policy
- Restrict access by IP allowlist and account lockout policy
- Patch promptly; BlueKeep-class bugs are wormable
nmap snippet
nmap -p3389 --script rdp-enum-encryption,rdp-ntlm-info <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 3389?
Port 3389 is the default for Microsoft's Remote Desktop Protocol (RDP), the
graphical remote-administration protocol built into Windows. It carries the full
desktop session — keyboard, mouse, display, clipboard, drive and printer
redirection — between an RDP client (mstsc.exe, FreeRDP, Remmina) and a host
running Remote Desktop Services.
Why it matters for security
RDP is a direct, interactive path to a Windows host, which makes 3389 one of the most aggressively scanned ports on the internet. Internet-wide scanners catalog every open 3389, and exposed endpoints are sold on access-broker markets as the first foothold for ransomware crews. Two problems compound the risk: weak or reused credentials make brute force trivial, and unpatched servers remain vulnerable to wormable pre-authentication RCE such as BlueKeep (CVE-2019-0708), which needs no credentials at all.
How it's attacked
Attackers mass-scan for open 3389, then launch credential brute force or password spraying against discovered hosts, often pivoting from a single valid login to the whole domain. Where Network Level Authentication is off, the session can be downgraded or intercepted. Against unpatched hosts, BlueKeep and the DejaBlue chain give code execution before login.
Hardening checklist
Keep 3389 off the public internet — front it with a VPN or Remote Desktop Gateway. Require NLA so the client must authenticate before a session is created, enforce MFA, and apply account-lockout and strong-password policy. Patch on day zero for any RDP CVE, since these bugs are repeatedly weaponized. Use the nmap snippet above to confirm encryption settings and NLA status on hosts you are authorized to test.
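As an added example that is not part of the original reference, the PowerShell script below audits and enforces the checklist items above on a local Windows host (run elevated). The registry values and the "Remote Desktop" firewall rule group are standard Windows locations; $AllowedSources is a constructed placeholder for your VPN or RD Gateway address range.

```powershell
# Added example (not from the original page): audit and enforce RDP hardening on a Windows host.
$AllowedSources = @('10.0.0.0/24')   # constructed placeholder: your VPN / RD Gateway range

$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpHardeningState {
    $ws = Get-ItemProperty -Path $rdpTcp
    [pscustomobject]@{
        RdpEnabled     = ((Get-ItemProperty -Path $tsRoot).fDenyTSConnections -eq 0)
        NlaRequired    = ($ws.UserAuthentication -eq 1)
        TlsOnly        = ($ws.SecurityLayer -eq 2)        # 0 = legacy RDP, 1 = negotiate, 2 = TLS
        HighEncryption = ($ws.MinEncryptionLevel -ge 3)   # 3 = High (128-bit), 4 = FIPS
        # Any enabled Remote Desktop rule still scoped to 'Any' means 3389 is reachable from everywhere
        FirewallScoped = (@(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
                            Get-NetFirewallAddressFilter |
                            Where-Object { $_.RemoteAddress -contains 'Any' }).Count -eq 0)
    }
}

function Set-RdpHardening {
    # Require NLA: the client authenticates before a session is created
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    # Force TLS as the security layer and high encryption, disabling the legacy RDP
    # security layer that session interception without NLA depends on
    Set-ItemProperty -Path $rdpTcp -Name SecurityLayer -Value 2 -Type DWord
    Set-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel -Value 3 -Type DWord
    # Scope the built-in Remote Desktop firewall rules to the allowlist only
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -Enabled True -RemoteAddress $AllowedSources
    # Local account-lockout policy (on a domain member, set this through GPO instead)
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
}

$before = Get-RdpHardeningState
if (-not ($before.NlaRequired -and $before.TlsOnly -and $before.HighEncryption -and $before.FirewallScoped)) {
    Set-RdpHardening
}
Get-RdpHardeningState | Format-List
```

The settings apply to new connections; on a domain-joined host, Group Policy values take precedence over these local registry entries, so enforce them via GPO there.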
Frequently asked questions
Is port 3389 dangerous?
Exposed RDP is one of the most common ransomware entry vectors. It's safe only behind a VPN/gateway with NLA, MFA, and account lockout enabled.
Does RDP use TCP or UDP?
Both. RDP primarily uses TCP 3389; modern clients also use UDP 3389 for a faster transport, falling back to TCP.