When you think about remote access, one number often comes to mind for IT professionals: 3389. This is the default port for the RDP protocol, specifically TCP 3389. It acts as the universal digital doorway, letting users connect to and take control of another computer across a network.
Think of your company's network as a massive, secure office building. To get inside from anywhere in the world, you need a specific entrance and the right key. In this scenario, the Remote Desktop Protocol (RDP) is the high-tech access system, and the RDP protocol port is the well-known main entrance—door number 3389.
This port is a designated endpoint for communication. It's how RDP clients and servers locate each other to establish a connection. When you initiate a remote desktop session, your machine sends a request to the target computer's IP address, targeting port 3389. If that port is open and the RDP service is listening, the two machines perform a handshake to set up a secure, encrypted channel for your session.
For a quick overview, here are the essential details.
| Attribute | Description |
|---|---|
| Port Number | 3389 |
| Protocol | TCP (Transmission Control Protocol) |
| Service Name | ms-wbt-server (Microsoft Windows Based Terminal Server) |
| IANA Status | Officially Assigned |
| Primary Use | Remote Desktop Protocol (RDP) communications |
| Security Risk | High (if exposed to the public internet) |
This summary shows why port 3389 is critical and why it demands careful attention.
So, why 3389? The Internet Assigned Numbers Authority (IANA), the organisation that coordinates these things, officially assigns port 3389 to RDP. This standardisation is great for simplicity; it ensures that different systems can communicate with each other without confusion. System administrators know exactly which port to configure on firewalls, and developers can build RDP clients that just work.
But this convenience has a sharp edge. Because 3389 is the universally known RDP port, it’s a massive target for cybercriminals. Attackers and automated bots relentlessly scan the internet for open port 3389, looking for vulnerable systems they can easily exploit.
The default nature of port 3389 makes it low-hanging fruit for attackers. Leaving this port open to the public internet without extra security layers is one of the most common—and most avoidable—security risks an organisation can take.
RDP is a workhorse, supporting countless remote work, education, and administrative tasks across the globe. In highly connected digital economies, RDP has become a cornerstone of remote business operations and virtual learning. Singapore's top-tier internet infrastructure makes RDP incredibly effective, giving students and professionals seamless access to the resources they need from anywhere. This has been absolutely vital for maintaining productivity and business continuity. You can dig deeper into how RDP facilitates global connectivity and business from Singaporean hubs.
Understanding how the default RDP port works is the first step toward securing it. It enables powerful remote capabilities, but its default status means you need a proactive security posture to keep threats at bay.
Leaving the default RDP port open to the internet is like leaving your office front door wide open overnight with a sign that says, "Come on in." While RDP is a fantastic tool for remote administration, an exposed port 3389 is a glowing beacon for cybercriminals. Attackers run automated scanners 24/7, constantly probing the internet for this exact open door.
Make no mistake, this oversight creates a direct, unguarded pathway straight into your network. It's not a question of if attackers will find it, but when. Once they do, that exposed port becomes the prime target for a relentless storm of automated attacks designed to smash through your defences.
The most common attack against an open RDP port (3389) is the brute-force attack. Think of an automated robot trying millions of different key combinations on your front door lock every single second. That's exactly what a brute-force attack does, but with usernames and passwords.
These attacks are brutally simple but shockingly effective, especially against weak or common login details. Attackers deploy massive lists of predictable passwords (think "Password123" or "admin") and dictionary words, hammering the RDP login screen until a match is found.
Just as dangerous is credential stuffing. With this method, attackers use stolen usernames and passwords from other massive data breaches to attempt to log in to your RDP. Since so many people reuse passwords across different services, this technique often gives them a direct ticket inside.
A single successful login from a brute-force or credential stuffing attack is all an intruder needs. This initial foothold is the launchpad for much more destructive activities, turning a simple remote access port into the epicentre of a major security breach.
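The brute-force and credential-stuffing patterns described above leave a very recognisable trail in the Windows Security log: bursts of event 4625 ("An account failed to log on") from one source address. The following PowerShell is an added example, not part of the original article, showing how a defender can pull those events and group them by source to separate a classic brute-force run (one username, many attempts) from a spray or stuffing run (many usernames). The sample records at the bottom are constructed (documentation IP ranges), and the alert threshold of 20 failures is an assumed tuning value.

```powershell
# Added example (not from the original article): flag brute-force and credential-stuffing
# patterns in Windows Security events, grouped by source IP.
# The sample records below are constructed; Get-RdpLogonFailures shows the real query.

function Get-RdpLogonFailures {
    param([int]$Hours = 1)
    # Event 4625 = "An account failed to log on". With NLA enabled, failed RDP attempts are
    # logged with LogonType 3 (network); without NLA they appear as LogonType 10.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $d['TargetUserName']
                SourceIp  = $d['IpAddress']
                LogonType = [int]$d['LogonType']
            }
        } | Where-Object { $_.LogonType -in 3, 10 }
}

function Find-BruteForceSources {
    param(
        [Parameter(Mandatory)] [object[]]$Failures,
        [int]$Threshold = 20   # failures per source IP before we alert (assumed tuning value)
    )
    $Failures | Group-Object SourceIp | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        $users = @($_.Group | Select-Object -ExpandProperty User -Unique)
        [pscustomobject]@{
            SourceIp      = $_.Name
            Attempts      = $_.Count
            DistinctUsers = $users.Count
            # Many attempts spread over many usernames points to password spraying or
            # credential stuffing; many attempts against one username is classic brute force.
            Pattern       = if ($users.Count -gt 5) { 'spray/stuffing' } else { 'brute-force' }
            FirstSeen     = ($_.Group | Measure-Object Time -Minimum).Minimum
            LastSeen      = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    }
}

# Constructed sample data standing in for real 4625 events (IPs are documentation ranges).
$now    = Get-Date
$sample = @()
1..40 | ForEach-Object {
    $sample += [pscustomobject]@{ Time = $now.AddSeconds(-$_); User = 'administrator'; SourceIp = '203.0.113.10'; LogonType = 3 }
}
1..25 | ForEach-Object {
    $sample += [pscustomobject]@{ Time = $now.AddSeconds(-$_); User = "user$_"; SourceIp = '198.51.100.7'; LogonType = 3 }
}
# One mistyped password from an internal workstation: below threshold, not an alert
$sample += [pscustomobject]@{ Time = $now; User = 'alice'; SourceIp = '10.0.0.5'; LogonType = 10 }

Find-BruteForceSources -Failures $sample | Format-Table -AutoSize
# In production, feed it live events instead:
# Find-BruteForceSources -Failures (Get-RdpLogonFailures -Hours 1)
```

With the constructed data this reports 203.0.113.10 as a brute-force source (40 attempts, 1 user) and 198.51.100.7 as spray/stuffing (25 attempts, 25 users), while the single internal failure is ignored. On a real host, the same grouping run hourly against `Get-RdpLogonFailures` gives you a simple detection that does not depend on any third-party tooling; the natural response is to block the offending source at the firewall and confirm account lockout is in force.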
This isn't just a hypothetical problem; it's a global issue that has exploded in recent years. While the Remote Desktop Protocol is vital in highly connected regions like Singapore, this dependency also cranks up the risk. At the start of 2020, there were about three million RDP ports exposed to the internet worldwide. Just a few months later, that number shot up to over four and a half million. While specific numbers for Singapore aren't public, the region's focus on advanced encryption is a critical defence. You can learn more about how cybercriminals are actively exploiting RDP vulnerabilities to stay ahead of their tactics.
Once an attacker gets in through a compromised RDP port, the real nightmare begins. This initial breach is almost never the end goal; it's just the key to the front door, allowing them to carry out far more malicious campaigns.
Here’s what typically happens next:
A single exposed RDP protocol port can completely undermine your organisation's security posture. What starts as a convenient tool for remote work can quickly become the weak link that leads to catastrophic financial loss, reputational damage, and operational chaos. The convenience of RDP is directly proportional to the risk of disaster if it isn't properly secured from the start.
Knowing the risks of an exposed RDP protocol port is one thing; building a solid defence is another entirely. The best shield you have against the constant barrage of automated attacks is a layered security strategy. It’s not about finding a single perfect solution, but about creating multiple barriers that work together to protect your remote access points.
Your first and most effective line of defence should be Network Level Authentication (NLA). Think of NLA as a bouncer checking IDs at the door before anyone even gets a glimpse of the login screen.
This pre-authentication step is a game-changer. It forces any connecting user to prove their identity to the network before a full RDP session can even start. By doing so, NLA mitigates many common brute-force and denial-of-service attacks. Attackers can't just relentlessly hammer the login prompt, which saves your system a ton of resources.
With NLA standing guard, the next layer is ensuring the credentials themselves are rock-solid. Even the most secure system can be brought down by a weak or stolen password.
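The two layers just described, NLA on the listener and credentials that can stand up to guessing, can both be enforced and audited from PowerShell. This is an added example, not the article's own procedure: it requires NLA and TLS on the RDP-Tcp listener, turns on account lockout so online guessing stalls, and then reports the current state together with the membership of the Remote Desktop Users group. The lockout numbers (10 attempts, 30 minutes) are assumed starting values; in a domain, set them through Group Policy rather than `net accounts`.

```powershell
# Added example (not from the original article): enforce NLA and TLS on the RDP listener,
# enable account lockout, and audit the result. Run in an elevated PowerShell session.

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Set-RdpAuthHardening {
    # UserAuthentication = 1 -> Network Level Authentication required before a session exists
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
    # SecurityLayer = 2 -> TLS only (0 = legacy RDP security layer, 1 = negotiate)
    Set-ItemProperty -Path $rdpKey -Name SecurityLayer -Value 2 -Type DWord
    # Account lockout blunts online password guessing: 10 bad passwords -> 30-minute lockout
    # (assumed starting values; in a domain, configure these via Group Policy instead)
    net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30 | Out-Null
}

function Get-RdpAuthStatus {
    $p = Get-ItemProperty -Path $rdpKey
    $lockoutLine = (net accounts | Select-String 'Lockout threshold').ToString()
    [pscustomobject]@{
        NlaRequired      = ($p.UserAuthentication -eq 1)
        TlsOnly          = ($p.SecurityLayer -eq 2)
        LockoutThreshold = $lockoutLine.Split(':')[1].Trim()
        # Who may log on over RDP at all: keep this a short, reviewed list (least privilege)
        RdpUsers         = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
                             Select-Object -ExpandProperty Name)
    }
}

Set-RdpAuthHardening
Get-RdpAuthStatus | Format-List
```

The audit function is the part worth keeping around: run it across a fleet (for example via `Invoke-Command`) and any host reporting `NlaRequired = False`, a lockout threshold of `Never`, or an unexpectedly long `RdpUsers` list is one to fix before it is reachable from anywhere outside a management network.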
Global trends show just how critical these measures are. While specific data for Singapore is limited, a 2023 report revealed RDP was the initial entry point in a shocking 90% of attacks handled by Sophos' incident response team. This highlights the urgent need to lock down RDP, especially in highly connected hubs like ours. You can discover more insights about how RDP is abused in cyberattacks.
Once you’ve secured who can log in, the next question is what they can do once they're inside. This is where the principle of least privilege (PoLP) becomes essential. It’s a simple but powerful idea: give users the absolute minimum level of access—or permissions—they need to do their jobs.
Imagine giving every employee a master key that opens every door in your office. Convenient, maybe, but incredibly risky. Instead, you give each person only the keys for the rooms they need to enter. PoLP applies that exact same logic to your IT environment.
An admin who only needs to manage one specific server shouldn't have domain-wide admin rights. By tightly restricting access, you dramatically shrink the potential damage an attacker can cause if they compromise a user's account. This approach mitigates the threat, preventing an intruder from moving laterally across your network to reach more valuable targets. Getting this right is a cornerstone of any mature security posture. To get started, check out our guide on 11 essential privileged access management best practices.
By combining NLA, strong MFA-backed authentication, and a strict adherence to the principle of least privilege, you create a formidable defence. These layers work in concert to shrink your RDP attack surface, turning what was once an easy target into a hardened, resilient access point. This layered approach is the bedrock of a modern, defensible security strategy for any organisation that relies on RDP.
Moving your RDP protocol port away from the default 3389 is a classic security best practice. Think of it like this: instead of leaving your front door where everyone expects it to be, you're boarding it up and creating a less obvious side entrance.
Sure, a determined intruder with a floor plan might still find their way in, but you'll avoid the drive-by, opportunistic scanners that only check the main entrance. This tactic, known as security through obscurity, won't stop a targeted attack, but it’s remarkably effective at deflecting low-effort scans and reducing the constant noise from brute-force attempts.
By simply making your RDP service harder to find, you immediately become a much less attractive target.
The RDP listening port is set deep within the Windows Registry, the central nervous system for all system settings. Mucking around in here requires a steady hand, as one wrong move can cause all sorts of system instability.
Critical Warning: Before you touch a single thing in the Windows Registry, always create a full backup. An incorrect change can stop services from starting or even prevent Windows from booting at all. Proceed with caution.
The process involves locating a specific registry key and changing the value associated with the RDP port.

1. Press Windows key + R, type `regedit`, and hit Enter. You'll need administrator privileges to make any changes.
2. Navigate to `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp`.
3. Find the `PortNumber` value and double-click it to open the editor.
4. The default value is 3389. Change this to your new port number (something like 3391 or another number above 1024 is a good bet) and click OK.

Once you save this, the new port number is locked in. But the system won't start using it until you either restart the Remote Desktop Services or just reboot the whole machine.
Changing the port in the registry is only half the job. This is a classic rookie mistake: if you stop here, your firewall will keep blocking the new port while leaving the old one wide open. You've effectively locked yourself out while leaving the security hole unplugged.
You absolutely must configure your firewall to allow incoming traffic on your new RDP port. Just as importantly, you need to block all traffic on the legacy port 3389.
This process flow visualises the core layers of RDP security, starting with Network Level Authentication (NLA) and reinforced by strong passwords and Multi-Factor Authentication (MFA).
These foundational steps must be in place before you expose any port, whether the default or a custom one.
To get your firewall in line, you'll need to create a new inbound rule.
After you've updated both the registry and the firewall, the last step is to make the changes stick. You can do this by restarting the "Remote Desktop Services" service, but honestly, rebooting the entire machine is often the most reliable way to ensure everything reloads correctly.
Now, to connect to the machine using the new port, you have to specify it in your RDP client. The format is simple: just add a colon and the port number after the computer name or IP address.
For example: `YourComputerName:3391`
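The registry change, the firewall rules, the service restart and the client-side connection string described in the steps above can all be done in one elevated PowerShell run, which removes the "changed the registry but forgot the firewall" window entirely. The script below is an added example and not the article's own procedure; port 3391, the `10.0.0.0/8` management range and the `server01.example.internal` hostname are assumed values. It backs up the key first, as the warning above requires, and it only allows the new port from the management range rather than from anywhere, which is the one improvement a practitioner would want over a plain port swap.

```powershell
# Added example (not from the original article): move the RDP listener to a custom port and
# fix the firewall in the same run, so the legacy and new ports are never both open.
# Run elevated from a console or out-of-band session, not over the RDP session you are changing.

$NewPort = 3391            # assumed new port
$MgmtNet = '10.0.0.0/8'    # assumed management network allowed to reach RDP
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Back up the key first (equivalent of File > Export in regedit)
New-Item -ItemType Directory -Path 'C:\RegBackup' -Force | Out-Null
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'C:\RegBackup\RDP-Tcp.reg' /y | Out-Null

# 2. Change PortNumber. It is a DWORD; regedit shows it in hexadecimal, where 3389 reads d3d,
#    so pick "Decimal" in the editor if you do this by hand.
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# 3. Allow the new port, TCP and UDP (RDP uses both), only from the management range
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "RDP custom $proto $NewPort" -Direction Inbound -Protocol $proto `
        -LocalPort $NewPort -RemoteAddress $MgmtNet -Action Allow -Profile Domain, Private | Out-Null
}

# 4. Close the legacy port: disable the built-in "Remote Desktop" rules and add explicit blocks
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "Block legacy RDP $proto 3389" -Direction Inbound -Protocol $proto `
        -LocalPort 3389 -Action Block | Out-Null
}

# 5. Make it stick: restart Remote Desktop Services (a reboot works too)
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 5

# 6. Verify the listener actually moved before you disconnect
$newTcp = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
$newUdp = Get-NetUDPEndpoint -LocalPort $NewPort -ErrorAction SilentlyContinue
$oldTcp = Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue
"TCP $NewPort listening: $([bool]$newTcp); UDP $NewPort bound: $([bool]$newUdp); TCP 3389 still listening: $([bool]$oldTcp)"

# 7. From the client side (hostname is assumed): test reachability, then connect with the port suffix
#    Test-NetConnection -ComputerName server01.example.internal -Port $NewPort
#    mstsc /v:server01.example.internal:3391
```

If step 6 still shows 3389 listening, the service did not pick up the new value (usually because the edit was made with the wrong base or to the wrong key); restore from `C:\RegBackup\RDP-Tcp.reg` with `reg import` rather than guessing. Note that `-RemoteAddress` scoping is what does the real work here: an allow rule open to any source simply moves the same exposure to a different number.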
Changing the default RDP port is a straightforward yet effective layer in a broader security strategy. It significantly reduces your visibility to automated bots and is a crucial first step in hardening any remote access setup.
While changing the default RDP protocol port can throw automated scanners off the scent, it's really just security through obscurity. Any port directly facing the public internet, whether it’s 3389 or 54321, is a gaping hole in your defences. A determined attacker will find your new port with a simple port scan. It's only a matter of time.
Real, enterprise-grade security means ditching this reactive mindset. The core principle is simple: never expose RDP directly to the internet. Instead, tuck it securely behind a hardened perimeter that requires users to prove their identity before they can even access the RDP service. This one change flips the security dynamic from defence to complete control.
One of the most common ways to reduce RDP exposure is to place it behind a Virtual Private Network (VPN). This approach removes direct internet exposure by requiring users to authenticate to a VPN gateway before accessing internal systems.
While this significantly improves security compared to exposing port 3389 publicly, it still operates on a network-level trust model. Once connected, users often gain broad access to the internal network segment, increasing the risk of lateral movement if credentials are compromised.
Think of it like a secure, private hallway into your office building. A user must first authenticate with the VPN gateway using their credentials. Only once they're verified and inside this protected tunnel can they even see the internal servers running RDP. From the outside world, your RDP port is completely invisible, shielded from scans and brute-force attacks.
This setup is a huge leap forward in security.
VPNs reduce exposure, but they do not eliminate the architectural risk of network-based access. If an attacker successfully authenticates, they may still explore other internal systems beyond the intended RDP server.
However, traditional VPNs aren't without their headaches. They often come with clunky client software and can grant users overly broad access to the entire network once they're connected.
A more modern and elegant solution is the RDP Gateway (RD Gateway). This is a role service in Windows Server that acts as a centralised, secure checkpoint for all incoming RDP connections. It's the only part of the setup that needs to face the internet, typically on the standard HTTPS port 443, which blends in with normal web traffic and doesn't trigger firewall alarms.
An RDP Gateway works like a highly intelligent security concierge. Instead of connecting directly to an internal server, remote users first connect to the gateway. The gateway authenticates them and securely forwards their RDP traffic to the appropriate internal host.
An RDP Gateway enforces security policies at the perimeter, ensuring only authorised and authenticated users can access internal resources. This proxy-based approach provides granular control and enhanced monitoring capabilities that are essential for modern security architectures.
This model offers several key advantages over direct exposure or even certain VPN configurations.
By deploying either a VPN or an RDP Gateway, you shift from simply hiding your RDP port to securing it behind an authenticated and authorised perimeter. For organisations looking to take the next step, this approach aligns perfectly with the principles of Zero Trust. To see this in action, learn more about how ZTNA ensures secure remote access by treating every single connection request as untrusted until it's been thoroughly verified.
However, RDP Gateways still rely on perimeter-based access models. Although they centralize authentication and monitoring, they continue to provide network-based connectivity once access is granted.
This means that the underlying RDP service still exists within the network, and broader visibility may remain possible depending on internal segmentation.
Even the best strategies for hardening the RDP protocol port are, at their core, reactive. Changing the port, funnelling traffic through a VPN, or even deploying a full-blown RDP Gateway—these are all ways of building taller, thicker walls around a fundamentally outdated architecture. The problem is, today’s threats operate on the assumption that your walls can and will be breached.
This is where a completely different security philosophy comes in: Zero Trust. It’s a model built on one simple but profound principle: never trust, always verify. It throws out the old idea of a "trusted" internal network and an "untrusted" Internet. Instead, every single request to access a resource is treated with suspicion, no matter where it's coming from.
Traditional security, including how we’ve always used RDP, is obsessed with granting network access. Once a user gets past the initial checkpoint, they can often see and explore a wide range of resources on that network segment. This creates a huge attack surface. If a threat actor compromises just one user's account, they have a launchpad to move laterally across the network and hunt for more valuable targets.
Zero Trust flips this entire model on its head. Instead of giving a user the keys to an entire network segment, it surgically connects a verified identity directly to the specific application or resource they need.
In a Zero Trust framework, the network itself becomes almost irrelevant. Access is granted based on a strict combination of user identity, device health, location, and other real-time signals, essentially creating a tiny, individual perimeter around every single resource.
This means a user has access only to the server they need, for the exact time they need it, and nothing else. If their account gets compromised, the attacker's blast radius is tiny. They can't scan the network or discover other services because, from their compromised viewpoint, nothing else exists.
This modern approach is enabled by solutions such as Zero Trust Network Access (ZTNA). ZTNA platforms act as an intelligent broker, sitting between your users and the applications they need to do their jobs. A user no longer connects directly to a server or its RDP port.
Instead, the workflow looks something like this:
This isn't just a minor improvement; it's a game-changer. It delivers far superior security by completely eliminating exposed ports from the internet. For your team, the experience is often smoother and faster, as they don't have to fiddle with clunky VPN clients. And for administrators, it provides granular, pinpoint control over who can access what, from where, and when.
Moving beyond simply securing the RDP port and embracing a Zero Trust mindset isn't just an option—it's the definitive future of secure remote access.
For organizations handling privileged administrative access, Zero Trust must go beyond simple application connectivity. Privileged Remote Access (RPAM) extends Zero Trust principles specifically to high-risk administrative sessions, ensuring elevated access is time-bound, policy-driven, and continuously monitored.
For organizations managing privileged accounts, this distinction is critical. Remote desktop access often involves administrative credentials, service accounts, or third-party maintenance access. In these scenarios, eliminating exposed ports is only the first step.
A modern RPAM architecture ensures privileged sessions are controlled, monitored, and fully auditable, reducing both external attack risk and internal misuse.
Rather than focusing solely on protecting port 3389, modern Zero Trust platforms eliminate the need to expose it.
In a Zero Trust Privileged Remote Access (RPAM) model:
This dramatically reduces the attack surface compared to traditional VPN or gateway-based approaches.
Let's dig into some of the most common questions we hear about the RDP protocol port. Getting clear, straightforward answers here can help you take a hard look at your own security posture and make smarter decisions about your remote access setup.
Absolutely not: changing the RDP port from the default 3389 is a decent first step, but it's far from a complete security solution.
This tactic, known as "security through obscurity," is essentially about hiding your RDP service from the most basic automated scans that look for open port 3389. The problem is, a determined attacker won't be fooled for long. A simple port scan across a wider range will reveal your new port in no time.
Think of it this way: changing the RDP port reduces your visibility, but it does nothing to fix the underlying vulnerability of having RDP exposed to the internet. It must be paired with much stronger measures like properly configured firewalls, VPNs, and Multi-Factor Authentication.
RDP actually uses both TCP and UDP, but for different reasons.
It primarily relies on TCP port 3389 to establish a stable, reliable connection. This is crucial for ensuring that all main-session data—such as your keyboard strokes and mouse movements—reaches the destination without errors.
However, RDP can also use UDP on the same port to improve performance for applications that prioritize speed over perfect accuracy, such as streaming video or intensive graphics. UDP doesn't wait for confirmation that data packets have arrived, allowing it to send visual data much faster.
Of course, strong authentication is critical regardless of the port or protocol you're using. For a deeper look into why, check out our guide on what role MFA plays in Zero Trust security.
Safous enables identity-based, port-free privileged access without exposing inbound ports, deploying traditional VPN clients, or rearchitecting your internal network — making secure remote access achievable across IT, OT, and third-party environments.