April 6, 2026
How to Check and Change RDP Port Step-by-Step? 2026 Guide
The default RDP port is TCP 3389. To check it, run `Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'PortNumber'` in PowerShell. To change it, run `Set-ItemProperty` with a new value between 1024 and 65535, open the new port in Windows Firewall, then restart the Remote Desktop service.
Key Takeaways:
- RDP uses 2 ports by default: TCP 3389 carries the primary session, and UDP 3389 accelerates graphics and input transport. Both ports change when the listening port is reconfigured.
- Port 3389 is the most scanned RDP port on the internet. Automated bots probe exposed instances within minutes of them becoming reachable. Changing to a port in the 49152–65535 range removes the system from the majority of these scans.
- 3 steps are mandatory after every port change: update the registry value, create new inbound firewall rules for both TCP and UDP, and restart the TermService. Skipping any one of these 3 steps breaks remote access.
- PowerShell completes the full port change in 5 commands: reg export (backup), Set-ItemProperty (set port), 2× New-NetFirewallRule (TCP + UDP firewall rules), and Restart-Service (apply changes), with no reboot required.
- Changing the port is 1 layer of defense, not a complete solution. Network-level authentication, IP allowlisting at the perimeter firewall, and MFA provide the actual security guarantees.
- After changing the port, connect using the format IP:Port, for example, 192.168.1.100:49200. Remote Desktop Connection does not detect the new port automatically.
What port does RDP use?
Remote Desktop Protocol (RDP), developed by Microsoft, listens on TCP port 3389 by default on all versions of Windows, including Windows 10, Windows 11, and Windows Server 2022. RDP also uses UDP port 3389 for transport acceleration when available. Port 3389 is the IANA-assigned standard for RDP and has been the default since Windows XP.
Because port 3389 is universally known, automated scanners probe it millions of times per day. Microsoft’s own telemetry shows that exposed RDP instances receive brute-force login attempts within minutes of being reachable on the public internet.
Why change the RDP port?
Changing the listening port from 3389 to a non-standard value reduces automated attack exposure by removing the system from the vast majority of port-3389-targeted scans. It does not replace authentication controls; it reduces noise so that other defenses (Network Level Authentication, MFA, VPN) operate against fewer live threats.
3 concrete benefits of changing the default port:
- Lower brute-force volume: bots scanning specifically for port 3389 no longer hit the service.
- Cleaner logs: authentication logs contain fewer failed attempts, making genuine intrusion attempts easier to spot.
- Better multi-server management: assigning distinct ports across a server fleet separates RDP traffic at the firewall level without additional tooling.
Security note: Port obfuscation is a single layer. Always combine it with NLA, strong passwords, IP allowlisting, and ideally an RD Gateway or VPN.
How to check the RDP port in Windows Server 2022 (PowerShell)
Run the following command in an elevated PowerShell session. The result appears instantly; no reboot is required.
```powershell
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'PortNumber'
```
The output displays the active port number. A value of 3389 confirms the default is still in use.
How to change the RDP port using PowerShell (Windows 10, 11 & Server 2022)
The PowerShell method applies identically to Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022. Complete all 5 steps in sequence; skipping the firewall step locks you out of the system.
Step 1 — Back up the registry branch
```powershell
reg export "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" "$env:USERPROFILE\Desktop\RDP-Tcp-backup.reg"
```
Step 2 — Set the new port number
Replace <NewPort> with a value between 1024 and 65535 that no other service on the machine uses. Values in the 49152–65535 range (IANA dynamic/private range) carry the lowest collision risk.
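```powershell
# Replace <NewPort> with the chosen port number before running
$portValue = <NewPort>
# Write the new listening port to the RDP-Tcp listener configuration
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'PortNumber' -Value $portValue
```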
Step 3 — Allow the new port through Windows Firewall
```powershell
New-NetFirewallRule -DisplayName "RDP-Custom-TCP-In" -Profile Any -Direction Inbound -Action Allow -Protocol TCP -LocalPort $portValue
New-NetFirewallRule -DisplayName "RDP-Custom-UDP-In" -Profile Any -Direction Inbound -Action Allow -Protocol UDP -LocalPort $portValue
```
Both TCP and UDP rules are required. RDP falls back to TCP-only if the UDP rule is absent, but creating both rules preserves full performance.
Step 4 — Block the old port (optional but recommended)
```powershell
New-NetFirewallRule -DisplayName "RDP-Block-3389-TCP" -Profile Any -Direction Inbound -Action Block -Protocol TCP -LocalPort 3389
```
Step 5 — Restart the Remote Desktop service
```powershell
Restart-Service -Name TermService -Force
```
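A read-only audit to run after the steps above, added here as an example (it is not code from the original guide). It reads the configured port, confirms the service is listening on it over TCP and UDP, lists the inbound allow rules that cover it with their remote-address scope, and reports whether NLA is required. The helper name `Get-RdpAllowRule` is hypothetical, and the port match is exact, so rules defined with port ranges or `Any` are not expanded.

```powershell
# Added example: read-only audit after an RDP port change. Run elevated.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp  = Get-ItemProperty -Path $key
$port = [int]$rdp.PortNumber

# Hypothetical helper: enabled inbound Allow rules whose local port is exactly $Port.
# Rules written as port ranges or "Any" are not expanded by this exact match.
function Get-RdpAllowRule([string]$Protocol, [int]$Port) {
    Get-NetFirewallPortFilter -Protocol $Protocol |
        Where-Object { $_.LocalPort -contains "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
        ForEach-Object {
            [pscustomobject]@{
                Rule     = $_.DisplayName
                Protocol = $Protocol
                Remote   = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            }
        }
}

$rules = @(Get-RdpAllowRule -Protocol TCP -Port $port) + @(Get-RdpAllowRule -Protocol UDP -Port $port)

$report = [pscustomobject]@{
    ConfiguredPort = $port
    StillDefault   = ($port -eq 3389)
    # Listeners appear on the new port only after TermService has been restarted.
    TcpListening   = [bool](Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
    UdpListening   = [bool](Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue)
    TcpAllowRule   = [bool]($rules | Where-Object Protocol -eq 'TCP')
    UdpAllowRule   = [bool]($rules | Where-Object Protocol -eq 'UDP')
    # UserAuthentication = 1 in the same key means NLA is required.
    NlaRequired    = ($rdp.UserAuthentication -eq 1)
    # Allow rules with no remote-address restriction (no host-level allowlist).
    RulesOpenToAny = @($rules | Where-Object Remote -eq 'Any').Rule -join ', '
}
$report | Format-List

# Warn on the conditions the guide says break access or weaken the setup.
if (-not $report.TcpListening) { Write-Warning "Nothing is listening on TCP $port; restart TermService." }
if (-not $report.TcpAllowRule) { Write-Warning "No inbound TCP allow rule for $port; new sessions will be blocked." }
if (-not $report.UdpAllowRule) { Write-Warning "No inbound UDP allow rule for $port; RDP will fall back to TCP only." }
if (-not $report.NlaRequired)  { Write-Warning "NLA is not required on this listener." }
if ($report.RulesOpenToAny)    { Write-Warning "Allow rules open to any remote address: $($report.RulesOpenToAny)" }
```

Run it from the existing session before disconnecting, so a missing rule or listener can be corrected while access is still available.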
## How to change the RDP port using Registry Editor
The registry method produces the same result as PowerShell. Use it when PowerShell is unavailable or when working on a single machine interactively.
Step 1 — Press `Win + R`, type `regedit`, and press Enter. Accept the UAC prompt.
Step 2 — Navigate to:
```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
```
Step 3 — Double-click the `PortNumber` value. Select **Decimal**, enter the new port number, and click OK.
Step 4 — Close Registry Editor.
Step 5 — Add a firewall inbound rule for the new port (TCP and UDP) using the PowerShell commands in Step 3 above, or manually through Windows Defender Firewall → Advanced Settings → Inbound Rules → New Rule.
Step 6 — Restart the system or run `Restart-Service -Name TermService -Force` in PowerShell.
## How to connect after changing the RDP port
Open Remote Desktop Connection and enter the target address in the format `IP:Port` or `hostname:Port`. For example:
```
192.168.1.100:49200
```
Windows Remote Desktop Connection accepts the colon notation directly. No additional configuration is required on the client side.
4 common mistakes when changing the RDP port
- Skipping the firewall rule: the new port is blocked by Windows Firewall by default. The service changes ports, but the connection fails at the firewall level. Always create the inbound rule before closing the current session.
- Not restarting the service: the registry change does not take effect until the TermService restarts. Run `Restart-Service -Name TermService -Force` or reboot.
- Forgetting to document the new port: store the port number in a password manager, runbook, or server inventory. Losing track of a non-standard port means reconfiguring the server from console access.
- Not having a fallback access method: on a cloud VM or co-located server, confirm that console access (Azure Serial Console, AWS EC2 Connect, IPKVM) is available before making changes. An incorrect firewall rule with no fallback requires a support ticket to resolve.
RDP port change: Best practices for 2026
- Choose a port in the 49152–65535 range to avoid conflicts with registered services.
- Enable Network Level Authentication (NLA), which forces credential verification before a full RDP session is established, blocking unauthenticated session initiation even if the port is discovered.
- Restrict the new port at the perimeter firewall to trusted IP ranges only. Port obscurity combined with IP allowlisting reduces the attack surface to near zero for automated threats.
- Use an RD Gateway to tunnel RDP over HTTPS (port 443) in enterprise environments. This eliminates the need to expose any RDP port directly to the internet.
- Audit port usage quarterly: run `netstat -ano | findstr :<NewPort>` to confirm the port remains active and uncontested.
Frequently Asked Questions About Check & Change RDP Port
What port does RDP use by default?
RDP uses TCP port 3389 and UDP port 3389 by default on all Windows versions.
Does changing the RDP port protect the server?
Changing the port reduces automated scan exposure but does not replace authentication controls. NLA, MFA, and IP allowlisting provide the actual security guarantees.
How to change the RDP port without a restart?
Run Restart-Service -Name TermService -Force in PowerShell. This restarts only the Remote Desktop service without rebooting the OS, so other running services and sessions remain unaffected.
What is the safest port to use for RDP?
Ports in the IANA dynamic range (49152–65535) carry the lowest risk of conflicting with registered services. Avoid ports below 1024 (reserved) and well-known ports such as 80, 443, 8080, and 3306.
How to add a firewall rule for the new RDP port?
Run `New-NetFirewallRule -DisplayName "RDP-Custom-TCP-In" -Profile Any -Direction Inbound -Action Allow -Protocol TCP -LocalPort <Port>` in an elevated PowerShell session. Repeat the command with `-Protocol UDP` for the UDP rule.
Does RDP use TCP or UDP?
RDP uses both. TCP port 3389 carries the primary session. UDP port 3389 accelerates transport for graphics and input when the network supports it. Both ports change when the listening port is reconfigured.
How to change the RDP port on Windows 10?
The process is identical to Windows Server 2022. Use the PowerShell Set-ItemProperty command in Step 2 above, then add the firewall rule and restart the TermService.
How to verify the RDP port change worked?
Run `Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'PortNumber'` in PowerShell. The output reflects the active port immediately after the service restart.
Is port 3389 safe to leave open?
No. Leaving port 3389 open to the internet exposes your system to brute-force attacks. Always restrict access using firewall rules, VPN, or an RD Gateway.





