Remote Desktop Protocol allows users to connect to Windows systems over a network. It is widely used for remote administration and remote working, and it is one of the most consistently exploited services in external network attacks. Despite years of high-profile incidents traced to exposed RDP, organisations continue to expose it to the internet with inadequate controls.
The risks associated with RDP are well-understood. They have been documented repeatedly in threat intelligence reports, incident post-mortems, and security guidance from the NCSC and other bodies. Yet the service continues to appear on external attack surfaces in penetration tests, often on systems that IT teams believed were protected.
How Attackers Exploit RDP
Brute force and credential stuffing attacks against RDP are automated and constant. Any host with port 3389 accessible from the internet will receive login attempts within minutes of exposure. Attackers use credential lists from previous data breaches, attempting combinations at scale until they find a valid pair.
BlueKeep and subsequent RDP vulnerabilities demonstrated that the protocol itself can be exploited without valid credentials. Though many systems are now patched against these specific CVEs, the pattern of delayed patching on RDP-exposed systems means that newly published vulnerabilities remain exploitable for longer than they should.
Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd
“RDP is one of the most consistently exploited services we encounter in external network assessments. Organisations expose it directly to the internet, use weak credentials, and disable NLA for compatibility reasons. Each of those decisions adds risk. Combined, they create an environment where initial access is straightforward.”

The Ransomware Connection
Ransomware groups rely on compromised RDP as one of their primary initial access methods. Initial access brokers sell RDP credentials to ransomware operators specifically. Once inside via RDP, attackers have interactive access to the system, can move laterally through the network, and can operate with the same capabilities as the user whose credentials they obtained.
External network penetration testing identifies exposed RDP services and attempts to access them using default credentials, weak passwords, and credential stuffing techniques. The findings consistently show that exposed RDP with weak controls leads to access in a high proportion of attempts.
Reducing the RDP Attack Surface
The most effective control is removing RDP from internet exposure entirely. Where remote administration is required, routing it through a VPN or a privileged access workstation architecture limits the attack surface to authenticated VPN users rather than the entire internet.
Where RDP exposure cannot be eliminated immediately, Network Level Authentication (NLA) should be enforced. NLA requires authentication before a full RDP session is established, limiting the information exposed during failed attempts and removing some exploitation paths.
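The following PowerShell script is an added example, not part of the original article: it audits the three controls discussed above on a Windows host (whether RDP is enabled at all, whether NLA is enforced, and whether the firewall exposes the listener to any remote address) and can optionally apply the NLA and TLS settings. The -Enforce switch is defined here for illustration; the registry paths and value names are the standard ones used by the Remote Desktop service.

```powershell
# Audit local RDP hardening state; run in an elevated PowerShell session.
# -Enforce (hypothetical switch defined in this script) applies the NLA/TLS fixes.
param([switch]$Enforce)

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsRoot\WinStations\RDP-Tcp"

$ts  = Get-ItemProperty -Path $tsRoot
$tcp = Get-ItemProperty -Path $rdpTcp
$findings = @()

# fDenyTSConnections = 1 means RDP is disabled entirely (the preferred control).
if ($ts.fDenyTSConnections -ne 1) {
    $findings += 'RDP is enabled; confirm it is reachable only via VPN/PAW, never from the internet.'
}

# UserAuthentication = 1 enforces Network Level Authentication (NLA).
if ($tcp.UserAuthentication -ne 1) {
    $findings += 'NLA is not enforced: unauthenticated clients can reach full RDP session setup.'
    if ($Enforce) { Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord }
}

# SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS required.
if ($tcp.SecurityLayer -ne 2) {
    $findings += "SecurityLayer is $($tcp.SecurityLayer); TLS (value 2) should be required."
    if ($Enforce) { Set-ItemProperty -Path $rdpTcp -Name SecurityLayer -Value 2 -Type DWord }
}

# Enabled inbound Remote Desktop firewall rules scoped to 'Any' remote address
# are the local symptom of the internet exposure the article warns about.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
foreach ($rule in $rules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $findings += "Firewall rule '$($rule.DisplayName)' allows RDP from any remote address."
    }
}

if ($findings.Count -eq 0) { 'No RDP exposure findings.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Registry changes to RDP-Tcp take effect for new sessions after the Remote Desktop Services service (TermService) restarts, and the firewall finding should be resolved by restricting the rule scope or the upstream network boundary rather than edited here.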
