Remote Desktop Protocol (RDP) is a widely used feature of Windows servers that lets administrators manage them remotely. By default, RDP listens on TCP port 3389. That default is universally known, which makes it a standing target for automated scanning and brute-force logon attempts. Moving RDP to another port is a simple, low-cost step that cuts the volume of opportunistic attacks, provided it is combined with the other controls covered below.
This article provides a detailed guide on how to change the RDP port on a Windows Server, along with important considerations and best practices to ensure a seamless transition and secure environment.
Why Change the Default RDP Port?
Changing the default RDP port offers several advantages:
Enhanced Security: Cuts the volume of opportunistic brute-force and scanning traffic aimed at port 3389. It does not hide the service: a full port scan identifies an RDP listener by its handshake on any port, so the change is an add-on to the controls listed under best practices, not a replacement for them.
Compliance: Meets certain organizational or industry compliance requirements.
Conflict Avoidance: Prevents port conflicts if another application uses port 3389.
Prerequisites
Before proceeding, ensure the following:
Administrator Access: You need administrator rights on the Windows server.
Backup: Create a full backup of your system or snapshot of your server instance to restore in case of errors.
Firewall Access: Know every firewall in the path to the server (Windows Defender Firewall, any third-party security agent, and the cloud security group or network ACL), because each one will need a rule for the new port.
Testing Environment: Test the procedure on a non-production server if possible.
Step-by-Step Guide to Change the RDP Port
Step 1: Check Current RDP Configuration
Verify Connectivity: Ensure you can connect to the server using the default port (3389).
Record Settings: Note down current configurations and ensure you have backup access options, such as console access via cloud providers like AWS, Azure, or Google Cloud.
Step 2: Modify the RDP Port in the Registry
Open the Registry Editor
Press Win + R, type regedit, and press Enter.
Confirm any prompts to open the Registry Editor.
Navigate to the RDP Port Setting
Go to the following path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Locate the Port Number
Look for the PortNumber value (type REG_DWORD) in the right-hand pane.
Double-click PortNumber.
Change the Port Value
Select Decimal under the Base option.
Enter a new port number (e.g., 5000). Choose one above 1024 that is not already in use by another application and, ideally, below 49152, so it does not collide with the Windows dynamic (ephemeral) port range that outbound connections use.
Save Changes
Click OK to save the new port number.
Step 3: Update the Firewall Rules
After modifying the registry, ensure your firewall allows traffic on the new port:
Windows Firewall
Open Windows Defender Firewall from the Control Panel.
Click Advanced Settings on the left sidebar.
Go to Inbound Rules. The predefined rule Remote Desktop - User Mode (TCP-In) is tied to port 3389 and its port cannot be edited in this console, so instead right-click Inbound Rules > New Rule... > Port > TCP, enter the new port under Specific local ports, choose Allow the connection, and give the rule a clear name.
In the new rule's Scope tab, limit Remote IP addresses to your management network if you can; once you have confirmed the new port works, the predefined Remote Desktop rules can be disabled.
Third-Party Firewalls
If using a third-party firewall or security software, add a rule to allow the new port.
Cloud Providers
For servers hosted on AWS, Azure, or other cloud platforms, update the corresponding security group or network rule to allow the new port.
Step 4: Restart the Remote Desktop Service
The change takes effect only after the Remote Desktop Services service (TermService) restarts or the server reboots. Restarting it disconnects every active RDP session, including your own, so do this from console or out-of-band access, or be ready to reconnect on the new port:
Open Services (services.msc).
Locate Remote Desktop Services.
Right-click and select Restart.
Step 5: Test the Connection
Open your RDP client.
Specify the new port in the connection address:
<server address>:<port>
e.g., 192.168.1.10:5000, or from a command prompt: mstsc /v:192.168.1.10:5000
Verify that you can connect successfully.
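The procedure in Steps 2 to 5, scripted in PowerShell, as an added example that is not part of the original article. It is meant to be run in an elevated session on the server, from console or out-of-band access, because restarting TermService drops every active RDP session including yours. The new port (5000), the management network (10.0.0.0/24) and the rule name are illustrative assumptions; change them to match your environment.

```powershell
# Added example (not from the original article): change the RDP listener port with PowerShell.
# Run elevated, from console/out-of-band access: restarting TermService drops every RDP session.
# Assumed values (illustrative): new port 5000, management network 10.0.0.0/24.

$NewPort   = 5000
$AdminCidr = '10.0.0.0/24'   # only this range may reach the new port; set it to your admin network
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Step 1 - sanity-check the chosen port before touching anything.
if ($NewPort -lt 1024 -or $NewPort -ge 49152) {
    # 49152-65535 is the default Windows dynamic (ephemeral) range used by outbound connections.
    throw "Pick a port between 1024 and 49151; $NewPort is privileged or in the dynamic range."
}
$listener = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if ($listener) {
    $owner = $listener.OwningProcess | Select-Object -First 1
    throw "TCP port $NewPort is already in use by PID $owner."
}

# Step 2 - record the current value (needed to revert) and write the new one. PortNumber is a REG_DWORD.
$OldPort = (Get-ItemProperty -Path $RegPath -Name PortNumber).PortNumber
Write-Host "Current RDP port: $OldPort -> new port: $NewPort"
Set-ItemProperty -Path $RegPath -Name PortNumber -Value $NewPort -Type DWord

# Step 3 - firewall: the predefined 'Remote Desktop' rules are fixed to 3389, so add a new rule.
# Scoping it to the admin network applies the 'Restrict Access' best practice at the same time.
New-NetFirewallRule -DisplayName "Remote Desktop (custom port $NewPort)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -RemoteAddress $AdminCidr -Action Allow -Profile Any | Out-Null

# Step 4 - restart the listener. -Force also restarts dependents such as UmRdpService.
Restart-Service -Name TermService -Force

# Step 5 - verify the listener rebound and answers locally; then test from a real client.
Start-Sleep -Seconds 5
Get-NetTCPConnection -State Listen -LocalPort $NewPort |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
$probe = Test-NetConnection -ComputerName $env:COMPUTERNAME -Port $NewPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "Nothing is answering on TCP $NewPort; check the service and the firewall rule."
}

# After a client has connected on the new port (mstsc /v:<server>:$NewPort), close the old hole:
#   Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
# To revert:
#   Set-ItemProperty -Path $RegPath -Name PortNumber -Value $OldPort -Type DWord
#   Restart-Service -Name TermService -Force
```

The script refuses a port that is privileged, already listening, or inside the default dynamic range, records the old value so the revert is one line, and only disables the predefined 3389 rules in a comment, so you can confirm a client connection first and keep an escape route until then. UDP transport is not opened here; RDP falls back to TCP when UDP is unreachable.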
Troubleshooting
If you encounter issues:
- Connection Fails: Double-check that the new port is allowed through every firewall in the path (Windows Firewall, third-party agent, cloud security group), and that the RDP client specifies the correct port.
- Port Conflict: Verify the chosen port is not used by another service, e.g. netstat -ano | findstr :5000 in Command Prompt; an existing LISTENING entry means you should pick another port.
- Locked Out of Server: Access the server via an alternate method (e.g., cloud provider console or out-of-band management) and revert the registry change.
Best Practices for Changing the RDP Port
Choose a Non-Standard Port
Select a port number between 1025 and 49151 that no other service uses; 49152 to 65535 is the default Windows dynamic port range, and a listener there can collide with outbound connections. Treat the port number as a noise filter, not a secret: a full-range port scan identifies an RDP listener on any port.
Restrict Access
Limit RDP access to specific IP addresses or ranges in your firewall.
Monitor Server Logs
Regularly check server logs for unauthorized access attempts.
Combine with Other Security Measures
Use strong passwords, enable Network Level Authentication (NLA), and implement multi-factor authentication (MFA).
Bastion Host
For cloud environments, use a bastion host to manage RDP connections.
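A worked example of the "Monitor Server Logs" practice above, added here and not part of the original article: a PowerShell function that ranks source addresses by failed RDP logons in the Security log. It relies on documented event semantics (event ID 4625 is a failed logon; logon type 10 is RemoteInteractive, and with NLA enabled the credential check fails as logon type 3 from the client's address); the function name, look-back window and threshold are my own choices. Reading the Security log needs an elevated session.

```powershell
# Added example (not from the original article): rank source IPs by failed RDP logons.
# Security event 4625 = failed logon. Logon type 10 = RemoteInteractive (RDP without NLA);
# with NLA enabled the credential check fails as logon type 3 (Network) from the client's IP,
# so both types are counted. Reading the Security log requires an elevated session.
function Get-RdpBruteForceSources {
    param(
        [int]$Hours = 24,       # look-back window
        [int]$Threshold = 10    # failures from one address before it is reported
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    $failures = foreach ($e in $events) {
        # Pull the EventData fields out of the event XML by their Name attribute.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        if ($data.LogonType -in @('3', '10') -and $data.IpAddress -and $data.IpAddress -ne '-') {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                User      = $data.TargetUserName
                SourceIP  = $data.IpAddress
                LogonType = $data.LogonType
                Status    = $data.Status     # 0xC000006D = unknown user name or bad password
            }
        }
    }

    $failures | Group-Object SourceIP | Where-Object Count -ge $Threshold |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceIP';  e = { $_.Name } }, Count,
                      @{ n = 'FirstSeen'; e = { ($_.Group.Time | Measure-Object -Minimum).Minimum } },
                      @{ n = 'Users';     e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
}

# Usage: addresses over the threshold are candidates for a firewall block or a tighter rule scope.
Get-RdpBruteForceSources -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

Run it on a schedule and the output tells you whether the port change actually reduced the noise: if the same handful of addresses keep appearing, tighten the firewall rule's remote-address scope rather than moving the port again. Many distinct usernames from one address is the signature of password spraying, which no port number stops.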
Reverting to the Default Port
If necessary, you can revert the RDP port to 3389:
Repeat the steps above to change the registry value back to 3389.
Update firewall rules to allow traffic on port 3389.
Restart the Remote Desktop Service.
Conclusion
Changing the default RDP port on a Windows server is a straightforward way to cut the volume of opportunistic brute-force attempts and to avoid port conflicts. It is obscurity rather than hardening: a full port scan or a service-fingerprinting crawler still finds the listener, so the change only adds value on top of NLA, MFA, source-IP restrictions and log monitoring.
By following this guide and implementing best practices, you can manage your Windows server securely and efficiently.