What Is an RDP Brute Force Attack? A Plain-English Guide
Right now, somewhere on the internet, an automated script is trying to log into your Windows server. It is not personal. The script does not know who you are or what your business does. It found your server because port 3389 was open, and now it is working through a list of passwords — thousands per hour — hoping one of them works.
This is called an RDP brute force attack, and it is one of the most common ways businesses get compromised. If you run a Windows server with Remote Desktop enabled, this article is for you.
What is RDP, exactly?
RDP stands for Remote Desktop Protocol. It is a built-in Windows feature that lets you control a computer from somewhere else — your home office, a coffee shop, another country. Millions of businesses rely on it every day to manage servers, access files, and run applications remotely.
The problem is that attackers rely on it too.
How an RDP brute force attack works
The concept is simple. An attacker points an automated tool at your server's Remote Desktop login screen and starts trying username-and-password combinations. Think of someone standing at your front door with a keyring holding ten thousand keys, methodically trying each one.
Modern brute force tools can test thousands of combinations per minute. They pull from lists of commonly used passwords, leaked credential databases, and predictable patterns like Admin2026! or Company123. No human is sitting at a keyboard. The whole process runs on autopilot, often from networks of compromised machines spread across the globe.
If a password matches, the attacker is in — with the same access as a legitimate user.
Why attackers love RDP
Remote Desktop was designed for convenience, not for being exposed to the open internet. A few things make it an especially attractive target:
It is everywhere. Shodan scans consistently show millions of RDP servers directly reachable from the internet. Each one is a potential door to try.
The default port is well-known. RDP listens on port 3389 by default. Attackers do not need to guess — they scan the entire internet for that port and build target lists automatically.
There is no built-in rate limiting on most server versions. On many Windows Server installations, there is no default account lockout policy — an attacker can try passwords indefinitely unless you have configured lockout thresholds yourself. (Newer versions like Windows 11 and Server 2022 introduced default lockout policies, but many production servers still run without them.)
Stolen credentials are cheap. Access broker advertisements — where criminals sell stolen login credentials — grew 50% year-over-year in 2024, according to CrowdStrike. RDP credentials are among the most commonly traded. Attackers buy working logins in bulk, making brute force just one piece of a larger access economy.
The real-world damage
This is not a theoretical risk. The numbers from recent security reports paint a clear picture.
RDP is the most abused legitimate tool in cyberattacks. Sophos found that RDP was involved in 84% of managed detection and incident response cases in 2024. Even as awareness grows, their 2026 report still places RDP as the single most exploited legitimate tool in breaches.
Ransomware groups specifically target RDP. The Akira ransomware group — one of the most active in 2024 — uses several entry methods including RDP brute force, particularly against small and mid-sized businesses. CISA issued a dedicated advisory warning about Akira's tactics.
Small businesses bear the brunt. Small and mid-sized businesses are disproportionately targeted by ransomware. According to the Sophos State of Ransomware 2025 report, organizations with fewer resources and smaller IT teams face the highest risk — and recovery costs can be devastating for a small business, even before accounting for downtime and lost data.
Attackers work while you sleep. According to the Sophos 2025 Active Adversary Report, 83% of ransomware deployments in 2024 happened outside business hours. Their 2026 follow-up found this figure rose to 88%. By the time you arrive at work Monday morning, the damage may already be done.
Three myths that get businesses in trouble
"We have strong passwords — we're fine"
Strong passwords help, but they are not enough on their own. The Verizon 2025 Data Breach Investigations Report found that compromised credentials were involved in 22% of all breaches as the initial access method. More striking: 54% of ransomware victims had their credentials found in infostealer malware logs. These are passwords that were stolen from other breaches or captured by malware — no amount of complexity protects a password that has already been leaked.
For more on why passwords alone fall short, see our post on why a strong password is not enough.
"Nobody targets small businesses"
The opposite is true. Smaller organizations with limited IT resources are consistently among the most targeted by ransomware. Small businesses are attractive precisely because they typically have fewer security layers, smaller IT teams, and less monitoring in place.
"We would notice if someone was attacking us"
Probably not — at least not quickly enough. According to the Sophos 2025 report, the median time from initial access to Active Directory compromise was 11 hours — and their 2026 report found it dropped to just 3.4 hours. With the vast majority of ransomware dropped outside business hours, most attacks begin Friday evening and finish before anyone checks on Monday. Failed login attempts pile up in Windows Event Logs, but few organizations actively monitor them.
What you can do about it
The good news: protecting RDP does not require a massive budget or a dedicated security team. Here are practical steps that make a real difference.
Change the default RDP port. Moving RDP off port 3389 will not stop a determined attacker, but it eliminates the bulk of automated scanning traffic. It is a five-minute change that reduces noise significantly.
Enable Network Level Authentication (NLA). NLA requires users to authenticate before a full Remote Desktop session is established. This blocks many brute force tools that rely on reaching the login screen directly.
Restrict who can connect. Use your firewall to limit RDP access to specific IP addresses or ranges. If only your office and your home IP need access, there is no reason the entire internet should be able to reach port 3389.
Configure account lockout policies. Windows does not lock accounts after failed logins by default. Set a lockout threshold — for example, lock the account for 30 minutes after 5 failed attempts. This is a built-in Windows feature that many administrators never enable.
Use a VPN for remote access. Placing RDP behind a VPN adds a strong layer of protection. The RDP port never needs to be exposed to the public internet at all.
Add automated brute force detection. Tools that monitor login attempts and automatically block offending IP addresses close the gap between a failed login and a response. BruteFence is one option — it watches for repeated failed RDP logins and blocks the source IP in real time, installs in about five minutes, and runs entirely on your server with no cloud dependency. It is not the only tool in this category, but it is worth evaluating if you want something lightweight that works alongside your existing setup. You can read more in the documentation.
No single measure is bulletproof. The strongest protection combines several of these steps together.
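The following is an added example, not part of the original article, showing how three of the steps above (NLA, a firewall allow-list, and an account lockout policy) can be applied from an elevated PowerShell on a single Windows Server. It assumes the default RDP-Tcp listener and uses 203.0.113.0/24 as a placeholder for the only network that should reach RDP; on a domain, set the lockout policy through Group Policy rather than net accounts, which only affects the local account database.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# on the server you are hardening. 203.0.113.0/24 is a placeholder; replace it
# with your office or VPN address ranges.
$AllowedSources = @('203.0.113.0/24')

# 1. Require Network Level Authentication before a session is established.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord

# 2. Scope the firewall: add the narrow allow rule FIRST, then disable the
#    built-in "Remote Desktop" rules that accept 3389 from any address.
#    (Doing it in the other order over an RDP session locks you out.)
New-NetFirewallRule -DisplayName 'RDP - allowed sources only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AllowedSources -Action Allow -Profile Any | Out-Null
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 3. Account lockout: 5 failed attempts, 30-minute lockout, failure counter
#    resets after 30 minutes (the values the article suggests).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 4. (Optional) move the listener off 3389. Update the allow rule's -LocalPort
#    to match and restart TermService (or reboot) for the change to apply.
# Set-ItemProperty -Path $rdpKey -Name 'PortNumber' -Value 3390 -Type DWord

# Verify what is now in effect.
$nla = (Get-ItemProperty -Path $rdpKey -Name 'UserAuthentication').UserAuthentication
"NLA required: {0}" -f ($nla -eq 1)
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Select-Object DisplayName, Enabled
Get-NetFirewallRule -DisplayName 'RDP - allowed sources only' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
net accounts | Select-String 'Lockout'
```

The verification lines at the end are what to keep: re-run them after a Windows update or a colleague's "quick fix" to confirm the settings have not silently reverted.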
Check your server in five minutes
If your Windows server is online with Remote Desktop accessible, someone is likely already trying passwords against it. That is not meant to alarm you — it is just the reality of running internet-facing services in 2026.
The steps above are straightforward, and most of them take minutes, not hours. Pick one and start there. If you want to see what is happening on your server right now, BruteFence offers a free 7-day trial — at minimum, the login attempt logs will show you exactly how often your server is being tested.
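As an added example (not part of the original article, and not BruteFence's code), here is a five-minute version of the check this section describes: it tallies the failed logons that Windows records as Security event 4625, the entries that pile up unmonitored as noted above, by source address, and lists the addresses that crossed a threshold. It assumes an elevated PowerShell on the server itself and the standard 4625 data fields; $Block is a constructed switch that performs the same firewall response an automated blocker would, and should stay $false until you have confirmed your own addresses are not in the list.

```powershell
# Added example (not from the original article). Elevated PowerShell, run on the
# server being checked.
$Hours     = 24
$Threshold = 10       # flag any source with this many failures or more
$Block     = $false   # set to $true to add a firewall block rule per flagged source

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625                          # "An account failed to log on"
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue               # no matching events -> empty, not an error

# Pull the named data fields out of each event's XML.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        SourceIp  = $d['IpAddress']
        User      = $d['TargetUserName']
        LogonType = $d['LogonType']   # 10 = RemoteInteractive, 3 = Network (typical with NLA)
    }
}

# "-" and loopback sources are local service noise rather than remote guessing.
$remote = @($rows | Where-Object { $_.SourceIp -and $_.SourceIp -notin @('-', '127.0.0.1', '::1') })
$byIp   = @($remote | Group-Object SourceIp | Sort-Object Count -Descending)
"{0} failed logons from {1} source addresses in the last {2} hours" -f $remote.Count, $byIp.Count, $Hours

foreach ($g in ($byIp | Where-Object Count -ge $Threshold)) {
    $users = ($g.Group.User | Select-Object -Unique) -join ', '
    "{0,-40} {1,5} failures   usernames tried: {2}" -f $g.Name, $g.Count, $users
    if ($Block) {
        # Same response an automated blocker performs: drop inbound traffic from that source.
        New-NetFirewallRule -DisplayName "RDP brute force block $($g.Name)" -Direction Inbound `
            -RemoteAddress $g.Name -Action Block -Profile Any | Out-Null
    }
}
```

Scheduling this as a task that writes its output to a file gives you the weekend visibility the myths section says most organizations lack, without any cloud dependency.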