Changing RDP port on a Windows machine and creating a new port allow rule in Windows firewall

From Notes_Wiki

Home > Windows > Windows Defender Firewall > Changing RDP port on a Windows machine and creating a new port allow rule in Windows firewall


Changing the RDP Port

Changing the RDP (Remote Desktop Protocol) port means modifying the default port (3389) used for remote connections to a Windows machine.

Purpose

  • To enhance security by avoiding the commonly known default RDP port (3389).
  • To reduce exposure to automated port scanning and brute-force attacks.
  • To make unauthorized remote access attempts less likely.
  • To add an extra layer of obscurity (security through obscurity); on its own this does not replace strong authentication or restricting the allowed source addresses.


Steps to Modify the RDP Port

  1. Open the Registry Editor
    1. Press Win + R, type regedit, and press Enter.
  2. Navigate to the RDP Port Key
    1. Go to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  3. Modify the PortNumber Value
    1. Locate the value PortNumber and double-click it.
    2. Set the Base to Decimal.
    3. Enter your desired port number (e.g., 443).
    4. Click OK and close the Registry Editor.


After changing the RDP port from the default (3389) to a custom port (e.g., 443), you must allow that new port through the Windows Firewall. This ensures that remote connections can reach the server. For added security, you can limit RDP access to only specific IP addresses. Finally, a system restart is required for the new settings to take effect.


Add a Firewall Rule for the New RDP Port

Purpose

After changing the RDP port in the registry, you must create a new inbound firewall rule to allow traffic through that port. This ensures that remote desktop connections can be established on the new port.

Steps to Allow the New RDP Port

  1. Open Windows Defender Firewall with Advanced Security (Press Win + R, type wf.msc, and press Enter).
  2. In the left pane, click on Inbound Rules.
  3. In the right pane, click New Rule.
  4. Select Port and click Next.
  5. Choose TCP and enter your new RDP port (e.g., 443), then click Next.
  6. Select Allow the connection, then click Next.
  7. Apply the rule to Domain and Private (uncheck Public if required), then click Next.
  8. Name the rule: Allow RDP 443, then click Finish.


Allow RDP for Specific IPs

Purpose

Limiting RDP access to specific IP addresses improves security by only allowing trusted systems to connect.

Steps to Restrict Access

  1. Open Windows Defender Firewall with Advanced Security.
  2. Locate and double-click the rule Allow RDP 443.
  3. Go to the Scope tab.
  4. Under Remote IP address, select These IP addresses.
  5. Click Add, enter the allowed IP addresses, and click OK.
  6. Apply the changes and close the window.

Restart the Server

  1. Restart the server for the changes to take effect.
  2. To connect via Remote Desktop from an allowed system, use:

Press Win + R, type mstsc /v:Server-IP:443 and press Enter to connect using RDP over port 443.

Replace Server-IP with the actual IP address of the remote system.
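The registry change, the inbound rule and the Scope restriction described above, carried out from an elevated PowerShell session. This is an added example and not part of the original page; the port number 443 and the allowed addresses are placeholders to replace with your own values.

```powershell
# Added example (not from the original wiki page). Run as Administrator.
# Assumptions: the new port and the allowed source addresses below are placeholders.
$NewPort      = 443
$AllowedHosts = @('192.0.2.10', '192.0.2.0/24')   # constructed placeholder addresses (TEST-NET-1)
$RuleName     = "Allow RDP $NewPort"

# 1. Change the RDP listener port: the PortNumber value (REG_DWORD) under RDP-Tcp.
#    The Remote Desktop service reads it only at start, hence the restart at the end.
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$OldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord
Write-Host "RDP listener port changed from $OldPort to $NewPort (effective after restart)"

# 2. Inbound allow rule for the new TCP port, Domain and Private profiles only,
#    scoped to the trusted source addresses (the equivalent of the Scope tab).
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName   # re-run safely: replace an older copy
}
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $NewPort `
    -Profile Domain,Private -RemoteAddress $AllowedHosts | Out-Null

# 3. Check the result: the port filter and address filter should show the values above.
$Rule = Get-NetFirewallRule -DisplayName $RuleName
[pscustomobject]@{
    Rule          = $Rule.DisplayName
    Enabled       = $Rule.Enabled
    Profile       = $Rule.Profile
    LocalPort     = ($Rule | Get-NetFirewallPortFilter).LocalPort
    RemoteAddress = ($Rule | Get-NetFirewallAddressFilter).RemoteAddress
} | Format-List

# 4. The built-in 'Remote Desktop' rule group still allows TCP 3389; review it with
#    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' and disable it if no longer wanted.
# 5. Reboot, then confirm the listener: Get-NetTCPConnection -State Listen -LocalPort $NewPort
# Restart-Computer   # uncomment to restart now
```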

