
Remote Desktop Protocol (RDP)

Severity: Critical
Likelihood: High

General Guidance

RDP should never be exposed directly to the internet without strong protections such as VPN access, multi-factor authentication (MFA), and strict access controls. Unsecured RDP is one of the most common entry points for ransomware attacks.

What is the concern?

RDP (typically on port 3389) allows remote administrative access to systems. When exposed externally, attackers can:

  • Perform brute-force or credential stuffing attacks

  • Exploit unpatched vulnerabilities (e.g., BlueKeep – CVE-2019-0708)

  • Gain full system control if credentials are compromised

Because RDP often provides direct administrative access, a successful compromise can quickly lead to lateral movement and full network takeover.

Business Impact

  • Full network compromise

  • Ransomware deployment

  • Loss of sensitive data

  • Business interruption and downtime

  • Financial and reputational damage

How can this risk be resolved?

  • Do not expose RDP directly to the internet

  • Require access via VPN or Zero Trust solutions

  • Enforce MFA on all remote access

  • Use strong passwords and account lockout policies

  • Restrict access by IP allowlisting

  • Regularly patch systems and disable unused RDP services

  • Monitor for failed login attempts and unusual access patterns

RDP services should be placed behind a firewall and/or VPN (or an equivalent control) so that no unwanted access or intrusion can later be used to reach the internal network, whether through connected devices or an accidental connection onto the core network. If these services are placed behind a firewall/VPN, only a narrow set of allow-listed services should be permitted to connect. Once this is done, KYND will mark the issue as resolved.

If this isn’t possible, you should take alternative steps to mitigate the issue.

This could include adding extra layers of authentication, such as MFA or PKI certificates, to ensure that only authenticated users and services are able to connect.

If none of these are possible, then these services should be entirely separated from the rest of your organization's infrastructure, ensuring that there is no way an attacker could traverse from an attack on this service to gain access to sensitive data, services, networks or infrastructure.

Real-World Example

  • SamSam Ransomware Attacks (2016–2018): Attackers gained access to networks by brute-forcing exposed RDP services. Once inside, they deployed ransomware manually across systems, leading to millions in damages for organizations including hospitals and municipalities.

  • Colonial Pipeline (2021): While primarily tied to compromised credentials, remote access pathways (like VPN/RDP-type exposure) enabled attackers to access internal systems, contributing to a major fuel supply disruption in the U.S.

Detection Opportunities

  • High volume of failed login attempts

  • Login attempts from foreign or unusual IP addresses

  • Access outside normal business hours
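The three detection opportunities above can be checked directly against Windows Security logon events. The following is an added example (not KYND's code) that scans constructed sample events for failed-logon bursts, a success following a burst, logons from sources outside an assumed VPN/jump-host allowlist, and logons outside assumed business hours; the allowlist, hours and threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample Windows Security log, one event per line:
# timestamp,EventID,LogonType,account,source IP
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2024-03-04 02:11:05,4625,10,administrator,203.0.113.7
2024-03-04 02:11:06,4625,10,admin,203.0.113.7
2024-03-04 02:11:07,4625,10,rdpuser,203.0.113.7
2024-03-04 02:11:08,4625,10,backup,203.0.113.7
2024-03-04 02:11:09,4625,10,sales,203.0.113.7
2024-03-04 02:11:10,4624,10,sales,203.0.113.7
2024-03-04 09:30:00,4624,10,jsmith,10.0.0.25
2024-03-04 09:31:00,4625,3,svc_backup,10.0.0.40
""".splitlines()

# Assumptions for this example: the VPN/jump host allowed to reach RDP, and business hours.
ALLOWLIST = frozenset({"10.0.0.25"})
BUSINESS_HOURS = range(8, 18)          # 08:00 to 17:59 local time
FAIL_THRESHOLD = 5                     # failures from one source before alerting

def analyse(lines, allowlist=ALLOWLIST, fail_threshold=FAIL_THRESHOLD):
    """Return (kind, source_ip, account) alerts for RDP logon events."""
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        ts, event_id, logon_type, account, src = line.split(",")
        if int(logon_type) != 10:        # only RDP (RemoteInteractive) sessions
            continue
        event_id = int(event_id)
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        if event_id == 4625:
            failures[src] += 1
            if failures[src] == fail_threshold:   # alert once per source
                alerts.append(("brute_force", src, "*"))
        elif event_id == 4624:
            if failures[src] >= fail_threshold:   # success right after a burst of failures
                alerts.append(("success_after_failures", src, account))
            if src not in allowlist:
                alerts.append(("unexpected_source", src, account))
            if hour not in BUSINESS_HOURS:
                alerts.append(("off_hours", src, account))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

In production the same logic would read event ID 4625/4624 records from the Security log or a SIEM rather than an inline string.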