Remote Desktop Protocol
Remote Desktop Protocol enables remote Windows access—but exposed RDP is a top ransomware entry point. Learn how it works and how to secure it.
Remote Desktop Protocol (RDP) is a Microsoft-developed network protocol that lets one device display and control a Windows-based computer over a network connection. It is widely used to access Windows systems remotely, which makes it important to understand both how it functions and how organizations manage its use.
Key Takeaways
- Remote Desktop Protocol establishes remote sessions through a staged connection process, and its security depends heavily on version and configuration.
- Attackers frequently abuse exposed RDP for credential theft, lateral movement, and ransomware deployment.
- Safer deployments keep RDP off the public internet and wrap each session in layered controls such as VPN access, phishing-resistant MFA, and session monitoring.
- Comparing RDP with other remote display options clarifies its strengths and limitations in enterprise environments.
How Remote Desktop Protocol Works
Remote Desktop Protocol works by establishing a layered remote session that carries display data to the client and user input back to the host. The layers are built on the T.120 family of ITU-T conferencing standards, and every connection is set up through a fixed sequence of negotiation phases before any desktop is shown.
Understanding the Protocol Stack
The protocol operates as a series of layers stacked on top of one another. At the base, TCP carries the traffic, framed in TPKT headers. Above that sit X.224, T.125 MCS, and T.124 GCC. RDP sits at the top, using the MCS layer to multiplex several virtual channels over the single connection. The primary I/O channel carries keyboard, mouse, and display data, while static virtual channels negotiated at connection time (for example cliprdr for the clipboard, rdpdr for drive, printer and serial-port redirection, and rdpsnd for audio) carry device redirection alongside the visual desktop stream. This architecture means a single RDP session can support several redirected functions without interfering with the primary graphical display. It also means each channel is parsing attacker-controlled data, which is why channel handling has been the home of some of the protocol's most serious bugs.
Walking Through the Connection Lifecycle
Every RDP session follows a fixed connection sequence before the user sees a desktop. Microsoft's MS-RDPBCGR specification breaks that sequence into individual phases; they are grouped here into the five stages that matter most for security. Understanding where each one sits helps security teams identify where controls apply and where vulnerabilities have historically appeared.
- Connection Initiation and Settings Exchange: The client sends an X.224 Connection Request carrying an RDP Negotiation Request that lists the security protocols it supports, and the server answers with a Connection Confirm that selects one (or a negotiation failure if none is acceptable). With Enhanced RDP Security, the TLS handshake, and CredSSP if NLA is in use, happens right here, before any further RDP traffic. Both sides then exchange core settings, security data, and network information through MCS Connect Initial and Connect Response messages containing GCC Conference Create packets.
- Channel Connection and Security Commencement: The client attaches to the MCS domain and joins the user channel, I/O channel, and each static virtual channel. In legacy Standard RDP Security the client now sends its random value in a Security Exchange PDU and subsequent packets are wrapped in an encrypted security header; in Enhanced Security the TLS channel already protects everything.
- Secure Settings Exchange and Licensing: The Client Info PDU, which can carry a username, password, and domain for automatic logon, is transmitted inside the encrypted channel. The server then completes the licensing exchange and may issue a client license that the client stores and re-presents on future connections.
- Capability Negotiation and Connection Finalization: The server sends a Demand Active PDU and the client responds with Confirm Active, each side advertising what it can support. Synchronize and Control PDUs then confirm both sides are ready.
- Data Exchange: Ongoing transmission of user input and remote graphical output begins.
Examining the Three Security Modes
Remote Desktop Protocol security varies sharply by mode, with modern deployments relying on pre-authentication and external security protocols to reduce exposure.
RDP supports three distinct security configurations, and the differences between them are significant. The legacy Standard RDP Security mode uses RC4 stream ciphers and is now deprecated: beyond the weak cipher, the server's key exchange is signed with a Microsoft "Terminal Services" signing key whose private half is published in the protocol specification itself, so a client has no way to tell a genuine server from a man-in-the-middle. Enhanced RDP Security without Network Level Authentication (NLA) uses TLS but still builds a full session and presents a graphical login screen before authenticating the user, which exposes the entire MCS, channel, and capability-negotiation code path to unauthenticated connections.
The current standard, Enhanced RDP Security with NLA via CredSSP, authenticates the user immediately after the X.224 exchange, before the session is established. This matters because any bug in the session-building code (BlueKeep is the canonical example) can then only be reached by someone who already holds valid credentials, instead of by anyone who can open a TCP connection. Modern RDP advertises these options in the negotiation request as external security protocols, including TLS, CredSSP, RDSTLS, and RDS AAD Auth.
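The negotiation described in the connection-initiation phase above is also the cheapest way to verify which of the three security modes a host actually enforces. The following script is an added example written for this page, not code from Microsoft or from the original article. It builds the X.224 Connection Request with an RDP Negotiation Request that offers only PROTOCOL_SSL (TLS without NLA) and interprets the server's Connection Confirm: a host that enforces NLA refuses that offer with HYBRID_REQUIRED_BY_SERVER, a host that accepts it will build a full session for an unauthenticated client, and a host that sends back a bare Connection Confirm with no negotiation payload speaks only Standard RDP Security. The constant names follow MS-RDPBCGR; the three replies at the bottom are constructed by hand for offline use and were not captured from any real server.

```python
import socket
import struct
import sys

# Security protocol flags from MS-RDPBCGR (RDP_NEG_REQ.requestedProtocols /
# RDP_NEG_RSP.selectedProtocol).
PROTOCOL_RDP = 0x00        # Standard RDP Security (RC4); no external protocol
PROTOCOL_SSL = 0x01        # TLS only: session built, then a GUI logon screen
PROTOCOL_HYBRID = 0x02     # CredSSP over TLS, i.e. NLA
PROTOCOL_RDSTLS = 0x04
PROTOCOL_HYBRID_EX = 0x08

NEG_REQ, NEG_RSP, NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested: int) -> bytes:
    """TPKT + X.224 Connection Request carrying an RDP Negotiation Request."""
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols; little-endian
    neg_req = struct.pack("<BBHI", NEG_REQ, 0, 8, requested)
    # X.224 CR TPDU: length indicator, CR code 0xE0, DST-REF, SRC-REF, class option
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT header: version 3, reserved, total length including the header
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm and its optional negotiation payload."""
    if len(data) < 11 or data[0] != 3 or (data[5] & 0xF0) != 0xD0:
        raise ValueError("not a TPKT-framed X.224 Connection Confirm")
    li = data[4]                     # bytes of X.224 TPDU following the LI byte
    payload = data[11 : 5 + li]      # whatever follows the 6 fixed X.224 header bytes
    if not payload:
        # Servers that predate the negotiation answer with a bare CC: RC4-only.
        return {"kind": "legacy"}
    ptype, _flags, _length, value = struct.unpack("<BBHI", payload[:8])
    if ptype == NEG_RSP:
        return {"kind": "selected", "protocol": value}
    if ptype == NEG_FAILURE:
        return {"kind": "failure", "code": value,
                "reason": FAILURE_CODES.get(value, "unknown")}
    raise ValueError(f"unexpected negotiation structure type {ptype:#x}")


def assess_nla(probe_response: bytes) -> str:
    """Classify the reply to a probe that offered PROTOCOL_SSL only."""
    r = parse_connection_confirm(probe_response)
    if r["kind"] == "failure" and r["code"] == 0x05:
        return "nla_required"                 # CredSSP demanded before any session
    if r["kind"] == "selected" and r["protocol"] == PROTOCOL_SSL:
        return "tls_without_nla"              # unauthenticated clients reach the full stack
    if r["kind"] == "legacy" or (r["kind"] == "selected" and r["protocol"] == PROTOCOL_RDP):
        return "standard_rdp_security"        # RC4 plus the well-known signing key
    return "unexpected:" + str(r)


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """Run the SSL-only probe against a live host (needs network access and authorization)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_SSL))
        return assess_nla(s.recv(64))


# Constructed replies for offline use; SRC-REF 0x1234 is an arbitrary value.
REPLY_NLA_REQUIRED = bytes.fromhex("03000013 0ed0 0000 1234 00 03000800 05000000")
REPLY_TLS_NO_NLA = bytes.fromhex("03000013 0ed0 0000 1234 00 02000800 01000000")
REPLY_LEGACY = bytes.fromhex("0300000b 06d0 0000 1234 00")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        for name, reply in (("nla", REPLY_NLA_REQUIRED), ("tls", REPLY_TLS_NO_NLA), ("rc4", REPLY_LEGACY)):
            print(name, assess_nla(reply))
```

Run it with a hostname to probe a real server, or with no arguments to see the three constructed replies classified. Real clients usually offer every protocol at once (0x0B); offering only PROTOCOL_SSL is what turns the exchange into an enforcement check, which is the same trick nmap's rdp-enum-encryption script uses. A result of tls_without_nla means the host will build a session for anyone who can reach port 3389, regardless of how strong the passwords behind the logon screen are.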
Remote Desktop Protocol Version History and Security Evolution
Remote Desktop Protocol security evolved from weak legacy encryption to stronger pre-authentication and more modern transport protections over successive versions.
Microsoft has released multiple major RDP versions since its original release. The most security-relevant milestones follow.
- RDP 4.0: This initial release shipped with Windows NT Terminal Server and supported only RC4 data encryption with no pre-authentication or TLS.
- RDP 6.0: This version, shipped with Windows Vista, marked a major security turning point by introducing NLA via CredSSP. TLS protection of the transport had arrived slightly earlier, with RDP 5.2 in Windows Server 2003 SP1, but 6.0 was the first version in which a user could be authenticated before a session was built, making it the first suitable for more secure deployments.
- RDP 8.0: This was a major transport update, adding UDP transport alongside TCP and adaptive graphics.
- RDP 10.0+: The current generation supports modern graphics compression, newer TLS support, and cloud-native features for Azure Virtual Desktop and Windows 365.
Types of Remote Desktop Protocol and Alternatives
Remote Desktop Protocol is one remote display option among several, and the main differences come down to platform integration, transport design, and deployment needs.
Enterprise and VDI Protocols
The baseline Microsoft RDP implementation ships with Windows and integrates with Active Directory, Group Policy, and NLA.
For large-scale virtual desktop infrastructure, Citrix Independent Computing Architecture (ICA) serves as the virtual channel transport, while High Definition Experience (HDX) manages display, audio, and device redirection through adaptive compression that evaluates user context and adjusts per session. PCoIP takes a different approach: it compresses and transmits the full rendered framebuffer as a pixel stream, in contrast with RDP's command-based rendering. VMware Blast Extreme is also used in virtual desktop environments and emphasizes display performance and transport flexibility across different client platforms.
Open-Source and Cross-Platform Protocols
Open-source and cross-platform alternatives trade deep Windows integration for broader compatibility and different deployment models.
The Virtual Network Computing (VNC) protocol is based on IETF RFC 6143, the Remote Framebuffer (RFB) standard, and works across Linux/X11, macOS, and Windows. Key implementations include TigerVNC, TightVNC, and RealVNC. Baseline RFB has no transport encryption and its standard "VNC Authentication" is a DES challenge-response over a password truncated to eight characters, and VNC lacks RDP's NLA and Group Policy management, so security guidance recommends placing it behind a secondary encrypted channel such as an SSH tunnel or VPN.
Apache Guacamole is a clientless remote desktop gateway that translates RDP, VNC, and SSH sessions into HTML5 rendered in a standard web browser, with no plugins or client software required. It is increasingly used as a bastion host replacement in cloud environments.
Red Hat's open-source SPICE protocol offers clipboard integration, USB redirection, and dynamic display resolution for KVM/QEMU virtualization stacks.
Remote Desktop Protocol in the Real World: Attack Chains and Threat Actors
Remote Desktop Protocol appears in real-world intrusions both as an initial access path and as a lateral movement tool after attackers gain a foothold.
Exposed RDP is one of the most common entry points for ransomware operators. The Verizon 2025 DBIR again found stolen or abused credentials to be one of the leading initial access vectors in confirmed breaches, and exposed RDP is one of the simplest places to turn a stolen or guessed credential into an interactive foothold.
Mapping Attack Patterns from Initial Access to Ransomware
Attackers use RDP in several ways, from brute force access against exposed systems to hijacking sessions and moving between internal hosts.
MITRE ATT&CK documents RDP across multiple techniques. Three are particularly relevant: T1021.001 (Remote Services: Remote Desktop Protocol) for lateral movement over RDP sessions; T1563.002 (RDP Hijacking), where an attacker with SYSTEM privileges uses tscon.exe to attach a disconnected session to their own without knowing its password; and T1110 (Brute Force) for credential attacks against exposed RDP listeners. Both state-sponsored and financially motivated groups rely on these techniques.
The FBI IC3 has documented a consistent attack pattern in multiple advisories for ransomware families including Phobos, BlackSuit, Akira, Play, and BianLian: attackers scan for exposed RDP services, run brute force tools against weak credentials or purchase valid credentials from dark web marketplaces, profile the victim organization, deploy remote access tools for persistence, move laterally via RDP to additional hosts, and then execute ransomware.
Examining Named Vulnerabilities
Several high-profile vulnerabilities have shown how dangerous exposed Remote Desktop Protocol can be when critical flaws require no user interaction.
BlueKeep (CVE-2019-0708) was a critical flaw that required no authentication or user interaction. Microsoft and CISA described it as "wormable" and issued urgent patching guidance. The bug was a use-after-free in the kernel RDP driver triggered during the channel-connection phase, when a client bound the internal MS_T120 channel by name, so an unauthenticated attacker could send crafted packets to any system with RDP enabled and achieve remote code execution on affected Windows versions. Because the trigger sits inside the session-building phase, enabling NLA blocked unauthenticated exploitation even before the patch was applied.
The DejaBlue vulnerabilities (CVE-2019-1181 and CVE-2019-1182) affected more modern systems, which meant organizations that had patched BlueKeep on legacy systems still faced comparable risk on current infrastructure. Both BlueKeep and DejaBlue were pre-authentication bugs that required no user interaction, making them candidates for automated exploitation at scale, and in both cases NLA reduced the exposure to authenticated users.
Critical RDP vulnerabilities have continued beyond that cluster, in the client as well as the server side of the protocol and in third-party implementations, reinforcing that RDP vulnerability management is an ongoing concern rather than a closed chapter in Microsoft's history.
How to Prevent Remote Desktop Protocol Attacks
Organizations reduce Remote Desktop Protocol risk by limiting exposure first and then layering controls around every allowed session.
Government cybersecurity agencies recommend disabling RDP entirely when there is no legitimate business need, and applying layered controls when the service must remain active. Here are the steps organizations should consider, drawn from current CISA, NIST, and NSA guidance:
- Eliminate Internet Exposure: Removing direct internet exposure for RDP is the baseline control recommended by government agencies. CISA's StopRansomware Guide designates this as a foundational requirement.
- Require VPN Access: All external RDP sessions should pass through a VPN using SSL/TLS or IPsec encryption. CISA's 2025 advisory specifies this requirement.
- Enforce Phishing-Resistant MFA: CISA's 2025 advisory specifies phishing-resistant MFA at AAL3 assurance level for RDP and VPN sessions, not just standard two-factor authentication.
- Enable Network Level Authentication: NLA authenticates the user via CredSSP before the full RDP session is established, so session-layer vulnerabilities and the resource cost of spinning up a logon desktop are reachable only by clients holding valid credentials. Verify it is actually enforced rather than merely enabled, since a host that still accepts a TLS-only connection gives unauthenticated clients the whole session stack.
- Set Account Lockout Policies: Locking accounts after a defined number of failed login attempts slows brute force attacks.
- Use Strong Passwords: CISA guidance specifies minimum password standards for accounts with remote access.
- Restrict Access by Role: Limiting RDP permissions to specific security groups and blocking local accounts from remote access via Group Policy reduces exposure.
- Enable Remote Credential Guard: This prevents credential theft during RDP sessions by keeping the user's credentials on the originating device and redirecting Kerberos requests back to it, so nothing reusable lands on the remote host. It requires Kerberos (domain-joined endpoints, not local accounts); the older Restricted Admin mode is the fallback where Kerberos is unavailable, with the caveat that it makes the remote session usable with just an NTLM hash.
- Segment Networks: Restricting RDP traffic between network segments and disabling RDP and SMB from DMZ systems to internal networks limits lateral movement.
- Disable TCP 3389 on Unused Systems: Auditing the network for all systems with RDP enabled and disabling it where there is no business requirement removes unnecessary attack surface.
- Maintain Aggressive Patching: Security updates for RDP components deserve priority given the protocol's history of critical pre-authentication vulnerabilities.
- Log and Monitor All Sessions: Review the Microsoft-Windows-TerminalServices-RemoteConnectionManager and LocalSessionManager operational logs alongside the Windows Security log, where event 4624 with logon type 10 records a successful RDP logon, 4625 records failures, and 4778/4779 record session reconnects and disconnects. Establishing a baseline of normal RDP activity (which accounts, from which sources, to which hosts) is what makes brute force, first-time source addresses, and sudden fan-out to many hosts stand out.
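The attack pattern described earlier (brute force or purchased credentials, then a successful logon, then RDP hops to additional hosts) leaves exactly the trail the monitoring step above describes. The script below is an added example written for this page, not the article's or any vendor's detection content; it runs two simple detections over a constructed batch of Windows Security log records. The record format (a flat dict with ts, id, user, src, host, type fields) is an assumption standing in for whatever your collector emits, and the sample events are invented. One real-world detail is built in: on an NLA-enabled host a failed RDP attempt is logged as 4625 with logon type 3, because CredSSP fails the authentication over the network before a type-10 interactive logon exists, so the failure count deliberately does not filter on type 10.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security log records (not real telemetry).
# 4624 = successful logon, 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
# Failures on an NLA host show up as type 3, hence type 3 on the 4625 rows.
_FIELDS = ("ts", "id", "user", "src", "host", "type")
_RAW = [
    ("2025-03-01T02:14:00", 4625, "administrator", "198.51.100.7", "FS01", 3),
    ("2025-03-01T02:14:10", 4625, "administrator", "198.51.100.7", "FS01", 3),
    ("2025-03-01T02:14:20", 4625, "admin",         "198.51.100.7", "FS01", 3),
    ("2025-03-01T02:14:30", 4625, "administrator", "198.51.100.7", "FS01", 3),
    ("2025-03-01T02:14:40", 4625, "backup",        "198.51.100.7", "FS01", 3),
    ("2025-03-01T02:14:50", 4625, "administrator", "198.51.100.7", "FS01", 3),
    ("2025-03-01T02:15:10", 4624, "administrator", "198.51.100.7", "FS01", 10),
    ("2025-03-01T03:00:00", 4624, "svc_backup",    "10.0.5.20",    "FS01", 10),
    ("2025-03-01T03:01:00", 4624, "svc_backup",    "10.0.5.20",    "DC01", 10),
    ("2025-03-01T03:02:00", 4624, "svc_backup",    "10.0.5.20",    "SQL01", 10),
    ("2025-03-01T03:03:30", 4624, "svc_backup",    "10.0.5.20",    "HR-WS03", 10),
    ("2025-03-01T09:00:00", 4624, "jdoe",          "10.0.7.41",    "WS17", 10),
    ("2025-03-01T09:05:00", 4625, "jdoe",          "10.0.7.41",    "WS17", 3),
]
SAMPLE_EVENTS = [dict(zip(_FIELDS, r)) for r in _RAW]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def detect_bruteforce_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a successful RDP logon (4624, type 10) preceded by >= threshold
    failed logons from the same source address inside `window`."""
    failures = defaultdict(list)          # source IP -> timestamps of 4625 events
    hits = []
    for e in sorted(events, key=_ts):
        if e["id"] == 4625:
            failures[e["src"]].append(_ts(e))       # any logon type: NLA logs type 3
        elif e["id"] == 4624 and e["type"] == 10:
            recent = [t for t in failures[e["src"]] if _ts(e) - t <= window]
            if len(recent) >= threshold:
                hits.append({"src": e["src"], "user": e["user"],
                             "host": e["host"], "failures": len(recent)})
    return hits


def detect_rdp_fanout(events, min_hosts=3, window=timedelta(minutes=5)):
    """Flag one account opening RDP sessions to >= min_hosts distinct hosts
    within `window`, the signature of T1021.001 lateral movement."""
    logons = sorted((e for e in events if e["id"] == 4624 and e["type"] == 10), key=_ts)
    hits, reported = [], set()
    for i, first in enumerate(logons):
        hosts = {first["host"]}
        for later in logons[i + 1:]:
            if later["user"] != first["user"]:
                continue
            if _ts(later) - _ts(first) > window:
                break                       # sorted, so nothing later can qualify
            hosts.add(later["host"])
        if len(hosts) >= min_hosts and first["user"] not in reported:
            reported.add(first["user"])
            hits.append({"user": first["user"], "src": first["src"],
                         "start": first["ts"], "hosts": sorted(hosts)})
    return hits


if __name__ == "__main__":
    for hit in detect_bruteforce_success(SAMPLE_EVENTS):
        print("brute force followed by success:", hit)
    for hit in detect_rdp_fanout(SAMPLE_EVENTS):
        print("RDP fan-out:", hit)
```

The thresholds are starting points, not tuned values: a single failed attempt before a success is normal, five from one source in ten minutes is not, and an account that opens interactive sessions on four servers in a few minutes is either a jump-host administrator you can allowlist or an intruder. Both detections are keyed on fields that a brute-force tool cannot hide (the source address on the logon events and the count of distinct target hosts), which is what makes them more durable than matching on a tool name.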
Securing a Protocol That Is Here to Stay
Remote Desktop Protocol remains deeply embedded in enterprise operations because it provides direct, practical remote access. Organizations manage its risk more effectively when they treat it as a controlled privilege rather than a default service, supported by limited exposure, strong authentication, segmentation, and continuous monitoring.
Frequently Asked Questions
Is RDP safe to use over the internet?
Not by itself. External RDP access becomes much riskier when the service is exposed directly to the internet because attackers can target it with credential attacks and exploit attempts. Safer deployments place RDP behind a VPN, require strong authentication, apply account lockout controls, and log sessions for review.
What port does RDP use?
RDP uses TCP port 3389 by default, and since RDP 8.0 it can also use UDP 3389 for its faster transport. That default matters because exposed systems listening on that port are easy for attackers to find, but moving the listener to another port is not a control: scanners fingerprint the protocol, not the port number, which is why organizations focus on restricting who can reach the service rather than on hiding it.
What is the difference between RDP and VNC?
Both provide remote graphical access, but they differ in design and management model. RDP is closely tied to Windows environments and supports features such as pre-authentication and centralized policy control. VNC is based on the Remote Framebuffer model and is commonly used across different operating systems for straightforward screen sharing and remote control.
What is the difference between RDP and a VPN?
They serve different purposes. RDP carries the remote desktop session itself, including screen updates and user input. A VPN creates an encrypted tunnel between a client and a network. In practice, they are often used together: the VPN protects the connection path, while RDP provides the remote desktop experience inside that path.
How do attackers use RDP for lateral movement?
Once attackers have valid access inside a network, they can use RDP to move from one system to another while blending in with normal administrative activity. A common sequence starts with one compromised endpoint, followed by credential theft or reuse, and then additional RDP sessions to reach higher-value systems.