Weak user authentication and port targeting are two of the main vulnerabilities present in the Remote Desktop Protocol (RDP).
After reading this article you will be able to:
Related Content
Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!
Copy article link
RDP, or the Remote Desktop Protocol, is one of the main protocols used for remote desktop sessions, which is when employees access their office desktop computers from another device. RDP is included with most Windows operating systems and can be used with Macs as well. Many companies rely on RDP to allow their employees to work from home.
A vulnerability is a gap or an error in the way a piece of software is constructed that allows attackers to gain unauthorized access. Think of an improperly installed deadbolt on the front door of a house that allows criminals to break in.
These are the most important vulnerabilities in RDP:
*In networking, a port is a logical, software-based location that is designated for certain types of connections. Assigning different processes to different ports helps computers keep track of those processes. As an example, HTTP traffic always goes to port 80, while HTTPS traffic goes to port 443.
To reduce the prevalence of weak sign-in credentials:
Single sign-on (SSO): Many companies already use SSO services to manage user logins for various applications. SSO gives companies an easier way to enforce strong password usage, as well as implementing even more secure measures like two-factor authentication (2FA). It is possible to move RDP remote access behind SSO in order to shore up the user login vulnerability described above. (Cloudflare Zero Trust, for instance, allows companies to do this.)
Password management and enforcement: For some companies, moving RDP behind SSO may not be an option. At the bare minimum, they should require employees to reset their desktop passwords to something stronger.
To protect against port-based attacks:
Lock down port 3389: Secure tunneling software can help stop attackers from sending requests that reach port 3389. With a secure tunnel (e.g. Cloudflare Tunnel) in place, any requests that do not pass through the tunnel will be blocked.
Firewall rules: It may be possible to manually configure a corporate firewall so that no traffic to port 3389 can come through, except traffic from allowlisted IP address ranges (e.g. the devices known to belong to employees). However, this method takes a lot of manual effort, and is still vulnerable to attack if attackers hijack an allowlisted IP address or employee devices are compromised. In addition, it is typically very difficult to identify and allowlist all employee devices in advance, resulting in continual IT requests from blocked employees.
RDP has other vulnerabilities that have technically been patched, but which are still severe if left unchecked.
One of the most severe vulnerabilities in RDP is called "BlueKeep." BlueKeep (officially classified as CVE-2019-0708) is a vulnerability that allows attackers to execute any code they want on a computer if they send a specially crafted request to the right port (usually 3389). BlueKeep is wormable, which means it can spread to all computers within a network without any actions from users.
The best defense against this vulnerability is to disable RDP unless it is needed. Blocking port 3389 using a firewall can also help. Finally, Microsoft issued a patch that corrects this vulnerability in 2019, and it is essential that system administrators install this patch.
Like any other program or protocol, RDP has several other vulnerabilities as well, and most of these can be eliminated by always using the very latest version of the protocol. Vendors typically patch vulnerabilities in each new version of software they release.
To simplify and secure RDP access, Cloudflare built a fast-performing RDP proxy that incorporates the Zero Trust security controls of our SASE platform. Cloudflare now offers clientless, browser-based RDP access: no additional infrastructure and no extra configuring on the client device are needed. Learn more about Cloudflare's SASE platform and RDP access.
RDP is a common technical standard that allows individuals to use a computer from a different location. Companies frequently use this protocol to help employees access their office computers while working from home.
The two most significant risks are weak login credentials and unrestricted access to port 3389. Because many organizations do not manage RDP passwords through centralized systems, users often use simple or reused passwords that are easy for attackers to guess. Additionally, since RDP uses port 3389, attackers can target this specific port to launch attacks or gain unauthorized entry.
BlueKeep is a critical security flaw, officially labeled CVE-2019-0708, that allows attackers to run unauthorized code on a computer by sending a specific type of request to its RDP port. This vulnerability is "wormable," meaning it can automatically spread across an entire network to other computers without any help from a user.
Integrating RDP with an SSO service allows organizations to move remote access behind a more secure login process. This enables companies to enforce stronger password requirements and implement additional security layers, such as two-factor authentication (2FA), to verify a user's identity more effectively.
Organizations can protect this port by using secure tunneling software that blocks any requests that do not travel through a designated, secure path. Another option is to set up firewall rules that only allow traffic from specific, trusted IP addresses, though this method can be difficult to manage manually for large teams.
Cloudflare provides a fast RDP proxy that applies Zero Trust security controls to every connection. By using tools like Cloudflare Access and secure tunnels, companies can hide their RDP resources from the public Internet and ensure that only authenticated users with the correct permissions can gain entry.