Should you change your Windows RDP port?
This is the Windows equivalent of “should you change your SSH port?”
The answer is somewhat philosophical but I’d argue it is common sense. It’s true that changing your Windows RDP port is “security by obscurity” in the sense that if someone is trying to get into your server, they’ll find your Windows RDP port. That’s what port scanning is all about.
But while it won’t stop someone targeting your server specifically, it will stop the broadcast-style targeting. There are script kiddies who’ll scan entire IP ranges for port 3389 (the default Windows RDP port). If they find the port open on an IP, they dive in with deeper attacks. If the port isn’t open, they move on to the next IP.
So while changing your port won’t protect your VPS from a determined attacker, it’ll make it less visible as a target. Make sense?
How to Change Your Windows RDP Port
Start by logging into your Windows VPS using the Remote Desktop Connection client, or whatever remote access method you use.
Start the Registry Editor (regedit.exe). You can do this by typing “regedit” in the search area.
Navigate to this key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Find PortNumber, then click Edit->Modify. Select Decimal.
Type the new port number. What should it be? Really anything that works for you, but above 1024. Below 1024, most ports are reserved for well-known services. Don’t select something like port 6000, which is the X Window system port, because that is also scanned. Something above 10,000 is good.
Click OK.
If you’re using Windows Firewall, you need to update that too. You can do it graphically or with a couple of commands. Let’s use the command line.
First, allow the new port through:
netsh advfirewall firewall add rule name="RDP Port 15320" protocol=TCP dir=in localport=15320 action=allow
Now make sure you can connect by closing your connection and reconnecting, specifying your new port. This is to make sure you don’t lock yourself out.
Assuming it works, issue another command to remove the firewall rule for port 3389:
netsh advfirewall firewall delete rule name="Remote Desktop (TCP-In)"
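The same procedure as a PowerShell script, added here as an example and not part of the original post. It keeps the post’s port (15320) and rule names, assumes an elevated session on Windows 8 / Server 2012 or later (for the NetSecurity cmdlets), and is split in two so the 3389 rule is only closed after you have reconnected on the new port.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
$NewPort = 15320                                   # the post's example port
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$NewRule = "RDP Port $NewPort"                     # same rule name as the netsh command
$OldRule = 'Remote Desktop (TCP-In)'               # built-in rule name used by the post;
                                                   # newer Windows calls it 'Remote Desktop - User Mode (TCP-In)'

function Set-RdpPort {
    # Step 1: record the current port so the change can be reverted.
    $old = (Get-ItemProperty -Path $RegPath -Name PortNumber).PortNumber
    Write-Host "Current RDP port: $old -> changing to $NewPort"

    # Step 2: the registry value the post edits, written as a decimal DWORD.
    Set-ItemProperty -Path $RegPath -Name PortNumber -Value $NewPort -Type DWord

    # Step 3: open the new port in Windows Firewall BEFORE touching the 3389 rule.
    if (-not (Get-NetFirewallRule -DisplayName $NewRule -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $NewRule -Direction Inbound -Protocol TCP `
            -LocalPort $NewPort -Action Allow | Out-Null
    }

    # Remote Desktop Services only reads PortNumber at start-up; restarting it
    # (or rebooting) disconnects the current RDP session, so it is left to you.
    Write-Host "Now run 'Restart-Service TermService -Force' or reboot, then reconnect on port $NewPort."
}

function Close-OldRdpRule {
    # Run only after you have successfully reconnected on the new port.
    # Refuse to close 3389 unless something is actually listening on the new port.
    $listening = Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue
    if (-not $listening) {
        Write-Warning "Nothing is listening on $NewPort; leaving the 3389 rule in place."
        return
    }
    $rules = Get-NetFirewallRule -DisplayName $OldRule -ErrorAction SilentlyContinue
    if (-not $rules) {
        Write-Warning "No firewall rule named '$OldRule' found; check the rule name for your Windows version."
        return
    }
    # Disabling rather than deleting gives the same exposure as the post's delete,
    # but the built-in rule can be re-enabled if you ever need to roll back.
    $rules | Disable-NetFirewallRule
    Write-Host "Disabled '$OldRule'; port 3389 is no longer open in the firewall."
}
```

Call Set-RdpPort first, reconnect on the new port, then call Close-OldRdpRule from the new session.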
And that’s it!