In this post, we’ll look at how to enhance Windows system security by changing the default Remote Desktop Protocol (RDP) port 3389 using GPO or the Registry.

Windows Remote Desktop Protocol uses TCP port 3389 by default. The problem is that this port number is so well-known that it has become a prime target for attackers. Monitoring internet-connected servers reveals dozens of brute-force attacks targeting port 3389 every minute.

Today, we’ll explore two comprehensive methods for changing the RDP port to protect systems from these security threats: direct registry modification for individual computers and GPO-based central management for enterprise environments.

1. Why Change the Default RDP Port 3389?

Real-World Security Threats

Anyone who has monitored logs from internet-exposed Windows servers will witness an alarming pattern: 2-3 connection attempts per second from unknown IP addresses targeting port 3389. These represent automated bots performing systematic attacks against the default port.

If the administrator account uses a simple password like ‘admin123’, the system will likely be compromised within hours. Servers breached this way frequently end up encrypted by ransomware or abused for cryptocurrency mining.

Benefits of Port Changes

Changing the port number from 3389 to an alternative stops the majority of automated scans, which only probe the default port. This is security by obscurity rather than real access control, so it does not make the service secure on its own, but it does noticeably reduce the noise and the number of brute-force attempts the server has to absorb.

However, be cautious when selecting replacement ports. Sequential numbers like 3390 or 3391 may also be targeted by scanners. It’s recommended to choose less common ports in the 10000-65535 range.

2. Direct Registry Modification Method

The most straightforward approach involves directly modifying the Windows registry. This method is ideal for individual computers and small-scale environments where quick configuration is needed.

Prerequisites

Before changing the port, you must complete a critical preparatory step: configure Windows Firewall to allow the new port. Skipping this step will result in complete loss of remote access after the port change, requiring physical access for recovery.

Firewall Configuration Steps:

  1. Control Panel → System and Security → Windows Defender Firewall
  2. Click Advanced settings
  3. Inbound Rules → New Rule
  4. Select Port → TCP → Specific local ports and enter the new port number
  5. Allow the connection → Select All profiles → Enter rule name

Registry Modification Steps

Now let’s modify the registry directly. Remember that you must change two separate registry locations for the modification to work properly.

Step 1: Launch Registry Editor

  • Windows + R → Type regedit → OK
  • Click Yes if UAC prompt appears

Step 2: Modify First Registry Path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
  • Navigate to the above path
  • Double-click PortNumber value
  • Select Decimal and enter desired port number (e.g., 13389)

Step 3: Modify Second Registry Path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  • Navigate to this path
  • Double-click PortNumber value
  • Select Decimal and enter the same port number

Service Restart

After registry changes, you must restart the Remote Desktop service to apply the modifications.

  • Windows + R → services.msc → OK
  • Locate Remote Desktop Services
  • Right-click → Restart

Alternatively, use an elevated command prompt:

net stop TermService
net start TermService
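
The whole registry procedure above, carried out in the order the post requires (firewall rule first, then both registry values, then the service restart), as an added PowerShell example that is not part of the original post. It assumes an elevated session, port 13389 and a rule name of RDP-Custom-13389; the final check confirms that both registry locations agree and that the service is actually listening on the new port.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# session. $NewPort and $RuleName are assumed values; change them to suit.
#Requires -RunAsAdministrator

$NewPort  = 13389
$RuleName = "RDP-Custom-$NewPort"
# The two locations the post says must both be changed.
$RdpKeys  = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)

function Set-RdpPort {
    param([int]$Port, [string]$FirewallRuleName)

    # 1. Firewall first: without this rule the port change locks you out.
    if (-not (Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $FirewallRuleName -Direction Inbound `
            -Protocol TCP -LocalPort $Port -Action Allow -Profile Any | Out-Null
    }
    # Refuse to go further if the rule exists but is disabled.
    $rule = Get-NetFirewallRule -DisplayName $FirewallRuleName
    if ("$($rule.Enabled)" -ne 'True') {
        throw "Firewall rule '$FirewallRuleName' is disabled; aborting before the port change."
    }

    # 2. Both registry locations get the same REG_DWORD value.
    foreach ($key in $RdpKeys) {
        Set-ItemProperty -Path $key -Name PortNumber -Value $Port -Type DWord
    }

    # 3. Restart Remote Desktop Services. -Force is needed because TermService
    #    has dependent services (e.g. UmRdpService) that must be restarted with it.
    Restart-Service -Name TermService -Force
    Start-Sleep -Seconds 3   # give the listener a moment to come up
}

function Test-RdpPort {
    param([int]$Port)
    # A mismatch between the two keys is the classic reason "nothing listens" afterwards.
    $values = foreach ($key in $RdpKeys) { (Get-ItemProperty -Path $key -Name PortNumber).PortNumber }
    $consistent = (($values | Sort-Object -Unique).Count -eq 1) -and ($values[0] -eq $Port)
    $listening  = [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
    [pscustomobject]@{ Port = $Port; RegistryConsistent = $consistent; Listening = $listening }
}

Set-RdpPort -Port $NewPort -FirewallRuleName $RuleName
Test-RdpPort -Port $NewPort
```

If Test-RdpPort reports RegistryConsistent as False, one of the two PortNumber values was not updated; if Listening is False while the registry is consistent, check the service state with sc query TermService before touching anything else.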

3. GPO (Group Policy) Centralized Management

In enterprise environments managing dozens or hundreds of computers, individual registry modifications are impractical. Active Directory Group Policy Objects (GPO) provide efficient centralized management capabilities.

GPO Creation and Configuration

Step 1: Launch Group Policy Management Console

  • On domain controller, run gpmc.msc
  • Or Server Manager → Tools → Group Policy Management

Step 2: Create New GPO

  • Right-click Group Policy Objects
  • Select New
  • Enter GPO name (e.g., “RDP Port Change Policy”)

Step 3: Edit GPO

  • Right-click created GPO → Edit
  • Computer Configuration → Preferences → Windows Settings → Registry

Step 4: Add Registry Entries

First registry entry:

  • Right-click Registry → New → Registry Item
  • Action: Update
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
  • Value name: PortNumber
  • Value type: REG_DWORD
  • Value data: 13389 (desired port number)

Second registry entry:

  • Add using same method
  • Key Path: SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  • Other settings identical

GPO Linking and Application

Step 1: Link GPO to OU

  • Right-click target Organizational Unit (OU)
  • Select Link an Existing GPO
  • Choose created GPO

Step 2: Update Group Policy

On client computers:

gpupdate /force

Group policies typically apply automatically every 90 minutes, but use the above command for immediate application.

Verify GPO Application

To confirm proper policy application:

gpresult /r

This command lists the policies currently applied to the computer and to the logged-on user, so you can confirm that the new GPO is among them.

4. Automated Firewall Configuration

When using GPO, firewall settings can be automated simultaneously. This allows processing both port changes and firewall configuration in a single operation.

Adding Firewall Rules via GPO

Step 1: Navigate to Firewall Policy Location

  • In GPO editor: Computer Configuration → Policies → Windows Settings → Security Settings
  • Windows Defender Firewall with Advanced Security

Step 2: Create Inbound Rule

  • Right-click Inbound Rules → New Rule
  • Port → TCP → Specific Local Ports: 13389
  • Allow the connection → Select All profiles

This configuration automatically applies both port changes and firewall settings simultaneously.
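
The GPO built in section 3 and the firewall rule from section 4, created from a domain controller with the GroupPolicy and NetSecurity modules, as an added example that is not part of the original post. One difference from the GUI steps: Set-GPRegistryValue writes a registry policy entry (registry.pol) rather than a Group Policy Preferences registry item; the value still lands in HKLM on the clients. The domain name, OU distinguished name and GPO name are assumptions.

```powershell
# Added example (not from the original post). Run on a domain controller or a
# machine with RSAT. $Domain, $OuDn and $GpoName are assumed values.
#Requires -Modules GroupPolicy, NetSecurity

$Domain  = 'corp.example.com'                      # assumed domain
$OuDn    = 'OU=Servers,DC=corp,DC=example,DC=com'  # assumed target OU
$GpoName = 'RDP Port Change Policy'
$NewPort = 13389

# Step 2: create the GPO, reusing it if it already exists.
$gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Domain $Domain -Comment "Moves RDP to TCP $NewPort"
}

# Step 4: both registry entries, REG_DWORD, same value.
$keys = @(
    'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp',
    'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)
foreach ($k in $keys) {
    Set-GPRegistryValue -Name $GpoName -Domain $Domain -Key $k `
        -ValueName 'PortNumber' -Type DWord -Value $NewPort | Out-Null
}

# Section 4: the inbound firewall rule, written into the GPO's own firewall
# policy store ("domain\GPO name") instead of the local firewall.
$store    = "$Domain\$GpoName"
$ruleName = "RDP-$NewPort"
if (-not (Get-NetFirewallRule -PolicyStore $store -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -PolicyStore $store -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort $NewPort -Action Allow -Profile Any | Out-Null
}

# Linking step: attach the GPO to the OU (enabled) unless it is already linked.
$linked = (Get-GPInheritance -Target $OuDn -Domain $Domain).GpoLinks.DisplayName -contains $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Domain $Domain -Target $OuDn -LinkEnabled Yes | Out-Null
}

# Review what the GPO carries before clients pull it with gpupdate /force.
foreach ($k in $keys) {
    Get-GPRegistryValue -Name $GpoName -Domain $Domain -Key $k | Format-Table ValueName, Type, Value
}
Get-NetFirewallRule -PolicyStore $store | Get-NetFirewallPortFilter | Format-Table Protocol, LocalPort
```

Because the firewall rule and the port change travel in the same GPO, a client that receives one receives the other, which is exactly the lock-out scenario the prerequisites in section 2 warn about when the two are applied separately.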

5. Connection Methods After Port Change

After changing the port, remote desktop connections must specify the new port number.

Connecting via mstsc

In Remote Desktop Connection application:

server_address:port_number

Examples:

192.168.1.100:13389
server01.company.com:13389

Command Line Connection

mstsc /v:192.168.1.100:13389

Creating RDP Files

For frequently used connections, save as RDP files:

full address:s:192.168.1.100:13389
username:s:administrator

6. Additional Security Hardening

Port changes alone don’t guarantee complete security. Implement these additional security measures:

Strong Password Policies

Minimum Requirements:

  • 14+ characters
  • Combination of uppercase, lowercase, numbers, special characters
  • Avoid dictionary words
  • Avoid keyboard patterns (qwerty123, 1q2w3e4r, etc.)

Network Level Authentication (NLA)

NLA requires user authentication before establishing remote connections:

Registry Method:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  • Set UserAuthentication value to 1

GPO Method:

  • Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services
  • Remote Desktop Session Host → Security
  • Enable “Require user authentication for remote connections by using Network Level Authentication”

IP Restriction Configuration

Configure firewall to allow RDP access only from specific IP ranges:

netsh advfirewall firewall add rule name="RDP-Custom" protocol=TCP dir=in localport=13389 remoteip=192.168.1.0/24 action=allow

Connection Attempt Limiting

Configure account lockout policies to defend against brute-force attacks:

  • Computer Configuration → Windows Settings → Security Settings → Account Policies → Account Lockout Policy
  • Account lockout threshold: 5 attempts
  • Account lockout duration: 30 minutes
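
The NLA, IP-restriction and lockout settings from this section applied on a single host and then audited, as an added PowerShell example that is not part of the original post. It assumes the port is already 13389 and that 192.168.1.0/24 is the only network that should reach RDP (both values taken from the post's examples). The script first adds the scoped rule, then disables any other enabled inbound allow rule for the RDP port, so a broad "allow from anywhere" rule (the weak setting) is replaced by the restricted one (the corrected setting) without a gap in access.

```powershell
# Added example (not from the original post). Run in an elevated session.
# $RdpPort and $AllowedIp are assumed values.
#Requires -RunAsAdministrator

$RdpPort   = 13389
$AllowedIp = '192.168.1.0/24'
$RdpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Returns the enabled inbound allow rules whose port filter names the RDP port.
function Get-RdpAllowRules {
    param([int]$Port)
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { (Get-NetFirewallPortFilter -AssociatedNetFirewallRule $_).LocalPort -contains "$Port" }
}

# 1. NLA: the user is authenticated before a session is created.
Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord

# 2. IP restriction: create the scoped rule first, then disable broader ones.
$scopedName = "RDP-Custom-$RdpPort-restricted"
if (-not (Get-NetFirewallRule -DisplayName $scopedName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $scopedName -Direction Inbound -Protocol TCP `
        -LocalPort $RdpPort -RemoteAddress $AllowedIp -Action Allow -Profile Any | Out-Null
}
Get-RdpAllowRules -Port $RdpPort |
    Where-Object { $_.DisplayName -ne $scopedName } |
    Disable-NetFirewallRule   # disabled, not deleted, so the change is easy to reverse

# 3. Account lockout (local policy; in a domain set it in a GPO instead).
#    Threshold 5, duration 30 minutes, observation window 30 minutes.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# Audit the result.
function Get-RdpHardeningState {
    param([int]$Port)
    $scopes = foreach ($r in (Get-RdpAllowRules -Port $Port)) {
        (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $r).RemoteAddress
    }
    [pscustomobject]@{
        NlaRequired    = (Get-ItemProperty -Path $RdpKey).UserAuthentication -eq 1
        RdpOpenToAny   = [bool]($scopes -contains 'Any')
        AllowedSources = ($scopes | Sort-Object -Unique) -join ', '
        LockoutPolicy  = ((net accounts | Select-String 'Lockout') | ForEach-Object { $_.Line.Trim() }) -join '; '
    }
}
Get-RdpHardeningState -Port $RdpPort
```

RdpOpenToAny should read False afterwards; if it is still True, some rule opens the port with a port range rather than the exact number and is not matched by the exact-port filter above, so review the inbound rules by hand.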

7. Troubleshooting After Changing the Port

Connection Issues

1. Verify Firewall

netsh advfirewall firewall show rule name=all | findstr 13389

2. Check Service Status

sc query TermService

3. Confirm Port Listening

netstat -an | findstr 13389

GPO Application Issues

1. Check GPO Replication Status

repadmin /showrepl

2. Force Policy Application

gpupdate /force
secedit /refreshpolicy machine_policy /enforce

Note that secedit /refreshpolicy only exists on Windows 2000; on every later version, gpupdate /force is the replacement and the only one of the two you need.

3. Review Event Logs

  • Check Windows Logs → System for Group Policy-related errors

8. Monitoring and Log Management

RDP Connection Log Review

Remote desktop connection attempts can be monitored at:

  • Event Viewer → Windows Logs → Security
  • Event ID 4624: Successful logons
  • Event ID 4625: Failed logon attempts

Automated Monitoring

Simple monitoring script using PowerShell:

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents 100 | 
Where-Object {$_.Message -like "*NTLMv2*"} |
Format-Table TimeCreated, Id, Message -AutoSize
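
A more robust version of the monitoring idea above, as an added example that is not part of the original post: instead of matching on the message text, it parses the event XML of 4625 entries, extracts the source address, account and logon type, and groups failures per source so repeated attempts from one address stand out. The parser is run first on a constructed sample event (not a real log entry) and then on the live Security log; the threshold of 5 is an assumption.

```powershell
# Added example (not from the original post). The live-log part needs an
# elevated session; the sample part runs anywhere.

function ConvertFrom-Event4625 {
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        # EventData is a list of <Data Name="...">value</Data>; build a lookup table from it.
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.'#text' }
        [pscustomobject]@{
            Time      = [datetime]$x.Event.System.TimeCreated.SystemTime
            User      = $d['TargetUserName']
            LogonType = [int]$d['LogonType']   # 10 = RemoteInteractive; NLA failures often arrive as type 3
            Source    = $d['IpAddress']
            Status    = $d['Status']
        }
    }
}

function Get-FailedLogonSummary {
    param([Parameter(ValueFromPipeline)]$Event, [int]$Threshold = 5)
    begin { $all = @() }
    process { $all += $Event }
    end {
        # One row per source address; rows at or above the threshold are brute-force candidates.
        $all | Where-Object { $_.Source -and $_.Source -ne '-' } |
            Group-Object Source | ForEach-Object {
                [pscustomobject]@{
                    Source   = $_.Name
                    Attempts = $_.Count
                    Users    = ($_.Group.User | Sort-Object -Unique) -join ','
                    Types    = ($_.Group.LogonType | Sort-Object -Unique) -join ','
                    Suspect  = $_.Count -ge $Threshold
                }
            } | Sort-Object Attempts -Descending
    }
}

# --- constructed sample event (not a real log entry; 203.0.113.10 is a documentation address) ---
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2024-01-01T10:00:00.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">administrator</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">203.0.113.10</Data>
    <Data Name="Status">0xc000006d</Data>
  </EventData>
</Event>
'@
# Six copies of the sample exceed the threshold, so the row is flagged Suspect = True.
1..6 | ForEach-Object { $sample } | ConvertFrom-Event4625 | Get-FailedLogonSummary -Threshold 5

# --- live Security log ---
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4625 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object { $_.ToXml() } | ConvertFrom-Event4625 |
    Get-FailedLogonSummary -Threshold 5 | Format-Table -AutoSize
```

Because the source address comes from the event's own IpAddress field, the summary is not affected by message-template differences between Windows versions, which is what makes text patterns such as "*NTLMv2*" fragile.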

RDP port modification represents the first step in Windows security hardening. Registry direct modification works well for individual computers, while GPO-based central management proves effective in enterprise environments. The key is not to rely solely on port changes but to implement comprehensive security measures including strong password policies, NLA activation, IP restrictions, and regular log monitoring. 🙂
