What Is RDP?


RDP — Remote Desktop Protocol — is Microsoft's protocol for accessing a full graphical Windows desktop remotely over a network connection. It compresses and streams the display, transmits keyboard and mouse input, and supports audio, clipboard, and drive redirection.

What RDP Does

Remote Desktop Protocol gives you a full graphical desktop session on a remote Windows machine as if you were sitting in front of it. The remote computer renders its desktop, compresses the display data, and streams it to your client. Your keyboard and mouse inputs travel back in the opposite direction. The result is an interactive session that supports running applications, accessing files, and administering the system — all through a network connection.

RDP also supports virtual channels that extend the basic display-input stream. Clipboard redirection lets you copy and paste between your local machine and the remote session. Drive redirection makes your local drives appear as network drives inside the remote session. Audio redirection plays the remote system's audio through your local speakers. Printer redirection lets you print from the remote session to a locally attached printer.

How RDP Works Technically

RDP uses TCP port 3389 as its primary transport. Modern RDP versions also use UDP 3389 for enhanced performance, particularly for features like RemoteFX that benefit from lower-latency delivery even at the cost of occasional packet loss.

The display stream uses progressive rendering and compression. RDP does not send raw pixel data for every frame — it sends incremental updates covering only the screen regions that changed, compressed using codecs including RemoteFX (H.264/AVC-based) for rich graphical content and RDP 8.0 adaptive graphics. The server-side rendering approach means the remote machine does all the GPU work; the client only needs to decompress and display the stream, which keeps client hardware requirements low.

Virtual channels are multiplexed over the single TCP connection. Each channel handles a specific capability: the clipboard channel, the drive redirection channel, the audio channel, and so on. This architecture allows RDP to be extended with additional capabilities without changing the core protocol.

RDP Clients

The built-in Windows RDP client is mstsc.exe (Microsoft Terminal Services Client), accessible by running mstsc from the Run dialog or searching "Remote Desktop Connection" in the Start menu. It supports all RDP features including drive, printer, and clipboard redirection. Microsoft publishes official RDP client apps for macOS (Microsoft Remote Desktop from the Mac App Store), iOS, and Android. FreeRDP is an open-source, cross-platform RDP client and library that runs on Linux, macOS, and Windows and supports most RDP features including NLA and RemoteFX.

Network Level Authentication (NLA)

NLA is the single most important RDP security control. Without NLA, the Windows server creates a full remote session — rendering the login screen and allocating session resources — before the user has authenticated. This means an unauthenticated attacker can reach the Windows login screen directly, which was the attack surface exploited by BlueKeep and similar vulnerabilities.

With NLA enabled, the client must authenticate using CredSSP (Credential Security Support Provider) before the server establishes a session. Authentication happens at the network level before the RDP session begins. The server never renders a login screen for unauthenticated clients. NLA is enabled by default on Windows Server 2012 R2 and later. You should verify it is active and never disable it on internet-reachable systems.
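How NLA shows up on the wire, as an added example that is not code from the original page: a parser for the server's reply to the RDP connection request, for auditing packet captures taken from your own servers. It goes beyond the text by using the negotiation fields defined in Microsoft's [MS-RDPBCGR] specification; the function name `nla_verdict` and the sample packets are constructed for illustration.

```python
import struct

# Constants from the RDP negotiation structures in [MS-RDPBCGR].
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03
PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX = 0x02, 0x08  # CredSSP variants, i.e. NLA
HYBRID_REQUIRED_BY_SERVER = 0x05                  # RDP_NEG_FAILURE code


def nla_verdict(reply: bytes) -> str:
    """Classify a server's X.224 Connection Confirm packet.

    Returns "enforced", "negotiated" or "not-enforced".
    """
    if len(reply) < 11 or reply[0] != 0x03:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", reply[2:4])[0] != len(reply):
        raise ValueError("TPKT length does not match packet size")
    if reply[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = reply[11:]  # skip TPKT header (4 bytes) + X.224 CC header (7 bytes)
    if not neg:
        # No negotiation block: the server only speaks Standard RDP Security.
        return "not-enforced"
    if len(neg) != 8:
        raise ValueError("malformed negotiation block")
    msg_type, _flags, length, value = struct.unpack("<BBHI", neg)
    if length != 8:
        raise ValueError("unexpected negotiation block length")
    if msg_type == TYPE_RDP_NEG_FAILURE:
        # The server refused a client that did not offer CredSSP.
        if value == HYBRID_REQUIRED_BY_SERVER:
            return "enforced"
        raise ValueError(f"negotiation failed with code {value}")
    if msg_type == TYPE_RDP_NEG_RSP:
        # CredSSP selected: NLA is available, but only a refusal proves it is mandatory.
        if value in (PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX):
            return "negotiated"
        return "not-enforced"  # session continues over TLS or Standard RDP Security
    raise ValueError("unknown negotiation message type")


# Constructed sample packets (not captured from a real host).
_HDR = "030000130ed00000123400"
CREDSSP_SELECTED = bytes.fromhex(_HDR + "0200080002000000")
TLS_SELECTED = bytes.fromhex(_HDR + "0200080001000000")
HYBRID_REQUIRED = bytes.fromhex(_HDR + "0300080005000000")
LEGACY_REPLY = bytes.fromhex("0300000b06d00000123400")
```

A "negotiated" result means the client offered CredSSP and the server accepted it; the "enforced" result only appears when the capture contains a client that did not offer CredSSP and was turned away.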

RDP Security Vulnerabilities

RDP has accumulated a significant list of critical vulnerabilities. BlueKeep (CVE-2019-0708), disclosed in May 2019, allowed unauthenticated remote code execution on Windows 7 and Windows Server 2008 through a pre-authentication memory corruption bug in the RDP service. Microsoft issued emergency patches and the US government issued rare public warnings urging immediate patching. DejaBlue (CVE-2019-1181 and CVE-2019-1182) followed months later with similar pre-auth RCE bugs affecting Windows 8, 10, and Server 2012–2019.

Beyond these specific vulnerabilities, internet-exposed RDP is a primary ransomware entry vector. Automated tools constantly scan the internet for port 3389, attempt credential stuffing with leaked username/password combinations, and sell or exploit successful logins. Threat intelligence consistently identifies exposed RDP as the most common initial access method in ransomware incidents.

How to Secure RDP

The most effective protection is to never expose RDP directly on port 3389 to the public internet. Place it behind a VPN so only authenticated VPN users can reach the RDP port, or use a Remote Desktop Gateway (RD Gateway) server that acts as an HTTPS reverse proxy for RDP sessions. Enable NLA on every RDP-capable server. Configure account lockout policies (lock after 5–10 failed attempts) to defeat brute-force attacks. Enable multi-factor authentication either at the VPN layer or through RD Gateway. Keep the system patched: Microsoft patches RDP vulnerabilities promptly, but the patches only help if you apply them.
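Lockout slows password guessing, but the attempts still need to be noticed. The following added example (not from the original page) flags source addresses that produce bursts of failed logons, the pattern left by the credential stuffing described earlier, using the lower lockout bound of 5 as the default threshold. It assumes Windows Security event 4625 records already normalized into dictionaries; the key names and all sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event 4625 = failed logon. LogonType 10 is RemoteInteractive (RDP without NLA);
# with NLA the failure is logged as type 3 (Network), which also covers SMB,
# so type 3 hits should be confirmed against traffic to the RDP port.
RDP_LOGON_TYPES = {"3", "10"}


def find_rdp_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: summary} for sources with >= threshold failures inside window."""
    recent = defaultdict(deque)   # per-source sliding window of (time, user)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625 or ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        q = recent[ev["ip"]]
        q.append((ev["time"], ev["user"]))
        while ev["time"] - q[0][0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            hit = flagged.setdefault(ev["ip"], {"failures": 0, "accounts": set()})
            hit["failures"] = max(hit["failures"], len(q))
            hit["accounts"].update(user for _, user in q)
    for hit in flagged.values():
        # Many accounts from one source suggests stuffing or spraying, one account brute force.
        many = len(hit["accounts"]) > 1
        hit["pattern"] = "multi-account guessing" if many else "single-account brute force"
    return flagged


# Constructed sample events (documentation IP ranges, invented account names).
T0 = datetime(2024, 1, 1, 3, 0, 0)


def _ev(minute, ip, user, logon_type="3", event_id=4625):
    return {"time": T0 + timedelta(minutes=minute), "event_id": event_id,
            "logon_type": logon_type, "ip": ip, "user": user}


USERS = ["admin", "backup", "svc_sql", "jsmith", "test", "scanner"]
SAMPLE_EVENTS = (
    [_ev(i, "203.0.113.7", u) for i, u in enumerate(USERS)]              # 6 accounts in 6 minutes
    + [_ev(i, "198.51.100.20", "administrator", "10") for i in range(5)]  # one account, 5 tries
    + [_ev(i * 30, "192.0.2.10", "jdoe") for i in range(5)]               # slow typos, never 5 in 10 min
    + [_ev(2, "192.0.2.10", "jdoe", "10", 4624)]                          # successful logon, ignored
)
```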

Remote Desktop Gateway for Enterprise

Remote Desktop Gateway (RD Gateway) is a Windows Server role that allows clients to connect to internal RDP hosts through an HTTPS tunnel. Clients connect to the RD Gateway on TCP 443 using RPC over HTTPS, and the gateway proxies the RDP session to the internal target. From the client's perspective, the connection looks like an HTTPS request to a web server — it traverses firewalls easily and requires only port 443 outbound. RD Gateway supports NLA, integrates with Active Directory for authorization, and can require smart card or certificate authentication. It is the Microsoft-recommended approach for enterprise RDP access without a full VPN client.

RDP vs VNC vs SSH Compared

| Feature | RDP | VNC | SSH |
| --- | --- | --- | --- |
| Platform (server) | Windows (native); Linux via xrdp | Windows, macOS, Linux | Linux, macOS, Windows |
| Protocol | Proprietary Microsoft RDP | Open RFB protocol | Open SSH protocol (IETF) |
| Default port | TCP 3389 | TCP 5900+ | TCP 22 |
| Built-in encryption | Yes (TLS) | Minimal (tunnel over SSH recommended) | Yes (always encrypted) |
| Performance | Excellent (server-side rendering) | Good on LAN; slow over WAN | Text only (fast); GUI via X11/tunneling |
| Primary use case | Full Windows GUI remote access | Cross-platform GUI remote access | Secure terminal, file transfer, tunneling |
| Requires specific target OS | Windows (or xrdp on Linux) | No — any OS with VNC server | No — any OS with SSH server |

Frequently Asked Questions

What port does RDP use?

RDP listens on TCP port 3389 by default (and UDP 3389 for enhanced performance features). This port is widely known and heavily scanned by attackers looking for exposed RDP servers. Changing the RDP listening port is a minor deterrent but not a security control on its own — automated scanners regularly scan all 65535 ports. The effective protections are NLA, a VPN gateway, and account lockout policies, not port obscurity.

Is RDP secure to use over the internet?

Exposing RDP directly to the internet on port 3389 is not recommended. RDP has a long history of critical vulnerabilities — including BlueKeep (CVE-2019-0708), which allowed unauthenticated remote code execution on unpatched systems — and internet-facing RDP servers are constant targets for brute-force credential attacks that fuel ransomware campaigns. The secure approach is to place RDP behind a VPN or Remote Desktop Gateway so that only authenticated users can reach it.

What is NLA in RDP?

NLA stands for Network Level Authentication. It requires the client to authenticate before the full RDP session is established — specifically before the Windows login screen is rendered and sent to the client. Without NLA, the server creates a full session for every connection attempt before authentication, which wastes resources and exposes the login screen to unauthenticated attackers. NLA uses the CredSSP protocol and significantly reduces the attack surface. NLA should always be enabled on any RDP server.

How do I enable RDP on Windows?

On Windows 10 and 11: open Settings, go to System, then Remote Desktop, and toggle Enable Remote Desktop on. On Windows Server: open Server Manager, go to Local Server, and click the Remote Desktop status link. You must also ensure Windows Firewall allows inbound connections on TCP 3389. RDP is only available on Windows Pro, Enterprise, and Server editions — Windows Home does not include an RDP server, though it can run the RDP client.

Why is RDP a security risk?

RDP is a high-value attack target because it provides full interactive access to a Windows system. The combination of a well-known port (3389), password-based authentication subject to brute force, and a history of critical unauthenticated vulnerabilities makes internet-exposed RDP one of the most common initial access vectors for ransomware. Threat intelligence reports consistently identify exposed RDP as the leading entry point for ransomware deployments. Mitigations include NLA, MFA, VPN gating, and ensuring the system is fully patched.

Can I use RDP to connect to a Mac or Linux machine?

RDP is a Microsoft protocol and requires an RDP server on the target machine. macOS and Linux do not include a built-in RDP server. However, third-party RDP server software exists for both platforms — xrdp is a popular open-source RDP server for Linux that works with most standard RDP clients. For macOS, native remote access uses either Apple Remote Desktop (ARD) or VNC-compatible screen sharing. Microsoft's official RDP client apps are available for macOS, iOS, and Android for connecting to Windows targets.
