Changing the RDP listening port on Windows Server

IT pro Rick Vanover shows how to change the default port that remote desktop listens on and make subsequent connections in order to make RDP more secure.

Remote desktop protocol (RDP) is the de facto administrative console access, and it may be necessary to make it even more secure by changing the TCP port used for the network access. RDP transports on TCP 3389 by default for all supported versions of Windows; if you want to change the port, it requires a quick change in the Windows registry.

(Note: Editing the registry is risky, so be sure you have a verified backup before saving any changes.)

The following hive has the specific TCP port used for RDP:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]

In this hive, the PortNumber value contains the configured port that Windows will listen for RDP connections. The default port assignment is represented as D3D in hexadecimal or 3389 in binary. For this example, I will change the port to 53389. Figure A shows this change being made on a test server. Figure A

It may require a reboot to make the port assignment take effect (my Windows Server 2008 R2 test system did). Once the system is listening on the new port, connections need to specify the new port in the RDP client properties, as shown in Figure B. Figure B

The Windows Server system will now listen on the new port with the Svchost.exe process, visible in task manager by entering Netstat  -a -n -o to view the current processes and list the associated executable.

Have you had to change your RDP port to another port or possibly change it back? If so, share your thoughts about the experience in the discussion.

Stay on top of the latest Windows Server 2003 and Windows Server 2008 tips and tricks with our free Windows Server newsletter, delivered each Wednesday.

Automatically sign up today!