In all Windows operating systems the default port assigned to RDP (Remote Desktop Protocol) is TCP 3389.
If your computer is connected to the Internet directly (e.g., a VDS/VPS server), or you have configured forwarding of port 3389/RDP on your edge router to a Windows computer (server) in the local network, you can change the default 3389/RDP port to any other. By changing the RDP port number, you can hide your RDP server from simple port scanners, reduce the chance of RDP vulnerabilities being exploited (the last widely known RDP vulnerability, BlueKeep, is described in CVE-2019-0708), and reduce the number of RDP brute force attacks (don't forget to regularly analyze RDP connection logs), SYN floods and other attacks (especially when NLA is disabled). Changing the default RDP port is also useful when a router with a single public IP address is shared by multiple Windows computers to which you need to provide external RDP access: configure a unique RDP port on each computer and set up port forwarding (PAT) on your router so that, depending on the destination port, the remote session is forwarded to the corresponding internal computer.
When choosing a non-standard RDP port, note that it is not recommended to use ports 1-1023 (well-known ports) or the dynamic RPC port range 49152-65535.
Let’s try to change the port of Remote Desktop service to 1350. To do so:
- Open the Registry Editor and go to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp;
- Find the DWORD parameter with the name PortNumber. This parameter shows the port, on which the Remote Desktop service is listening;
- Change the value of this parameter. I have changed the RDP port to 1350 (Decimal);
You can change the registry parameter using PowerShell: Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" -Name PortNumber -Value 1350
- If Windows Firewall is enabled on your computer, you have to create a new rule that allows inbound connections to your new RDP port. (If you reconfigure a remote server over RDP without first creating the firewall rule, you will lose access to the server.) You can create an inbound allow rule for your new TCP/UDP RDP port manually in the Windows Defender Firewall console (firewall.cpl) or with PowerShell commands:
New-NetFirewallRule -DisplayName "New RDP Port 1350" -Direction Inbound -LocalPort 1350 -Protocol TCP -Action Allow
New-NetFirewallRule -DisplayName "New RDP Port 1350" -Direction Inbound -LocalPort 1350 -Protocol UDP -Action Allow
- Restart your computer or restart your Remote Desktop service with this command:
net stop termservice & net start termservice
- To connect to this Windows computer via RDP, you have to specify the new RDP connection port in your mstsc.exe client using the colon as follows:
RDPComputerName:1350
or by IP address: 192.168.1.10:1350
or from the command prompt: mstsc.exe /v 192.168.1.100:1350
- Then you will successfully connect to the remote desktop of the computer using the new RDP port. You can use the command
netstat -na | find "LIST"
to make sure that your RDS is listening on the new port.
Note: If you change the default RDP listening port number, you may have some troubles with using Remote Assistance and shadow RDP connections in Windows 10, as well as RDS shadowing on Windows Server.
The full PowerShell script to change the RDP port number, create the firewall rule and restart the Remote Desktop service on the new port may look like this:
Write-host "Specify the number of your new RDP port: " -ForegroundColor Yellow -NoNewline;$RDPPort = Read-Host
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP\" -Name PortNumber -Value $RDPPort
New-NetFirewallRule -DisplayName "New RDP Port $RDPPort" -Direction Inbound -LocalPort $RDPPort -Protocol TCP -Action Allow
New-NetFirewallRule -DisplayName "New RDP Port $RDPPort" -Direction Inbound -LocalPort $RDPPort -Protocol UDP -Action Allow
Restart-Service termservice -force
Write-host "The number of the RDP port has been changed to $RDPPort " -ForegroundColor Magenta
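As an added example (not the author's script), here is a more defensive variant of the procedure above: it validates the chosen port against the ranges mentioned earlier, creates the firewall rules before the registry change so a remote session is not locked out, and confirms that the Remote Desktop service is actually listening on the new port, rolling back if it is not. The names $NewPort, $RdpKey and $OldPort are assumptions of this example.

```powershell
# Added example: validate, apply and verify a new RDP port. Run elevated on the target host.
param([int]$NewPort = 1350)

$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Avoid well-known ports (1-1023) and the dynamic RPC range (49152-65535).
if ($NewPort -le 1023 -or $NewPort -ge 49152) {
    throw "Port $NewPort is in the well-known (1-1023) or dynamic (49152-65535) range."
}
# Refuse a port that some other process is already listening on.
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    throw "Port $NewPort is already in use by another listener."
}

$OldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Write-Host "Current RDP port: $OldPort -> new port: $NewPort"

# 1. Firewall rules first: if this fails, nothing has been changed yet.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "RDP $NewPort $proto" -Direction Inbound `
        -LocalPort $NewPort -Protocol $proto -Action Allow -ErrorAction Stop | Out-Null
}

# 2. Point the RDP-Tcp listener at the new port.
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort

# 3. Restart the service (-Force is needed because UmRdpService depends on TermService).
Restart-Service -Name TermService -Force

# 4. Verify the listener moved (TermService runs inside svchost); roll back otherwise.
Start-Sleep -Seconds 3
$listener = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue |
    Where-Object { (Get-Process -Id $_.OwningProcess).ProcessName -eq 'svchost' } |
    Select-Object -First 1
if (-not $listener) {
    Write-Warning "No RDP listener on $NewPort; restoring port $OldPort."
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $OldPort
    Restart-Service -Name TermService -Force
    exit 1
}
Write-Host "Remote Desktop is listening on TCP $NewPort (PID $($listener.OwningProcess))." -ForegroundColor Green
```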
You can change the RDP number remotely on multiple computers in your AD domain (in the specific OU) using Invoke-Command and Get-ADComputer cmdlets:
Write-Host "Specify the number of your new RDP port: " -ForegroundColor Yellow -NoNewline; $RDPPort = Read-Host
# Example OU path; replace with the distinguished name of your own OU
$PCs = Get-ADComputer -Filter * -SearchBase "OU=IT,OU=Computers,OU=NY,DC=contoso,DC=com"
Foreach ($PC in $PCs) {
    # The port number must be passed into the remote script block via -ArgumentList
    Invoke-Command -ComputerName $PC.Name -ArgumentList $RDPPort -ScriptBlock {
        param ($RDPPort)
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP\" -Name PortNumber -Value $RDPPort
        New-NetFirewallRule -DisplayName "New RDP Port $RDPPort" -Direction Inbound -LocalPort $RDPPort -Protocol TCP -Action Allow
        New-NetFirewallRule -DisplayName "New RDP Port $RDPPort" -Direction Inbound -LocalPort $RDPPort -Protocol UDP -Action Allow
        Restart-Service termservice -Force
    }
}
The method of changing the standard RDP port described in this post is suitable for any Windows version starting from Windows XP (Windows Server 2003) up to modern Windows 10 / Windows Server 2019 builds.