
Enhancing Your Security: How to Change the Default RDP Port

Sharma bal

Sep 9, 2024

Table of contents

  1. Why Change the Default RDP Port?
  2. Step-by-Step Guide to Changing the RDP Port in Windows
  3. Advanced Considerations about changing RDP port
  4. Troubleshooting Common Issues
  5. Best Practices and Recommendations for changing RDP port
  6. Conclusion

In our previous article, “What is RDP Port?”, we discussed the fundamental role of port 3389 in establishing Remote Desktop Protocol (RDP) connections. While this default port is convenient, it is so widely known that it is a frequent target for malicious activity such as brute-force attacks and port scanning. To bolster your system’s security, a crucial step is to change the RDP port to a less predictable number.

1. Why Change the Default RDP Port?

As highlighted in our introductory article, security is the primary reason for changing the default RDP port. Here’s a more detailed look:

  • Reduced Risk of Automated Attacks: Attackers often scan networks for open port 3389 to identify potential targets for RDP-based exploits or brute-force password attempts. Using a non-standard port significantly reduces your system’s visibility to these automated scans.
  • Obscurity as a Layer of Security: While changing the port isn’t a foolproof security measure, it adds a layer of obscurity that can deter less sophisticated attackers. It forces them to actively scan for your custom port, which requires more effort and can make your system less attractive as a target.
  • Mitigating Port Scans: Malicious actors often perform port scans to identify open services on a system. Changing the RDP port can help your server appear less vulnerable during such scans.

Trusted Statistic: Cybersecurity reports consistently show that services running on non-standard ports experience fewer automated attack attempts than those using default ports. This simple change can decrease the number of malicious login attempts on your RDP service.

2. Step-by-Step Guide to Changing the RDP Port in Windows

Important Note: Creating a system restore point or backing up the registry is highly recommended before making any changes to the Windows Registry. Incorrect modifications can lead to system instability.

1: Access the Registry Editor

  1. Press the Windows key + R on your keyboard to open the Run dialog box.
  2. Type regedit and press Enter (or click OK).
  3. Click Yes if prompted by User Account Control.

2: Navigate to the RDP Port Configuration Key

  1. In the Registry Editor window, use the left-hand navigation pane to expand the following path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  2. Carefully click on the RDP-Tcp folder.

3: Modify the PortNumber Entry

  1. In the right-hand pane, look for an entry named PortNumber.
  2. Double-click on PortNumber to open the Edit DWORD (32-bit) Value dialog box.
  3. Under the Base section, select Decimal. This will allow you to enter the port number in a more familiar format.
  4. In the Value data field, enter your desired new RDP port number.

Technical Hint: Choose a port number between 1025 and 65535. To prevent conflicts, avoid using well-known ports (0-1024) or ports already commonly used by other applications. Many administrators choose ports in the ephemeral port range (49152-65535). For example, you could use 50000, 55555, or any other number in that range that you can easily remember.

  5. Click OK to save the changes.

4: Close Registry Editor and Restart the Remote Desktop Services

  1. Close the Registry Editor window.
  2. Press Windows key + R again to open the Run dialog box.
  3. Type services.msc and press Enter or click OK.
  4. In the Services window, find the service named Remote Desktop Services.
  5. Right-click on Remote Desktop Services and select Restart.

Practical Hint: Restarting the service is usually sufficient for the port change to take effect. In some cases, a full system reboot might be necessary.

5: Update Windows Firewall Rules

After changing the RDP port, you need to update your Windows Firewall settings to allow incoming connections on the new port. Skipping this step may leave you unable to connect via RDP.

  1. Search for “Windows Firewall with Advanced Security” in the Start Menu and open it.
  2. Click on Inbound Rules in the left-hand pane.
  3. Look for existing rules related to “Remote Desktop.” You might see multiple entries.
  4. Modify Existing Rules (Recommended):
    • Find the rule(s) that specifically mention TCP and the old port 3389.
    • Right-click on each of these rules and select Properties.
    • Go to the Protocols and Ports tab.
    • In the Local Port field, change the value from 3389 to the new port number you chose in the Registry Editor.
    • Click Apply and then OK.
  5. Alternatively, Create a New Rule:
    • Click on New Rule… in the right-hand pane.
    • In the Rule Type window, select Port and click Next.
    • Select TCP in the Protocol and Ports window.
    • Under Specific local ports, enter the new port number you chose (e.g., 50000). Click Next.
    • In the Action window, select Allow the connection and click Next.
    • In the Profile window, choose the network profiles that apply (usually Domain, Private, and Public) and click Next.
    • In the Name window, enter a descriptive name for the rule (e.g., “RDP – New Port [Your Port Number]”). Click Finish.
    • To avoid confusion, you might want to disable or delete the old “Remote Desktop” rules for port 3389.

6: Connect Using the New RDP Port

To connect on the new RDP port, you need to specify the port number in the Remote Desktop Connection client.

  1. Open the Remote Desktop Connection application (search for it in the Start Menu).
  2. In the Computer field, enter the remote computer’s IP address or hostname followed by a colon and the new port number. For example, if your IP address is 192.168.1.100 and your new port is 50000, you would enter 192.168.1.100:50000.
  3. Click Connect and enter your credentials as usual.
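
Steps 1 to 5 above can also be scripted. The following PowerShell is an added example, not part of the original article; `$NewPort` and `$AllowedFrom` are constructed sample values, and limiting the rule to one subnet is an assumption about your network. It creates the firewall rule before restarting the service so that a remote administrator is not locked out.

```powershell
#Requires -RunAsAdministrator
# Added example. $NewPort and $AllowedFrom are constructed sample values.
$NewPort     = 50000
$AllowedFrom = '192.168.1.0/24'   # assumption: only this subnet needs RDP
$RegPath = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RdpKey  = "HKLM:\$RegPath"

# Stay inside the range given in the Technical Hint.
if ($NewPort -lt 1025 -or $NewPort -gt 65535) {
    throw "Port $NewPort is outside 1025-65535."
}

# Refuse a port that some other process is already listening on.
$inUse = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if ($inUse) {
    throw "Port $NewPort is already in use by PID $($inUse[0].OwningProcess)."
}

# Back up the key before touching it (the Important Note in section 2).
$backup = Join-Path $env:TEMP 'RDP-Tcp-backup.reg'
reg.exe export "HKLM\$RegPath" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; nothing was changed." }
$oldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber

# Step 5 first: allow the new port, scoped to the addresses that need it,
# before the listener moves.
New-NetFirewallRule -DisplayName "RDP - New Port $NewPort" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $NewPort `
    -RemoteAddress $AllowedFrom | Out-Null

# Step 3: write the new port number as a DWORD.
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

# Step 4: restart Remote Desktop Services (service name TermService).
# This disconnects any active RDP sessions.
Restart-Service -Name TermService -Force

"RDP port changed from $oldPort to $NewPort. Registry backup: $backup"
```

If you run this over an existing RDP session, expect the session to drop at the restart and reconnect using the new port as described in step 6.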

3. Advanced Considerations about changing RDP port

3.1 Firewall Rules

Updating your firewall rules to allow incoming connections on the new port number is essential when changing the RDP port. This prevents the firewall from blocking RDP traffic and ensures that you can still connect to the remote desktop.

Steps to update firewall rules:

  1. Access your firewall settings: The process for accessing firewall settings varies depending on your operating system and firewall software. On Windows, you can typically access the firewall settings through the Control Panel.
  2. Create a new rule: Create a new inbound rule for the incoming connections on the new RDP port number.
  3. Specify the port number: In the rule’s settings, specify the exact port number you’ve configured for RDP.
  4. Choose the action: Select “Allow the connection” as the action for this rule.
  5. Configure other settings: You may need to configure additional settings, such as the scope (e.g., local network, Geo-IP blocking), protocol (TCP or UDP), and profile (e.g., domain, private, public).
  6. Apply the rule: Save and apply the new firewall rule.

3.2 Network Address Translation (NAT)

If your network uses Network Address Translation (NAT) to translate private IP addresses to public IP addresses, you may need to configure NAT rules to allow traffic on the new RDP port.

Steps to configure NAT rules:

  1. Access your router or NAT device settings: Log in to the web interface of your router or NAT device.
  2. Locate NAT settings: Find the section related to NAT or port forwarding.
  3. Create a new rule: Create a new rule that specifies the new RDP port number on the external (public) interface and the corresponding port number on the internal (private) interface.
  4. Configure other settings: Specify the IP address of the remote computer and any other necessary settings.
  5. Save the rule: Apply the new NAT rule to allow traffic on the new RDP port.

Note: The exact steps for configuring NAT rules may vary depending on your router or NAT device. Consult the device’s documentation for detailed instructions.

Security Implications

Changing the RDP port can provide additional security by making the service less vulnerable to automated attacks that target the default port. Note, however, that changing the port alone is not sufficient to guarantee complete security. Other security measures, such as strong passwords, firewalls, and regular updates, are essential to protect your system from attacks.

Compatibility Issues

While changing the RDP port can provide security benefits, it may also introduce compatibility issues with certain software or network configurations. Some older or less-common RDP clients or servers may not support non-standard ports.

If you encounter compatibility issues, you may need to:

  • Update your RDP client: Ensure you’re using the latest version of the RDP client.
  • Check with your network administrator: If you’re in a corporate environment, consult with your network administrator to ensure that the new port is compatible with your network infrastructure.
  • Try a different RDP client: If you’re unable to resolve compatibility issues with your current RDP client, consider using a different client application.

By carefully considering these factors and following the steps outlined above, you can successfully change your RDP port while maintaining security and compatibility.

4. Troubleshooting Common Issues

Unable to Connect After Changing the Port:

  • Check Firewall: Double-check that you have correctly updated or created the inbound firewall rule for the new port.
  • Verify Registry Change: Ensure that the PortNumber value in the registry is indeed set to the new port and that the Base is set to Decimal.
  • Confirm Service Restart: Ensure the Remote Desktop Services service has been restarted successfully.
  • Incorrect Port in Client: Double-check that you are using the correct syntax (IP Address:PortNumber) in the Remote Desktop Connection client.
  • Router/Network Device Configuration: If you connect from outside your local network, ensure that your router or other network devices correctly forward the new port to the target computer’s internal IP address.

Practical Hint: Before attempting to connect from an external network, it’s a good idea to test the connection from a different computer on your network to ensure the new port is working correctly.
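
The checks in the list above can be run as read-only PowerShell. This is an added example, not part of the original article; `$ExpectedPort` and `$Target` are constructed sample values and `Get-InboundAllowRule` is a hypothetical helper name. It also reports any inbound allow rules still enabled for port 3389.

```powershell
# Added example: read-only checks, nothing is modified.
# $ExpectedPort and $Target are constructed sample values.
$ExpectedPort = 50000
$Target       = '192.168.1.100'   # only used by the client-side test
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Hypothetical helper: enabled inbound allow rules whose TCP local port is
# exactly $Port. Rules defined with a port range or "Any" are not matched.
function Get-InboundAllowRule([int]$Port) {
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains "$Port" } |
        Get-NetFirewallRule |
        Where-Object {
            $_.Direction -eq 'Inbound' -and
            $_.Action -eq 'Allow' -and
            $_.Enabled -eq 'True'
        }
}

# --- Run on the RDP host ---
$listener = Get-NetTCPConnection -State Listen -LocalPort $ExpectedPort -ErrorAction SilentlyContinue
[pscustomobject]@{
    RegistryPort     = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
    ServiceStatus    = (Get-Service -Name TermService).Status
    ListeningOnPort  = [bool]$listener
    RulesForNewPort  = @(Get-InboundAllowRule $ExpectedPort).DisplayName -join '; '
    RulesStillOn3389 = @(Get-InboundAllowRule 3389).DisplayName -join '; '
} | Format-List

# --- Run from another computer on the same network ---
Test-NetConnection -ComputerName $Target -Port $ExpectedPort |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

An empty `RulesForNewPort` or a `RegistryPort` that differs from the expected value points to the firewall or registry step; `TcpTestSucceeded : False` with everything else correct points to a device between client and host.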

5. Best Practices and Recommendations for changing RDP port

5.1 Best time for Changing RDP Port

While changing the RDP port can provide additional security benefits, it’s not always necessary. Consider these factors when deciding whether to change your RDP port:

  • Security concerns: If your system is frequently targeted by attacks or you’re handling highly sensitive data, changing the RDP port can help reduce your exposure.
  • Performance issues: If you’re experiencing performance problems with RDP, changing the port might help alleviate congestion and improve responsiveness.
  • Avoiding conflicts: If you have multiple services running on the same server and they’re conflicting with the default RDP port, changing the port can resolve the issue.

5.2 Best Practices for Security and Performance

  • Choose a non-standard port number: Avoid using commonly known port numbers that could be easily guessed by attackers.
  • Update firewall rules: Ensure that your firewall rules allow incoming and outgoing traffic on the new RDP port.
  • Use strong passwords: Implement strong passwords for both the RDP account and the server itself.
  • Enable two-factor authentication: Consider using two-factor authentication for added security.
  • Monitor network traffic: Keep an eye on network traffic to identify any potential issues that could be affecting RDP performance.
  • Optimize network settings: If necessary, adjust network settings such as MTU or QoS to improve performance.
  • Regularly update software: Keep your RDP client, server operating system, and other software up-to-date with the latest security patches.

5.3 Recommendations for Specific Use Cases

  • Home users: If you’re a home user and security is a primary concern, changing the RDP port can be a worthwhile measure. However, if you’re not experiencing any issues with the default port, it may not be necessary.
  • Small businesses: If you have a small business and are concerned about security, consider changing the RDP port. However, weigh the benefits against the potential complexity and compatibility issues.
  • Large enterprises: In large enterprises with complex network infrastructures, changing the RDP port may be necessary to avoid conflicts and improve security. Consult with your network administrator for guidance.

Conclusion

Changing the default RDP port may seem a relatively simple step, yet it effectively improves the security of your Windows system, especially when used for cloud rendering or other remote access scenarios. By making this change and ensuring your firewall is correctly configured, you can significantly reduce the risk of automated attacks targeting the well-known port 3389. As an additional crucial security measure, remember to choose a strong password for your RDP account.

By following these steps, you’ve taken a proactive approach to securing your remote access. Together with other security best practices, this will contribute to a more robust and protected system.
