Millions of Endpoints Exposed via RDP: Report

There are 4.1 million Windows endpoints online that would accept communication via the Remote Desktop Protocol (RDP) in one way or another, a recent Rapid7 report reveals.

As part of a study focused on the overall RDP exposure of Windows endpoints, the security firm discovered that there are 11 million open 3389/TCP endpoints, and that 4.1 million of them are “RDP speaking of some manner or another.”

The research follows previous reports from the company, which revealed 10.8 million supposedly open RDP endpoints in early 2016, and 7.2 million such endpoints in the first quarter of this year. According to Rapid7, however, the actual risk doesn’t come from exposing the endpoint, but from exposing the protocol.

While RDP is disabled by default on Windows, it is commonly enabled on internal networks to give administrators and support staff easy access. From a security perspective, however, the protocol poses a great many risks, especially given that Microsoft has had to address two dozen vulnerabilities in it over the past fifteen years.

“The default RDP configuration on older versions of Windows left it vulnerable to several attacks when enabled; however, newer versions have upped the game considerably by requiring Network Level Authentication (NLA) by default,” Rapid7 notes.

Earlier this year, EsteemAudit, an exploit that the ShadowBrokers made public after supposedly stealing it from the NSA-linked Equation Group, was found to target RDP on Windows 2003 and XP systems. Microsoft released security updates for Windows XP to address the ShadowBrokers vulnerabilities, including CVE-2017-0176, the bug EsteemAudit exploited.

In March this year, a security report revealed that RDP had surpassed email for ransomware distribution. After RDP was associated with the delivery of various ransomware variants, researchers concluded that attackers were increasingly relying on brute-forcing RDP credentials for the deployment of this type of malware.

“RDP finds itself exposed on the public internet more often than you might think. Depending on how RDP is configured, exposing it on the public internet ranges from suicidal on the weak end to not-too-unreasonable on the other. […] There are all manner of ways that RDP could end up exposed on the public internet, deliberately or otherwise,” Rapid7 notes.

According to the report, most of the exposed RDP endpoints (28.8%, or over 1.1 million) are located in the United States. China also has a large number of exposed RDP endpoints (17.7%, or around 730,000), followed by Germany (4.3%, ~177,000), Brazil (3.3%, ~137,000), and Korea (3.0%, ~123,000).

The security researchers also had a look at the organizations that own the IPs with exposed RDP endpoints: Amazon (7.73% of exposed endpoints), Alibaba (6.8%), Microsoft (4.96%), China Telecom (4.32%), and Comcast (2.07%).

This also revealed why some countries had significantly more exposed endpoints than others: most of the providers are known for their cloud, virtual, or physical hosting services, “where remote access to a Windows machine is a frequent necessity,” Rapid7 notes.

The security researchers also discovered that over 83% of the RDP endpoints identified were willing to negotiate CredSSP as the security protocol, meaning those sessions could be strongly secured. However, while some selected SSL/TLS, over 15% of the exposed endpoints indicated that they did not support SSL/TLS at all.

“While 83% of the RDP speaking endpoints support CredSSP, this does not mean that they don’t also support less secure options; it just means that if a client is willing, they can take the more secure route,” Rapid7 points out. The company nevertheless calls it highly impressive that over 80% of exposed endpoints include support for common means of securing RDP sessions.
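The CredSSP, SSL/TLS and "no TLS" buckets above come from the security-layer negotiation at the start of every RDP connection: the client's X.224 Connection Request carries an RDP_NEG_REQ listing the protocols it is willing to use, and the server replies with an RDP_NEG_RSP naming the one it selected (or an RDP_NEG_FAILURE, for example when it insists on NLA and the client did not offer it). The following example is added here and is not Rapid7's scanner or any code from the report; it builds that request, parses a set of constructed sample replies (not captured traffic), and sorts them into the same buckets so an administrator can see what a given answer from one of their own hosts means. Host names and byte values are constructed; the field layouts and constants follow MS-RDPBCGR.

```python
"""Classify RDP security-layer negotiation replies (TPKT + X.224 + RDP_NEG_*)."""
import struct

# selectedProtocol / requestedProtocols bit values (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000        # legacy "standard RDP security", no TLS
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. Network Level Authentication
PROTOCOL_RDSTLS = 0x00000004
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with Early User Authorization Result

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# failureCode values carried in RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def _tpkt(x224_body: bytes) -> bytes:
    # TPKT header: version 3, reserved 0, big-endian total length
    return struct.pack(">BBH", 3, 0, 4 + len(x224_body)) + x224_body


def build_connection_request(requested_protocols: int) -> bytes:
    """Client side: X.224 Connection Request (code 0xE0) carrying RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # LI counts everything after itself: code, DST-REF, SRC-REF, class, rdpNegData
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return _tpkt(x224)


def build_connection_confirm(neg_body: bytes = b"") -> bytes:
    """Server side: X.224 Connection Confirm (code 0xD0), used here to construct samples."""
    x224 = struct.pack(">BBHHB", 6 + len(neg_body), 0xD0, 0, 0x1234, 0) + neg_body
    return _tpkt(x224)


def neg_rsp(selected_protocol: int, flags: int = 0) -> bytes:
    return struct.pack("<BBHI", TYPE_RDP_NEG_RSP, flags, 8, selected_protocol)


def neg_failure(code: int) -> bytes:
    return struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, code)


def parse_connection_confirm(pkt: bytes) -> dict:
    """Decode the server's reply into {result, protocol/failure, nla}."""
    if len(pkt) < 11 or pkt[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", pkt[2:4])[0] != len(pkt):
        raise ValueError("TPKT length mismatch")
    li, code = pkt[4], pkt[5]
    if code != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = pkt[11:5 + li]  # rdpNegData follows the 7-byte X.224 header
    if not neg:
        # Old servers answer with no rdpNegData at all: standard RDP security only
        return {"result": "no_negotiation", "protocol": PROTOCOL_RDP, "nla": False}
    if len(neg) < 8:
        raise ValueError("truncated rdpNegData")
    ntype, _flags, nlen, value = struct.unpack("<BBHI", neg[:8])
    if nlen != 8:
        raise ValueError("malformed rdpNegData length")
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"result": "failure", "failure": FAILURE_CODES.get(value, f"unknown({value})"), "nla": False}
    if ntype != TYPE_RDP_NEG_RSP:
        raise ValueError("unexpected rdpNegData type")
    return {"result": "ok", "protocol": value,
            "nla": bool(value & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX))}


def classify(pkt: bytes) -> str:
    """Map one reply onto the buckets used in the exposure discussion."""
    info = parse_connection_confirm(pkt)
    if info["result"] == "failure":
        # A server that rejects a non-NLA request this way is enforcing NLA
        if info["failure"] == "HYBRID_REQUIRED_BY_SERVER":
            return "nla_required"
        return "failure:" + info["failure"]
    if info["nla"]:
        return "credssp"
    if info["protocol"] & PROTOCOL_SSL:
        return "tls"
    return "standard_rdp"  # no TLS at all: the weakest configuration


def summarize(replies: dict) -> dict:
    """Count hosts per bucket, the shape of figure the report gives as percentages."""
    counts: dict = {}
    for pkt in replies.values():
        bucket = classify(pkt)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


# Constructed sample replies, one per configuration (not captured from real hosts)
SAMPLE_REPLIES = {
    "host-a": build_connection_confirm(neg_rsp(PROTOCOL_HYBRID)),
    "host-b": build_connection_confirm(neg_rsp(PROTOCOL_SSL)),
    "host-c": build_connection_confirm(neg_rsp(PROTOCOL_RDP)),
    "host-d": build_connection_confirm(neg_failure(5)),
    "host-e": build_connection_confirm(),  # legacy server, no rdpNegData
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_REPLIES.items():
        print(name, classify(pkt))
    print(summarize(SAMPLE_REPLIES))
```

Reading the buckets from a defender's side: a reply that selects PROTOCOL_HYBRID (or an RDP_NEG_FAILURE of HYBRID_REQUIRED_BY_SERVER when the client did not offer it) is a host enforcing NLA; a reply that selects only PROTOCOL_SSL is protected in transit but still lets an unauthenticated client reach the logon screen; a reply of PROTOCOL_RDP, or no rdpNegData at all, is the no-TLS case that makes up the weakest slice of the figures above.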

Related: RDP Tops Email for Ransomware Distribution: Report

Related: Compromised RDP Servers Used in Corporate Ransomware Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
