Remote Desktop Protocol (RDP) is a valuable feature that allows administrators and users to manage their Windows Server remotely. However, the default RDP port, TCP 3389, is a common target for automated attacks and port scans. For enhanced security, changing the default RDP port is a recommended best practice. In this article, we’ll walk you through the steps to change your RDP port safely on a Windows Server with minimal disruption.
Why Change the Default RDP Port?
Cyber attackers often scan the internet for open RDP ports using automated tools. By sticking with the default port, you increase your server’s visibility to such scans. Changing the RDP port doesn’t make your server invulnerable, but it adds an extra layer of security through obscurity.
Choosing a non-standard port makes it less likely that opportunistic attacks will notice your server. This tactic, when combined with additional security measures like firewalls and account lockout policies, can significantly improve your server’s chance of avoiding compromise.

Prerequisites
Before you continue, ensure:
- You have administrative privileges on the server.
- You have access to the server’s firewall settings.
- The new port you plan to use is not already in use and is allowed through your network’s firewalls.
It’s also highly recommended to create a backup or restore point in case you encounter issues during or after the procedure.
How to Change the RDP Port Safely
- Open Registry Editor
  Press Windows + R, type regedit and press Enter.
- Navigate to the RDP TCP Port Registry Key
  Go to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  Look for the value named PortNumber.
- Edit the PortNumber
  Double-click on PortNumber. Choose Decimal under Base and enter the new port number you wish to use (in the range 1025–65535). Click OK.
- Configure Windows Firewall
  Allow the new port in the firewall:
  - Open Windows Defender Firewall with Advanced Security.
  - Add a new inbound rule that allows TCP traffic on your chosen port.
  - Name the rule appropriately for easy identification.
- Modify Router or External Firewall (If Applicable)
  If you’re accessing the server through a router or hardware firewall, make sure to forward the new port to the server’s IP address.
- Restart the Server
  After making all changes, restart the server for the changes to take effect.
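The same steps as a PowerShell script, added here as an illustration and not part of the original article. The port 3390, the rule name and the $AllowedFrom variable are assumptions; the script also checks that the port is free and prints a rollback command.

```powershell
# Added example: run in an elevated PowerShell session on the server.
# 3390, the rule name and $AllowedFrom are illustrative assumptions.
$ErrorActionPreference = 'Stop'
[ValidateRange(1025, 65535)][int]$NewPort = 3390
$AllowedFrom = 'Any'   # tighten to trusted addresses, e.g. a VPN subnet
$key = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Prerequisite: stop if another service already listens on the new port.
$listener = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if ($listener) {
    throw "TCP $NewPort is already in use (PID $($listener[0].OwningProcess))."
}

# Record the current port so the change can be reverted from console access.
$oldPort = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber

# Create the firewall rule first so the new port is reachable after the reboot.
$ruleName = "RDP custom port (TCP $NewPort)"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $NewPort -RemoteAddress $AllowedFrom -Action Allow | Out-Null
}

# Write the new port as a DWORD and read it back to catch typos.
Set-ItemProperty -Path $key -Name PortNumber -Value $NewPort -Type DWord
$current = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
if ($current -ne $NewPort) { throw "PortNumber is $current, expected $NewPort." }

Write-Host "RDP port changed from $oldPort to $NewPort; restart the server to apply."
Write-Host "Rollback: Set-ItemProperty -Path '$key' -Name PortNumber -Value $oldPort -Type DWord"
```

Keep the printed rollback command somewhere reachable from console or hypervisor access before restarting.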
Test the New Port
After rebooting the server, attempt to connect using Remote Desktop with the new port:
your-server-ip:new-port
For example, if your new port is 3390, type 192.168.1.100:3390 into the RDP client. If the connection succeeds, your setup has been successful.

Important Security Considerations
- Use Strong Passwords: Ensure accounts accessible via RDP have strong, complex passwords.
- Enable Network Level Authentication (NLA): This adds a layer of authentication before a full RDP session is established.
- Restrict RDP Access: Limit RDP access to specific IP addresses or VPN users only.
- Monitor RDP Logs: Regularly audit login attempts to detect suspicious activity.
Changing the RDP port should be just one component of a broader server security strategy.
Precautions and Rollback
If you lose connection after the change, it could be due to improper firewall configuration or a typo in the port number. In such cases, access the server via the console or a backup access method (such as IPMI or a hypervisor interface) to revert the changes. Always plan for recovery access before making system-level changes.
Conclusion
Changing the RDP port on your Windows Server is a simple yet effective way to reduce the chance of brute-force attacks and unauthorized access. While it shouldn’t replace fundamental security practices, it enhances your defense in depth. By following the steps outlined above and taking necessary precautions, you can safely update your RDP port and harden your server against common threats.