Change Default RDP Port for Security

Change Default RDP Port for Security: Step-by-Step Guide

Remote Desktop Protocol (RDP) by default listens on TCP port 3389, and changing this port can significantly improve security by reducing exposure to automated scans and brute-force attacks. By moving the RDP listener to a custom value, such as 3395 or 50000, you make it harder for attackers to locate and exploit your RDP service, thereby adding an extra layer of defense. While this isn’t a complete security solution on its own, it is a best practice when combined with firewalls, strong authentication, and multi-factor authentication (MFA). In this blog, we’ll explore why you should change the default RDP port for security, step-by-step instructions on how to do it, and best practices for securing remote desktop connections.

Why Change the Default RDP Port?

RDP is one of the most targeted services by attackers worldwide. Since port 3389 is the default, malicious bots constantly scan networks for open instances of this port. If they find it, they attempt brute-force logins or exploit known vulnerabilities.

By changing the port:

  • Reduced Attack Surface: Automated bots scanning only port 3389 will fail to detect your service.
  • Lower Log Noise: Security logs won’t be cluttered with endless brute-force attempts on the default port.
  • Additional Security Layer: While not a substitute for strong authentication, port obfuscation reduces opportunistic attacks.

This practice is often referred to as “security through obscurity,” and while it’s not a replacement for proper hardening, it’s an effective supplementary measure.

Step-by-Step Guide to Change Default RDP Port for Security in Windows

1. Backup Your System and Registry

Before making changes, always back up your system and export your registry settings. Editing the registry incorrectly may cause issues.

  • Press Windows + R, type regedit, and press Enter.
  • Navigate to File > Export and save a backup.

2. Open the RDP Port Registry Key

Navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Look for the entry named PortNumber.

3. Modify the PortNumber Value

  • Double-click PortNumber.
  • Change the Base to Decimal.
  • Enter a new port number (e.g., 3395, 50001, or another unused port between 1025 and 65535).
  • Click OK and close the registry editor.

4. Update Windows Firewall Rules

Since RDP is protected by Windows Firewall, you must add a new inbound rule for the port:

  1. Open Windows Defender Firewall with Advanced Security.
  2. Select Inbound Rules > New Rule.
  3. Choose Port and click Next.
  4. Select TCP, and enter your new port number.
  5. Allow the connection and give the rule a name like “Custom RDP Port.”

5. Restart the Computer

The change will not take effect until the machine is restarted.

6. Connect with the New Port

To connect, specify the new port when using Remote Desktop Connection:

ComputerName:PortNumber

For example:

192.168.1.10:50001
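The six steps above can be carried out from an elevated PowerShell session instead of the GUI. The script below is an added example written for this guide, not code from the original article: it exports the key as a backup, checks that the chosen port is in range and not already in use (the conflict case the FAQ warns about), sets PortNumber, adds the inbound firewall rule, and prints the client-side connection check to run before the old session is closed. The port value 50001, the rule name and the backup path are constructed for the example.

```powershell
# Added example (not from the original article): performs the article's
# registry and firewall steps in one script. Run it in an elevated PowerShell
# session on the Windows host that accepts RDP connections.
# The port value, rule name and backup path below are constructed for this example.

$NewPort  = 50001                       # must be unused and within 1025-65535 per the article
$RuleName = 'Custom RDP Port'           # the name suggested in the article's firewall step
$RdpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$Backup   = Join-Path $env:TEMP 'RDP-Tcp-backup.reg'

# Step 1: export the key before touching it (reg.exe writes a .reg file you can re-import).
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' $Backup /y | Out-Null

# Guard rails: range check, and refuse a port some other service is already listening on.
if ($NewPort -lt 1025 -or $NewPort -gt 65535) { throw "Port $NewPort is outside 1025-65535." }
$inUse = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if ($inUse) { throw "Port $NewPort is already in use by PID $($inUse.OwningProcess)." }

# Steps 2-3: PortNumber is a REG_DWORD; PowerShell writes it as a decimal, so no base switching.
$OldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord
Write-Host "PortNumber changed from $OldPort to $NewPort (backup: $Backup)"

# Step 4: inbound allow rule for the new TCP port, matching the GUI wizard choices.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $NewPort -Action Allow -Profile Any | Out-Null
}

# Steps 5-6: the listener only picks up the new port after a restart. Keep the current
# session open and verify from another machine before closing it.
Write-Host "Restart required. From a client, run:"
Write-Host "  Test-NetConnection -ComputerName <server> -Port $NewPort"
Write-Host "  mstsc /v:<server>:$NewPort"
# Restart-Computer -Force   # uncomment once you are ready to reboot
```

If the reboot leaves the host unreachable, the exported .reg file can be re-imported from a console session (or via out-of-band management) to restore port 3389 and the original rule set.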

Important Considerations

  • Don’t Choose Common Ports: Avoid ports like 80, 443, or 22, as these are typically used by other services.
  • Firewall Synchronization: If your system is behind an external firewall or router, update port forwarding rules accordingly.
  • Remote Management: Ensure you don’t lose remote access by testing the new port before closing your session.

Security Risks of Only Changing the Port

While changing the RDP port helps reduce exposure, it doesn’t make RDP inherently secure. Attackers using full port scans will still find it. That’s why it’s critical to combine this tactic with other security measures:

  • Strong Passwords: Use complex, non-dictionary passwords.
  • Account Lockout Policy: Limit the number of failed login attempts.
  • Network Level Authentication (NLA): Requires authentication before establishing an RDP session.
  • Multi-Factor Authentication (MFA): Add a second layer of identity verification.
  • IP Whitelisting: Restrict RDP access to trusted IP addresses.
  • VPN Access: Place RDP behind a VPN so it isn’t exposed to the internet at all.
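Three of the measures in this list (account lockout, NLA and IP allowlisting) can be applied on the host with a few commands. The script below is an added example for this guide, not code from the original article; it assumes an elevated session on the RDP host and that the firewall rule from the port-change step is named “Custom RDP Port”. The trusted networks and lockout thresholds are constructed placeholders to be replaced with your own values.

```powershell
# Added example (not from the original article): applies the article's
# "don't rely on the port alone" measures. Run in an elevated session on the
# RDP host. Network ranges and thresholds below are constructed placeholders.

$RdpKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RuleName    = 'Custom RDP Port'                  # the rule created when the port was changed
$TrustedNets = @('10.0.0.0/8', '203.0.113.0/24')  # constructed: replace with your admin networks

# Network Level Authentication: the client must authenticate before a session is created.
Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord

# Account lockout policy: 5 failed attempts, 15-minute lockout, counter resets after 15 minutes.
# net accounts edits the local policy; domain-joined hosts should get this from Group Policy.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 | Out-Null

# IP allowlisting: scope the inbound RDP rule to trusted sources instead of "Any".
Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $TrustedNets

# Print the resulting state so it can be reviewed before logging off.
Get-ItemProperty -Path $RdpKey -Name PortNumber, UserAuthentication |
    Select-Object PortNumber, UserAuthentication
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Apply the address restriction last and from a connection that originates inside one of the trusted ranges; otherwise the rule change cuts off the session that is making it.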

Benefits of Changing the RDP Port

  1. Immediate Reduction in Automated Attacks: Hackers scanning for port 3389 won’t see your service.
  2. Better Log Management: Security teams can spot suspicious activity more easily without constant noise from bots.
  3. Quick and Easy Implementation: It only takes a few minutes to implement and adds an extra barrier.
  4. Custom Security Layer: Works well in combination with MFA and VPNs.

Advanced Tips for Securing RDP

  1. Use Remote Desktop Gateway: Instead of exposing RDP directly, route connections through an RD Gateway with SSL encryption.
  2. Monitor Logs: Regularly check Event Viewer for login attempts.
  3. Enable Encryption: Ensure that only secure protocols are allowed (TLS 1.2 or higher).
  4. Use Group Policy: Configure policies that enforce stronger security, such as limiting RDP users to administrators or specific groups.
  5. Regular Updates: Keep Windows updated to patch vulnerabilities in RDP services.
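The “Monitor Logs” tip is easier to act on with a summary than by paging through Event Viewer. The script below is an added example for this guide, not code from the original article: it reads failed logon events (Security log, Event ID 4625) for the last 24 hours, keeps the logon types that RDP produces, and groups them by source address so a brute-force run shows up as one line. It assumes an elevated session on the RDP host; the time window and the failure threshold are constructed values.

```powershell
# Added example (not from the original article): summarises failed logon events
# (Security log, Event ID 4625) so brute-force attempts against the RDP listener
# stand out. Run elevated on the RDP host. $Hours and $Threshold are constructed.

$Hours     = 24
$Threshold = 10    # report source addresses with at least this many failures

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

# 4625 stores its fields as EventData; read them by name rather than by position.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$failures = foreach ($e in $events) {
    $logonType = Get-EventDataField $e 'LogonType'
    # Type 10 = RemoteInteractive (classic RDP). With NLA enabled, a failed RDP
    # logon is commonly recorded as type 3 (Network) instead, so keep both.
    if ($logonType -in '3', '10') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = Get-EventDataField $e 'TargetUserName'
            SourceIp  = Get-EventDataField $e 'IpAddress'
            LogonType = $logonType
        }
    }
}

# Group by source address; anything at or above the threshold deserves a look.
$failures |
    Group-Object SourceIp |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            SourceIp  = $_.Name
            Failures  = $_.Count
            Users     = ($_.Group.User | Sort-Object -Unique) -join ', '
            FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Format-Table -AutoSize
```

Running this before and after the port change gives a concrete measure of the “lower log noise” benefit: the count of distinct source addresses hitting the listener should drop sharply once port 3389 no longer answers.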

Frequently Asked Questions (FAQ)

1. What is the safest port to use for RDP?

  • There is no single “safe” port. Choose a random high-numbered port (e.g., 49152–65535) to reduce the chance of conflict with known services.

2. Can attackers still find RDP if I change the port?

  • Yes. A full port scan will still reveal it, but most automated scans only check the default port (3389). This reduces opportunistic attacks.

3. Do I need to change the RDP port on both client and server?

  • You only change it on the server. On the client, you just specify the new port when connecting.

4. Will this affect other applications?

  • Only if the port you select is already in use. Always test after applying changes.

5. Is changing the port enough to secure RDP?

  • No. It’s just one layer of security. Always combine it with strong authentication, MFA, and network restrictions.

Conclusion

Changing the default RDP port from 3389 to a custom value is a simple yet effective way to improve your Windows server’s security posture. While it won’t stop targeted attackers, it significantly reduces exposure to automated attacks and helps keep your system logs clean. However, you should never rely on this step alone. To truly secure RDP, combine port changes with robust firewalls, strong authentication, MFA, VPN access, and continuous monitoring.

By taking these layered precautions, you can enjoy the convenience of remote desktop while minimizing the risks.
