Home » Wiki » What is Port 3389: Everything You Need to Know About It

What is Port 3389: Everything You Need to Know About It

by | Ports

Port 3389

What is Port 3389?

Port 3389 is a commonly used port for the Remote Desktop Protocol (RDP). RDP allows remote access connections to Windows machines, whether that’s a desktop or server OS. With RDP, users can access the full Windows graphical interface remotely as if they were sitting at the physical machine.

Some key facts about port 3389:

  • It provides the entry point for RDP communications, allowing incoming connections.
  • This port is listening by default on all recent Windows operating systems, including desktop OSes like Windows 10 and server platforms like Windows Server 2019.
  • The RDP service associated with port 3389 is named TermService in Windows and uses TCP as its transport protocol.

Key Takeaways

  • Port 3389 is used for Remote Desktop Protocol (RDP) connections that allow remote access to Windows machines.
  • Keeping port 3389 open exposes systems to attacks, so it should be closed by default and only selectively opened when needed for remote access.
  • Restricting access to port 3389 is crucial. Use firewall rules, VPNs, and RDP gateway servers to limit exposure. Enable other security measures, like Network-Level Authentication.
  • Monitor activity on port 3389 to detect brute-force attacks. Use tools like RDPGuard to block IPs after failed login attempts.
  • Replace RDP with more secure remote access alternatives when possible, like VNC over SSH or remote desktop gateways.

Why is Port 3389 Important?

Port 3389 is one of the most commonly used ports by Windows administrators and support teams.

Here’s why it’s so important:

  • Enables Remote Access: RDP is a critical remote access technology on Windows. It allows IT support teams to troubleshoot issues, manage servers, or use workstations remotely. Employees can also access work desktops and applications from home.
  • Built-in on Windows: Unlike many other ports and protocols, RDP over 3389 is built into Windows and enabled by default. No additional software is required.
  • Graphical Access: Unlike command-line remote access tools like SSH, RDP provides full graphical access for an experience identical to sitting at the physical computer. This is vital for remote desktops.
  • Central Management: Admins can centrally manage RDP connectivity, permissions, gateways, and other aspects through Group Policy and tools like Remote Desktop Services.
  • Common Target for Attackers: RDP’s ubiquity across Windows networks makes it a prime target for brute-force password attacks. A compromised RDP session gives full control.

How Port 3389 Works: Technical Details

On a technical level, how exactly do Remote Desktop and port 3389 function?

Here are some key details:

  • The Remote Desktop Protocol (RDP) defines the communication and data formats used for the connection. It’s an open standard defined in RFCs.
  • Microsoft’s implementation uses TCP port 3389 for RDP traffic by default. The TCP service is named TermService.
  • The client and server exchange authentication messages to establish identity and permissions. Encryption, such as TLS, secures connections.
  • RDP traffic can contain input events like keystrokes and mouse movements, as well as graphical output like bitmaps, allowing remote control.
  • RDP has extensions like clipboard sharing, drive mounting, USB redirection, and multimedia redirection for features like video playback.
  • Network-level authentication (NLA) is an extension that enhances security by performing an authentication pre-check before establishing a full RDP session.

When to Open Port 3389

Since port 3389 exposes systems to remote access, it should only be left open permanently if absolutely required. Here are scenarios when opening port 3389 makes sense:

  • Temporary Remote Access: Admins troubleshooting a specific issue may temporarily open port 3389 just for the duration of that remote session. It should be closed again afterward.
  • Remote Desktop Gateways: Gateway servers can accept RDP traffic and route connections to internal desktops. This consolidates exposure to the Internet on the gateway only.
  • Application Testing: Developers may need to test applications remotely through RDP during development. Port 3389 can be opened only during testing.
  • Supporting Remote Workers: For remote call center staff, port 3389 may need to be permanently open to allow access to desktops. Strict firewall rules should limit access.
  • Managed Service Providers: MSPs managing client networks often use RDP for remote administration. Port 3389 needs to be open for MSP IP addresses.

The decision on whether to open port 3389 depends on the specific use case. However, in general, it is best to limit exposure as much as possible.

How to Secure Port 3389

Because port 3389 exposes critical remote access capabilities, proper security is crucial.

Here are best practices to secure RDP connectivity:

  • Close Port 3389 By Default: Do not leave Port 3389 open permanently unless absolutely required. Use firewall rules to block access.
  • Limit Access: When the port needs to be open, restrict access using firewall rules only to specific source IP addresses or VPN subnets that need access.
  • Enable Network-Level Authentication (NLA). NLA enhances security by requiring authentication before establishing a full RDP session, breaking the pass-the-hash attack.
  • Use VPNs: Utilize VPNs so all RDP traffic is encapsulated within an encrypted tunnel instead of traversing the open Internet.
  • Deploy RDP Gateways: Gateway servers proxy the RDP connection, avoiding direct Internet exposure. Use firewall rules and VPNs for in-depth defense.
  • Monitor Activity: Review firewall and system logs to detect scan and brute force attack activity on port 3389. Tools like RDPGuard can also automatically block abusive IPs.
  • Strong Credentials: Enforce long, complex passwords and account lockouts to protect against brute-force credential attacks. Enable multi-factor authentication where possible.
  • Replace RDP Where Possible: For server management, shift toward more secure protocols like SSH, VNC over SSH tunnels, or remote desktop gateways instead of direct RDP.

Proper RDP security requires layers of protection to limit exposure and make brute force compromise difficult.

What are the Common Attacks on Port 3389

The ubiquitous nature of RDP makes it a magnet for attackers. Some common attacks against port 3389 include:

  • Brute-force attacks: Attackers continuously try compromised username and password lists over RDP connections, hoping to guess a valid credential and eventually gain remote access.
  • Password Spraying: A variant of brute force attacks that tries a single commonly used password across many different user accounts.
  • Pass-the-HashCaptures hashed Windows credentials and forwarded them to authenticate on the remote system without cracking them. NLA prevents this.
  • BlueKeep Exploit: A dangerous RCE vulnerability in older versions of Windows RDP could allow full remote code execution. It is critical to patch.
  • RDP Hijacking: Tricks RDP clients into connecting to attacker systems instead of legitimate servers, capturing all traffic and credentials.
  • Man-in-the-Middle: Intercepts the RDP connection, observing or even manipulating the session in transit between client and server.

Proper RDP hygiene is crucial to avoiding these common attacks. Limiting exposure, monitoring activity, and patching vulnerabilities help mitigate the risk.

Port 3389 Audit and Logging

Auditing and logging activity on port 3389 provides visibility into how it’s being used and can detect attacks. Here are best practices:

  • Windows Firewall Logging: Enable firewall logging and monitor events related to port 3389. This will show all connection attempts.
  • RDP Connection Logs: Windows records RDP connection and disconnection events. Review them regularly for failed logins or unknown users.
  • Syslog Aggregation: Use an SIEM or log aggregation tool to collect firewall and system logs in a central location for easy monitoring.
  • RDPGuard: Specialized tool to monitor RDP connections and block brute force attackers after a threshold of failed logins from a source IP.
  • File Integrity Monitoring: Detect changes made during an RDP session, especially critical system files that could indicate malware or hacking activity.
  • Network Traffic Analysis: Inspect packet captures for unusual spikes in RDP traffic that may signify brute force attacks.

Proper audit logging provides visibility into how port 3389 is utilized within the environment. The logs help identify brute force attacks and other malicious activity.

What are the Alternatives to Port 3389 RDP

For increased security, there are alternatives to direct RDP over port 3389 in some scenarios:

  • VNC over SSH: Use VNC for remote graphical access tunneled through an encrypted SSH connection. More secure than RDP.
  • Remote Browser Isolation: This option allows remote website access by streaming an isolated disposable browser session, not the full desktop.
  • Windows Remote Desktop Gateway: Gateway servers proxy RDP connections, avoiding direct Internet exposure. This is useful for remote workers.
  • SSH: Linux/Unix servers can be managed more securely using SSH command-line access instead of graphical RDP sessions.
  • Remote Desktop Manager: Special client software creates encrypted tunnels and proxies rather than direct RDP sessions.
  • Remote Access VPN: Use a VPN to encapsulate all RDP traffic into an encrypted tunnel with endpoint authentication.

While RDP is still helpful in many cases, these alternatives can enhance security: especially for external remote access across the open Internet.

Port 3389 on Public Cloud Providers

Major public cloud platforms like AWS, Azure, and Google Cloud all support RDP access over port 3389 to Windows virtual machines:

  • AWS: RDS port 3389 is open by default on Amazon EC2 Windows instances. Use security groups to control source IP access.
  • Azure: Add Network Security Group (NSG) rules to restrict RDP to allowed IPs only. Disable RDP access from the Internet fully where possible.
  • Google Cloud: Create firewall rules on Compute Engine instances to limit port 3389 access. VPN or Cloud IAP proxying enhances security.
  • Enable Monitoring: Cloud platforms provide activity logging. Monitor auth failures to detect brute force attacks.
  • Additional Authentication: Use mechanisms like SSH keys on top of RDP passwords to require 2 forms of authentication.

While convenient, port 3389 still poses risks to cloud providers. Proper security groups, firewall rules, and additional authentication help reduce the attack surface.

Final Thoughts

Port 3389 is a vital component of remote access on Windows environments via the Remote Desktop Protocol. While extremely useful, RDP also introduces security risks if port 3389 is exposed on the open Internet.

Following cybersecurity best practices is critical: implementing firewall rules and VPNs to restrict access, monitoring logs to detect attacks, enabling NLA and multi-factor authentication, and considering more secure alternatives like VNC or SSH where possible.

With proper precautions, organizations can safely utilize port 3389 and RDP for convenient remote desktop access while also keeping their systems secured against attacks.

Frequently Asked Questions (FAQ) Related to Port 3389

Is port 3389 open by default on Windows?

Yes, port 3389 is open by default on all modern Windows versions to allow Remote Desktop connections. The associated RDP services start automatically.

Should port 3389 be closed or open externally?

It’s recommended that port 3389 on perimeter firewalls be closed by default to block external access, only opening selectively and temporarily as needed for remote access.

What are the most common attacks against RDP port 3389?

Brute-force password guessing and password spraying attacks are very common. Attackers use compromised credentials to gain remote access.

How can you tell if someone is scanning or attacking port 3389?

Review firewall logs for repeated connection attempts, especially from a single source IP. Failed Windows login auditing events can also signal attacks.

What are the alternatives to direct RDP over port 3389?

More secure options include VNC over SSH tunnels, remote desktop gateways, VPN-encapsulated RDP, and remote browser isolation.

Is using port 3389 on cloud providers like AWS risky?

Potentially, yes, though risks can be reduced by restricting source IP access, enabling additional authentication, and monitoring activity.

What are the most important methods to secure RDP and port 3389 access?

Using firewall rules, VPNs, or proxies to limit exposure, monitoring activity logs, and enforcing strong credentials through policies.

Priya Mervana

Priya Mervana

Verified Badge Verified Web Security Experts

Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.