Remote Desktop Protocol (RDP) is a widely used protocol developed by Microsoft for remote access to Windows computers and servers. By default, RDP listens on port 3389, but there are several reasons you might want to change this port. In this blog post, we will look at which ports you can use for RDP, the reasons for moving off the default port, how to do so safely, and what the change does and does not buy you.
Default RDP Port: 3389
Port 3389 is the official and default port for RDP connections (registered with IANA as ms-wbt-server). When you connect to a remote machine using RDP, the client talks to the server over TCP on this port; since Windows 8 and Windows Server 2012 the RDP UDP transport uses the same port number as well. While the default is convenient, it is also the port that internet-wide scanners and brute-force bots probe first, so an RDP listener on 3389 attracts a steady stream of unauthorized logon attempts and exploit attempts as soon as it is reachable.
Why Change the Default RDP Port?
1. Enhanced Security
One of the primary reasons for changing the default RDP port is security. Attackers scan networks for open port 3389 looking for exposed systems, and moving RDP elsewhere hides it from scanners that only probe that port. Be clear about what this is: security by obscurity. A full-range port scan, or an internet search engine such as Shodan, still identifies the service on any port because the RDP handshake looks the same wherever it listens. Treat the change as noise reduction, not as protection against a targeted attacker.
2. Compliance with Network Policies
Some organizations or ISPs block traffic on port 3389 for security reasons. In such cases, changing the port may be necessary to comply with network policy while still enabling remote access. Confirm first that the policy permits RDP on another port rather than prohibiting RDP exposure altogether; routing around a control is not compliance.
3. Avoiding Port Conflicts
If several machines behind one public IP address need RDP access through port forwarding, each needs a distinct external port. Changing the listening port on each host (or mapping a distinct external port on the router to 3389 on each host) lets them be reached without interfering with each other.
4. Preventing Automated Attacks
Many automated bots and malware scripts are hard-coded to target port 3389. Changing the port cuts the volume of opportunistic brute-force attempts that actually reach the service, which keeps the Security log readable and reduces load; it does not stop an attacker who scans every port.
Alternative Ports for RDP
Although port 3389 is the standard, you can configure RDP to use other ports. Here are some considerations when selecting an alternative port:
1. Choosing a Non-Standard Port
When selecting an alternative port, use a number above 1024 to avoid the well-known service ports, and stay below the start of the Windows dynamic (ephemeral) port range, which Windows assigns to outbound connections and which begins at 49152 by default (check with netsh int ipv4 show dynamicport tcp). Examples of alternative ports include:
- 5000 – often used by other software, so confirm it is free before repurposing it for RDP.
- 6001 – used by some networking applications but otherwise free on most hosts.
- 12345 – a commonly chosen high-range port; popular enough that many scanners include it.
- 40000–49151 – rarely assigned to services, reducing the risk of conflicts and of automated attacks; stop short of 49152, where the default dynamic range begins.
2. Using Custom Ports
When choosing a custom port, make sure it does not conflict with another service on the host. Check with netstat (or Get-NetTCPConnection in PowerShell) that nothing is already listening on the chosen port, and that it is outside the dynamic port range described above.
How to Change the RDP Port on Windows
If you decide to use an alternative port for RDP, follow these steps to modify the RDP port in Windows:
Step 1: Modify the Windows Registry
- Press Win + R, type regedit, and press Enter to open the Windows Registry Editor.
- Navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
- Locate the PortNumber entry (a REG_DWORD; the default 3389 displays as d3d in hexadecimal).
- Right-click PortNumber, select Modify, choose Decimal, and enter your new port number (e.g., 5000).
- Click OK and close the Registry Editor.
Step 2: Configure Windows Firewall
To allow traffic on the new port:
- Open the Windows Defender Firewall.
- Click Advanced Settings.
- Select Inbound Rules > New Rule.
- Choose Port and click Next.
- Select TCP, enter the new port number, and click Next. Create a second, identical rule for UDP on the same port, because the RDP UDP transport follows the same port number.
- Choose Allow the connection, then select the network profiles the rule applies to. Domain and Private are usually enough; only include Public if the host is deliberately internet-facing.
- Name the rule (e.g., "Custom RDP Port") and click Finish.
Step 3: Restart the Remote Desktop Services
To apply the changes:
- Open Command Prompt as an administrator.
- Run the following command to restart the RDP service (the /y answers the prompt to stop dependent services; note that stopping the service disconnects every active RDP session, so do this from a console, not over RDP):
net stop termservice /y && net start termservice
- If Windows refuses to stop the service, restart the computer instead; a reboot is not otherwise required.
Step 4: Update Router Port Forwarding (If Necessary)
If you access RDP over the internet (which the security considerations below advise doing only through a VPN), update the port forwarding settings on your router:
- Log in to your router's web interface.
- Navigate to Port Forwarding.
- Create a new rule forwarding your chosen port (TCP and UDP) to the local IP address of the RDP server, and give that server a static address or DHCP reservation so the rule does not silently break.
- Save and apply the changes.
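The four steps above, performed end to end from an elevated PowerShell session, as an added example that is not part of the original post. It assumes Windows 10/11 or Windows Server 2016 and later, that it is run from a console or out-of-band session (the service restart drops live RDP sessions), the post's example port 5000, English-language netsh output for the dynamic-range check, and firewall rule names and the Domain/Private profile choice that are this script's own.

```powershell
# Added example (not the blog post's own code): move the RDP listener to a new port.
# Assumptions: elevated PowerShell, Windows 10/11 or Server 2016+, English netsh output,
# rule names and profile selection are this script's choice.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [ValidateRange(1025, 65535)]
    [int]$NewPort = 5000   # the post's example port
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$oldPort = (Get-ItemProperty -Path $regPath -Name PortNumber).PortNumber
if ($oldPort -eq $NewPort) { Write-Host "RDP already listens on TCP $NewPort"; return }

# Pre-flight 1: refuse a port that another listener already owns.
$owner = Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue
if ($owner) { throw "TCP $NewPort is already in use by PID $($owner[0].OwningProcess)" }

# Pre-flight 2: stay out of the dynamic (ephemeral) range that Windows hands to outbound
# connections; otherwise an outbound socket will eventually collide with the listener.
$dyn = (netsh int ipv4 show dynamicport tcp) -join "`n"
if ($dyn -match 'Start Port\s*:\s*(\d+)[\s\S]*?Number of Ports\s*:\s*(\d+)') {
    $start = [int]$Matches[1]
    $end   = $start + [int]$Matches[2] - 1
    if ($NewPort -ge $start -and $NewPort -le $end) {
        throw "TCP $NewPort lies inside the dynamic port range $start-$end; pick a lower port"
    }
}

# Step 1: registry. PortNumber is a REG_DWORD that the RDP-Tcp listener reads at service start.
Set-ItemProperty -Path $regPath -Name PortNumber -Value $NewPort -Type DWord

# Step 2: firewall. Open both TCP and UDP (the RDP UDP transport follows the same port number),
# on the Domain and Private profiles only.
foreach ($proto in 'TCP', 'UDP') {
    $name = "Custom RDP Port $NewPort ($proto)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol $proto -LocalPort $NewPort -Profile Domain, Private | Out-Null
    }
}

# Step 3: restart Remote Desktop Services so the listener rebinds. -Force also restarts
# dependent services (UmRdpService). Every active RDP session is disconnected here.
try {
    Restart-Service -Name TermService -Force -ErrorAction Stop
    Write-Host "RDP moved from TCP $oldPort to TCP $NewPort; connect with: mstsc /v:<host>:$NewPort"
} catch {
    Write-Warning "TermService did not restart ($_). Reboot the host to apply port $NewPort."
}
```

Leave the built-in "Remote Desktop" firewall rules for 3389 alone until the new port has been verified from a client; remove or disable them afterwards so the old port is not left open by accident.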
Testing the New RDP Port
To test whether RDP is using the new port, run the following in an elevated Command Prompt (the -o column shows the owning process ID, and the trailing space in the search string keeps 5000 from matching 50000 or 15000):
netstat -ano | findstr /C:":5000 " | findstr LISTENING
Replace 5000 with your chosen port number. A line such as TCP 0.0.0.0:5000 ... LISTENING followed by a PID means the port is open; tasklist /svc /fi "PID eq <that PID>" should list TermService for it, which confirms the listener is Remote Desktop Services and not some other program that grabbed the port.
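A fuller verification in PowerShell, added here as an example that is not from the original post: it checks that something listens on the new port, that the listener belongs to the Remote Desktop service rather than an unrelated process, and that the old port has actually closed. It assumes the post's example port 5000 and the default old port 3389; the host name in the commented client-side check is a placeholder.

```powershell
# Added example (not the blog post's own code): confirm the RDP listener really moved.
# Assumes the post's port 5000 and old port 3389; run elevated on the RDP host.
param(
    [int]$Port    = 5000,
    [int]$OldPort = 3389
)

# 1. Something must be listening on the new port (IPv4 0.0.0.0 and IPv6 :: each produce an entry).
$new = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $new) { throw "No listener on TCP $Port; the port change has not taken effect" }

# 2. The listener must be Remote Desktop Services. TermService runs inside a shared svchost.exe,
#    so compare process IDs rather than image names.
$termPid = (Get-CimInstance Win32_Service -Filter "Name='TermService'").ProcessId
$foreign = $new | Where-Object { $_.OwningProcess -ne $termPid }
if ($foreign) {
    throw "TCP $Port is owned by PID $($foreign[0].OwningProcess), not TermService (PID $termPid)"
}

# 3. The old port should no longer be listening; if it is, the service has not restarted
#    or the registry value did not apply.
if (Get-NetTCPConnection -LocalPort $OldPort -State Listen -ErrorAction SilentlyContinue) {
    Write-Warning "TCP $OldPort is still listening; restart TermService or reboot and re-check"
}

# 4. From a client, confirm reachability through the firewall before closing your current session.
#    Test-NetConnection only completes a TCP handshake; success does not prove RDP logon works.
#    Test-NetConnection -ComputerName rdp-host.example.internal -Port $Port   # placeholder host

"RDP listener verified on TCP $Port (TermService PID $termPid)"
```

Step 4 is the one people skip: keep your existing session open until a fresh connection to the new port succeeds, or a mistake in the firewall rule locks you out of the host.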
Security Considerations When Changing RDP Ports
1. Enable Network Level Authentication (NLA)
To enhance security, enable Network Level Authentication (NLA), which forces the client to authenticate (via CredSSP) before a session is created, so unauthenticated clients never reach the logon screen and its attack surface:
- Open Control Panel > System and Security > System and click Remote settings (on Windows 10/11 you can run SystemPropertiesRemote.exe directly, since the Control Panel page redirects to Settings).
- Under Remote Desktop, select "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)."
- Note that NLA changes what you see in the logs: failed logons still appear as Security event 4625, but with logon type 3 (network) instead of 10 (remote interactive), so adjust any alerting that filters on logon type 10.
2. Use a VPN for Remote Access
Rather than exposing RDP directly to the internet, consider using a VPN to securely connect to your network before using RDP.
3. Implement Two-Factor Authentication (2FA)
Use tools like Duo Security to add an extra layer of authentication before allowing an RDP session to start.
4. Monitor and Limit RDP Access
- Restrict RDP access to specific source IP addresses, by scoping the firewall rule's remote address and, where one exists, the allow list on the edge device.
- Monitor logon attempts: Security event 4625 records failures, and the RdpCoreTS/Operational log records the client address of failed connections, so failures can be counted per source and alerted on.
- Regularly update the operating system so that RDP-related patches are applied promptly.
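The NLA, allow-listing and monitoring points above, applied from PowerShell, as an added example that is not part of the original post. It assumes the firewall rule name "Custom RDP Port 5000 (TCP)" and a management subnet 10.0.0.0/24, both placeholders, and reads the Security log, so it must run elevated.

```powershell
# Added example (not the blog post's own code): harden and monitor the RDP listener.
# Placeholders: the firewall rule name and the management subnet below.
#Requires -RunAsAdministrator
$rdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$ruleName = 'Custom RDP Port 5000 (TCP)'   # placeholder: the rule created when the port was changed
$adminNet = '10.0.0.0/24'                  # placeholder: addresses allowed to reach RDP

# 1. NLA: UserAuthentication=1 is the registry form of the "Allow connections only from
#    computers running Remote Desktop with Network Level Authentication" checkbox.
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord

# 4a. Limit who can reach the listener: scope the inbound rule to management addresses.
Get-NetFirewallRule -DisplayName $ruleName | Set-NetFirewallRule -RemoteAddress $adminNet

# 4b. Monitor: count failed logons (Security event 4625) per source over the last 24 hours.
#     With NLA on, RDP failures arrive as logon type 3 rather than 10, so keep both; when the
#     IpAddress field is empty, the RdpCoreTS/Operational log (event 140) still carries the client IP.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
              -ErrorAction SilentlyContinue |
    ForEach-Object {
        # EventData is a list of <Data Name="..."> elements; turn it into a lookup table.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d.TargetUserName
            LogonType = $d.LogonType
            Source    = $d.IpAddress
        }
    } |
    Where-Object { $_.LogonType -in @('3', '10') }

$failed | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Source'; e = { $_.Name } } | Format-Table -AutoSize
```

A source that appears hundreds of times in that table is a brute-force attempt regardless of which port RDP listens on, which is exactly why the port change is a supplement to these controls rather than a replacement for them.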
Conclusion
While port 3389 is the standard for RDP, changing it reduces exposure to opportunistic scanning and automated attacks and can satisfy network policies; it does not hide the service from a full port scan. Modifying the port is therefore only one part of securing remote access, and the other steps, enabling NLA, reaching the host through a VPN, adding 2FA, and restricting and monitoring access, carry most of the weight.
By following these practices, you can use RDP on a custom port while keeping the risk low and the remote access experience uninterrupted.