The Remote Desktop Protocol (RDP) is used to remotely access the desktop of a computer or a Windows server. By default, TCP 3389 is used for remote connection. If your computer/server is connected directly to the Internet (VDS/VPS) and has a public IP address, then from a security reasons, it is advisable to change the default RDP port number.
The fact is that most hacking tools can try to use the brute-force attack against you RDP infrastructure through the default RDP port number. There is also a high risk of exploitation of 0-day vulnerabilities against RDP. Over the past year Microsoft has fixed as many as 2 critical vulnerabilities in RDP (BlueKeep and BlueKeep-2) that could be exploited via Remote Code Execution.
How to Change Default RDP Port Number on Windows 10?
Let’s see how to change the default RDP port in Windows 10. The RDP port settings are set in the PortNumber parameter in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. To manually change the RDP port number:
- Run the Registry Editor (regedit.exe) with administrator permissions;
- Go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp;
- Change the DWORD value of the PortNumber parameter in decimal format. For example, specify the port number 41212;
- Open the service management console (services.msc) and restart the Remote Desktop Services service.
Hint. You can also change the RDP port number from the command prompt:
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 41212 /f
or with PowerShell:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP\" -Name PortNumber -Value 41212
If you have Windows Defender Firewall with Advanced Security enabled on your computer, you need to allow incoming TCP traffic to the new RDP port number. You can create a new rule for incoming traffic to port 41212 through the wf.msc graphical console or from the command line:
netsh advfirewall firewall add rule name="RDP new port" dir=in action=allow protocol=TCP localport=41212
After that, you can connect to your Windows computer through a non-standard RDP port. For example, if you use the built-in Windows Remote Desktop Connection client (mstsc.exe), you need to specify a new RDP port number in the colon after the hostname (IP) address of the computer or use this command:
Configuring Remote Desktop Port Forwarding
You can also change the RDP port number on which your computer is accessible externally using port forwarding technique. Those, when connecting to your computer from the Internet, you need to connect to your gateway to the specified port, and the gateway device will automatically forward this traffic to the RDP port 3389 of your intranet computer.
The specific settings that you need to make depend on the device that acts as a gateway to the Internet. For example, the IP address of your Windows computer is 192.168.1.15 and you want to configure external port forwarding (PAT) 41212 to the standard RDP port 3389.
You can use the following configuration for different device types to crete RDP port forwarding rule.
For Linux Gateway with iptables firewall:
iptables -t nat -A PREROUTING -p tcp --dport 41212 -i eth0 -j DNAT --to-destination 192.168.1.15:3389
For Windows Gateway Server:
netsh interface portproxy add v4tov4 listenport=41212 listenaddress=126.96.36.199 connectport=3389 connectaddress=192.168.1.15
For Cisco routers:
Ip nat inside source static tcp 192.168.1.15 3389 188.8.131.52:41212
For Microtik devices:
add chain=dstnat action=dst-nat to-addresses=192.168.1.15 to-ports=3389 protocol=tcp in-interface=ether2 dst-port=41212