Step-by-Step: How to Safely Configure an RDP Changer

Changing the default port of the Remote Desktop Protocol (RDP) from its standard 3389 is a common practice used to obscure the service from basic, automated network scans. However, editing critical registry keys can lock you out of your machine if done incorrectly.
This guide provides a secure, step-by-step walkthrough to change your RDP port manually or via an automated script while keeping the system accessible.

Step 1: Back Up Your Windows Registry
Before making any system modifications, always create a restore point or back up your registry.

1. Press Win + R, type regedit, and hit Enter.
2. Click File in the top-left menu.
3. Select Export.
4. Choose a secure save location, name the file, and make sure Export range is set to All.

Step 2: Locate the RDP PortNumber Key
Windows stores the RDP port configuration deep within the system registry. Navigate to the following path in the Registry Editor:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

1. Scroll down the right-hand pane until you find the PortNumber value.
2. Double-click PortNumber.
3. Switch the Base toggle from Hexadecimal to Decimal.
4. Enter your new port number (choose an ephemeral port between 49152 and 65535 to avoid conflicts with other services).
5. Click OK.

Step 3: Configure the Windows Defender Firewall
Your operating system will block incoming traffic on the new port unless you explicitly permit it. Do not restart your computer until this step is finished.

1. Press the Windows key, type Windows Defender Firewall with Advanced Security, and open it.
2. Click Inbound Rules in the left sidebar.
3. Click New Rule in the right sidebar.
4. Select Port and click Next.
5. Choose TCP and enter your new port number in the Specific local ports field. Click Next.
6. Select Allow the connection and click Next.
7. Apply the rule to Domain, Private, and Public networks, then click Next.
8. Name the rule (e.g., "Custom RDP Port") and click Finish.

Step 4: Restart the Remote Desktop Service
For the changes to take effect, you must restart the underlying Windows service.

1. Press Win + X and select Task Manager (or open services.msc).
2. Navigate to the Services tab.
3. Look for TermService (Remote Desktop Services).
4. Right-click TermService and select Restart. If the option is grayed out, reboot the computer entirely.

Step 5: Test and Establish the New Connection
From now on, when connecting to this machine you must explicitly append the new port number to the IP address or hostname.

1. Launch the Remote Desktop Connection client (mstsc) on your client machine.
2. In the Computer field, enter the target IP address followed by a colon and the new port. Example: 192.168.1.50:55000
3. Click Connect and verify that your credentials work.

Alternative: Automated RDP Port Changer Script
If you prefer managing multiple machines with PowerShell, run the following commands as an Administrator to change the port and open the firewall automatically:

```powershell
# Choose the new RDP listening port
$portvalue = 55000

# Write the new port to the RDP-Tcp listener key (PortNumber is a REG_DWORD)
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "PortNumber" -Value $portvalue

# Allow inbound TCP traffic on the new port before the listener moves
New-NetFirewallRule -DisplayName "Custom RDP Port" -Direction Inbound -LocalPort $portvalue -Protocol TCP -Action Allow

# Restart Remote Desktop Services so the change takes effect (active RDP sessions will drop)
Restart-Service -Name "TermService" -Force
```

Critical Security Reminder
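The script above performs the change but does nothing to prevent the lockout the introduction warns about. The following guarded version, added here as an example rather than the article's own code, exports the key first, refuses a port that is out of range or already in use, opens the firewall before touching the registry, and rolls back if the listener does not come up on the new port. The port value and backup location are placeholders; it assumes an elevated PowerShell session run from the console or a non-RDP channel.

```powershell
# Added example: guarded RDP port change with backup, conflict check and rollback.
# $NewPort is a placeholder; the backup file path is also an assumption of this example.
param([int]$NewPort = 55000)

$key     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$regPath = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$backup  = Join-Path $env:TEMP "RDP-Tcp-backup-$(Get-Date -Format yyyyMMdd-HHmmss).reg"

# Step 1: export the key before touching it so it can be re-imported if anything goes wrong.
reg.exe export $regPath $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; aborting before any change." }

# Refuse ports outside the range the article recommends, and ports another service already owns.
if ($NewPort -lt 49152 -or $NewPort -gt 65535) { throw "Port $NewPort is outside 49152-65535." }
$inUse = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if ($inUse) { throw "Port $NewPort is already in use by PID $($inUse.OwningProcess)." }

$oldPort = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber

# Step 3 first: open the firewall so the new listener is reachable the moment it starts.
New-NetFirewallRule -DisplayName "Custom RDP Port $NewPort" -Direction Inbound `
    -LocalPort $NewPort -Protocol TCP -Action Allow -ErrorAction Stop | Out-Null

# Step 2: write the new port (PortNumber is a REG_DWORD).
Set-ItemProperty -Path $key -Name PortNumber -Value $NewPort -Type DWord

# Step 4: restart the listener, then verify it actually bound to the new port.
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 5
$listening = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if (-not $listening) {
    # Roll back so the host stays reachable on the old port.
    Set-ItemProperty -Path $key -Name PortNumber -Value $oldPort -Type DWord
    Restart-Service -Name TermService -Force
    throw "RDP did not come up on $NewPort; reverted to $oldPort. Backup: $backup"
}
Write-Host "RDP now listening on TCP $NewPort (was $oldPort). Registry backup: $backup"
```

The firewall rule created here applies to all profiles, as in the manual steps; restrict it with -Profile if the host should only accept RDP on domain or private networks.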
Changing the default port only stops basic network background noise and automated scripts; it does not stop targeted attacks. True RDP security requires additional defensive layers:

- Use a Virtual Private Network (VPN) or an RDP Gateway so the machine is never exposed directly to the public internet.
- Enable Network Level Authentication (NLA).
- Enforce account lockout policies to neutralize brute-force login attempts.