Skip to main content
Vantyris

Ports

RDP on the public internet: the single biggest ransomware vector for UK small businesses.

Published 2026-04-09 · Last updated 2026-04-09 · Vantyris editorial

Remote Desktop Protocol (RDP) on port 3389, reachable from the public internet, is the single most-exploited entry vector in UK SME ransomware incidents. NCSC reports consistently put it in the top three. The pattern: someone in 2020 needed remote access for COVID-era working, opened the port temporarily, and nobody closed it. Five years later it's still there. Vantyris flags it because closing it is one of the highest-impact 30-minute fixes a small business can do; the bots scanning for open RDP try every weak password they have within minutes of finding the port.

What this means for your business

How to fix

Close port 3389 at your firewall. Provide remote access via a VPN (WireGuard, Tailscale, Cloudflare WARP) or a Zero Trust gateway (Cloudflare Access, Tailscale, Twingate). Most modern options are free for small teams.

  1. Confirm the exposure. From outside your network, try connecting to your office's public IP on port 3389. Or use shodan.io to look up your IP. If you see an RDP listener, you have an exposed port.
  2. Decide your replacement remote-access path. Two cheap options. (1) Tailscale: free for up to 100 devices, install agents on the laptops + the office machine; remote access works without exposing any ports. (2) Cloudflare WARP + Cloudflare Tunnel: similar free tier, similar approach. Either eliminates the exposed port.
  3. Roll out the VPN client to anyone who needs remote access. Install the chosen client on every remote worker's laptop. Test that they can connect to the office machine over the VPN. Document the access pattern so new hires don't ask 'but why can't I just RDP'.
  4. Close port 3389 at your firewall. On your router or office firewall, remove the port-forward rule for 3389 (and any other admin port: 22 for SSH, 5900 for VNC, 5985-5986 for WinRM). Test that you can still RDP via the VPN; test that you cannot from the public internet.
  5. Audit other admin ports. While you're in the firewall, look for other commonly-exposed admin services: SSH, MySQL, RDP, VNC, WinRM. Close anything that doesn't have a deliberate business reason. The rule is 'admin services live behind the VPN; only public-facing services (HTTP, HTTPS, SMTP) face the public internet'.

Owner: Your IT administrator or web host. For small businesses with no IT, your web host's support team can usually do the firewall changes; the VPN setup might need an outside contractor. · Time: 1-2 hours including VPN rollout to a small team.

Common gotchas

How to verify the fix

Vantyris's verified scan checks for exposed RDP and other admin ports in the Exposure category. Or use shodan.io to look up your public IP after closing the port; it should show no RDP listener within 24-48 hours of the firewall change.

Cyber Essentials alignment

This finding informs the following UK NCSC Cyber Essentials control areas:

Vantyris is not a CE certifying body. The mapping above is informational.

Common follow-up questions

We're a 5-person firm. Is a VPN really worth the setup?

Yes. Modern VPNs (Tailscale, Cloudflare WARP) are 15-minute setup, free for your size, and the attack class they prevent — ransomware via exposed RDP — is the most expensive incident class a small UK firm typically faces. The ROI is overwhelming.

What about cloud RDP services like Azure Bastion or AWS Session Manager?

Both are excellent if you already use Azure / AWS. They tunnel RDP over your cloud login instead of the public internet. For firms using on-premises Windows + no cloud presence, Tailscale or Cloudflare is the lighter-weight choice.

Will closing RDP break our remote staff?

Yes temporarily, until they install the VPN client. Coordinate the cutover; don't close the port at 5pm Friday.

Is RDP the only port we should worry about?

It's the highest-risk single one. Other commonly-exposed admin ports: SSH (22), MySQL (3306), MongoDB (27017), Redis (6379), Elasticsearch (9200), WinRM (5985-5986), SMB (445). Close all of them; expose only HTTP, HTTPS, and SMTP.

References

Related explainers

Want Vantyris to scan your domain for this and 80 other findings?

Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.

Editorial

Vantyris editorial team · methodology v1.0.0