Many organizations use Remote Desktop connections in their normal troubleshooting procedures or operations. However, some attacks have occurred that exploited the ports typically used by Remote Desktop. To provide flexibility for remote administration, the Windows Firewall: Allow Remote Desktop exception setting is available. Enabling this setting configures Windows Firewall to open TCP port 3389 for inbound connections. You must also specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks this port and prevents the computer from receiving Remote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions list, Windows Firewall does not open the port. Some attacks can exploit an open port 3389. To maintain the enhanced management capabilities provided by Remote Desktop, you should configure this setting to Enabled and specify the IP addresses and subnets of the computers used for remote administration. Computers in your environment should accept Remote Desktop requests from as few computers as possible.