More than 11 million devices have port 3389/TCP exposed online, and over 4.1 million accept communication via the Remote Desktop Protocol (RDP).
Remote Desktop Protocol, referred to as RDP, was developed by Microsoft and is used to provide a graphical means of connecting to a network-connected machine. Outside of Microsoft’s products, there are RDP clients available for most other operating systems. RDP gives a user a graphical interface to connect to another computer over a network connection.
The protocol is disabled by default for all versions of Windows but is generally exposed in internal networks to allow easy access for administration and support.
According to Rapid7:
“11 million open 3389/TCP endpoints, and 4.1 million responded in such a way that they were RDP speaking of some manner or another. This number is shockingly high when you remember that this protocol is effectively a way to expose keyboard, mouse and ultimately a Windows desktop over the network. Furthermore, any RDP speaking endpoints discovered by this Sonar study are not applying basic firewall rules or ACLs to protect this service, which brings into question whether or not any of the other basic security practices have been applied to these endpoints.”
The researchers found that over 83% of the remote desktop endpoints identified were ready to proceed with CredSSP as the security protocol, indicating that the RDP session was highly secured. However, while some selected SSL/TLS, over 15% of the exposed endpoints showed that they didn’t support SSL/TLS.
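As an added example (not code from Rapid7's study or from the original article), the following Python classifies the first reply an endpoint sends to an RDP connection request into the categories discussed above, so an administrator can audit captured replies from their own hosts. The field layout and constant values follow Microsoft's MS-RDPBCGR specification; the function names and the sample replies are constructed for illustration.

```python
import struct
from collections import Counter

# selectedProtocol values in RDP_NEG_RSP (MS-RDPBCGR)
PROTOCOLS = {0: "Standard RDP Security", 1: "SSL/TLS",
             2: "CredSSP", 8: "CredSSP (HYBRID_EX)"}
# failureCode values in RDP_NEG_FAILURE (MS-RDPBCGR)
FAILURES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
            3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
            5: "HYBRID_REQUIRED_BY_SERVER",
            6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def classify_rdp_reply(data: bytes) -> str:
    """Classify a server's first reply to an X.224 Connection Request."""
    # TPKT header: version 3, reserved byte, 2-byte big-endian total length
    if len(data) < 11 or data[0] != 0x03:
        return "not RDP"
    total = struct.unpack(">H", data[2:4])[0]
    # X.224 Connection Confirm: length-indicator byte, then code 0xD0
    if not 11 <= total <= len(data) or data[4] + 5 != total:
        return "not RDP"
    if data[5] & 0xF0 != 0xD0:
        return "not RDP"
    neg = data[11:total]
    if not neg:
        # No negotiation data: server offers only Standard RDP Security
        return PROTOCOLS[0]
    if len(neg) != 8:
        return "malformed negotiation data"
    kind, _flags, length, value = struct.unpack("<BBHI", neg)
    if length != 8 or kind not in (0x02, 0x03):
        return "malformed negotiation data"
    if kind == 0x02:  # RDP_NEG_RSP: server selected a security protocol
        return PROTOCOLS.get(value, f"unknown protocol {value:#x}")
    # RDP_NEG_FAILURE: server refused the requested protocols
    return "refused: " + FAILURES.get(value, f"unknown code {value:#x}")

def tally(replies):
    """Count endpoints per category, as a survey summary would."""
    return Counter(classify_rdp_reply(r) for r in replies)

# Constructed sample replies (not real scan data)
CC = "030000130ed00000123400"  # TPKT + X.224 Connection Confirm header
SAMPLES = [bytes.fromhex(CC + "0200080002000000"),   # CredSSP selected
           bytes.fromhex(CC + "0200080002000000"),   # CredSSP selected
           bytes.fromhex(CC + "0200080001000000"),   # SSL/TLS selected
           bytes.fromhex(CC + "0300080002000000"),   # TLS not allowed
           bytes.fromhex("0300000b06d00000123400"),  # legacy, no neg data
           b"HTTP/1.1 400 Bad Request\r\n"]          # other service on 3389
```

Endpoints that land in "Standard RDP Security" or "refused: SSL_NOT_ALLOWED_BY_SERVER" are the ones to prioritize for reconfiguration or for removal from direct Internet exposure.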
“Given the myriad of ways that RDP could end up exposed on the public Internet as observed in this recent Sonar study, it is hard to say why any one country would have more RDP exposed than another at first glance, but clearly the United States and China have something different going on than everyone else:”