Managing secure access to production Windows EC2 instances is a common challenge in cloud environments. AWS SSM Fleet Manager uses the default RDP port 3389, but you may also want manual RDP access on a custom port (such as 7339), for example for Bastion jump-host access, maintenance, or upgrade tasks.
This guide walks you through configuring both ports with minimal risk and maximum control.
Use Case
- Port 3389: reserved only for AWS SSM Fleet Manager RDP
- Port 7339: used for manual RDP access via Bastion/admin tools
Step-by-Step: Enable Dual RDP Ports on Windows Server
Step 1: Open Registry Editor
Press Win + R, type regedit, and press Enter.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Step 2: Export the Original RDP Listener Key
- Right-click the RDP-Tcp key.
- Choose Export.
- Save two copies:
  - RDP-Tcp-Original.reg (backup, do not edit)
  - RDP-Tcp-New.reg (the copy you'll edit)
Step 3: Edit the REG File (Clone and Modify Port)
Open RDP-Tcp-New.reg in Notepad.
Change this line:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
to:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp-7339]
Find the port setting (hex 0d3d is the default port 3389):
"PortNumber"=dword:00000d3d
Replace it with your custom port (7339 in decimal is 1ca3 in hex):
"PortNumber"=dword:00001ca3
Step 4: Import the Modified REG File
- Double-click the edited RDP-Tcp-New.reg file.
- Click Yes to allow registry merge.
- This creates a new listener key, RDP-Tcp-7339, alongside the original RDP-Tcp.
Step 5: Allow the Custom Port in Windows Firewall
- Open Windows Defender Firewall with Advanced Security.
- Navigate to Inbound Rules > New Rule.
- Choose:
  - Rule Type: Port
  - Protocol: TCP
  - Port: 7339
  - Action: Allow the connection
  - Profile: Domain, Private, Public
  - Name: RDP Port 7339 Allow
Step 6: (Optional) Block 3389 from External Access
To prevent public RDP via 3389 (while still allowing SSM Fleet Manager access):
- Go to Windows Firewall > Inbound Rules.
- Find the rule allowing RDP on 3389.
- Either:
  - Disable it (if 3389 is not needed externally)
  - Or edit the rule's scope to allow only AWS internal IPs
Do NOT block 3389 entirely if you use SSM RDP: Fleet Manager needs that listener!
Step 7: Reboot the Server (the new listener is only picked up after a restart; run this from an elevated PowerShell prompt)
Restart-Computer
Step 8: Test RDP Access
From your admin workstation or Bastion, point your RDP client at the instance with the custom port:
<your-ec2-ip>:7339
You should now see a login prompt.
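The same procedure (Steps 2 to 5 plus the listener check from the Bonus Checks) as an added PowerShell script. This is an example I wrote for this page, not code from the original post; it assumes an elevated prompt, a C:\RDPBackup folder for the exported key, placeholder admin source addresses in $AdminSources, and a function name (Test-RdpListeners) of my own choosing.

```powershell
# Added example (not from the original post): clone the RDP-Tcp listener to a
# second listener on port 7339, open the firewall only to named admin sources,
# and verify both ports. Run from an elevated PowerShell prompt; reboot afterwards.
$Base         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
$Src          = Join-Path $Base 'RDP-Tcp'
$Dst          = Join-Path $Base 'RDP-Tcp-7339'
$NewPort      = 7339
# Placeholder values: replace with your Bastion host and admin/VPN ranges.
$AdminSources = @('10.0.1.10', '203.0.113.0/24')

# Step 2: keep a backup of the original listener key as a .reg file.
New-Item -ItemType Directory -Path 'C:\RDPBackup' -Force | Out-Null
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    'C:\RDPBackup\RDP-Tcp-Original.reg' /y | Out-Null

# Steps 3-4: clone the key, then change only PortNumber on the copy.
if (-not (Test-Path $Dst)) {
    Copy-Item -Path $Src -Destination $Dst -Recurse
}
Set-ItemProperty -Path $Dst -Name 'PortNumber' -Value $NewPort -Type DWord

# Step 5: allow 7339 inbound, scoped to the admin sources instead of "any address".
$RuleName = 'RDP Port 7339 Allow'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
        -Protocol TCP -LocalPort $NewPort -RemoteAddress $AdminSources `
        -Action Allow -Profile Domain,Private,Public | Out-Null
}

# Bonus check (run again after the reboot): both listeners should be bound.
function Test-RdpListeners {
    $listening = Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -in 3389, $NewPort } |
        Select-Object -ExpandProperty LocalPort -Unique
    foreach ($p in 3389, $NewPort) {
        $state = if ($p -in $listening) { 'LISTENING' } else { 'MISSING' }
        '{0,-6} {1}' -f $p, $state
    }
}
Test-RdpListeners
```

Until the reboot in Step 7, Test-RdpListeners will report 7339 as MISSING; run it again afterwards to confirm both listeners.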
Security Best Practices for Dual RDP Ports
| Port | Purpose | Security Recommendation |
|---|---|---|
| 3389 | AWS Fleet Manager (SSM RDP) | Keep it open only for AWS IP ranges |
| 7339 | Manual RDP via Bastion/Admin | Restrict using Security Groups + Firewall |
| Both | Registry listeners | Monitor with netstat or PowerShell |
Bonus Checks:
- Ensure both ports are listening:
  netstat -an | findstr LISTENING
- Keep Security Groups tight: only allow 7339 from:
  - the Bastion host
  - admin IPs (office VPN, a specific jump host)
Final Thoughts
This approach allows:
- Secure, automated access via SSM Fleet Manager
- Manual RDP control when needed, without exposing 3389 to the world
It's a great balance between automation and manual override, especially for production workloads during upgrades or incidents.
Have you tried this setup? Drop your experience or questions in the comments!