The Remote Desktop Protocol (RDP) provides a convenient way to access Windows computers and servers remotely. By default, RDP listens on TCP port 3389. Because this port number is well known, it attracts attention from malicious actors who scan for exposed services.
Changing the default RDP port is a commonly recommended hardening step. By configuring RDP to listen on an alternate, non-standard port, you reduce the perceived attack surface of the system: the service becomes less conspicuous to automated port scans and to attackers attempting to exploit it remotely.
To change the default RDP port, follow these steps:
- On your local PC, press Win+R on your keyboard; a small window called "Run" will open.
- In the "Open" field of this window, type regedit and press OK.
- The Registry Editor will open. Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\
- Double-click the PortNumber value.
- Select Decimal as the base.
- Change the number 3389 to a value of your choice between 1025 and 65535, for example 25456.
- Click OK.
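The same change can be scripted. The following PowerShell script is an added example and is not part of the original article: it writes the new PortNumber value described in the steps above, and also handles the two things the manual procedure leaves implicit, namely that the built-in Windows Firewall "Remote Desktop" rules only allow TCP 3389, and that the listener only moves to the new port after Remote Desktop Services (TermService) restarts or the machine reboots. The port 25456 is the article's example; the rule name, the service restart and the firewall profiles are assumptions to adjust for your environment.

```powershell
# Added example (not from the original article): change the RDP listening port with PowerShell.
# Run in an elevated PowerShell session on the machine whose RDP port you are changing.
# Assumptions: Windows 10/11 or Server 2016+, Windows Defender Firewall in use, and the
# example port 25456 from the steps above; set $NewPort to your chosen value.

$NewPort = 25456
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Refuse ports outside the range the article recommends.
if ($NewPort -lt 1025 -or $NewPort -gt 65535) {
    throw "Port $NewPort is outside the 1025-65535 range."
}

# Refuse a port that another service already has open; the RDP listener would fail to bind to it.
$InUse = Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue
if ($InUse) {
    $Pid = $InUse.OwningProcess | Select-Object -First 1
    throw "Port $NewPort is already in use by process ID $Pid."
}

# Record the current value so the change can be reverted if needed.
$OldPort = (Get-ItemProperty -Path $RegPath -Name PortNumber).PortNumber
Write-Host "Current RDP port: $OldPort"

# PortNumber is a REG_DWORD; the "Decimal" radio button in regedit is only a display choice.
Set-ItemProperty -Path $RegPath -Name PortNumber -Value $NewPort -Type DWord

# The built-in "Remote Desktop" firewall rules only allow 3389, so allow the new port explicitly.
# Restricting -Profile (or adding -RemoteAddress) to your management network is an assumption to adjust.
New-NetFirewallRule -DisplayName "RDP on TCP $NewPort" -Direction Inbound -Protocol TCP `
    -LocalPort $NewPort -Action Allow -Profile Domain,Private | Out-Null

# The listener only picks up the new port after Remote Desktop Services restarts (or after a reboot).
# Restarting TermService drops active RDP sessions, including your own if you are connected over RDP.
Restart-Service -Name TermService -Force

# Give the service a moment to bind, then confirm the listener moved.
Start-Sleep -Seconds 5
$Listener = Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue
if ($Listener) {
    $Pid = $Listener.OwningProcess | Select-Object -First 1
    Write-Host "RDP is now listening on TCP $NewPort (PID $Pid)."
} else {
    Write-Warning "Nothing is listening on TCP $NewPort yet; a reboot may be required."
}
```

Run this from a local console or out-of-band management session rather than over the RDP connection you are about to move, since the service restart will disconnect you. The old port value is printed first so that a `Set-ItemProperty` back to it (followed by another restart) reverts the change.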
Now that you have made these configuration changes, it is crucial to confirm that the Remote Desktop service is listening on the new custom port as intended. Follow these steps to validate the new port setup:
- Test the Remote Desktop Connection. Start a Remote Desktop Connection to the target machine, specifying the new port number you configured. The address should follow the format TargetIPAddress:NewPortNumber (e.g. 192.168.1.100:33091). A successful connection confirms that RDP is reachable on the new port.
- Confirm the Port is Listening. To check that the new port is active and ready for remote desktop connections, run netstat -an | find "33091" in the command prompt on the target machine; the output should show the port in the LISTENING state.
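The two checks above can be combined into one PowerShell verification script. This is an added example, not code from the original article: on the target machine it queries the TCP listeners (the PowerShell equivalent of the netstat check) and warns both when the new port is not listening and when the old port 3389 is still open; from a client machine it probes the new port with Test-NetConnection before you launch the Remote Desktop client. The port 33091 and address 192.168.1.100 are the article's examples; which half of the script to run depends on whether you are on the target or on a client.

```powershell
# Added example (not from the original article): verify the new RDP port after the change.
# Assumes the article's example port 33091 and target 192.168.1.100; adjust both.

$Target  = '192.168.1.100'
$NewPort = 33091

# --- Run on the target machine: is RDP bound to the new port, and has 3389 been released? ---
# Get-NetTCPConnection is the PowerShell equivalent of: netstat -an | find "33091"
$Listeners = @(Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in $NewPort, 3389 })
foreach ($L in $Listeners) {
    # The RDP listener lives in a svchost.exe hosting TermService, so ProcessName shows svchost.
    $Proc = Get-Process -Id $L.OwningProcess -ErrorAction SilentlyContinue
    Write-Host ("TCP {0,-6} LISTENING  owner PID {1} ({2})" -f $L.LocalPort, $L.OwningProcess, $Proc.ProcessName)
}
if (-not ($Listeners.LocalPort -contains $NewPort)) {
    Write-Warning "Nothing is listening on TCP $NewPort; check the PortNumber value and restart Remote Desktop Services."
}
if ($Listeners.LocalPort -contains 3389) {
    Write-Warning "TCP 3389 is still listening; the old port should be closed once the service has restarted."
}

# --- Run from a client machine: does the new port answer through the firewall? ---
$Probe = Test-NetConnection -ComputerName $Target -Port $NewPort
if ($Probe.TcpTestSucceeded) {
    # mstsc accepts host:port, matching the TargetIPAddress:NewPortNumber format described above.
    Write-Host "TCP $NewPort on $Target accepts connections; connect with: mstsc /v:${Target}:$NewPort"
} else {
    Write-Warning "TCP $NewPort on $Target is not reachable; check the inbound firewall rule on the target."
}
```

A reachable port in Test-NetConnection only proves that the TCP handshake completes; the final confirmation is still an interactive logon with the Remote Desktop client, as the first check describes.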