Still Using RDP Instead of a VPN in 2025? What the F*!k Are You Thinking?

Scene 1: An Open Port and a Prayer

Let’s not fuck about here.

If you're exposing RDP directly to the internet in 2025, you're a bloody menace. There is no kind way to say this. There is no "well, it's just temporary" or "only for me to check emails." You're lighting a flare for ransomware gangs and hoping they politely ignore you. Spoiler: they won’t.

Exposed RDP has been the way in for so many ransomware breaches it should have a support group. And yet, every week, someone decides it's fine to forward 3389 through the firewall and hope for the best. No VPN. No gateway. No MFA. Just pure, uncut negligence.

Still Think Changing the Port Helps?

Oh yes, the old chestnut.

“We moved it to port 3390, so it’s secure.”
Brilliant. That’ll confuse the three-year-old running Shodan scans, I’m sure.

Changing the port doesn't hide you. It advertises your incompetence with slightly more flair. Shodan and every mass scanner identify RDP by the protocol handshake, not by the port number: they connect to whatever is listening, send an RDP connection request, and your server politely answers. It's not clever. It's not "obscurity equals security." It's just lazy, embarrassing nonsense.
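To make that concrete, here is an added example (mine, not code from the original post or from any tool it mentions) of what a scanner actually does: it sends the X.224 Connection Request defined in MS-RDPBCGR and looks for the Connection Confirm that only an RDP listener returns. It goes one step further than the paragraph above and also reads the negotiation response, which tells you whether the server insists on Network Level Authentication or still offers the legacy security layer. The sample replies are constructed byte strings, not captures from any real system; `probe` is the only part that touches the network and is there so you can point it at your own address.

```python
"""Added example: fingerprinting RDP on any TCP port via the X.224 handshake
(MS-RDPBCGR 2.2.1.1 / 2.2.1.2). Sample replies below are constructed, not captured."""
import socket
import struct

# requestedProtocols / selectedProtocol flags (RDP_NEG_REQ / RDP_NEG_RSP)
PROTOCOL_RDP = 0x00000000        # standard RDP security, no NLA
PROTOCOL_SSL = 0x00000001        # TLS only
PROTOCOL_HYBRID = 0x00000002     # CredSSP, i.e. Network Level Authentication
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user authorisation

PROTOCOL_NAMES = {
    PROTOCOL_RDP: "standard RDP security (no NLA)",
    PROTOCOL_SSL: "TLS without NLA",
    PROTOCOL_HYBRID: "CredSSP (NLA)",
    PROTOCOL_HYBRID_EX: "CredSSP with early user auth (NLA)",
}

# failureCode values from RDP_NEG_FAILURE
FAILURE_NAMES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (19 bytes in total)."""
    neg_req = struct.pack("<BBHI", 1, 0, 8, requested)  # type=1, flags=0, length=8, protocols
    x224 = bytes([14, 0xE0, 0, 0, 0, 0, 0])              # LI=14, CR code, dst/src ref, class 0
    return struct.pack(">BBH", 3, 0, 4 + len(x224) + len(neg_req)) + x224 + neg_req


def parse_connection_confirm(data):
    """Classify a reply. Returns None when the bytes are not an RDP Connection Confirm."""
    if len(data) < 11 or data[0] != 3 or data[1] != 0:       # TPKT version 3, reserved 0
        return None
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len != len(data) or (data[5] & 0xF0) != 0xD0:    # 0xD0 = X.224 CC TPDU code
        return None
    result = {"rdp": True, "nla": None, "selected": None, "failure": None}
    if len(data) >= 19:
        typ, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
        if typ == 2:    # RDP_NEG_RSP: server chose a security protocol
            result["selected"] = PROTOCOL_NAMES.get(value, "unknown 0x%x" % value)
            result["nla"] = bool(value & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX))
        elif typ == 3:  # RDP_NEG_FAILURE: server rejected what we offered
            result["failure"] = FAILURE_NAMES.get(value, "unknown 0x%x" % value)
            result["nla"] = value in (5, 6)   # it is demanding CredSSP, so NLA is on
    else:
        # Bare Connection Confirm with no negotiation response: legacy server,
        # standard RDP security, no NLA.
        result["selected"] = PROTOCOL_NAMES[PROTOCOL_RDP]
        result["nla"] = False
    return result


def probe(host, port, timeout=3.0):
    """Live probe of one host:port. Needs network access; not used by the samples."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        return parse_connection_confirm(s.recv(1024))


# Constructed sample replies (not captures from any real system):
SAMPLE_NLA = bytes.fromhex("030000130ed00000123400" "0200080002000000")      # CC + NEG_RSP HYBRID
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")                      # CC only, 11 bytes
SAMPLE_FAILURE = bytes.fromhex("030000130ed00000123400" "0300080005000000")  # NEG_FAILURE code 5
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\n\r\n"                            # not RDP at all

if __name__ == "__main__":
    for name, reply in [("nla", SAMPLE_NLA), ("legacy", SAMPLE_LEGACY),
                        ("failure", SAMPLE_FAILURE), ("http", SAMPLE_HTTP)]:
        print(name, parse_connection_confirm(reply))
```

The "legacy" and "TLS without NLA" outcomes are the ones to worry about: without CredSSP the server runs the whole pre-authentication protocol stack for anyone who can reach the port, and only then asks for a password. NLA at least makes the client authenticate before a session is built, but it is still just a username and password unless you put MFA in front of it.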

Let's Talk About Passwords, Shall We?

You’re exposing RDP to the internet. So what’s the password?

  • admin / admin

  • companyname1

  • Welcome2023! (still)

  • your CEO’s dog’s name

If you don’t have MFA, that’s it. That’s all it takes. A basic brute force, or a slow password spray that stays under whatever lockout threshold you forgot to set. No zero-day, no nation-state sophistication. Just automated scripts hammering the logon with credential lists until one works.

And if that someone is using the same password they use for LinkedIn or Netflix? Game over.

What Actually Happens After They Get In

You’re not getting a courtesy email. There’s no pop-up saying, “Hey mate, just letting you know we logged in from Kazakhstan.”

No. They slip in quietly.

  • They check your network.

  • They map out your shares.

  • They dump credentials.

  • They look for backups.

  • Then they nuke the lot.

By the time you realise something’s wrong, it’s too late. Your files are gone. Your backups are encrypted. And someone is demanding Bitcoin while pretending to care about your recovery window.

And guess what? If you tell the ICO, they’ll ask what protections you had in place. And when you say “we opened a port to save time,” they’ll respond with a fine. Deservedly.

MSPs, Let’s Have a Word

If you’re an MSP still setting up RDP like this, I hope your insurance is paid up—because your client will come for you when it all goes sideways.

And they should.

You’re not doing them a favour. You’re not “saving them money.” You’re trading long-term security for short-term convenience, and you’re the first one who’ll be blamed when the lights go out.

If you think the fix is “we added an IP whitelist,” you’ve missed the fucking point. An allow-list narrows who can reach the port. It does nothing about who is holding the credentials once they do.

Remote access needs:

  • User validation

  • Device validation

  • Session validation

  • Access logging

  • Expiry controls

  • Strong MFA

  • Monitoring

Bare RDP, even on a non-standard port, gives you almost none of this: a username and password check, and a Security log that nobody reads.

Oh But We Have a Firewall

Great. That’s like saying “we have a door” in response to a burglary. Does your firewall log RDP attempts? Does it alert on brute force attacks? Does it enforce GeoIP restrictions? Do you even review the logs?

No? Then it’s a door with a welcome mat that says "Hack Me."
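The brute force from the passwords section and the “does it alert on brute force attacks” question above come down to the same thing: somebody, or something, has to look at the failed-logon events. Here is an added example (mine, not from the original post) that runs a sliding-window check over Windows Security log events 4625 (failed logon) and 4624 (successful logon) and flags three patterns: repeated failures from one address, one address trying many accounts, and a success right after a run of failures, which is the one that means they are in. The log lines are constructed for this example in a simplified whitespace-separated layout (timestamp, event ID, logon type, account, source address); a real export from Get-WinEvent, wevtutil or your SIEM carries the same fields under different names. Thresholds are assumptions to tune. One caveat worth knowing: with NLA on, failed RDP logons are recorded as logon type 3 (network) rather than 10 (remote interactive), so filtering on type 10 alone will miss them.

```python
"""Added example: sliding-window detection of RDP brute force, password spraying
and success-after-failures in Windows Security events 4625/4624.
The sample export below is constructed for this example, not a real capture."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified layout: timestamp event_id logon_type account source_ip
# Logon type 10 = RemoteInteractive (RDP); type 3 = Network, which is how RDP
# failures show up once NLA (CredSSP) authenticates before the session starts.
SAMPLE_LOG = """\
2025-03-01T02:14:05Z 4625 10 administrator 198.51.100.7
2025-03-01T02:14:06Z 4625 10 administrator 198.51.100.7
2025-03-01T02:14:07Z 4625 10 administrator 198.51.100.7
2025-03-01T02:14:08Z 4625 10 administrator 198.51.100.7
2025-03-01T02:14:09Z 4625 10 administrator 198.51.100.7
2025-03-01T02:14:10Z 4625 10 administrator 198.51.100.7
2025-03-01T02:14:11Z 4624 10 administrator 198.51.100.7
2025-03-01T02:20:00Z 4625 3 alice 203.0.113.9
2025-03-01T02:20:30Z 4625 3 bob 203.0.113.9
2025-03-01T02:21:00Z 4625 3 carol 203.0.113.9
2025-03-01T02:21:30Z 4625 3 dave 203.0.113.9
2025-03-01T09:00:00Z 4625 10 alice 192.0.2.50
2025-03-01T09:00:40Z 4624 10 alice 192.0.2.50
"""


def parse_events(text):
    """Parse the simplified export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account.lower(),
            "src": src,
        })
    return events


def detect(events, window=timedelta(minutes=5), max_failures=5, max_accounts=4):
    """Return {source_ip: [alert, ...]} using a sliding window of failures per source.

    Thresholds are assumptions for the example; tune them to your environment.
    """
    recent = defaultdict(deque)   # src -> deque of (time, account) failures inside window
    alerts = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in (3, 10):   # ignore console, service and batch logons
            continue
        q = recent[ev["src"]]
        while q and ev["time"] - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if ev["event_id"] == 4624:
            # A success straight after a run of failures means the guessing worked.
            if len(q) >= max_failures:
                alerts[ev["src"]].add("success_after_brute_force")
            continue
        if ev["event_id"] != 4625:
            continue
        q.append((ev["time"], ev["account"]))
        if len(q) >= max_failures:
            alerts[ev["src"]].add("brute_force")
        if len({acct for _, acct in q}) >= max_accounts:
            alerts[ev["src"]].add("password_spray")   # one source, many accounts
    return {src: sorted(kinds) for src, kinds in alerts.items()}


if __name__ == "__main__":
    for src, kinds in detect(parse_events(SAMPLE_LOG)).items():
        print(src, ", ".join(kinds))
```

Notice what the account lockout threshold would and would not have done here: it would have stopped the six-in-six-seconds run against administrator, and it would have done nothing about the spray, which touches each account once. That is why lockout, rate limiting on the edge and this kind of correlation are all on the checklist, and why the only tick that really ends the argument is not having the port open at all.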

The 2025 RDP Hall of Shame Checklist

Let’s see how many apply to your setup:

  • RDP port open to the internet

  • No MFA

  • No VPN

  • No conditional access

  • No logging

  • Default usernames

  • Passwords recycled from other services

  • No account lockout thresholds

  • Flat internal network

  • Backups stored locally on the same machine

  • No segmentation

  • No detection or alerting

If you ticked more than zero, you have a problem. If you ticked five or more, you are a breach waiting to happen. If you ticked all of them, stop reading and unplug your firewall before someone else does it.

There Are Alternatives. Use Them.

Option 1: VPN + Conditional Access

Yes, a real VPN. Not a free PPTP mess from 2010, whose authentication was broken years ago. Use certificate-based authentication, enforce device compliance, and require MFA.

Option 2: Remote Desktop Gateway

A proper RD Gateway tunnels RDP over HTTPS, enforces connection and resource authorisation policies, logs every session, and brokers between external users and internal desktops. It still needs MFA and proper configuration, but it is miles better than direct exposure.

Option 3: Azure Virtual Desktop / Windows 365

Desktops that exist in the cloud, with identity-based access, session isolation, policy enforcement, and real monitoring.

Option 4: Zero Trust Access Platforms

Solutions like Tailscale, Cloudflare Access, or any number of modern platforms that grant access without inbound ports or public IP exposure: the device connects outbound to the platform, and every connection is tied to an identity and a device rather than to whoever found the port.

If your IT provider isn’t talking to you about these options, get a new provider.

This Is Bigger Than “Just IT”

When your business gets encrypted because of exposed RDP, it doesn’t just affect the tech.

  • You lose customer trust

  • You lose contracts

  • You might face regulatory fines

  • You might trigger insurance exclusions

  • You lose days or weeks to recovery

  • You might never fully recover

This is a business issue. A board-level issue. And frankly, if you’re still using public RDP, you don’t have a cyber security strategy. You have a disaster plan — you just haven’t executed it yet.

You Think You’re Not a Target?

No one thinks they’re a target. Until they are.

You don’t need to be big. You don’t need to be valuable. You just need to be vulnerable.

Automated scripts don’t care who you are. They scan the entire internet. They find open ports. They brute force. They win.

RDP is how they get in. You’re letting them.

Final Words for the RDP Apologists

If you’re still running RDP exposed to the internet and think “we’ve never had a problem,” congratulations. Neither did the Titanic until it hit the iceberg.

Security is about minimising risk. You don’t have to be bulletproof. But you do need to stop putting a giant “shoot here” sticker on your network.

Close the fucking port. Put a VPN or gateway in front. Turn on NLA. Use MFA. Set lockout thresholds. Log your sessions. Act like your data matters.

Or just wait for the ransomware crew to do it for you. They’re very good at finding people like you.

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com