Port Authority Edition – Internet Vulnerability Profiling
by Steve Gibson,  Gibson Research Corporation.








Port Authority Database

Port 3389

Name: msrdp

Purpose: Microsoft Remote Display Protocol

Description: This port is used by Microsoft's "Terminal Server" or "Terminal Services" which were renamed to "Remote Desktop" for their appearance in Windows XP.

Related Ports: -




Background and Additional Information:

With their introduction of Windows XP, Microsoft renamed their original Terminal Server technology, which they purchased from Citrix years before, to the more user-friendly "Remote Desktop". Terminal Server / Remote Desktop allows a remote client to log on to a properly equipped and enabled machine and then display a fully graphical desktop from that remote machine.

It's all very cool and it works surprisingly well (for a remotely connected graphical user interface), but you can imagine the security implications. Since everyone knows that Remote Desktop runs over TCP port 3389, worldwide Internet scans for port 3389 are becoming more common. From a strict security standpoint, regardless of the user name and strength of the passwords available on the hosting machine, anyone who is deliberately leaving port 3389 wide open and available to the entire Internet is courting extreme danger.

You must not forget that ALL open ports — like 3389 — have Internet servers and services running behind them, even if it's on a machine in your home. The same risk and exploitation of Internet vulnerabilities that you hear and read about daily becomes YOUR liability when you deliberately open and expose ports to the Internet.

While it could be argued that no one would be able to guess a sufficiently bizarre user name and password, and while choosing strange names and secure passwords for publicly exposed services is always important, that's NOT the only security risk. Microsoft's track record of publicly exposed, remotely exploitable server vulnerabilities is so bad that it's probably true that they have never offered a server or service in which multiple security vulnerabilities were NOT eventually discovered (and often exploited). That being the case, you do NOT want to be running an exposed "Remote Desktop" server on the day when the community of malicious Internet hackers discovers a means to overflow an "unchecked buffer" or otherwise circumvent your security and exploit the faith you have implicitly placed in Microsoft's security.

So what can you do?

The only secure solution is to prevent your system's port 3389 from being globally exposed. In this way no one other than specifically pre-assigned remote users will have any idea that your port 3389 is open.

If you must be able to access your system from anywhere on the Internet, from any IP address, there is nothing you can do to hide the port. You'll have no way to restrict who can see port 3389 on your system if you need to be able to see it from any IP. But if, as is the case for many people, you only need to access your system from one or a few locations having fixed IPs, or fixed ranges of IPs, many free or inexpensive desktop personal firewall products can be used to restrict the IPs from which traffic to and from your system's port 3389 may flow.

In this way, you may continue to have unfettered access to your remote system from specific locations (by IP address) while no one else who may be scanning the Internet will find any opportunity for potential exploitation.
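One way to apply this IP restriction, shown as an added example that is not part of the original page: it assumes the firewall built into current Windows versions and its NetSecurity PowerShell cmdlets rather than a third-party personal firewall. The addresses in `$AllowedSources` are constructed placeholders from documentation ranges, to be replaced with your own fixed IPs.

```powershell
# Added example: limit inbound Remote Desktop (port 3389) to an allowlist.
# Run in an elevated PowerShell session on the machine hosting Remote Desktop.

# Assumption: the fixed locations you connect from. These are placeholder
# documentation-range addresses (RFC 5737); substitute your own IPs or ranges.
$AllowedSources = @('203.0.113.10', '198.51.100.0/24')

# Collect every enabled inbound Allow rule that names local port 3389, so rules
# created by hand or by other software are scoped as well as the built-in ones.
# Rules that cover 3389 only through a port range or "Any" are not matched
# here and should be reviewed separately.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389'
    }

if (-not $rdpRules) {
    Write-Warning 'No enabled inbound allow rule for port 3389 was found.'
    return
}

foreach ($rule in $rdpRules) {
    # Replace a remote scope of "Any" (the whole Internet) with the allowlist.
    $rule | Set-NetFirewallRule -RemoteAddress $AllowedSources
}

# Verify: list the remote-address scope now attached to each rule.
$rdpRules | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Profile       = $_.Profile
        RemoteAddress = $addr.RemoteAddress -join ', '
    }
} | Format-Table -AutoSize
```

After running it, a port probe from an address outside the allowlist should no longer report port 3389 as open, while connections from the listed locations continue to work.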

The entire contents of this page is copyright © 2008 by Gibson Research Corporation.


Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA.