The most common task a Windows administrator has is remotely accessing their server. Microsoft makes this simple by providing a couple of RDP licenses. It's so easy, but it can just as easily open up vulnerabilities across your entire network. Here are a few things to consider:
There are automated systems constantly scanning for port 3389; you can expect your system to receive about 10 probes every minute.
Leaving the administrator account enabled means these automated services already know half of the equation (a valid username; only the password is left to guess).
Firewalls and anti-virus systems will not protect you if you leave these well-known ports and usernames at their defaults.
Okay, now that we know the reasons why, here are easy ways to avoid default ports and usernames:
Disable the administrator account; this is commonly documented as the first thing to do as a Windows administrator. If you decide to make this change after your network has been online for a while, make sure you cover dependencies first: you may have services that log on with this account, so be cognizant of services that could break.
Create a NAT policy to forward port 9998 to port 3389. This will immediately cut off these probes and lock down your server. While a port scan will still reveal port 9998, the automated probes that only try 3389 will no longer hit your server.
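The two steps above, as an added PowerShell example that is not part of the original post. It assumes an elevated PowerShell session on Windows Server 2016+ / Windows 10+ (for the LocalAccounts cmdlets), uses the post's alternate port 9998, and adds a dependency audit and a failed-logon check (Security event 4625) so you can see the probe volume before and after the change. Where the post moves the port with a NAT policy on the firewall, this script instead changes the RDP listener port on the host itself (the PortNumber value under the RDP-Tcp key) and opens that port in Windows Firewall; the $DryRun switch is a hypothetical helper for reviewing what would change:

```powershell
# Added example (not the original post's code): audit dependencies on the built-in
# Administrator account, disable it, move the RDP listener off 3389, then count
# failed logons. Run elevated. $DryRun is a hypothetical switch for review only.
param(
    [int]$NewRdpPort = 9998,   # alternate port from the post
    [switch]$DryRun
)

# Locate the built-in Administrator by its well-known RID (500), not by name,
# because the account may have been renamed.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $admin) { throw 'Built-in Administrator account (RID 500) not found.' }
Write-Host "Built-in Administrator is named '$($admin.Name)', Enabled=$($admin.Enabled)"

# 1. Dependencies: services and scheduled tasks that log on as this account.
#    The split on '\' strips a COMPUTER\ or DOMAIN\ prefix before comparing.
$svcDeps = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and (($_.StartName -split '\\')[-1] -eq $admin.Name) }
$taskDeps = Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -and (($_.Principal.UserId -split '\\')[-1] -eq $admin.Name) }

foreach ($s in $svcDeps)  { Write-Warning "Service '$($s.Name)' runs as $($s.StartName)" }
foreach ($t in $taskDeps) { Write-Warning "Scheduled task '$($t.TaskName)' runs as $($t.Principal.UserId)" }

if ($svcDeps -or $taskDeps) {
    Write-Warning 'Re-point these to a dedicated service account before disabling Administrator.'
}
elseif ($admin.Enabled) {
    if ($DryRun) { Write-Host "Would run: Disable-LocalUser -Name '$($admin.Name)'" }
    else {
        Disable-LocalUser -Name $admin.Name
        Write-Host 'Built-in Administrator account disabled.'
    }
}

# 2. Move the RDP listener: PortNumber in the registry plus an inbound firewall rule.
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$current = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Write-Host "RDP currently listens on TCP $current"
if ($DryRun) {
    Write-Host "Would set PortNumber=$NewRdpPort and add an inbound firewall rule for it"
}
elseif ($current -ne $NewRdpPort) {
    Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewRdpPort -Type DWord
    New-NetFirewallRule -DisplayName "RDP on TCP $NewRdpPort" -Direction Inbound `
        -Protocol TCP -LocalPort $NewRdpPort -Action Allow | Out-Null
    Write-Host 'Restart TermService (or reboot) for the new port to take effect.'
}

# 3. Check: failed logons (Event ID 4625) in the last 24 hours, grouped by the
#    account name that was tried. Property index 5 is TargetUserName for 4625.
$since  = (Get-Date).AddDays(-1)
$failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
            -ErrorAction SilentlyContinue)
Write-Host "Failed logons since ${since}: $($failed.Count)"
$failed | Group-Object { $_.Properties[5].Value } |
    Sort-Object Count -Descending | Select-Object -First 5 |
    ForEach-Object { Write-Host ('  {0,-20} {1}' -f $_.Name, $_.Count) }
```

Run it once with -DryRun to see the dependency warnings and the current port, fix anything that still logs on as Administrator, then run it for real. Rerunning step 3 a day after the change gives you a direct before/after count of the automated probes the post describes; if "Administrator" still tops the list, something is still reaching the listener and the NAT or firewall side needs another look.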