By default, Windows uses TCP port 3389 to connect to the desktop of a remote computer via the RDP (Remote Desktop Protocol). This article describes how to change the default port number for the RDP service to a different port number for both desktop versions of Windows and Windows Server.
Once you have enabled RDP access in Windows, the TermService (Remote Desktop Services) service starts listening on TCP port 3389 (and, on Windows 8/Server 2012 and later, also on UDP 3389 for the RDP UDP transport).
Why might it be necessary to change the default RDP port 3389 to a different one?
- Most commonly, this is used to hide the RDP/RDS host from automatic port scanners that scan the Internet for Windows hosts with the default RDP port 3389 open.
- Changing the RDP port cuts the noise from opportunistic attacks: RDP brute-force attempts, SYN floods and exploitation attempts by mass scanners that only probe 3389. Be clear about what it does not do: a full port scan still finds the listener, and any RDP vulnerability is exactly as exploitable on port 1350 as on 3389. Treat the port change as noise reduction on top of patching, Network Level Authentication and account lockout, not as a substitute for them, and keep analyzing RDP connection logs regularly.
- Changing the RDP port is typically done on computers with a direct Internet connection (such as VPS/VDS) or in networks where the edge router forwards port 3389/RDP to a Windows host inside the LAN.
When changing the RDP port number to a non-standard one, do not use port numbers in the range 1 to 1023 (the well-known ports). Pick an unused port from the registered range (1024 to 49151). Avoid the dynamic range (49152 to 65535): Windows allocates ports from it for outbound connections and RPC endpoints, so a port that is free now may already be taken by the time TermService starts after a reboot. Make sure the port you choose is not being used by another process or service (in this example, 1350); the following command should return nothing (drop the final findstr "LISTENING" filter to also see UDP endpoints, which have no state):
netstat -aon | findstr ":1350" | findstr "LISTENING"
How to Change the Remote Desktop Port on Windows
To quickly replace the default RDP port number with the specified one, simply run the following commands with administrator privileges (in this example, we will change the port number that the Remote Desktop Service listens on to 1350):
set p=1350
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d %p% /f
netsh advfirewall firewall add rule name="Custom-RDP-Port-TCP" protocol=TCP localport=%p% action=allow dir=IN
netsh advfirewall firewall add rule name="Custom-RDP-Port-UDP" protocol=UDP localport=%p% action=allow dir=IN
net stop TermService /y
net start TermService
These commands will change the RDP port number, create inbound rules for the new port in the Windows Firewall, and restart the TermService service.
Let’s break down what these commands do and how to change the default RDP port number in Windows manually:
- Open the Registry Editor (regedit.exe) and go to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp;
- Find the DWORD registry parameter named PortNumber. This parameter contains the port number on which the Remote Desktop Service listens for connections. The default is 3389 (decimal);
- Change the value of this parameter. I changed the RDP port to 1350 (decimal). You can also change the registry parameter by using PowerShell:
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" -Name PortNumber -Value 1350
- Create new rules in Windows Firewall to allow incoming connections to the new RDP port number. If you are reconfiguring a remote Windows host over RDP, create the allow rules before restarting TermService; otherwise you will lose remote access to the host. Where possible, limit the rules to the source addresses that should be able to reach RDP instead of allowing any remote address. You can create inbound rules for the new TCP/UDP RDP port manually in the Windows Defender Firewall console (wf.msc) or with the PowerShell cmdlets:
New-NetFirewallRule -DisplayName "NewRDPPort-TCP-In" -Direction Inbound -LocalPort 1350 -Protocol TCP -Action Allow
New-NetFirewallRule -DisplayName "NewRDPPort-UDP-In" -Direction Inbound -LocalPort 1350 -Protocol UDP -Action Allow
- Restart Windows or restart the Remote Desktop Services service with the command (the /y switch answers the prompt about stopping dependent services, so the command does not hang in a script):
net stop termservice /y & net start termservice
- To connect to the Remote Desktop on this Windows computer using a custom RDP port, enter the port number in the mstsc.exe client after the IP address or hostname, separated by a colon, like this:
RDPComputerName:1350
or by IP address:
192.168.1.10:1350
or from the command prompt:
mstsc.exe /v:192.168.1.10:1350
If you are using the RDCMan manager for RDP connections, the new RDP port number is specified in the Connection Settings tab.
- You should now be able to connect to the remote desktop using the new RDP port number. To verify that the RDP service is now listening on a different port, run:
netstat -na | find "LIST"
Note that the UDP RDP port number has also changed to 1350 (the UDP endpoint is hidden by the "LIST" filter above; run netstat -na without it, or use the TCPView tool, to see it).
Use the Test-NetConnection cmdlet to check that the default RDP port 3389 is now closed (TcpTestSucceeded : False):
Test-NetConnection 192.168.3.102 -Port 3389 | Select-Object TcpTestSucceeded
To change the RDP port number on multiple domain computers, you can use Group Policy. Create a new GPO that deploys the PortNumber registry parameter with the new RDP port number to domain computers. The same GPO must also deploy matching inbound firewall rules for the new TCP and UDP port (Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security); otherwise the hosts become unreachable over RDP the next time TermService restarts or the computer reboots. The registry change itself only takes effect after that restart.
Change the Remote Desktop Listening Port with PowerShell
The complete PowerShell script code to change the RDP port number, create the firewall rules, and restart the RDP service might look like this (the port is validated before anything is changed, the registry value is written explicitly as DWORD, and the firewall rules exist before the service restart):
$RDPPort = [int](Read-Host -Prompt "Specify the number of your new RDP port")
if ($RDPPort -lt 1024 -or $RDPPort -gt 65535) { throw "Use a port number between 1024 and 65535" }
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" -Name PortNumber -Value $RDPPort -Type DWord
New-NetFirewallRule -DisplayName "NewRDPPort-TCP-In-$RDPPort" -Direction Inbound -LocalPort $RDPPort -Protocol TCP -Action Allow
New-NetFirewallRule -DisplayName "NewRDPPort-UDP-In-$RDPPort" -Direction Inbound -LocalPort $RDPPort -Protocol UDP -Action Allow
Restart-Service TermService -Force
Write-Host "The RDP port has been changed to $RDPPort" -ForegroundColor Magenta
If WinRM is enabled on the remote computer, you can use the Invoke-Command cmdlet to change the RDP port number remotely. Note that the command below only changes the registry value: you still have to create the firewall rules and restart TermService on the remote host, and you can do that inside the same Invoke-Command session, because WinRM uses its own ports (5985/5986) and is not affected by a TermService restart.
Invoke-Command -ComputerName wksname112 -ScriptBlock {Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP\" -Name PortNumber -Value 1350}
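The following function is an added example, not code from the original article, that ties the manual steps above into one checked procedure: it refuses a port inside the dynamic range or one that already has a listener, creates the firewall rules before the service restart (bound to the TermService svchost rather than to a bare port, and optionally limited to trusted source networks), switches the listener, verifies that TermService itself owns the new socket, and rolls back to the old port if the listener never appears. It assumes Windows 10/11 or Windows Server 2016 or later with the NetSecurity and NetTCPIP modules, an English netsh locale for the dynamic-range parsing, and an elevated session; the host name srv-rds01 and the 10.0.0.0/8 range in the usage lines are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Assumes English netsh output;
# srv-rds01 and 10.0.0.0/8 below are constructed placeholders.

function Set-RdpListenerPort {
    param(
        [Parameter(Mandatory)][ValidateRange(1024, 65535)][int]$Port,
        # Who may reach the new port; 'Any' reproduces the article's open rule.
        [string[]]$RemoteAddress = @('Any')
    )
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $oldPort = (Get-ItemProperty -Path $regPath -Name PortNumber).PortNumber

    # 1. Refuse the dynamic (ephemeral) range: Windows hands these ports to outbound
    #    connections and RPC, so after a reboot the port may already be taken.
    $dyn      = (netsh interface ipv4 show dynamicport tcp) -join "`n"
    $dynStart = [int][regex]::Match($dyn, 'Start Port\s*:\s*(\d+)').Groups[1].Value
    $dynCount = [int][regex]::Match($dyn, 'Number of Ports\s*:\s*(\d+)').Groups[1].Value
    if ($Port -ge $dynStart -and $Port -lt ($dynStart + $dynCount)) {
        throw "Port $Port lies in the dynamic range $dynStart-$($dynStart + $dynCount - 1); choose a port below $dynStart."
    }

    # 2. Refuse a port that something else already listens on (TCP or UDP).
    $tcp = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    $udp = Get-NetUDPEndpoint  -LocalPort $Port -ErrorAction SilentlyContinue
    if ($tcp -or $udp) {
        $pids = @($tcp; $udp) | Where-Object { $_ } | ForEach-Object OwningProcess | Sort-Object -Unique
        throw "Port $Port is already in use by PID(s) $($pids -join ', ')."
    }

    # 3. Firewall first, so a remote session is not cut off by the restart. Binding the
    #    rule to svchost.exe + TermService opens the port only for Remote Desktop itself.
    Get-NetFirewallRule -DisplayName 'RDP-Custom-*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "RDP-Custom-$proto-In-$Port" -Direction Inbound `
            -Protocol $proto -LocalPort $Port -Action Allow `
            -Program '%SystemRoot%\system32\svchost.exe' -Service TermService `
            -RemoteAddress $RemoteAddress | Out-Null
    }

    # 4. Move the listener.
    Set-ItemProperty -Path $regPath -Name PortNumber -Value $Port -Type DWord
    Restart-Service TermService -Force

    # 5. Verify that the TermService svchost (not some other process) owns the new socket.
    $deadline = (Get-Date).AddSeconds(30)
    do {
        Start-Sleep -Seconds 1
        $svcPid   = (Get-CimInstance Win32_Service -Filter "Name='TermService'").ProcessId
        $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
                    Where-Object OwningProcess -eq $svcPid
    } until ($listener -or (Get-Date) -gt $deadline)

    if (-not $listener) {
        # Roll back so the host does not end up reachable on neither port.
        Set-ItemProperty -Path $regPath -Name PortNumber -Value $oldPort -Type DWord
        Get-NetFirewallRule -DisplayName "RDP-Custom-*-In-$Port" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        Restart-Service TermService -Force
        throw "TermService did not start listening on $Port within 30 s; reverted to $oldPort."
    }
    [pscustomobject]@{ OldPort = $oldPort; NewPort = $Port; TermServicePid = $svcPid }
}

# Local use: only hosts in 10.0.0.0/8 (placeholder) may reach the new port.
Set-RdpListenerPort -Port 1350 -RemoteAddress '10.0.0.0/8'

# Remote use over WinRM; the TermService restart does not touch the WinRM session.
Invoke-Command -ComputerName srv-rds01 -ScriptBlock ${function:Set-RdpListenerPort} -ArgumentList 1350, '10.0.0.0/8'
```

The built-in "Remote Desktop" firewall rules stay bound to 3389 and simply stop matching once nothing listens there; the custom rules created here carry the port number in their name so a later run can find and replace them. Because the function throws instead of silently continuing, an Invoke-Command run over many hosts leaves you with a clear list of which machines did not end up on the new port.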