How to Change the RDP Port on Windows Server and Secure Remote Access
Changing the default RDP (Remote Desktop Protocol) port from 3389 to a custom port is a simple but effective way to improve server security. This tutorial walks you through how to do it safely, including how to open the new port on the firewall and disable the default one after testing.
✅ Requirements
- Administrator access to your Windows Server
- Remote Desktop already enabled
- Access to Windows Firewall
- Console access (KVM, IPMI, iDRAC, etc.) is highly recommended
1. Open the Registry Editor
Press Win + R, type regedit, and press Enter.
Navigate to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
2. Modify the RDP port
- On the right side, find PortNumber
- Double-click it
- Choose Decimal
- Change the value from 3389 to your new custom port (Example: 49288)
- Click OK to save
3. Create a new firewall rule for the custom port
Open Windows Defender Firewall with Advanced Security.
- Click on Inbound Rules
- On the right side, click New Rule…
- Select Port, click Next
- Choose TCP, and enter your new port (e.g., 49288)
- Select Allow the connection, click Next
- Choose the profiles where it applies (Domain, Private, Public)
- Name the rule (e.g., Custom RDP Port 49288)
- Click Finish
4. Restart the server and test the new RDP connection
After creating the new firewall rule and changing the port in the registry, restart your server to apply the changes.
Once the server is back online, test the Remote Desktop connection from your computer using the new port:
YOUR_SERVER_IP:49288
5. Disable the old RDP rule for port 3389
Once the new port is working, return to Windows Defender Firewall with Advanced Security, find the rule named:
Remote Desktop – User Mode (TCP-In)
Right-click it → Disable Rule
This blocks inbound connections to port 3389 at the firewall, reducing attack surface.
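The procedure above, scripted in PowerShell as an added example (not part of the original tutorial). The function names Set-RdpPort and Complete-RdpPortChange are hypothetical; the firewall rule is created before the registry change so the reboot cannot cut off access, and the display-name match assumes an English-language Windows install.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of steps 1-5. Port 49288 is the tutorial's example value.
$RdpKey   = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RuleName = 'Custom RDP Port'   # display-name prefix, as in step 3

function Set-RdpPort {            # hypothetical helper: run BEFORE the reboot
    param([ValidateRange(1, 65535)][int]$Port = 49288)

    # Refuse a port that another service is already listening on.
    if (Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue) {
        throw "TCP port $Port is already in use."
    }
    # Step 3 first: open the new port so the reboot cannot lock you out.
    if (-not (Get-NetFirewallRule -DisplayName "$RuleName $Port" -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName "$RuleName $Port" -Direction Inbound `
            -Protocol TCP -LocalPort $Port -Action Allow -Profile Domain, Private, Public | Out-Null
    }
    # Steps 1-2: write PortNumber as a DWORD (the decimal value from step 2).
    $old = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $Port -Type DWord
    "PortNumber changed from $old to $Port. Restart the server (step 4), then test from a client."
}

function Complete-RdpPortChange { # hypothetical helper: run AFTER the reboot and a successful client test
    $port = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber

    # Only close 3389 if RDP has really moved and is listening on the new port.
    if ($port -eq 3389) { throw "PortNumber is still 3389; nothing to disable." }
    if (-not (Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)) {
        throw "Nothing is listening on TCP $port; leaving the 3389 rule enabled."
    }
    # Step 5: disable the built-in TCP rule. The wildcard matches a hyphen or an en dash in the name.
    Get-NetFirewallRule -DisplayName 'Remote Desktop*User Mode (TCP-In)' |
        Disable-NetFirewallRule
    "Inbound rule for 3389 disabled; RDP is on TCP $port."
}
```

Run Set-RdpPort -Port 49288, restart and confirm a client can connect to YOUR_SERVER_IP:49288, then run Complete-RdpPortChange. Keep console access (KVM, IPMI, iDRAC) available until the second function has succeeded.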