Alexander's Blog

Sharing knowledge with the global IT community since November 1, 2004

Secure Your Computer by Modifying the Default RDP Port Number


By default, Remote Desktop (formerly known as Terminal Services) listens on TCP port 3389. If you use Remote Desktop Protocol (RDP) to connect to your Windows computer, you might want to consider changing that default port for security reasons. Because a computer has 65,535 ports, changing the port used for remote desktop access makes it harder for an attacker to guess your custom port number. An attacker usually needs three pieces of information to break into your computer:

  1. IP address or domain name.
  2. Username.
  3. Password.

Because most people keep the default port number (TCP 3389), the attacker does not need to specify a port at all. Once you change the default, the attacker needs a fourth piece of information: the port number, which has to be guessed from among the 65,535 possible ports. Because some of those port numbers are reserved for other services, the real number is somewhat smaller than 65,535, but you get the idea.

The information in this article applies to all versions of the following Windows clients and servers.

Windows Clients

  • Windows 2000
  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10

Windows Servers

  • Windows Server 2000
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2012
  • Windows Server 2016
  • Windows Server 2019

How to Change the Default Port

The default RDP port can be changed by modifying the registry. The procedure is identical for Windows clients and servers.

WARNING! The following procedure requires modifying the registry and should only be done by a trained professional who knows how to work with the Windows Registry. Working with the Windows Registry is like doing brain surgery on your Windows computer. Modify the registry at your own risk.

  1. In the Windows Search box, type regedit.exe and press Enter. This will open the Registry Editor.
  2. As a precaution, back up the registry first. Highlight the Computer icon at the top of the registry tree.
  3. Right-click the Computer icon and select Export.
    Exporting Registry
  4. Enter a filename for the registry backup and click Save.
  5. Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.
  6. Double-click PortNumber in the right-hand pane.
  7. Click Decimal in the Base section and change the Value data to a different port number that is not in use, e.g. 56789, and then click OK.
    Custom Port Number
  8. Your screen should look something like this.
    Custom RDP Port Number
  9. Close the registry editor and reboot your computer.

There is one more thing that you need to do before you can connect to the computer remotely. You need to open this custom port in the firewall by adding a rule. Of course, if your firewall is disabled then you can skip this step.

WARNING! In general, you should never disable the firewall on any Windows workstation or Windows server on your network. In the old days, network administrators would disable the firewall on workstations and even servers because they felt the host firewall made it difficult for applications to communicate on the network, and they believed all internal computers were safe behind the corporate firewall. That may have been true in the 1980s and 1990s, but those days are long gone. Today every endpoint on the network needs to be protected, so the firewall should never be turned off on any Windows computer, at home or at work. Microsoft has made many changes to Windows in recent years, and installing an application on Windows automatically creates the rules that allow it to communicate properly on the network. Therefore, it’s best that you do not turn off the firewall.

Configure Firewall Rule

  1. Use the Windows Search box and type Control Panel.
  2. In the Control Panel click Windows Defender Firewall.
    Windows Control Panel
  3. Click Advanced settings in the left column.
    Windows Firewall Advanced Settings
  4. In the Windows Defender Firewall with Advanced Security window click Inbound Rules.
  5. In the right-hand Actions pane click New Rule.
  6. In the Rule Type window select the Port radio button.
    Firewall Rule Type - Port
  7. In the Protocols and Ports window, make sure TCP is selected and, in the Specific local ports box, enter the port number you want to use for RDP, e.g. 56789.
    Firewall Protocols and Ports
  8. In the Action window, click Next to accept the default option, Allow the connection.
    Windows Firewall - Allow Connection
  9. In the Profile window click Next so the rule applies to Domain, Private and Public profiles.
    Firewall - Profile
  10. In the Name window type a name for the rule, e.g. Custom RDP Port. You can also enter an optional description.
    Firewall Rule Name
  11. Click Finish.
  12. You can double-click the rule you created to verify the settings or make any changes if necessary.
    Custom RDP Port Properties
  13. You have successfully created the firewall rule to allow RDP on a custom port. There is no need to restart the computer. Close the Windows Firewall and Control Panel.

Connecting to a Remote Computer with Custom Port Number

  1. In the Windows Search box type mstsc.exe and start the Remote Desktop Connection app.
    Starting an RDP Session
  2. Type the computer’s IP address or the domain name, followed by the custom RDP port number, e.g. CONTOSO.COM:56789, and then click Connect.
    NOTE: If you use an IP address instead of a name, you still append the port number, e.g. 10.1.1.52:56789.
    Remote Desktop Connection (RDC)
  3. When prompted, enter the username and password to connect to the remote computer.

To determine which port number to use, visit TCP/IP port numbers. Port numbers 0 through 1023 are called well-known ports, while port numbers 1024 through 49151 are registered ports. It’s best to pick one of the port numbers between 49152 and 65535 because these are dynamic or private ports and are not likely to be used by any application or service that you are running. If you prefer a port number with four digits, just pick a random port number higher than 5000 and you should be in good shape.
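The same procedure as the registry, firewall and port-selection steps above, scripted in PowerShell. This is an added example, not code from the original article: it checks that the candidate port is in the dynamic/private range and not already bound, exports the RDP-Tcp key as a backup, sets PortNumber, creates the inbound TCP rule for all three profiles, and verifies both settings. It assumes Windows 8 / Server 2012 or later (for the Get-NetTCPConnection and New-NetFirewallRule cmdlets) and an elevated prompt; the port 56789 and rule name "Custom RDP Port" are the article's sample values, and the Test-RdpPortCandidate helper is this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the original article). Assumes Windows 8 / Server 2012+
# for the NetTCPIP and NetSecurity modules. 56789 and 'Custom RDP Port' are the
# article's sample values; change them to suit your environment.

$NewPort  = 56789                      # sample port from the article
$RuleName = 'Custom RDP Port'          # sample rule name from the article
$RdpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Sanity-check the candidate port: warn if it is outside the dynamic/private
#    range recommended above, and refuse it if something already listens on it.
function Test-RdpPortCandidate {
    param([int]$Port)
    if ($Port -lt 49152 -or $Port -gt 65535) {
        Write-Warning "Port $Port is outside the dynamic/private range 49152-65535."
    }
    $tcpInUse = Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue
    $udpInUse = Get-NetUDPEndpoint   -LocalPort $Port -ErrorAction SilentlyContinue
    if ($tcpInUse -or $udpInUse) {
        throw "Port $Port is already in use on this computer; pick another one."
    }
}
Test-RdpPortCandidate -Port $NewPort

# 2. Back up the RDP-Tcp key before touching it (the scripted equivalent of
#    right-click > Export in regedit, limited to the key we are changing).
$backup = Join-Path $env:USERPROFILE "RDP-Tcp-backup-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' $backup /y | Out-Null
Write-Host "Registry backup written to $backup"

# 3. Record the old value, then set the new one. PortNumber is a REG_DWORD,
#    which is why regedit asks you to switch the Base to Decimal.
$oldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord
Write-Host "PortNumber changed from $oldPort to $NewPort (takes effect after a reboot)"

# 4. Inbound firewall rule: TCP only, Allow, Domain/Private/Public, matching the
#    wizard steps in the article. Skip creation if a rule with this name exists.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Description 'Allow RDP on custom port' `
        -Direction Inbound -Protocol TCP -LocalPort $NewPort -Action Allow `
        -Profile Domain,Private,Public | Out-Null
}

# 5. Verify both settings before rebooting: the registry value and the rule's port filter.
(Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort

# 6. Reboot as the article says, then connect from another computer with the
#    port appended to the host, e.g.  mstsc.exe /v:CONTOSO.COM:56789
# Restart-Computer -Force
```

Run this in an elevated PowerShell session on the computer you connect to, not on the client. Keep the exported .reg file: double-clicking it restores the original PortNumber if you ever lock yourself out, and the rule can be removed with Remove-NetFirewallRule -DisplayName 'Custom RDP Port'.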

Thanks for reading my article. If you are interested in IT training & consulting services, please reach out to me. Visit ZubairAlexander.com for information on my professional background.

Copyright © 2018 SeattlePro Enterprises, LLC. All rights reserved.
