Ports
RDP on the public internet: the single biggest ransomware vector for UK small businesses.
Published 2026-04-09 · Last updated 2026-04-09 · Vantyris editorial
Remote Desktop Protocol (RDP) on port 3389, reachable from the public internet, is the single most-exploited entry vector in UK SME ransomware incidents. NCSC reports consistently put it in the top three. The pattern: someone in 2020 needed remote access for COVID-era working, opened the port temporarily, and nobody closed it. Five years later it's still there. Vantyris flags it because closing it is one of the highest-impact 30-minute fixes a small business can do; the bots scanning for open RDP try every weak password they have within minutes of finding the port.
What this means for your business
- Port 3389 (the standard RDP port) is the first thing every credential-stuffing botnet checks. Once they find an open one, they hit it with weak-password lists scraped from old data breaches. Multiple successful logins per day is the norm on any open port.
- Once an attacker gets in, they have an interactive Windows session as the user they compromised. From there they install ransomware, exfiltrate data, or use the foothold to pivot deeper into the network.
- The fix is almost never 'use a stronger password' or 'enable MFA on RDP'. Strong passwords + MFA help but don't fix the underlying problem: exposing administrative services to the public internet at all. The fix is to put RDP behind a VPN or a Zero Trust gateway so the port isn't directly reachable.
How to fix
Close port 3389 at your firewall. Provide remote access via a VPN (WireGuard, Tailscale, Cloudflare WARP) or a Zero Trust gateway (Cloudflare Access, Tailscale, Twingate). Most modern options are free for small teams.
- Confirm the exposure. From outside your network, try connecting to your office's public IP on port 3389. Or use shodan.io to look up your IP. If you see an RDP listener, you have an exposed port.
- Decide your replacement remote-access path. Two cheap options. (1) Tailscale: free for up to 100 devices, install agents on the laptops + the office machine; remote access works without exposing any ports. (2) Cloudflare WARP + Cloudflare Tunnel: similar free tier, similar approach. Either eliminates the exposed port.
- Roll out the VPN client to anyone who needs remote access. Install the chosen client on every remote worker's laptop. Test that they can connect to the office machine over the VPN. Document the access pattern so new hires don't ask 'but why can't I just RDP'.
- Close port 3389 at your firewall. On your router or office firewall, remove the port-forward rule for 3389 (and any other admin port: 22 for SSH, 5900 for VNC, 5985-5986 for WinRM). Test that you can still RDP via the VPN; test that you cannot from the public internet.
- Audit other admin ports. While you're in the firewall, look for other commonly-exposed admin services: SSH, MySQL, RDP, VNC, WinRM. Close anything that doesn't have a deliberate business reason. The rule is 'admin services live behind the VPN; only public-facing services (HTTP, HTTPS, SMTP) face the public internet'.
Owner: Your IT administrator or web host. For small businesses with no IT, your web host's support team can usually do the firewall changes; the VPN setup might need an outside contractor. · Time: 1-2 hours including VPN rollout to a small team.
Common gotchas
- Don't replace one exposed admin port with another. Some businesses 'fix' the RDP exposure by moving it to port 3390 or 33890. Bots scan all ports, not just standard ones. The port number doesn't matter; the public exposure does.
- Strong passwords + MFA on RDP help but aren't the right fix. They're a partial mitigation, not a solution. A VPN puts the port behind authentication BEFORE the RDP layer; the attacker can't even attempt the RDP login.
- Some businesses think 'we only allow our office IP through the firewall'. Static IP allow-listing works if your office IP is genuinely static (most aren't; consumer-grade business broadband rotates). It also breaks the moment someone needs to work from home or travel.
- If you have an SLA requiring 24/7 remote access for an MSP or vendor, talk to them about the VPN setup before you close the port. Coordinate the cutover.
How to verify the fix
Vantyris's verified scan checks for exposed RDP and other admin ports in the Exposure category. Or use shodan.io to look up your public IP after closing the port; it should show no RDP listener within 24-48 hours of the firewall change.
Cyber Essentials alignment
This finding informs the following UK NCSC Cyber Essentials control areas:
- A1. Firewalls — boundary protection between the internet and your services.
- A4. User access control — accounts assigned the minimum required privileges.
Vantyris is not a CE certifying body. The mapping above is informational.
Common follow-up questions
We're a 5-person firm. Is a VPN really worth the setup?
Yes. Modern VPNs (Tailscale, Cloudflare WARP) are 15-minute setup, free for your size, and the attack class they prevent — ransomware via exposed RDP — is the most expensive incident class a small UK firm typically faces. The ROI is overwhelming.
What about cloud RDP services like Azure Bastion or AWS Session Manager?
Both are excellent if you already use Azure / AWS. They tunnel RDP over your cloud login instead of the public internet. For firms using on-premises Windows + no cloud presence, Tailscale or Cloudflare is the lighter-weight choice.
Will closing RDP break our remote staff?
Yes temporarily, until they install the VPN client. Coordinate the cutover; don't close the port at 5pm Friday.
Is RDP the only port we should worry about?
It's the highest-risk single one. Other commonly-exposed admin ports: SSH (22), MySQL (3306), MongoDB (27017), Redis (6379), Elasticsearch (9200), WinRM (5985-5986), SMB (445). Close all of them; expose only HTTP, HTTPS, and SMTP.
References
- NCSC: Remote Desktop Protocol NCSC
- CISA: RDP attacks alert CISA
- Microsoft: secure RDP configuration Vendor
Related explainers
Want Vantyris to scan your domain for this and 80 other findings?
Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.
Vantyris editorial team · methodology v1.0.0