How to Change the Default RDP Port on a Windows Server: Safe Sequence, Firewall, and Troubleshooting

How to change the default RDP port on a Windows server

RDP, or Remote Desktop Protocol, is one of the most common ways to administer Windows servers remotely. By default it listens on port 3389, which also makes it one of the most heavily scanned ports on the internet. In practice that means even a small Windows server with a public IP address starts receiving automated scans, login attempts, and background noise in logs very quickly. Changing the default RDP port is not a complete security solution by itself, but it is still a useful additional layer that reduces automated noise and makes remote administration a little cleaner and more controlled.

This is especially relevant on Virtual Servers, where the administrator controls Windows Firewall, network exposure, and remote access policy directly. In heavier Windows environments or business-specific deployments, the same practice is often applied on Dedicated Servers. If the environment needs a custom access model, additional routing, or multiple Windows instances behind a broader security design, that is typically handled through Individual Solutions.

One point needs to be clear from the start: changing the RDP port is not the same as securing RDP. If the server still uses weak passwords, a widely exposed administrator account, no IP restrictions, no account lockout policy, and poor update hygiene, a new port alone will not solve the real risk. The correct way to think about port changing is as a small hardening step inside a larger security model that includes strong passwords, VPN or IP allowlists, regular updates, and proper audit logging.

Before you make any change, make sure you have a fallback access method. Ideally that means a hosting control panel console, KVM access, Hyper-V or VMware console access, or another out-of-band administrative channel. If your only access path is the current RDP session, a bad firewall rule or a wrong port value can lock you out of the server entirely. That is why the sequence matters as much as the technical change itself.

The RDP listener port is stored in the Windows registry. The change itself is simple, but it must be done carefully. First choose the new port. Avoid well-known service ports such as 80, 443, 25 or 21, and any port already used by another service on the system (databases, management agents, backup tools). A better approach is a non-standard TCP port in a higher range, for example above 10000, where the chance of conflict is lower and operational clarity is better. Stay below the dynamic (ephemeral) port range, which on current Windows versions starts at 49152 by default, so the listener does not compete with outbound connections, and confirm with Get-NetTCPConnection that nothing is already bound to the port you picked.

regedit

Open Registry Editor and go to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. There you will find the PortNumber value. By default it is 3389. Registry Editor displays DWORD values in hexadecimal by default, so 3389 appears as d3d; switch to Decimal mode before entering the new port. For example, if you want to use 33901, enter 33901 in decimal form. This detail matters because administrators sometimes enter the intended number in the wrong base, end up with a listener on an unexpected port, and then troubleshoot the wrong problem later.

PowerShell:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name PortNumber -Value 33901 -Type DWord

After changing the registry, do not immediately close port 3389. First create a firewall rule for the new port. The safest order is this: allow the new port, restart the service or the server, test access through the new port, and only then disable or block the old port. This order prevents the classic mistake where the administrator closes 3389 first and locks themselves out before confirming the new port works. TCP is the transport RDP requires; clients on RDP 8 and later can additionally use UDP on the same port number, so add a matching UDP allow rule if you want that transport to keep working after the change.

PowerShell:
New-NetFirewallRule -DisplayName "RDP Custom Port 33901" -Direction Inbound -Protocol TCP -LocalPort 33901 -Action Allow

If your infrastructure also uses a provider-side firewall, cloud security group, router ACL, or external firewall appliance, open the new port there as well. This is a very common source of confusion: the local Windows configuration is correct, but the service is still unreachable externally because another network layer is blocking it. Always think about the full path from the client to the server, not only the Windows side.

After the port change, the service must pick up the new configuration. In many cases the safest operational choice is a controlled reboot during a maintenance window. In less sensitive situations you can restart the Remote Desktop Services service (TermService) instead. Be aware that restarting it disconnects every active RDP session, including the one you are issuing the command from; the command normally completes and the service comes back, but you should only do this with fallback console access in place. In production environments a full reboot often provides a cleaner and more predictable result, especially when the server has had multiple remote access or policy changes over time.

PowerShell:
Restart-Service -Name TermService -Force

Once the server has restarted or the service has reloaded, do not close your current session immediately. Instead, open a second RDP client and connect using the host and the new port in this format: server-ip:33901 or server-name:33901 (from the command line, mstsc /v:server-ip:33901). Only after you have successfully established a second session should you consider the migration complete. That simple test is the difference between a safe change and an avoidable outage.

When the new port is confirmed working, you can disable the old 3389 allowance. Depending on your policy, that may mean disabling the built-in Windows Firewall rules or creating an explicit block rule. Note that the built-in rule set contains both a TCP and a UDP rule for the default port, and that the display names Windows shows are localized; on non-English systems match on the rule's internal name (RemoteDesktop-UserMode-In-TCP and RemoteDesktop-UserMode-In-UDP) or on the rule group rather than the display name. After the listener has moved, nothing answers on 3389 anyway, but disabling the rules keeps the default port from being re-exposed by accident later. From a security standpoint, this step only makes sense after verification. Blocking the old port too early is one of the most common mistakes in this procedure.

PowerShell:
Disable-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)"
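The following script is an added example that ties the steps above into the safe sequence end to end; it is not code from the original guide. It assumes an elevated PowerShell session on a current Windows Server with the NetSecurity module, and the port 33901, the rule display names and the built-in rule names RemoteDesktop-UserMode-In-TCP and RemoteDesktop-UserMode-In-UDP (the names of the English default rule set) are illustrative. It refuses ports that are in use or inside the dynamic range, opens the firewall before restarting the listener, rolls the registry back if the new listener does not come up, and deliberately leaves disabling the old rules as a separate function to run only after a second session has succeeded.

```powershell
# Added example, not part of the original guide. Run as Administrator.
# Assumptions: port 33901, rule names and the built-in rule names are illustrative.
$NewPort = 33901
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Sanity-check the chosen port: not already bound, not in the dynamic (ephemeral) range.
$dyn = Get-NetTCPSetting -SettingName Internet
if ($NewPort -ge $dyn.DynamicPortRangeStartPort) {
    throw "Port $NewPort lies in the dynamic range starting at $($dyn.DynamicPortRangeStartPort); pick a lower port."
}
if (Get-NetTCPConnection -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    throw "Port $NewPort is already in use on this server."
}

# 2. Remember the old port (for rollback) and write the new one as a decimal DWORD.
$OldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

# 3. Open the firewall for the new port BEFORE touching the listener or the old rules.
#    TCP is mandatory; the UDP rule keeps the optional RDP 8+ UDP transport working.
New-NetFirewallRule -DisplayName "RDP Custom Port $NewPort (TCP)" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -Action Allow -Profile Any | Out-Null
New-NetFirewallRule -DisplayName "RDP Custom Port $NewPort (UDP)" -Direction Inbound `
    -Protocol UDP -LocalPort $NewPort -Action Allow -Profile Any | Out-Null

# 4. Restart the listener. This disconnects the current RDP session; the script keeps running.
Restart-Service -Name TermService -Force

# 5. Wait for the new listener; if it never appears, revert the registry and restore the old port.
$listening = $false
for ($i = 0; $i -lt 30 -and -not $listening; $i++) {
    Start-Sleep -Seconds 1
    $listening = [bool](Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue)
}
if (-not $listening) {
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $OldPort -Type DWord
    Restart-Service -Name TermService -Force
    throw "No listener on $NewPort after restart; PortNumber reverted to $OldPort."
}
Write-Host "RDP now listening on TCP $NewPort. Open a SECOND session on this port before running Disable-DefaultRdpRules."

# 6. Only after a second session on the new port has succeeded: retire the default-port rules.
#    Internal rule names are used on purpose because display names are localized.
function Disable-DefaultRdpRules {
    Disable-NetFirewallRule -Name 'RemoteDesktop-UserMode-In-TCP', 'RemoteDesktop-UserMode-In-UDP' -ErrorAction Stop
    Get-NetFirewallRule -Name 'RemoteDesktop-UserMode-In-*' | Select-Object Name, Enabled
}
```

Run the script from a session you can afford to lose, reconnect on the new port, and only then call Disable-DefaultRdpRules; keeping that last step manual is what makes the lock-out scenario impossible to reach by accident. If your provider firewall or cloud security group sits in front of the server, open the new port there between steps 3 and 4.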

At this point, it is worth improving the wider RDP posture as well. If you know the source IP addresses from which administrators connect, restrict RDP to those addresses. If possible, place RDP behind a VPN so it is not exposed broadly to the public internet. It is also a good idea to rename the default administrator account, enable account lockout after repeated failures, and make sure Network Level Authentication is enabled.
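As an added example of the posture improvements just listed (not code from the original guide), the block below scopes the custom-port rule to an allowlist, turns on Network Level Authentication and TLS for the listener, sets a local account lockout policy, and reads the settings back. The rule display name, port and allowlist addresses are constructed samples (203.0.113.10 and 198.51.100.0/24 are documentation ranges standing in for an admin VPN exit and an office network); it assumes an elevated session on a standalone or member server, where domain Group Policy can override the local lockout values.

```powershell
# Added example, not part of the original guide. Run as Administrator.
# Assumptions: rule name, port and allowlist are illustrative/constructed values.
$RuleName  = 'RDP Custom Port 33901'
$AdminNets = @('203.0.113.10', '198.51.100.0/24')   # constructed: VPN exit address + office range
$RdpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Restrict the inbound rule from "any source" to the administrator allowlist.
Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $AdminNets

# 2. Require Network Level Authentication (credentials are checked before a session exists)
#    and the TLS security layer (SecurityLayer 2) instead of legacy RDP encryption.
Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $RdpKey -Name SecurityLayer      -Value 2 -Type DWord

# 3. Local account lockout: 5 failures within 15 minutes lock the account for 15 minutes.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 | Out-Null

# 4. Read everything back so the change is verifiable and can be pasted into the change record.
function Get-RdpHardeningState {
    $rule = Get-NetFirewallRule -DisplayName $RuleName
    $reg  = Get-ItemProperty -Path $RdpKey
    [pscustomobject]@{
        RuleEnabled        = $rule.Enabled
        RuleRemoteAddress  = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        NLARequired        = ($reg.UserAuthentication -eq 1)
        SecurityLayer      = $reg.SecurityLayer          # 0 = RDP, 1 = negotiate, 2 = TLS
        LockoutPolicy      = (net accounts | Select-String 'Lockout') -join '; '
    }
}
Get-RdpHardeningState
```

Renaming the built-in Administrator account (Rename-LocalUser on a non-domain-controller) and putting the listener behind a VPN are the remaining items from the list above; the allowlist here is the minimum that stops the whole internet from reaching the new port.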

Troubleshooting after the change should be systematic. If the new RDP connection fails, verify these things first: that the registry value was entered in decimal form and the listener is actually bound to the new port, that the Windows Firewall rule for the new port is enabled and applies to the profile the network adapter is in (Domain, Private or Public), that any upstream firewall also allows the port, and that the RDP client is explicitly connecting to the right port. In practice, most failures after an RDP port change are caused by sequence errors or missing firewall updates rather than by the registry edit itself.

PowerShell:
Get-NetTCPConnection -LocalPort 33901 -State Listen
Test-NetConnection -ComputerName 127.0.0.1 -Port 33901

Logs are also useful here. Event Viewer shows whether the service started normally (System log) and who authenticated to the listener: the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log records event 1149 with the client address on each successful authentication, and the Security log records event 4625 for failed logons. If you enable logging of dropped packets in the Windows Firewall profile, the firewall log (pfirewall.log) shows whether automated attempts are still hitting 3389 or whether legitimate traffic is now arriving only on the custom port. From an operational perspective, that is one of the tangible benefits of changing the port: less noise on the default listener and cleaner visibility into real administrative access attempts.
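The two functions below are an added example covering the troubleshooting checklist and the log review described above; they are not part of the original guide. Test-RdpPortChange reports every item from the checklist in one object so a mismatch (a hex slip in the registry, a disabled rule, a rule bound to the wrong profile) is visible at a glance; Get-RdpLogonSummary counts failed logons per source address from the Security log, lists the last successful authentications from the RemoteConnectionManager log, and counts drops on 3389 in the firewall log. The port and rule display name are illustrative, the firewall-log parsing assumes the default pfirewall.log field order (date time action protocol src dst srcport dstport ...), and reading the Security log requires an elevated session.

```powershell
# Added example, not part of the original guide. Run as Administrator.
# Assumptions: port 33901 and the rule display name are illustrative.
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Test-RdpPortChange {
    param([int]$Port = 33901, [string]$RuleName = 'RDP Custom Port 33901')
    $reg    = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
    $rule   = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    $filter = if ($rule) { $rule | Get-NetFirewallPortFilter }
    [pscustomobject]@{
        RegistryPortDecimal = $reg                     # a hex/decimal slip shows up as the wrong number here
        RegistryMatches     = ($reg -eq $Port)
        Listening           = [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
        RuleExists          = [bool]$rule
        RuleEnabled         = ("$($rule.Enabled)" -eq 'True')
        RulePort            = $filter.LocalPort
        RuleProfiles        = "$($rule.Profile)"        # must include the profile the adapter is in
        LocalTcpOk          = (Test-NetConnection -ComputerName 127.0.0.1 -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
    }
}

function Get-RdpLogonSummary {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # Failed logons (4625). LogonType 10 = RemoteInteractive; NLA pre-auth failures arrive as type 3.
    $failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; User = $data.TargetUserName; Source = $data.IpAddress; LogonType = $data.LogonType }
        } | Where-Object { $_.LogonType -in '3', '10' }

    # Successful NLA authentications (1149) carry the client address in the RemoteConnectionManager log.
    $ok = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; Id = 1149; StartTime = $since } -ErrorAction SilentlyContinue

    # Drops on the default port, if dropped-packet logging is on (Set-NetFirewallProfile -All -LogBlocked True).
    $fwLog = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
    $drops3389 = if (Test-Path $fwLog) {
        (Select-String -Path $fwLog -Pattern '^\S+ \S+ DROP TCP \S+ \S+ \d+ 3389 ').Count
    } else { 'firewall log not found' }

    [pscustomobject]@{
        FailedBySource     = $failed | Group-Object Source | Sort-Object Count -Descending |
                             Select-Object -First 10 Count, @{ n = 'Source'; e = { $_.Name } }
        LastSuccessful     = $ok | Select-Object -First 10 TimeCreated, Message
        DropsOn3389        = $drops3389
    }
}

Test-RdpPortChange
Get-RdpLogonSummary -Hours 24
```

A healthy result has RegistryMatches, Listening, RuleEnabled and LocalTcpOk all True and RulePort equal to the new port; after the old rules are disabled, DropsOn3389 should keep climbing while FailedBySource shrinks to nothing but genuine typos from your own allowlisted addresses.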

Verification and recommended practice after the change

After a successful port change, use a small checklist: document the new port, verify access from at least one external network, confirm that the old 3389 port is no longer exposed, and make sure your fallback console access still works. This is especially important in environments with multiple administrators, where undocumented changes tend to become future incidents.

The best practice is to treat an RDP port change as a minor hardening step, not as the main line of defense. Combined with VPN, IP allowlists, strong passwords, current Windows updates, and audited admin accounts, it becomes a useful and practical improvement. It does not make the service invisible, but it does reduce automated attacks against the default port, lowers background log noise, and helps keep remote administration more orderly.

How to change default RDP port

For security reasons we suggest changing your server's default RDP port to a different one of your choosing.

1. Start the “Registry Editor”

2. Find the following registry subkey:

HKEY_LOCAL_MACHINE
 System
  CurrentControlSet
   Control
    Terminal Server
     WinStations
      RDP-Tcp
       PortNumber

3. Open the “PortNumber” and in the menu select “Decimal”

4. Enter the new port number and click OK

5. Close the “Registry Editor”

Now that we have changed the default RDP port, we have to allow the new port in the firewall.

1. Open “Control Panel” and open “Windows Defender Firewall” (named “Windows Firewall” on older versions)

2. Open “Advanced settings”

3. Open “Inbound rules” and create “New Rule…”

4. In the menu choose “Port”

5. Select “TCP” as the port type and in the lower field type the port number you specified earlier

6. Choose “Allow the connection”

7. Choose when this rule applies

8. Enter a name for your rule and an optional description (these are mainly informational for you)

9. Click “Finish”

10. You have created a new rule in your firewall

11. Restart your server to apply the changes

The change only goes into effect once the server (or the Remote Desktop Services service) is restarted. After the restart, RDP listens only on the new port; nothing answers on 3389 any more, so connect as server-ip:newport and make sure any provider or cloud firewall in front of the server allows the new port as well.