What is RDP Security?
RDP security addresses the protection of Windows remote desktop access from credential attacks, unauthenticated exploitation, and ransomware initial access. Learn why exposed RDP remains one of the most common ransomware initial access vectors and how to secure it.
How RDP Became a Primary Attack Vector
Remote Desktop Protocol, Microsoft's proprietary protocol for graphical remote access to Windows systems, became a primary ransomware delivery vector for a straightforward reason: it provides direct, authenticated access to Windows systems from the internet, and enormous numbers of organizations left it exposed on the default port (3389) with weak or default credentials. Scanning for exposed RDP and attempting credential attacks against it became a standard first step in ransomware affiliate playbooks. The Shodan internet scanning service consistently reveals millions of exposed RDP instances at any given time.
RDP Vulnerabilities
BlueKeep (CVE-2019-0708) was a critical pre-authentication remote code execution vulnerability in the RDP service affecting Windows 7, Windows Server 2008 and 2008 R2, and earlier versions; Microsoft considered it severe enough to ship patches for the unsupported Windows XP and Server 2003. NSA and CISA issued advisories describing it as wormable, warning that it could spread across unpatched networks without any user interaction, much as WannaCry had through SMB. DejaBlue (CVE-2019-1181 and CVE-2019-1182) extended similar pre-authentication flaws to newer versions, including Windows 10 and Server 2019. Neither required user interaction to exploit. Patching is the fix for both; enabling Network Level Authentication is a partial mitigation because an attacker must then present valid credentials before reaching the vulnerable code paths.
Securing RDP
The most impactful RDP security control is removing direct internet exposure. RDP should never be accessible directly from the internet. Organizations that require remote administration access to Windows systems should route that access through a VPN or Zero Trust Network Access solution that enforces MFA, so authentication happens before the RDP service is even reachable. This single change removes the most common RDP attack vector: credential spraying and brute force against internet-exposed RDP. Moving the service off port 3389 is not a substitute; internet scanners fingerprint the protocol handshake, not the port number.
Where RDP exposure cannot be immediately eliminated, compensating controls include: Network Level Authentication, which requires credentials before a session is established and also blunts pre-authentication bugs such as BlueKeep; account lockout policies limiting failed authentication attempts; IP allowlisting at the host firewall or perimeter, restricting access to known administrative source addresses; MFA on the accounts permitted to log on remotely; and monitoring of Windows Security log events 4625 (failed logon) and 4624 (successful logon) for bursts of failures from one source, failures spread across many accounts, and successful remote logons from sources outside the allowlist.
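The controls above, as an added PowerShell example that is not from the original page or from Cloudskope: one function applies NLA, TLS, firewall scoping and local lockout on a Windows Server 2016 or later host (NetSecurity module present, run as administrator), and a second reviews logon events for spraying. The admin source addresses and the sample events are constructed placeholders; on a real host the events come from Get-WinEvent as shown in the comments.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page. Assumes Windows Server 2016+ with the
# NetSecurity module. $AdminSources and $SampleEvents are constructed placeholders.

$AdminSources = @('203.0.113.10', '198.51.100.0/24')   # assumed jump-host / admin VPN ranges

function Set-RdpHardening {
    param([string[]]$AllowedSources)

    $rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    # Network Level Authentication: the client authenticates over CredSSP before any
    # session is created, so unauthenticated clients never reach session-setup code.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    # Require TLS for the transport instead of legacy RDP security (2 = SSL/TLS).
    Set-ItemProperty -Path $rdpTcp -Name SecurityLayer -Value 2 -Type DWord

    # Scope the built-in Remote Desktop firewall rules to known admin sources only.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -Enabled True -RemoteAddress $AllowedSources

    # Local lockout policy: 5 failures, 15 minute lockout, 15 minute observation window.
    # Domain-joined hosts take this from Group Policy instead.
    net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 | Out-Null
}

function ConvertFrom-LogonEvent {
    # Flatten a Security-log 4624/4625 record into the fields the triage needs.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $field = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $Record.TimeCreated
        Id        = $Record.Id
        LogonType = [int]$field.LogonType
        User      = $field.TargetUserName
        SourceIp  = $field.IpAddress
    }
}

function Find-RdpSpray {
    param([object[]]$Events, [string[]]$AllowedSources, [int]$FailureThreshold = 10)

    # With NLA on, a failed RDP attempt is logged as a type 3 (network) failure from the
    # CredSSP exchange; only a successful session appears as type 10 (RemoteInteractive).
    $rdp = $Events | Where-Object { $_.LogonType -in 3, 10 }
    $rdp | Group-Object SourceIp | ForEach-Object {
        $failures  = @($_.Group | Where-Object Id -eq 4625)
        $successes = @($_.Group | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 })
        $accounts  = @($failures.User | Select-Object -Unique)
        $known     = $AllowedSources -contains $_.Name
        # Flag: a burst of failures, failures spread across many accounts (spraying),
        # a success from a source outside the allowlist, or a success preceded by failures.
        if ($failures.Count -ge $FailureThreshold -or $accounts.Count -ge 5 -or
            ($successes.Count -gt 0 -and (-not $known -or $failures.Count -gt 0))) {
            [pscustomobject]@{
                SourceIp    = $_.Name
                Failures    = $failures.Count
                Accounts    = $accounts.Count
                Successes   = $successes.Count
                Allowlisted = $known
            }
        }
    }
}

# Constructed sample input standing in for ConvertFrom-LogonEvent output: one source
# sprays twelve accounts and then lands a session; an allowlisted admin logs on normally.
$SampleEvents = @(
    foreach ($i in 1..12) {
        [pscustomobject]@{ Time = (Get-Date).AddMinutes(-$i); Id = 4625; LogonType = 3
                           User = "user$i"; SourceIp = '192.0.2.77' }
    }
    [pscustomobject]@{ Time = Get-Date; Id = 4624; LogonType = 10; User = 'user7';  SourceIp = '192.0.2.77' }
    [pscustomobject]@{ Time = Get-Date; Id = 4624; LogonType = 10; User = 'jsmith'; SourceIp = '203.0.113.10' }
)
Find-RdpSpray -Events $SampleEvents -AllowedSources $AdminSources | Format-Table

# Live use, last 24 hours of the Security log:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=(Get-Date).AddHours(-24)} |
#     ForEach-Object { ConvertFrom-LogonEvent $_ } |
#     ForEach-Object -Begin { $all = @() } -Process { $all += $_ } -End { Find-RdpSpray $all $AdminSources }
```

Only the 192.0.2.77 source is reported: twelve failures across twelve accounts followed by a type 10 success, which is the brute-force-then-landing pattern the page describes. The allowlisted admin logon is not flagged. Set-RdpHardening is defined but not invoked, so the script can be run for triage without changing host configuration; call it explicitly with the allowlist to apply the controls.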
RDP in Ransomware Operations
RDP remains among the top three initial access vectors in ransomware incidents analyzed by Cloudskope. The consistency of this finding reflects the persistence of exposed RDP in mid-market environments despite years of security guidance advising against it. The combination of technical ease — finding exposed RDP requires only basic internet scanning; attacking it requires only credential lists and patience — and high value — successful RDP access provides immediate interactive access to Windows systems — makes it a perennial favorite for ransomware affiliates seeking initial access.
Real-World Example: Change Healthcare — Compromised Citrix (RDP-Equivalent) Credentials
The February 2024 Change Healthcare breach — the largest healthcare data breach in US history — began with compromised credentials for a Citrix remote access portal, the enterprise equivalent of direct RDP exposure. The portal lacked MFA. The attacker used purchased or phished credentials to authenticate directly to Change Healthcare's production environment through the remote access portal. The breach demonstrated that remote access services without MFA enforcement represent equivalent risk regardless of whether they use RDP or a commercial remote access platform.
Figure: estimated annual value of exposed RDP credentials traded on criminal markets, reflecting the commercial ecosystem that has developed around exploiting internet-exposed RDP as a ransomware initial access vector.