Remote Desktop Protocol (RDP) is the backbone of remote access on Windows systems. It lets you connect to another computer and work as if you were sitting in front of it. But here’s the problem: the default RDP port—3389—is widely known and heavily targeted by attackers.
Leaving this port unchanged is like leaving your front door unlocked because the key is too common. In this guide, you’ll learn how to change the RDP port safely, reduce exposure, and add a layer of obscurity that can help secure your remote desktop access.
What Is the Default RDP Port Number and Why Should You Care?
When you use Remote Desktop to connect to another system, your connection request travels through a specific channel known as a port. For RDP, that channel is port 3389. It’s the default across all Windows devices.
That predictability is exactly what makes it vulnerable. Automated bots and malicious actors often scan networks for open port 3389. Once they find one, they launch brute-force attacks—repeated login attempts to gain unauthorized access.
Changing the port won’t stop a targeted attack, but it does lower your chances of being randomly hit. Think of it as moving the lock from the front door to a side entrance with fewer visitors. It’s not bulletproof security, but it’s practical defense.
When Should You Change the Remote Desktop Port?
You don’t need to change the RDP port every time you set up a Windows machine. But certain conditions make it a smart move.
If you’re managing a terminal server, especially one exposed to the internet, sticking with the default port leaves you wide open. Small to mid-sized businesses (SMBs) and academic IT teams often operate with limited cybersecurity resources, making basic preventive steps like this especially valuable.
Changing the port is also useful when dealing with Windows Server environments that support multiple users or allow external access. It’s not just about hiding—it’s about narrowing your attack surface in a world where every open port is a potential invitation.
How Do You Back Up the Windows Registry Before Making Changes?
Editing the Windows Registry can feel routine—but a small mistake can lead to serious issues. That’s why backing up the registry before making changes isn’t just a precaution. It’s essential.
To do this safely:
- Open the Start Menu, type regedit, and press Enter.
- In the Registry Editor, click File > Export.
- Choose a location and file name, then select “All” under Export range.
- Click Save.
This gives you a full backup of your registry, so if anything goes wrong, you can restore your system to its previous state quickly and without stress.
Where in the Registry Can You Find the RDP Port Setting?
The RDP port setting lives in a very specific place inside the Windows Registry. You’ll find it by navigating to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Each part of this path matters. The Control branch governs system behavior. Terminal Server manages remote access settings, and WinStations handles session-specific details. Finally, RDP-Tcp is the actual configuration point for RDP connections.
Inside this key, look for a value named PortNumber. That’s the setting controlling which port Windows uses for incoming remote desktop connections. Once you locate it, you’re ready to change it—but only after you’ve completed the backup.
How to Change the RDP Port Using Registry Editor
Once you’ve backed up your registry and found the correct path, you can safely update the RDP port:
- In Registry Editor, double-click the PortNumber entry in the RDP-Tcp key.
- A small dialog box appears—make sure to select the Decimal option.
- Enter your new port number. Choose something higher than 1024 and not already in use. For example, 4455 or 3390 are common alternatives.
- Click OK to save the value.
Avoid using ports assigned to other services or applications. Conflicting port numbers can block services or cause connection errors. After saving, close the Registry Editor. The port is now technically changed, but the system won’t recognize it until after a restart.
What Firewall Rules Should You Update for the New Port?
Changing the RDP port in the registry isn’t enough on its own. If Windows Firewall doesn’t know to allow traffic on the new port, your remote desktop connection will fail.
Here’s what to do:
- Open Windows Defender Firewall with Advanced Security.
- Go to Inbound Rules > New Rule.
- Select Port, then click Next.
- Choose TCP and enter your new RDP port number under Specific local ports.
- Select Allow the connection.
- Apply the rule to the appropriate profiles: Domain, Private, and/or Public, depending on your environment.
This ensures your connection request reaches the right destination. Without this step, Windows will continue blocking traffic—even if your registry setting is correct.
How Do You Connect with a Remote Desktop Client After the Change?
Once the new port is set and firewall rules are in place, update your connection format. Use the syntax:
IPaddress:NewPort
For example: 192.168.0.25:4455
This tells the Remote Desktop Connection tool which port to use when initiating the session. You can also save this configuration in the connection settings to avoid entering it manually each time.
What Should You Check Before Restarting the System?
Before rebooting, make sure all changes are complete:
- Verify that your inbound rule is active.
- Double-check the PortNumber entry in the registry.
- Run netstat -a or open Control Panel > Windows Defender Firewall > Advanced Settings to confirm port status.
Then restart the system. This allows the RDP service to pick up the new configuration and route traffic accordingly.
Can You Change the RDP Port Using PowerShell?
Yes, PowerShell is a fast alternative to manually editing the registry—especially useful when managing multiple Windows Server machines.
Here’s a simplified command:
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "PortNumber" -Value 4455
This sets the new port directly. Just be sure to update your firewall rules and restart the server afterward.
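The backup, registry change, and firewall rule described above can be combined into one script. This is an added example, not code from the original article; the parameter names, backup file location, firewall profiles, and rule display name are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example. Defaults below are illustrative assumptions, not values from a vendor.
param(
    [ValidateRange(1025, 65535)][int]$NewPort = 4455,             # the article's example port
    [string]$BackupFile = "$env:USERPROFILE\rdp-tcp-backup.reg",  # assumed backup location
    [string[]]$Profiles = @('Domain', 'Private')                  # assumed firewall profiles
)

$key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$regKey = $key.Replace('HKLM:', 'HKLM')   # reg.exe uses the path without the colon

# 1. Refuse a port that already has a listener (the conflict the article warns about).
$busy = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if ($busy) { throw "Port $NewPort is already in use by PID $($busy[0].OwningProcess)." }

# 2. Back up the key before touching it (narrower than the full export done in regedit).
reg.exe export $regKey $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; nothing was changed.' }

# 3. Write the port as a DWORD. Passing an integer avoids the hex/decimal dialog mistake.
$oldPort = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
Set-ItemProperty -Path $key -Name PortNumber -Value $NewPort -Type DWord

# 4. Allow inbound TCP on the new port, unless the rule already exists.
$ruleName = "Remote Desktop custom port $NewPort (TCP-In)"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $NewPort -Action Allow -Profile $Profiles | Out-Null
}

# 5. Read the value back and report. The listener moves only after the restart.
$now = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
if ($now -ne $NewPort) { throw "PortNumber is $now, expected $NewPort." }
[pscustomobject]@{
    OldPort      = $oldPort
    NewPort      = $now
    Backup       = $BackupFile
    FirewallRule = $ruleName
    NextStep     = 'Restart the system, then connect to host:port'
}
```

If the change has to be undone, importing the saved file with `reg.exe import` restores the previous PortNumber.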
What to Do If Your Remote Desktop Connection Fails After the Change
Connection issues are usually easy to resolve. Start with the basics:
- Confirm you’re entering the correct IP and new port number.
- Ensure your firewall rule wasn’t skipped or misconfigured.
- Verify that you made changes with administrator access.
- Open services.msc and check that the Remote Desktop Services are running.
One small oversight—like forgetting to switch from hexadecimal to decimal in the registry—can block access. Review each step carefully before troubleshooting deeper.
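The checks in this list can be collected in one pass on the RDP host. This is an added example, not code from the original article; the output field names are assumptions, and the firewall match covers only rules that name the port exactly (port ranges and "Any" are not expanded).

```powershell
#Requires -RunAsAdministrator
# Added example: local diagnostics for a changed RDP port. Field names are illustrative.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber

# Remote Desktop Services runs as the TermService service.
$svc = Get-Service -Name TermService

# Is anything listening on the configured port? (Empty until the restart has happened.)
$listener = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue

# Enabled inbound allow rules whose TCP port filter names the configured port exactly.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Where-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    $filter.Protocol -eq 'TCP' -and $filter.LocalPort -contains "$port"
}

[pscustomobject]@{
    # Shown in both bases: typing 4455 with Hexadecimal selected stores 17493 (0x4455).
    ConfiguredPort   = '{0} (0x{0:X})' -f $port
    ServiceStatus    = $svc.Status
    ListeningOnPort  = [bool]$listener
    ListenerPid      = if ($listener) { $listener[0].OwningProcess } else { $null }
    FirewallRules    = @($rules | ForEach-Object DisplayName)
    FirewallProfiles = @($rules | ForEach-Object { "$($_.Profile)" }) | Select-Object -Unique
}
```

From the client side, `Test-NetConnection -ComputerName 192.168.0.25 -Port 4455` (the article's example address and port) reports whether the TCP port is reachable across the network.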
Why Apporto Is a Smarter Alternative to Traditional RDP
Manual RDP port changes, firewall configurations, and registry edits are manageable—but they’re also a burden. Apporto eliminates all of that.
With Apporto, there’s:
- No registry editing.
- No open ports to monitor.
- No firewall headaches.
It’s a browser-based virtual desktop platform built with Zero Trust security and seamless remote desktop access across any device. Whether you use Windows, Mac, or Linux, Apporto supports full performance—up to 4K @ 60fps, with support for multi-monitor setups and real-time collaboration.
It’s ideal for SMBs and educational institutions that want security, scalability, and simplicity—without the overhead of legacy setups.
Conclusion: Ready to Take Control of Your Remote Access?
Changing the RDP TCP port is a smart first step toward better remote access security. Just remember to back up your registry, update firewall rules, and test everything before going live.
If you’re looking for an easier, more secure alternative, explore Apporto—a cloud-first solution that removes the complexity of traditional remote desktop management.
Skip the registry edits and firewall tweaks. Try Apporto now for secure, hassle-free remote access.