How to Change RDP Port Number on Windows 10?

The Remote Desktop Protocol (RDP) is used to remotely access the desktop of a computer or a Windows server. By default, TCP port 3389 is used for remote connections. If your computer/server is connected directly to the Internet (VDS/VPS) and has a public IP address, then for security reasons it is advisable to change the default RDP port number.

The fact is that most hacking tools can try brute-force attacks against your RDP infrastructure through the default RDP port number. There is also a high risk of exploitation of 0-day vulnerabilities in RDP. Over the past year Microsoft has fixed as many as 2 critical vulnerabilities in RDP (BlueKeep and BlueKeep-2) that could be exploited for remote code execution.

How to Change Default RDP Port Number on Windows 10?

Let’s see how to change the default RDP port in Windows 10. The RDP port is set in the PortNumber parameter of the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. To manually change the RDP port number:

  1. Run the Registry Editor (regedit.exe) with administrator permissions;
  2. Go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp;
  3. Change the DWORD value of the PortNumber parameter in decimal format. For example, specify the port number 41212;
  4. Open the service management console (services.msc) and restart the Remote Desktop Services service.

Hint. You can also change the RDP port number from the command prompt:

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 41212 /f

or with PowerShell:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP\" -Name PortNumber -Value 41212

If you have Windows Defender Firewall with Advanced Security enabled on your computer, you need to allow incoming TCP traffic to the new RDP port number. You can create a new rule for incoming traffic to port 41212 through the wf.msc graphical console or from the command line:

netsh advfirewall firewall add rule name="RDP new port" dir=in action=allow protocol=TCP localport=41212
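
The registry change, firewall rule and service restart described above, combined into one PowerShell script with a listener check and rollback (an added example, not part of the original article). The `$AllowFrom` range is a constructed placeholder, and restricting the rule to that range and rolling back on failure are assumptions added here, not steps from the article.

```powershell
#Requires -RunAsAdministrator
# Added example. Run from the local console: restarting TermService drops active RDP sessions.
$NewPort   = 41212               # port number used in the article
$AllowFrom = '203.0.113.0/24'    # constructed placeholder: the source range you trust
$RuleName  = 'RDP new port'      # rule name used in the article
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Refuse an invalid port or one that another service is already listening on.
if ($NewPort -lt 1 -or $NewPort -gt 65535) { throw "Port $NewPort is not a valid TCP port." }
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    throw "Port $NewPort already has a listener; choose another port."
}

# Remember the current value so the change can be undone.
$OldPort = (Get-ItemProperty -Path $RegPath -Name PortNumber).PortNumber
Write-Host "Current RDP port: $OldPort"

# Create the inbound rule before moving the listener, limited to the trusted range
# instead of any source address.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $NewPort -RemoteAddress $AllowFrom | Out-Null
}

# Write the new port as a DWORD and restart Remote Desktop Services.
# -Force is needed because TermService has dependent services.
Set-ItemProperty -Path $RegPath -Name PortNumber -Type DWord -Value $NewPort
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 5

# Confirm the service is listening on the new port; otherwise restore the old one.
$listener = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if (-not $listener) {
    Set-ItemProperty -Path $RegPath -Name PortNumber -Type DWord -Value $OldPort
    Restart-Service -Name TermService -Force
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    throw "No listener on port $NewPort after restart; restored port $OldPort."
}
Write-Host "RDP now listening on TCP $NewPort, allowed from $AllowFrom."
```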


After that, you can connect to your Windows computer through a non-standard RDP port. For example, if you use the built-in Windows Remote Desktop Connection client (mstsc.exe), you need to specify the new RDP port number after a colon following the hostname or IP address of the computer, or use this command:

mstsc /v:


Configuring Remote Desktop Port Forwarding

You can also change the RDP port number on which your computer is accessible externally by using port forwarding. That is, when connecting to your computer from the Internet, you connect to the specified port on your gateway, and the gateway device automatically forwards this traffic to RDP port 3389 of your intranet computer.

The specific settings that you need to make depend on the device that acts as a gateway to the Internet. For example, the IP address of your Windows computer is and you want to configure external port forwarding (PAT) 41212 to the standard RDP port 3389.


You can use the following configurations for different device types to create an RDP port forwarding rule.

For Linux Gateway with iptables firewall:

iptables -t nat -A PREROUTING -p tcp --dport 41212 -i eth0 -j DNAT --to-destination

For Windows Gateway Server:

netsh interface portproxy add v4tov4 listenport=41212 listenaddress= connectport=3389 connectaddress=

For Cisco routers:

Ip nat inside source static tcp 3389

For MikroTik devices:

add chain=dstnat action=dst-nat to-addresses= to-ports=3389 protocol=tcp in-interface=ether2 dst-port=41212


  1. and after 1-2 weeks after you did this you will be *** brute forced

    is it really that hard? DON'T OPEN RDP TO THE WORLD

  2. Not a good idea:
    1. Legitimate tools now need extra things to make them work
    2. Port scanners can identify what is on a port by its signature and these are routinely executed, so no safer

    You want to really secure RDP? Create a bastion host used to jump to other systems and have MFA as part of the authentication process to connect to it.
