In today’s digital landscape, where security threats loom around every corner, safeguarding our online assets has become more critical.
One area that often falls prey to malicious attacks is the Remote Desktop Protocol (RDP).
As a default gateway for remote connections, RDP provides convenient access to remote systems but presents a potential vulnerability if not properly protected.
To combat this vulnerability and fortify your defenses against cyber threats, it’s crucial to take proactive measures.
This article will explore a simple yet effective solution to enhance your network security: change the RDP default port.
By altering the default port used by RDP, you can significantly reduce the risk of unauthorized access and thwart potential attacks.
We’ll guide you through making this change, empowering you to fortify your system’s defenses against intruders and ensuring a safer and more secure remote connection experience.
So, if you’re ready to elevate your security posture and shield your network from malicious actors, let’s dive into the step-by-step process of changing the RDP default port.
Prepare to take control of your remote access and embrace a more secure digital environment.
What is RDP (Remote Desktop Port)?🤷♂️
Before delving into how to change RDP default port, let me give a detailed explanation of RDP. If you are familiar with this, you can jump to the next session, where I take you on a step-by-step guide.
The Microsoft proprietary protocol known as RDP or Remote Desktop Port enables remote access or computer connections.
It does this using the default TCP 3389 port. The protocol makes use of an encrypted channel to provide network access.
This protocol is especially important to network admins who find it useful for login servers, diagnosing issues, and performing other remote operations.
Users would also find it beneficial for remotely access an organization’s network, using files and services remotely.
CTAs or Cyber threat actors/hackers also find this a very important tool and would use the protocol to gain access to devices and networks in cases where RDP ports are misconfigured.
Once in, they have access to the entire network and can escalate user privileges, access sensitive and confidential files, inject malware and gain access to vital credentials.
When CTAs use this protocol, they can keep a low profile especially since they use a trusted network service. Using a range of tools, they would be able to scan internet devices for open RDP ports.
Once these are located, with some brute force, they may gain access to a vulnerable organization’s network. Unfortunately, in the black market of the dark web, many compromised credentials for Remote Desktop Ports are on sale.
The MS-ISAC in 2018 documented a spike in ransomware variants. Most of these were seen to be strategically targeted at networks through poorly secured or misconfigured RDP ports and in some cases, password brute force attacks.
Recommendations For RDP
Examine the requirement for RDP, port 3389, to be open on workstations and, if necessary, do the following:
- Install a firewall before any machine with an active RDP port and demand users to connect through a VPN.
- To protect against brute-force attacks, use multi-factor authentication, strong passwords, and account lockout rules.
- Connections to certain trustworthy hosts should be whitelisted.
- If feasible, limit RDP logins to approved non-administrator accounts. Follow the principle of lowest privilege, making sure that users only have the access they need to do their tasks;
- Keep a journal and go over it afterward. RDP login attempts should be checked for unusual behavior and kept for at least 90 days. Ensure that this service is only accessible by authorized users.
If RDP isn’t needed, make sure the ports are protected frequently.
Make sure the cloud-based solutions follow your cloud service provider’s best practices. After you’ve set up your cloud infrastructure, make sure RDP ports aren’t activated unless it’s for special reasons.
Activate automatic updates on the operating system to ensure the client and server software is up to speed.
Change RDP Default Port: Step-By-Step
The first step of this process is changing the RDP port in the registry.
Here is the process for it:
Step 1:- Open your registry Editor (Regedit) – Use the keyboard hotkey Windows + R to open the run box where you should type in “Regedit” followed by hitting enter or clicking the OK button.
When the registry editor opens, navigate to the following location on your left pane:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
After clicking on RDP-TCP, select the port number option at the right pane.
You should get a pop-up box. In the Value data textbox, edit the values for the new port number update it with 3489 or some other value you choose and click OK. You would have to select the Decimal radio bottom before doing this.
Step2:-
Now we are done with the “Change RDP Default Port” process on the registry, you could close the registry and proceed to the next stage of the process.
This next step would make sure that traffic can pass through the newly assigned Remote Desktop Port.
Here are the steps:
On your Windows 10, navigate Control Panel, All Control Panel Items, and Windows Firewall.
On the left pane, select the option for Advanced Setting.
On the left pane of the new window, select the option for inbound rules, then click on the new rule option.
On the first window that appears, select the port option and click the next bottom.
On the next window, select the “TCP” protocol option (this may be the default). Change the value of the “Specific local ports” option to the value of the updated RDP you created on the registry. After this, click on the Next button.
When the next window appears, leave all the settings in the defaults and click on the Next button.
After this, you would have the option to apply the rule to all your network profiles, click the Next button.
In the next screen that appears you would need to type a recognizable name in the name textbox. You should choose any name that you like for this section. Once it is done, click the Next button again.
Once this is done, you would have to start the steps all over from when you created a new inbound rule. When you get to the step where you selected TCP, this time, select the option for UDP.
Restart your PC after establishing the 2 (two) incoming rules, and you’ll be able to connect to your computer from a remote desktop using the newly created port number.
Suppose you are using the custom RDP port number 8888 then you need to put the port like Remote_IP_address:8888
📗Change RDP Default Port FAQ📗
Why should I change the RDP default port from 3389?
Changing the default port adds a layer of security through obscurity, making it harder for automated scanners and bots to detect your RDP service. While not foolproof, it reduces exposure to common brute-force attacks targeting the well-known port 3389, especially on public-facing systems.
Is changing the RDP port sufficient to secure my remote access?
No, it’s just one step in a multi-layered approach. Combine it with strong authentication methods like multi-factor authentication (MFA), VPN tunneling, regular patching, and network segmentation to create robust protection against sophisticated threats.
Can I change the RDP port on Windows Server editions, and does the process differ?
Yes, the process is similar across Windows Server versions (e.g., 2019, 2022). Use the Registry Editor to modify the PortNumber value under the same key (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp), then update firewall rules. Always back up the registry first to avoid system instability.
What happens if I choose a port that’s already in use by another service?
Selecting a conflicting port (e.g., one used by HTTP on 80 or HTTPS on 443) can cause service disruptions or connection failures. Use tools like netstat or PowerShell commands (Get-NetTCPConnection) to check for open ports before assigning a new one, ideally in the range of 1024-65535.
How do I revert the RDP port back to the default 3389 if needed?
Reopen the Registry Editor, navigate to the RDP-Tcp key, and reset the PortNumber value to 3389 (in decimal). Then, delete or modify the custom firewall rules for the new port and recreate ones for 3389. Restart the system and test connectivity to ensure reversion.
Does changing the RDP port impact connection speed or performance?
Typically, no—port changes don’t affect bandwidth or latency since RDP operates over TCP/UDP regardless. However, if your firewall or router misconfigurations arise during the update, it could introduce minor delays; always verify rules post-change.
How can I test if the new RDP port is accessible after the change?
Use a remote client to connect via the format [IP_address]:[new_port] (e.g., 192.168.1.1:3489). Alternatively, run a port scan with tools like Nmap from an external network, or check Windows Event Viewer for RDP-related logs to confirm successful binds.
What are common mistakes to avoid when changing the RDP port?
Avoid forgetting to update both TCP and UDP firewall rules, which can block connections. Also, don’t use easily guessable ports like 3390, and ensure you’re not exposing RDP directly to the internet without additional safeguards like RD Gateway or Azure Bastion.
Is changing the RDP port compatible with third-party remote access tools?
It depends on the tool. Native Microsoft Remote Desktop clients support custom ports, but some alternatives (e.g., TeamViewer or AnyDesk integrations) may require reconfiguration. For RDP wrappers like Apache Guacamole, update the backend settings to match the new port.
How does changing the RDP port help with compliance standards like GDPR or HIPAA?
It demonstrates proactive risk mitigation by reducing attack surfaces, aligning with requirements for access controls and data protection. However, for full compliance, pair it with auditing, encryption, and incident response plans, as port obfuscation alone doesn’t meet all regulatory checkboxes.
What port range should I select for the new RDP port, and why?
Opt for a port in the registered range (1024-49151) to avoid conflicts with well-known ports (1-1023) used by system services or dynamic ports (49152-65535) assigned temporarily by the OS. This minimizes disruptions while keeping the port non-standard for added obscurity.
Does changing the RDP port require a system reboot to take effect?
Yes, in most cases, a reboot is necessary for the changes to fully apply, especially after registry modifications. However, you can sometimes restart the Remote Desktop Services via services.msc or PowerShell without a full reboot, though testing is advised to confirm.
Can I use PowerShell to change the RDP port instead of the Registry Editor?
Absolutely—PowerShell offers a safer, scriptable alternative. Use commands like Set-ItemProperty to update the PortNumber in the registry path, then configure firewall rules with New-NetFirewallRule. This method reduces manual errors and is ideal for automation in enterprise setups.
How does changing the RDP port affect multiple users or sessions on a server?
It applies globally to all RDP connections on the system, so all users must use the new port for access. In multi-session environments like Windows Server, notify users in advance and update any load balancers or connection brokers to prevent session interruptions.
Should I also update outbound firewall rules when changing the RDP port?
While inbound rules are critical for incoming connections, outbound rules may need adjustment if your setup involves reverse connections or specific egress policies. In standard scenarios, focus on inbound, but check for symmetry in restricted networks like those with custom security groups.
What alternatives to port changing can enhance RDP security more effectively?
Consider using Remote Desktop Gateway (RD Gateway) for encapsulation, Azure Bastion for cloud-managed access, or switching to protocols like SSH with port knocking. These provide stronger defenses than port obfuscation alone, especially against advanced persistent threats.
How do I recover if I lose RDP access after changing the port?
If locked out, access the machine physically or via console (e.g., through a hypervisor like Hyper-V or cloud portal) to revert the registry and firewall changes. Always test from a local session before applying, and maintain alternative access methods like SSH or KVM.
Is changing the RDP port advisable in cloud environments like AWS or Azure?
Yes, but follow provider-specific guidelines—use security groups in AWS EC2 or network security rules in Azure VMs to allow the new port. Avoid exposing RDP directly; instead, pair with VPNs or bastion hosts for compliance with cloud security best practices.
What other ongoing RDP risks should I monitor after changing the port?
Watch for credential stuffing, unpatched vulnerabilities (e.g., BlueKeep), session hijacking, and insider threats. Regularly audit logs for failed logins, enable Network Level Authentication (NLA), and use endpoint detection tools to catch post-exploitation activities.
Has the effectiveness of changing the RDP port evolved with 2025 security trends?
While still useful for basic obscurity, modern threats like AI-driven scans make it less impactful alone. Experts now emphasize zero-trust models, MFA everywhere, and automated patching over port changes, as per updated Microsoft guidelines emphasizing layered defenses.
How do I change the RDP port on non-Windows systems, such as Linux distributions using XRDP?
For Linux setups like Ubuntu with XRDP (an open-source RDP server), edit the configuration file at /etc/xrdp/xrdp.ini to update the port=3389 line to your desired port, then restart the XRDP service using sudo systemctl restart xrdp. This differs from Windows registry methods and requires ensuring the new port is open in tools like UFW or firewalld.
Should I implement certificate-based encryption alongside changing the RDP port?
Yes, for enhanced security, replace the self-signed certificate with a publicly trusted one from a certificate authority. This encrypts RDP sessions more robustly and addresses vulnerabilities in default setups, often flagged in PCI compliance scans—configure it via Remote Desktop Session Host settings in Server Manager.
What if I decide to disable RDP entirely instead of changing the port?
If RDP isn’t essential, disable it through System Properties (uncheck “Allow remote connections”) or via PowerShell with Set-ItemProperty -Path ‘HKLM:\System\CurrentControlSet\Control\Terminal Server’ -Name ‘fDenyTSConnections’ -Value 1. This eliminates port-related risks but may require alternatives like SSH for remote access.
How does changing the RDP port work in domain environments or with Group Policy?
In Active Directory domains, use Group Policy to enforce port changes across multiple machines: Create a GPO, navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections, and set “Set RD TCP listening port.” Link the GPO and apply it, ensuring consistency without manual registry edits per device.
What common passwords are hackers targeting RDP ports with in 2025, and how can I defend against them?
Recent analyses show attackers frequently using weak passwords like “password123,” “admin,” or seasonal variants (e.g., “Summer2025”). Enforce complex password policies via Group Policy, block common weak passwords with tools like Specops Password Policy, and monitor for credential stuffing attempts through event logs.
Final Words on Change RDP Default Port
In conclusion, changing the default port for Remote Desktop Protocol (RDP) is a vital step in enhancing the security of your system.
Implementing this simple adjustment can significantly reduce the risk of unauthorized access and potential attacks on your network.
Remember, the default RDP port is well-known to hackers, making it an easy target for malicious activities. Following the steps outlined in this article, you can safeguard your system and protect sensitive information from potential threats.
Changing the RDP default port involves a straightforward process, requiring you to modify the registry settings and update your firewall rules.
While it may seem like a minor adjustment, its impact on your system’s security is substantial. Choosing a unique and less predictable port makes it much harder for potential attackers to locate and exploit your RDP services.
Take proactive measures to ensure the safety of your system by following the guidelines in this article. Protecting your network from unauthorized access is crucial in today’s interconnected world, where cyber threats continue to evolve.
By making the necessary changes to your RDP default port, you fortify your system’s defenses and reduce the likelihood of falling victim to malicious activities.
Don’t wait until it’s too late. Implement the change today and enjoy the peace of mind of knowing your system is protected. Security is an ongoing process; staying ahead of potential threats is key.
By being proactive and securing your RDP connection, you are taking an important step toward safeguarding your digital environment.
Embrace the power of change and prioritize the security of your system by changing the RDP default port now.
