What is the default port for RDP and how do you change it?
When an admin needs to change the RDP port from its default to a different one, they can perform this process and many others via Windows Registry Editor.
To maintain consistency, Remote Desktop Protocol relies on a specific port to establish a connection when administrators and users need to connect to servers and endpoints, and IT typically doesn't have to think much about this port.
However, sometimes, IT administrators need to view and alter the port, so it's important to know what the default RDP port is, why they might need to change it and how to complete that process.
What is the default port that RDP runs on?
The default port that RDP runs on is 3389. This means, if someone opens the Remote Desktop application and tries to connect to a server, it initiates the connection over port 3389. Out of the box, the RDP port is blocked by Windows Firewall, and you need to change firewall rules to initiate the connection.
Why would a desktop admin want to change the RDP port?
There are instances where you as a desktop administrator want to change the port that is used for RDP connections. This can be done directly on the computer or the server.
When RDP uses the default port -- 3389 -- it is easy to find the open port using automated scans. When hackers are looking for a way in, they use automated scans to look for open ports that they might be able to exploit. Changing the default port to a nonstandard RDP port makes it harder for malicious actors to find.
Please keep in mind: Changing the port does not protect you from attacks -- it just makes it a little bit harder to find. It's not a good idea to ever have an RDP port open to the internet without other security practices, such as VPNs, multifactor authentication and strong passwords.
How to change the default RDP port on Windows Server and desktops
To change the port that RDP is listening on, you must make changes in Windows Registry. The process to change the RDP port is the same for both Windows Server and Windows desktops:
Figure 1. The Run dialog box that pops up when you want to run Windows Registry Editor
Type in regedit, and click OK.
Before making changes to the registry, it is best practice to make a backup of the registry. This way, if you break something, you can easily revert the system back. Open the registry editor, go to File > Export and save a copy of the .reg file somewhere safe.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, and then find the PortNumber value. This value displays the current port number, currently 3389.
Double-click on the PortNumber value to open the edit dialog box. This shows the value in hexadecimal format. If you click on the radio button that says Decimal, the dialog box displays the port number in decimal format.
Change the Value Data to the port number that you want RDP to be listening on.
Click OK -- that saves the changes to the registry.
Restart the RDP service. To do this, open a command prompt, and run the following command: net stop termservice && net start termservice. Alternatively, if you don't want to restart the RDP service, you could always reboot the device.
Now that the RDP port has been changed in the registry, the next step is to verify that you can connect on the new RDP port. For testing, you need another computer that is on the same network. You should use this computer to initiate the connection to the server or computer that you have changed the port numbers on in the previous steps.
Open the Remote Desktop application, and type in the IP address of the computer you want to connect to, followed by a colon and the new port number. If you don't set the port number, it tries to connect using the default port number 3389.
The structure should look like this: <IP address>:<port number>. In Figure 2, the IP address of the computer is 192.168.10.1, and the port number is 63389, so the full address is 192.168.10.1:63389.
Figure 2. The means of identifying a specific desktop's or server's Remote Desktop via the updated port.
There are a few additional best practices to keep in mind when changing the RDP port:
Avoid using a port that is already in use for another application. This avoids any conflicts that may arise from having two applications trying to listen on the same port.
For remote desktop applications to connect to the RDP port, you need a firewall rule to allow connections on the RDP port.
Changing the default RDP port makes it harder for people to find the port that RDP is running on.
Changing the default RDP port does not make RDP itself more secure, and it is not recommended to open RDP ports directly to the internet.
It bears repeating: Create a backup whenever you work with Windows Registry.
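The registry steps and best practices above can also be scripted. The following PowerShell is an added example, not part of the original article: it backs up the RDP-Tcp key, refuses a port that is already in use, writes PortNumber, opens the firewall and restarts the service. The backup path, the firewall rule name and the choice of firewall profiles are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Run in an elevated session
# on the machine whose RDP port is being changed.
$NewPort = 63389   # port from the article's example; substitute your own
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RegKey  = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$Backup  = Join-Path $env:TEMP 'RDP-Tcp-backup.reg'   # assumed backup location

# 1. Reject values outside the valid, non-reserved TCP port range.
if ($NewPort -lt 1025 -or $NewPort -gt 65535) {
    throw "Port $NewPort is outside 1025-65535."
}

# 2. Avoid a conflict: stop if another process already listens on the port.
$inUse = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if ($inUse) {
    throw "Port $NewPort is already in use by PID $($inUse[0].OwningProcess)."
}

# 3. Back up the key before touching it (same as File > Export in regedit).
reg.exe export $RegKey $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; nothing was changed.' }

# 4. Record the old port, then write the new one as a DWORD.
$OldPort = (Get-ItemProperty -Path $RegPath -Name PortNumber).PortNumber
Set-ItemProperty -Path $RegPath -Name PortNumber -Value $NewPort -Type DWord

# 5. Allow inbound connections on the new port. Limiting the rule to the
#    Domain and Private profiles is an assumption that keeps it off
#    networks classified as Public.
New-NetFirewallRule -DisplayName "RDP custom port $NewPort (TCP)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -Action Allow -Profile Domain, Private | Out-Null

# 6. Restart the RDP service. This disconnects active RDP sessions, so run
#    it from the console or be ready to reconnect on the new port.
Restart-Service -Name TermService -Force

# 7. Confirm the listener moved; the hex form matches regedit's default view.
$listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue)
'Old port {0} (0x{0:X}) -> new port {1} (0x{1:X}); listening: {2}' -f $OldPort, $NewPort, $listening
```

From a second computer on the same network, Test-NetConnection with the -ComputerName and -Port parameters confirms the new port is reachable before you rely on it. To roll back, import the saved .reg file and restart the service again.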
Jake Gardner works with regional organizations, helping them to leverage technology to provide practical, functional solutions.