IMPORTANT: Do not close your current RDP session until the new port is confirmed working. Ensure you have console access available in case of lockout before proceeding.
Overview
This article explains how to change the default Remote Desktop Protocol (RDP) listening port on Windows Server 2025. By default, Windows listens on TCP port 3389. Changing the port can reduce automated scanning and low-effort attacks, but it does not replace proper security controls.
Prerequisites
- Local administrator access to the server
- Console access available in case of lockout
- A chosen TCP port between 1025 and 65535 that is not already in use by another service
- Record your selected port for documentation before proceeding
Step 1 - Modify the Registry
- Press Windows + R, type regedit, and press Enter
- Navigate to the following registry path:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
- In the right pane, double-click PortNumber
- Select Decimal
- Enter your new port number (example: 3395)
- Click OK
NOTE: The PortNumber value is a REG_DWORD. Always select Decimal before entering the port number or the value will be interpreted incorrectly.
Step 2 - Configure Windows Firewall
- Open Windows Defender Firewall with Advanced Security
- Click Inbound Rules
- Click New Rule
- Select Port and click Next
- Select TCP
- Choose Specific local ports and enter your new port number
- Select Allow the connection
- Choose the applicable profiles (Domain, Private, Public)
- Give the rule a descriptive name (example: RDP - Custom Port 3395)
- Click Finish
Step 3 - Apply the Change
Option A - Restart the Server
- Reboot the server to activate the new port
Option B - Restart Remote Desktop Services
- Open Services
- Locate and restart Remote Desktop Services
- Allow dependent services to restart if prompted
Step 4 - Connect Using the New Port
Use the following format in Remote Desktop Connection:
ServerNameOrIP:Port
Example:
192.168.1.10:3395
Step 5 - Verify the New Port Is Listening
Run the following command in Command Prompt (cmd.exe) to confirm the new port is active:
netstat -an | find ":3395"
Replace 3395 with your chosen port number.
Optional - Confirm Registry Value via PowerShell
Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
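Steps 1 through 5 as a single PowerShell function, added here as an example and not part of the original article. The function name Set-RdpPort, its parameters, the Domain and Private profile choice, and creating the firewall rule before the registry change are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of Steps 1-5. Set-RdpPort, $NewPort and
# $RuleName are illustrative names, not from the article.
function Set-RdpPort {
    param(
        [Parameter(Mandatory)][ValidateRange(1025, 65535)][int]$NewPort,
        [switch]$RestartService
    )
    $key = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $old = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber

    # Prerequisite: the port must not already be in use by another service.
    if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
        throw "TCP $NewPort already has a listener; choose another port."
    }

    # Step 2 (done first here): allow the new port before the listener moves.
    # Profiles are an assumption; pick the ones that apply to your network.
    $RuleName = "RDP - Custom Port $NewPort"
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort $NewPort -Action Allow -Profile Domain, Private | Out-Null
    }

    # Step 1: the integer is written as a REG_DWORD, so there is no
    # hexadecimal/decimal ambiguity as in the regedit dialog.
    Set-ItemProperty -Path $key -Name PortNumber -Value $NewPort -Type DWord
    Write-Host "PortNumber changed from $old to $NewPort (rollback value: $old)"

    # Step 3, Option B: restarting TermService disconnects current RDP
    # sessions, so it runs only when requested, ideally from the console.
    if ($RestartService) {
        Restart-Service -Name TermService -Force
        Start-Sleep -Seconds 5
        # Step 5: confirm a listener is bound to the new port.
        if (-not (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue)) {
            throw "Nothing is listening on TCP $NewPort; check the registry value and service state."
        }
        Write-Host "RDP is listening on TCP $NewPort"
    }
}

Set-RdpPort -NewPort 3395   # add -RestartService when running from the console
```

The existing inbound rule for TCP 3389 is left untouched, so the rollback procedure still works until you disable that rule.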
Optional - Additional Hardening
- Disable inbound firewall rules allowing TCP 3389 after verifying the new port works
- Restrict access by source IP at the firewall level
- Use a VPN or secure tunnel solution for remote access
- Implement multi-factor authentication for RDP access
Rollback Procedure
- Set PortNumber back to 3389 (Decimal) in the registry
- Ensure firewall rules allow TCP 3389
- Restart the server or Remote Desktop Services
Notes
- Changing the RDP port is a basic security measure only - it does not replace proper hardening, MFA, or VPN solutions
- Always verify connectivity on the new port before ending your administrative session
- Document the new port in your internal records so other administrators are aware