Is having port 3389 open on my server 2012 RDP server risky

Posted on 2016-08-12
Last Modified: 2016-08-22
Is having port 3389 open on my server 2012 RDP server risky
Question by:dannyfccs
LVL 33

Accepted Solution

it_saige earned 500 total points
ID: 41753991
The cold hard truth is that *any* open port is a potential security threat.  Internal, external; It does not matter, you are still allowing access to something via a communications port.  In most instances, the port is well-known, well-defined and in of itself, the communication poses little to no threat to system integrity.  In your case you are allowing access to the system in question via 3389, the default RDP port.  Now all a potential attacker needs to do is get past windows security.

In order to minimize the threat level, most admin's will do any (or all) of the following:

A.  Change the port.
B.  Provide a proxy to the port.
C.  Restrict access to the port (this can be accomplished in a multitude of ways; e.g. - targeted source/destination firewall rules).

LVL 95

Expert Comment

by:Lee W, MVP
ID: 41754210
I agree that any port open is risky.

You should not expose RDS to the internet.  Setup a VPN and allow your users to connect to that first.  Or an Remote Desktop Gateway server.  Exposing ANY port to the internet is risky for any reason and it's generally considered safer to allow access through VPN or RD Gateway instead of direct RDS.

Expert Comment

by:Senior IT System Engineer
ID: 41754809
Yes it is.
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

LVL 28

Expert Comment

ID: 41754893
Only if it's directly on the internet.  If it's only accessible within your secure, local network you should have no problems.

Author Comment

ID: 41766093
what alternatives would you use to RDP 3389 then?
LVL 95

Expert Comment

by:Lee W, MVP
ID: 41766354
I'll repeat:
Setup a VPN and allow your users to connect to that first.  Or an Remote Desktop Gateway server

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I don't know if many of you have made the great mistake of using the Cisco Thin Client model with the management software VXC. If you have then you are probably more then familiar with the incredibly clunky interface, the numerous work arounds, and …
Let’s list some of the technologies that enable smooth teleworking. 
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now