How to Check for Remote Desktop Protocol (RDP) Services

Blog Post created by mjc on Mar 13, 2012

2012-03-14_1011.pngThere are many organizations concerned with the critical Microsoft Security Bulletin MS12-020 Remote Desktop Protocol (RDP) vulnerability. Here is a quick way to check if you have Remote Desktop Protocol running on your system or network. I used NMAP to check my home network.


In the highlighted text below you can see that NMAP can check for the RDP service running. If you can't patch, this is important because attackers won't be able to exploit MS12-020 with the service closed. It's just basic information security hygiene to disable services that you don't need.


If you must run RDP, you'll have to patch this soon. To verify patches actually worked, you'll need a vulnerability scanner. You can download Nexpose Community Edition for free here:  Free Vulnerability Scanner Download | Rapid7


It is important to note that RDP can run on any port, but TCP Port 3389 is the default.


To check one system:


mjc@msfdev:~$ nmap -p 3389

Starting Nmap 5.21 ( http://nmap.org ) at 2012-03-13 16:59 CDT
Nmap scan report for
Host is up (0.00035s latency).
3389/tcp open  ms-term-serv

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds


To check a network range:


mjc@msfdev:~$ nmap -p 3389                                                
Starting Nmap 5.21 ( http://nmap.org ) at 2012-03-13 17:07 CDT  
Nmap scan report for
Host is up (0.0065s latency).
3389/tcp closed ms-term-serv


Nmap done: 256 IP addresses (10 hosts up) scanned in 10.75 seconds