
Ports, Protocols, and Backdoors: How to Protect LDAP, RPC, RDP, and Beyond

Published October 21, 2025


More than 600 million cyberattacks occur globally each day, but not every breach is unavoidable. All too often, attackers prey upon well-known security weaknesses within operational norms.  

Lightweight Directory Access Protocol (LDAP), Remote Procedure Call (RPC), and Remote Desktop Protocol (RDP) are some of IT operations’ most important connective tissue, allowing users to connect, administrators to manage devices, and services to communicate across the environment. But at what cost?  

Insecure remote management protocols and sensitive ports introduce hidden network security vulnerabilities, creating a backdoor for attackers that defenders have long been forced to leave unlocked. We’ll take a closer look at how common ports and protocols like LDAP, RPC, and RDP leave organizations exposed – and what you can do to enhance security without disrupting operations.  

Connectivity, Control, and Lateral Movement: How Common Protocols Create Security Risks  

Enterprise networks typically rely on a set of key ports for authentication, remote access, and administrative activity. These include:  

  • LDAP ports 389 or 636 for identity lookups and authentication 
  • Port 135 and a dynamic range of high ports for RPC functions like management and service calls 
  • RDP port 3389 for remote logins and system administration 

However, the same protocols that underpin modern connectivity often blaze lateral movement trails for attackers, making them a common vector in zero-day attacks. Because protocols like LDAP, RPC, and RDP offer legitimate functionality that’s vital for operations, risky ports often remain open by default. These always-on pathways make it easy for attackers to gain a foothold in the network, escalate privileges, and pivot to sensitive systems.  

LDAP Ports and Identity Security Vulnerabilities  

LDAP interacts with the Active Directory schema; it’s commonly used to query information about users and groups. LDAP ports (389, 636) must be left open on domain controllers for the environment to function. 

But reconnaissance is typically first on an attacker’s agenda after gaining network access – almost always, the domain controller is a recon target as it contains a wealth of information, including accounts, computers, services, groups, DNS data, GPO policies, CA data, and much more. 

With this understanding, it’s easy to see why attackers have increasingly leveraged attacks that rely on unexpected or overly permissive LDAP operations in recent years.  

Real-World Examples: LDAP Attacks   

The last few years have seen a surge in LDAP-based exploits, including:  

In all of these examples, attackers use legitimate LDAP functionality to evade detection, leaving defenders scrambling to respond.  

RPC: Exposed Services, Expanded Attack Surface  

RPC drastically increases an organization’s attack surface by exposing services on sensitive servers like domain controllers. Because administrators don’t have granular control over which specific RPC services are exposed, they often allow any RPC traffic – this effectively exposes all RPC services remotely over the network. 

In other words, any Windows host that is accessible over the network offers an attacker hundreds of RPC functions to exploit, either by using stolen credentials or a vulnerability. What’s more, RPC can be transported on top of multiple protocols and can be exposed over dynamic endpoints.  

How Attackers Use RPC 

RPC communication is happening constantly across various applications and services, both locally and remotely. This prevalence is why RPC features so commonly in the tactics and tools that attackers favor.  

Broadly speaking, some of the RPC functions often used in attacks include:  

Importantly, this list isn’t exhaustive – in fact, many of the LDAP-based exploits identified in recent years have also relied on RPC.  

RDP Access and Lateral Movement Risks  

Because RDP allows interactive remote logins to Windows machines, it’s widely used by admins and hybrid workforces. While this tool is key to seamless operations, it can also leave organizations exposed.  

Adversaries often brute-force weak RDP passwords or buy compromised credentials on dark web marketplaces. In fact, brute-force attacks against RDP ports remain one of the top techniques for initial access – especially during ransomware attacks.   

Once connected, attackers can disable security software, exfiltrate data, or deploy ransomware manually. In other cases, adversaries use RDP to hop from one host to another while masquerading as legitimate admins, as seen in attacks like the SamSam and Conti ransomware campaigns.  

Despite these risks, statically closing RDP ports is a non-starter for most organizations, and because traditional MFA solutions operate at layer 7, dynamically securing RDP has been difficult.  

Best Practices for Securing RDP, RPC, LDAP, and Beyond 

To close some of the most common security gaps and broadly enhance cyber resilience, organizations should adopt a proactive approach designed to help defenders break free from the endless cycle of detection and response.   

Granularly Segment Assets and Identities 

Comprehensive microsegmentation allows organizations to contain threats before they spread, limiting the blast radius of any breach to the individual compromised asset. By applying this same granular approach to identities, defenders ensure hackers always hit a dead end – even when they’re wielding compromised credentials.  

Enforce Just-in-Time (JIT) MFA at the Network Layer 

Applying MFA to privileged ports, protocols, and accounts makes it much harder for attackers to exploit common network security weaknesses. With network-layer MFA, organizations can even secure ports like RDP, requiring just-in-time verification for access and otherwise closing them by default.  

Manage Outbound Traffic for Risky Protocols  

While network security strategies typically focus on protecting assets against incoming traffic, attackers have increasingly relied on communication to external servers in recent exploits. To ensure networks are effectively secured against zero days and other attacks, organizations can create outbound block rules for sensitive protocols like RDP and RPC using modern microsegmentation solutions. 

Safeguard Domain Controllers and RPC Operations  

Locking down RPC operations entirely isn’t viable, but that doesn’t mean it’s impossible to granularly control RPC with precise policies. RPC Firewall (RPCFW) functions at the application layer, allowing security teams to examine the full context of RPC calls and establish rules on which operations to allow or block, mitigating ~95% of the Domain Controller attack surface out of the box.  

Audit and Block Malicious LDAP Activity  

Because LDAP is integral to identity operations, it’s often left wide open internally. Attackers exploit that trust for reconnaissance, DACL manipulation, and more. To counter this, defenders need both visibility and robust control. 

Like RPCFW, LDAP firewall enables security teams to configure rules that allow or block LDAP requests by inspecting incoming LDAP operations. Configuring LDAP firewall to prevent these attacks can be achieved in four steps: filter out local LDAP activity, fingerprint remote malicious activity, capture normal activity to create a baseline, and combine these learnings into a single configuration file. 
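One way to carry those four steps through on captured LDAP activity, as an added example that is not ldapfw’s own code or configuration format: the pipe-separated log lines, the domain controller’s own addresses, the DACL-write fingerprint, and the JSON rule shape are all constructed assumptions here.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample of LDAP operations as "client_ip|operation|base_dn|attributes".
SAMPLE_LOG = [
    "10.0.0.5|search|DC=corp,DC=local|sAMAccountName,memberOf",
    "127.0.0.1|search|CN=Configuration,DC=corp,DC=local|objectClass",
    "10.0.0.5|search|DC=corp,DC=local|sAMAccountName,memberOf",
    "10.0.0.9|search|DC=corp,DC=local|sAMAccountName",
    "10.0.0.9|modify|CN=Admin,CN=Users,DC=corp,DC=local|nTSecurityDescriptor",
    "10.0.0.5|search|DC=corp,DC=local|sAMAccountName,memberOf",
]
DC_ADDRESSES = {"10.0.0.2"}  # assumption: the DC's own interface addresses
# Step 2 fingerprint: a remote client rewriting an object's security descriptor (DACL manipulation)
SUSPICIOUS_WRITES = {"nTSecurityDescriptor"}

def parse(line):
    ip, op, base, attrs = line.split("|")
    return {"ip": ip, "op": op, "base": base, "attrs": frozenset(attrs.split(","))}

def is_local(rec):
    """Step 1: filter out the DC's own traffic (loopback or its own addresses)."""
    return rec["ip"] in DC_ADDRESSES or ipaddress.ip_address(rec["ip"]).is_loopback

def is_suspicious(rec):
    """Step 2: flag remote writes that touch a fingerprinted attribute."""
    return rec["op"] == "modify" and bool(rec["attrs"] & SUSPICIOUS_WRITES)

def build_policy(lines, min_count=2):
    """Steps 3 and 4: baseline benign remote activity, then emit one rule set."""
    remote = [r for r in map(parse, lines) if not is_local(r)]
    flagged = [r for r in remote if is_suspicious(r)]
    # Baseline = (client, operation, base DN) tuples seen repeatedly and not flagged.
    baseline = Counter((r["ip"], r["op"], r["base"]) for r in remote if not is_suspicious(r))
    rules = [{"client": ip, "operation": op, "base": base, "action": "allow"}
             for (ip, op, base), n in baseline.items() if n >= min_count]
    rules += [{"client": r["ip"], "operation": r["op"], "attributes": sorted(r["attrs"]), "action": "block"}
              for r in flagged]
    rules.append({"client": "*", "operation": "*", "action": "audit"})  # catch-all: log, do not block
    return rules

def write_config(lines, path):
    """Step 4: combine everything into a single JSON configuration file."""
    rules = build_policy(lines)
    with open(path, "w") as f:
        json.dump({"rules": rules}, f, indent=2)
    return rules

if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_LOG), indent=2))
```

The catch-all rule audits rather than blocks so that activity the baseline never captured is logged and reviewed before being cut off.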

Dynamically Adapt Security Posture 

Static rules can’t protect a dynamic network. New services, integrations, and devices constantly reshape network communication patterns, leaving the potential for new security gaps.  

By automating policy creation and enforcement, organizations can ensure network segmentation and identity-based controls evolve alongside network changes – without risking operational hiccups.

How Zero Networks Unlocks Proactive Breach Containment and Seamless Operations 

With Zero Networks, it’s finally possible to close the security gaps that organizations have long accepted as unavoidable. Zero’s automated, identity-aware microsegmentation makes it easy to isolate and neutralize threats in real time, maintain proactive security controls without disrupting operations, and apply just-in-time MFA to ensure privileged ports and protocols only open after verification.  

Learn more about how Zero Networks can help you address hidden vulnerabilities without adding manual effort or operational complexity – request a demo.