The default RDP (Remote desktop protocol) listening port number is 3389, which is utilized when connecting to any computer using the Remote Desktop Protocol. If there’s no organizational requirement to use this port, consider disabling it or changing the port number to enhance security and make it more challenging for potential attackers to exploit the default RDP port.
To know more about Remote desktop protocol, please refer to Microsoft documentation: Understanding the Remote Desktop Protocol (RDP).
In this blog post, we will learn how to change the RDP port from the default port, 3389, to any other available port number, for example, 3391. You can make this change manually via the registry or simple Powershell commands.
Table of Contents
Changing RDP Port number via Windows Registry Editor
I will execute this command on a Windows 11 computer called Techpress-W-28 to change the RDP port number. Before executing any command, it’s essential to know the current configuration. The RDP port number is stored in the Windows Registry. Follow these steps to locate and modify it manually:
- Press the Windows key + R to open the Run dialog box.
- Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp registry key.
- On the right-hand side, locate a registry entry called PortNumber. It is typically set to 3389, which is the default port number.
- Double-click on the PortNumber and change the Base to Decimal. Provide the new port number and press OK to save.
- The new RDP port number has been set. Please restart your computer to apply this change.
Change RDP Port number using Powershell
Not only can you change the RDP port number using the Windows Registry Editor, as we saw in the previous section, but you can also use PowerShell commands for this purpose. Let’s go through the steps:
1. Check the Current RDP Port configured on the Device
Let’s first check the currently configured RDP Port on the device.
- Login on a Windows 10 or Windows 11 device as an administrator.
- Launch the Powershell console as an administrator and execute the following commands.
Get Currently Configured RDP Port
(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber").portnumber
As evident from the previous screenshot, executing the PowerShell command returns the default port number 3389. This command queries the registry to retrieve this information, which we explored in the previous section while learning to modify the RDP port number using the registry.
2. Change RDP Port Number
Utilize the following PowerShell commands to update the RDP port number. Begin by adjusting the value of the variable $newport with the desired port number. Then, execute the commands as listed.
For example, I changed the RDP port number on my PC to 3391 using the following commands. You can also copy these commands into Notepad and save the file as ‘ChangeRDPPort.ps1‘ to convert it into a PowerShell script.
ChangeRDPPort.ps1
$newport = 3391
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value $newportYou can execute the script on an individual device, or if the requirement is to change the RDP port across all devices in your organization, leverage the use of Active Directory Group Policy or the Intune admin center, depending on how you manage your devices.
If the devices are managed by Intune, you can create a Powershell script deployment to change the RDP port number, or you may use Intune Remediations.
Note
3. Adding Firewall Rules for Custom RDP Port
Simply changing the RDP port number may not suffice. You must create the required Inbound rules in the Windows firewall to allow access to the new RDP port number. Let’s review the steps to configure this.
Add Firewall Rules to allow RDP on the custom port
$newport = 3391
New-NetFirewallRule -DisplayName 'Custom RDP PORT TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort $newport
New-NetFirewallRule -DisplayName 'Custom RDP PORT UDP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol UDP -LocalPort $newport
When you open Windows Defender Firewall with Advanced Security, you will find the two new Inbound rules we created using PowerShell commands. These rules allow users to connect to this PC using the new custom RDP port we configured.
4. Restart Remote Desktop Services
To apply the changes to the RDP port number on your device, you have two options: restart the Remote Desktop Services service or reboot the computer. If you prefer using a PowerShell command for restarting the service, you can use the following:
Restart RDP Sevice
Restart-Service TermService -Force
Verify Custom RDP Port Number
Now that we’ve restarted the RDP service let’s verify if the RDP port is configured and ready for use. You can use either the Windows Registry Editor or PowerShell to check and confirm this.
1. Using Windows Registry Editor
- Press the Windows key + R to open the Run dialog box.
- Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp registry key.
- On the right-hand side, locate a registry entry called PortNumber. The decimal value of this port should be set to 3391, which is our custom RDP port number on this device.
2. Using Powershell Commands
You can use the following PowerShell command to confirm the new custom RDP port number on your device. Since we changed the RDP port to 3391, executing this command will output 3391 on the PowerShell console.
Confirm Custom RDP Port number
(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber").portnumberConnect using a Custom RDP Port number
When connecting to a remote computer using Remote Desktop Connection (mstsc), there is no need to specify the port number. The default port used by Remote Desktop Connection is 3389.
However, after changing the default RDP port number on the device, when attempting to connect using the RDP protocol, you must specify the port number. To specify the port number, you can use the format: ComputerName:RDPPortnumber or IPAddress:RDPPortNumber.
- Press Windows + R to open the Run dialog box.
- Type
mstscand press Enter to open Remote Desktop Connection.
- This will open the Remote Desktop Connection. Type the computer name and the new custom RDP port number, separated by a colon, and click the Connect button.
Conclusion
In this blog post, we discussed the Remote Desktop Protocol default port and learned how to enhance security by changing it to a custom port number. This practice is crucial for fortifying your device against attacks that target default ports.
If you have an Internet-facing server accessed via RDP, it is highly recommended that you change the default port number for an added layer of security. Moreover, consider allowing RDP only through the organization-provided and configured Virtual Private Network (VPN) while blocking access for other devices. This additional measure further safeguards your remote server.
