Port 3389: What's Using It and Is It Safe to Close?

Port 3389 is the Remote Desktop Protocol (RDP) port, used to control Windows machines remotely. Seeing it on a Mac is unusual and almost always tied to virtualization or remote-desktop software.

What typically listens on port 3389

• Windows VMs: Parallels, VMware Fusion, or UTM running Windows often expose RDP on 3389.
• Microsoft Remote Desktop: The Mac client connects outbound to 3389 on the machine you’re controlling.
• RDP server tools: Some cross-platform remote-access apps listen here.

Stock macOS does not open 3389. Apple’s own Screen Sharing and Remote Management use VNC on port 5900 instead.

Is it safe to close?

For macOS itself, yes. Nothing in the OS needs 3389. If a VM or remote-desktop tool opened it, closing the port ends that capability and nothing more. The one caution is ending an active remote session, so check that no one, including you, is mid-connection.

Is it suspicious?

On a Mac where you don’t run Windows VMs or RDP tools, an open 3389 deserves a closer look. RDP is one of the most aggressively scanned and exploited services on the internet, and a listener you didn’t set up is a genuine red flag. Identify the owning process first. If it’s your virtualization software, it’s expected; if it’s something you don’t recognize, investigate.

Never expose 3389 directly to the internet. RDP is a leading ransomware entry point; use a VPN for remote access instead.

How to find what’s on port 3389 on macOS

lsof -i :3389

The COMMAND column tells you whether it’s your virtualization software or something unexpected. To free it:

kill -9 $(lsof -ti :3389)

Portie lists port 3389 with its owning app in real time, and its remote scanner can verify whether 3389 is exposed on another host.