Port 3389/tcp is the IANA-assigned home of Microsoft's Remote Desktop Protocol and one of the most-attacked ports on the internet. RDP provides graphical remote access to and control of Windows desktops and servers, transmitting screen images, keystrokes, and mouse input between the client (mstsc.exe) and the Remote Desktop Services host; it is an extension of the ITU-T T.128 application-sharing protocol and supports Network Level Authentication (NLA), encryption, multi-monitor, and clipboard/printer/audio redirection. The IANA service name is ms-wbt-server ("MS WBT Server", contact Jordan Marchese, Microsoft; both 3389/tcp and 3389/udp are officially registered), but the registry cites no RFC — the protocol is documented in Microsoft's open MS-RDPBCGR specification series. Two security facts dominate the picture. First, BlueKeep (CVE-2019-0708) is a wormable, pre-authentication remote-code-execution flaw in Remote Desktop Services on legacy Windows, patched in May 2019 and the subject of CISA advisory AA19-168A and an NSA advisory. Second, exposed RDP is a relentless brute-force target and a leading ransomware initial-access vector — Sophos observed roughly two million failed logins across 999 source IPs over fifteen days in one study. For an analyst, an open 3389/tcp is RDP exposure and a high-risk finding when internet-facing: verify NLA is enforced, check the patch level for BlueKeep, review brute-force/lockout logs, and confirm whether the service should sit behind a VPN or RD Gateway rather than be public.
ms-wbt-server — "MS WBT Server"; reference (blank — no RFC cited in IANA registry); governing spec Microsoft MS-RDPBCGR (not the IANA-cited reference); contact Jordan Marchese (Microsoft), modified 2022-11-03 [IANA-assigned] — IANA Service Name and Transport Protocol Port Number Registryxrdp (open-source RDP server for Linux); registry-based port relocation (security-through-obscurity defeated by scanners) [Community-reported] — Microsoft docs