Q&A Monday: Change Remote Desktop Port
Question:
Do you know if there is any way to change the port number of remote desktop? I am looking to make RDP more secure by changing the default port on our servers.
Answer:
There is a way to change the default port on all supported versions of Windows, and it isn't really that complicated. For those of you not aware, Remote Desktop listens on TCP port 3389 by default. In jobs where I've used Remote Desktop as the primary means of connecting to servers (though it is not my ideal way of connecting to computers or servers), I generally recommended using the firewall to expose a different external port and NAT it to the default one. In today's world, though, you have to be aware of both external and internal attempts to view data, so if RDP is used it is smart to change the port the servers themselves listen on. This adds a step to connecting to computers and servers, but it makes randomly connecting to a resource a little more difficult. Be clear about what it buys you: it stops the casual scripts that only try 3389, but a port scan or banner grab will still identify an RDP listener on any port, so treat it as an addition to, not a substitute for, strong credentials, Network Level Authentication, and firewall rules that limit who can reach the port at all.
To make the quick change you need to modify the registry. NOTE: as with every change to the registry, I recommend you back it up (or at least export the key below) before editing. Browse to the following key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
Under this key, find the "PortNumber" value (a REG_DWORD) and double-click it, or right-click and choose Modify, to open the edit dialog. By default it shows the hex value d3d; click the Decimal radio button and you'll see it in plain numbers as 3389.
For this example I'll pretend you want to change the default 3389 to 13389 (you can choose whatever port you want, as long as nothing else on the server uses it). With Decimal selected, type 13389; if you click back to Hexadecimal you'll see it converted automatically, d3d becoming 344d. Click OK. Before you restart, add an inbound Windows Firewall rule for the new port: the built-in "Remote Desktop" rules only allow 3389, so without a rule the listener moves but nothing can reach it and you lock yourself out. Then restart the computer or server (restarting the Remote Desktop Services service, TermService, also applies the change, but it drops any active RDP sessions). Once the machine comes back online it should be listening on the new port. Of course, you will want to test it and get used to connecting on the new port. Open the Remote Desktop client and type the server/computer name, a colon, and the new port, which for my example would look like servername:13389 (substitute your own host name).
Specifying the port is what makes the connection work; otherwise the Remote Desktop client will try the old port, and the computer/server no longer responds there.
If you are doing this to many computers, or you just want to be lazy (like I do sometimes), I've included a zip file with a batch script and a registry (.reg) file. You could add these to a startup script and run them that way; note that a user logon script normally runs without the rights to write under HKEY_LOCAL_MACHINE, so a computer startup script (which runs as SYSTEM) or a Group Policy registry preference is the reliable way to push it out. Please make sure you back up the registry and thoroughly test the files before deploying. I can't be responsible if this somehow messes up your system; every addition to your computer or network should be tested before you make changes. Please modify the files to meet your needs. The script as it stands will change the port to 13389.
[Batch Script Zip Available Here]
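As an added example (not the batch script or .reg file from the original post), here is the same procedure as a single PowerShell script: it records the current value, writes the new PortNumber, adds the firewall rule the built-in Remote Desktop rules don't cover, restarts the service instead of rebooting, and verifies that the listener actually moved. It assumes an elevated session on Windows 8/Server 2012 or later (for the NetSecurity and NetTCPIP cmdlets); the port 13389 default, the script name Set-RdpPort.ps1 and the firewall rule name are my choices, not anything from the post.

```powershell
# Set-RdpPort.ps1  (added example; run elevated on the target host)
# Usage: .\Set-RdpPort.ps1            -> moves RDP to 13389
#        .\Set-RdpPort.ps1 -NewPort 4489
param([int]$NewPort = 13389)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Record the current value so the change can be rolled back.
$oldPort = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
'Current RDP port: {0} (0x{0:X})' -f $oldPort

# Refuse to move onto a port something else already owns.
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    throw "TCP $NewPort is already in use on this host; pick another port."
}

# 2. Write PortNumber as REG_DWORD. PowerShell does the decimal/hex conversion
#    the regedit dialog makes you do by hand: 13389 is stored as 0x344D.
Set-ItemProperty -Path $key -Name PortNumber -Value $NewPort -Type DWord

# 3. The built-in "Remote Desktop" firewall rules are scoped to 3389, so the new
#    port needs its own inbound rule or the listener moves and nothing can reach it.
#    Scope it to the profiles you actually need (here Domain and Private only).
$ruleName = "RDP (custom port $NewPort)"   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $NewPort -Action Allow -Profile Domain,Private | Out-Null
}

# 4. Restarting TermService applies the change without a reboot. -Force also
#    restarts dependent services. Active RDP sessions are dropped, so run this
#    from a console or out-of-band session, not over RDP.
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 3

# 5. Verify: new port listening, old port silent.
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    "RDP is now listening on TCP $NewPort. Connect with: mstsc /v:<servername>:$NewPort"
} else {
    throw "No listener on TCP $NewPort; check the TermService event log and roll back to $oldPort."
}
if (Get-NetTCPConnection -State Listen -LocalPort $oldPort -ErrorAction SilentlyContinue) {
    Write-Warning "Something is still listening on TCP $oldPort (another service, or the change did not apply)."
}
```

Rolling back is the same script with `-NewPort 3389`, after which the custom firewall rule can be removed with `Remove-NetFirewallRule -DisplayName $ruleName`. If you push this out with a startup script or Group Policy, keep the firewall step; that is the piece most often forgotten when the change is done by hand in regedit.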
——————————————————————————————–
If you have any questions that you want Jim to answer, from business servers to home computers, drop him a line at me@jimguckin.com, and he’ll try to answer your question. Check back every Monday for a new Question and Answer session, and check back during the week for Jim’s other technical insights.