Change RDP Listening Port

Change RDP Listening Port from default 3389

Changing the RDP listening port to a non-default port may not defeat a determined hacker but it should reduce attacks from automated bots.  **Remember to create new firewall rules to allow the new port number so you don’t accidently lock yourself out.  And remember that end-users will need to add the new port # to the IP address/computer name when logging in, such as 123.456.78.888:5555 where the new listening port is 5555.  If you have MAC users, you should verify if the RD Client for MACs support a port other than 3389.

  • Change port in Registry first – http://support.microsoft.com/kb/306759 (older link but still should apply)
  • Regedit, then locate and click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber On the Edit menu, click Modify, and then click Decimal. Type the new port number, and then click OK. Quit Registry Editor.)
  • Create two new Windows Firewall rules (one for TCP and one for UDP) for the new port number. For example, in a administrative command prompt, type this to create two new inbound rules (tcp & upd) where 35000 is the new port you used in the registry change:

netsh advfirewall firewall add rule name=”Remote Desktop (TCP-In) 35000″ dir=in localport=35000 protocol=tcp action=allow

netsh advfirewall firewall add rule name=”Remote Desktop (UDP-In) 35000″ dir=in localport=35000 protocol=udp action=allow

You can compare these new rules to the existing rules in the firewall.

  • Reboot server
  • Then Login using new port number using :ZZZZ where ZZZZ is new RDP listening port – for example, 250.197.92.199:ZZZZ (and also test that 3389 to confirm it won’t work).
  • Disable previous RDP Firewall rules that allowed port 3389