RDP Network Port Configuration, Security, & Best Practices

Written by Sheena Ambarin on December 13, 2024

Share This Article

It’s alarming how so many businesses leave out open invitations for hackers without even realizing it. We’re talking about an open RDP port. For small IT teams, managing remote access securely while keeping things efficient is critical. Mistakes here can expose your network to attacks that no team can afford, or would ever want to afford.

For an IT manager, this guide unpacks everything about RDP ports. From understanding port 3389 and its risks to exploring alternatives and securing your access points, you’ll find practical steps to protect your network. Ready to learn how to enhance your organization’s security? Let’s head right in.

What Is an RDP Port?

An RDP port is the entry point for remote desktop connections. It creates a link between two computers and allows one to control the other. The most common RDP port is Port 3389, which comes as the default in Windows systems.

IT teams use RDP ports to troubleshoot issues and manage software. Employees rely on them to access office desktops when working remotely. 

RDP ports make it easier to manage and operate thin clients—lightweight computers designed to connect to a server for most of their processing power and data storage.

Port 3389: The Default RDP Port

Port 3389 is the go-to channel for the Remote Desktop Protocol. It’s like the highway IT teams rely on to access remote systems. It works well. But here’s the deal: because it’s the default, hackers know it too. Leaving it exposed is like putting up a neon sign for cyberattacks. Nobody wants that, except the hackers, of course!

Now, let’s break down TCP and UDP. TCP is the reliable one. It delivers every piece of data in the right order, no matter how long it takes. UDP is faster but skips the double-checking. Together, these protocols make RDP work smoothly by balancing speed with accuracy.

The risks tied to this default port can’t be ignored. Explore how IT teams can prevent RDP brute-force attacks and make these connections safer. 

Should You Change the Default RDP Port?

Leaving Port 3389 open is like painting a big target on your network. It’s a favorite entry point for criminal hackers. What does that entail? That it’s a risky choice for IT admins who want to keep their systems safe. Let’s take a look at whether this port is secure and whether closing it is a smart move.

Is Port 3389 Secure?

No, not by default. Because port 3389 is the default for Remote Desktop Protocol, it naturally becomes a prime target for criminal hackers. Brute-force attacks, phishing attempts, and other threats are common. It has some known vulnerabilities associated with it, and a connection over port 3389 is not encrypted. Leaving it open puts your system at unnecessary risk. 

Should Port 3389 Be Closed?

Absolutely! Keeping it open is a big risk. Closing it helps block a major entry point for attacks. Combine this step with proper firewall rules and other Zero Trust strategies to tighten security without adding complexity. It’s one of the easiest ways to protect your network and ensure peace of mind.

Alternatives and Configuration Changes

Sometimes, sticking to the default settings can leave your system vulnerable. Exploring alternatives and learning how to make configuration changes can strengthen your security stance without overcomplicating things.

Alternatives to Port 3389

Switching from Port 3389 is a good way to throw off attackers who target this well-known port. You can opt for alternative ports that are less predictable. For example, ports like 3390 or higher can be set up to handle remote desktop connections. Changing the port creates an extra layer of security and keeps your setup less obvious to threats. However, this isn’t a replacement for robust security measures like firewalls and encryption.

Many admins will simply establish an RDP connection over a secure SSH tunnel using port 80 instead. This works well in remote environments where systems are not on the same private network. 

How to Change the Listening Port from 3389

Changing the RDP listening port requires a few tweaks to the registry. Follow these steps to make the change safely:

Your steps are mostly correct! Here’s a refined version with a few additional considerations to ensure success and avoid potential issues:

  1. Open the Registry Editor
    • Press Win + R, type regedit, and hit Enter.
    • Accept the User Account Control (UAC) prompt if it appears.
  2. Navigate to the RDP Settings
    • Go to:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.
  3. Locate the Port Number
    • Find the PortNumber entry in the right pane.
  4. Modify the Port Number
    • Right-click on PortNumber, select Modify, and choose Decimal as the base.
    • Enter your desired port number (e.g., 3390), then click OK.
    • Note: Avoid using ports commonly associated with other services. For example, don’t use ports below 1024 unless you’re confident they’re unused.
  5. Close and Restart
    • Close the Registry Editor.
    • Restart your computer to apply the changes.
  6. Update Firewall Rules
    • Open your firewall settings (e.g., Windows Defender Firewall with Advanced Security).
    • Add a new Inbound Rule for the TCP protocol to allow traffic on your new port.
    • If using a third-party firewall or router, update its settings as well.
  7. Test the New Port
    • Use the new port to connect via RDP. For example, if the new port is 3390, you’d connect like this in the RDP client:
      hostname_or_IP:3390.

Additional Considerations:

  • Administrative privileges: Ensure you have administrator access to make these changes.
  • Reserved ports: Avoid common ports (like 80, 443, or 3389) to reduce conflicts and enhance security.
  • Backup: Back up the registry before making changes. To do so, right-click on RDP-Tcp and select Export.
  • Dynamic IPs: If your computer’s IP changes frequently, set a static IP or configure Dynamic DNS for easier remote access.

For advanced users, PowerShell can also be used to make these changes. This method simplifies the process, especially for IT admins managing multiple machines.

How to Check the Current Port

Yes, your steps will help confirm the new port configuration, but they only check the value set in the registry. This verifies that the port change was applied in the configuration but doesn’t confirm that the port is actively open and listening.

Here’s how your steps work, along with additional checks you might want to perform:

  1. Open PowerShell: Press Win + X and select Windows PowerShell (Admin).
  2. Run the command:

Get-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp’ -name “PortNumber”

  • This will return the PortNumber value, confirming that the registry has been updated with your desired port.

You can also take these additional steps to confirm the port is open and listening:

  1. Check listening ports with netstat:
    • In PowerShell, run:

netstat -an | findstr LISTENING

  • Look for your new port (e.g., 0.0.0.0:3390 or similar). This confirms the system is actively listening on the new port.
  1. Test connectivity with Test-NetConnection:
    • In PowerShell, test the new port with this command:

Test-NetConnection -ComputerName localhost -Port <your_new_port>

  • Replace <your_new_port> with the actual port number (e.g., 3390). A successful test means the port is open and responding.
  1. Firewall rule check:
    • Ensure that the firewall allows incoming traffic on the new port. To view the active rules:

Get-NetFirewallRule | Where-Object { $_.Direction -eq “Inbound” -and $_.Enabled -eq $true }

These steps will help you verify the port is configured in the registry. To ensure the port is truly open and functional:

  • Use netstat to confirm the port is listening.
  • Use Test-NetConnection to confirm connectivity.
  • Verify that the firewall allows traffic on the new port.

For more information about RDP configuration and remote access security, JumpCloud’s Remote Access Guide offers in-depth resources and best practices.

Best Practices for Securing RDP Ports

Securing RDP isn’t just about one tool or technique. It’s about creating layers of protection that work together. Let’s break down the key steps to lock things down without overcomplicating them.

Configure Firewall Rules

Think of your firewall as the security guard at your network’s gate. By setting up specific rules, you decide who gets in and who stays out.

The best step forward is to limit access to trusted IP addresses only. How? By defining rules for both TCP and UDP protocols, especially if you’ve switched from the default port. 

This keeps the door open for those who need it while blocking unwanted visitors.

Restrict RDP Access

Not everyone should have access to your RDP setup. Limiting access strengthens security and makes your system harder to exploit.

  • Network Level Authentication (NLA): It’s like showing your ID at the door. Only verified users can get through.
  • TLS encryption: Encrypt every session to keep sensitive data safe from prying eyes.
  • Zero Trust Network Access (ZTNA): Take a no-trust stance and give users access only to what they need. This is especially effective for managing remote connections, as outlined in this ZTNA vs. VPN comparison.
  • Multi-factor authentication (MFA): It’s like adding a second lock to your door. Even if someone gets past the first, they’ll hit a dead end. MFA solutions make this step easy and secure.

Each step builds on the next and you get a setup that’s tough to crack and simple to manage.

Monitor Port Usage

Keeping an eye on how your RDP ports are being used is like checking security cameras. It helps you catch unusual activity before it becomes a problem. 

With a premier cloud directory, you can manage access and track usage from one place. This smoothens the entire process of monitoring login attempts and unexpected traffic. Plus, regular oversight keeps your system safe without extra complexity.

Close RDP Ports When Not in Use

If you don’t need a door open, shut it. 

Closing RDP ports when they’re not actively required is a straightforward way to reduce risk. Think of it as locking up when you leave the house. Combine this with Zero Trust principles to limit who can access what, and when. These small steps can make a big difference in keeping unwanted visitors out.

Audit RDP Access Logs

Logs are your record book of who’s been in and out. Regularly review access logs to spot patterns or suspicious activity. Conditional access simplifies this by offering dynamic policies based on risk factors. Regular audits aren’t just about reacting to issues anymore. They help you adjust your setup and close any gaps before problems arise.

Securing RDP ports might feel like a lot, but with the right steps, it’s simple. Make smarter choices, use trusted tools, and keep your system safe without extra hassle. You can explore Cloud RADIUS for secure connections to make the setup easier.

Secure RDP and Much More with JumpCloud

Securing RDP ports is a necessity for safeguarding your network from potential threats. From understanding the risks of Port 3389 to adopting the above-mentioned best practices, every step you take strengthens your organization’s security posture.

But why stop at just securing RDP? With JumpCloud, you can centralize and simplify remote access management, effectively monitor port usage, and implement robust Zero Trust principles. JumpCloud’s comprehensive platform empowers small IT teams to stay agile while maintaining top-tier security standards.

Are you looking to take a step toward stronger security and streamlined management? Sign up for JumpCloud and experience a better way to secure your network and remote access infrastructure.

Frequently Asked Questions Answered

Is RDP Port 3389 TCP or UDP?

Is RDP Port 3389 TCP or UDP?

It’s both. RDP uses TCP for most of its communication and UDP for tasks like streaming and quicker data transfers, ensuring smoother connections when latency is a concern.

How can I tell if Port 3389 is open?

How can I tell if Port 3389 is open?

Run the command netstat -an | find “3389” in the Command Prompt. It will display if the port is actively listening. For a deeper check, tools like conditional access make monitoring more intuitive.

What’s the difference between Port 3389 and Port 22?

What’s the difference between Port 3389 and Port 22?

Port 3389 is for RDP, focusing on remote access, while Port 22 is used for SSH, prioritizing secure shell access for command-line interactions. Each serves different security and access needs.

What should I do if RDP isn’t connecting after changing the port

What should I do if RDP isn’t connecting after changing the port?

Check the Windows Registry settings to ensure the new port is set correctly. Confirm your firewall rules allow connections on the new port and that external firewalls aren’t blocking it. Use tools like Remote Access for seamless troubleshooting.

Sheena Ambarin

Sheena is a content marketing specialist at JumpCloud. She loves everything about technology and startups. When she’s not in strategy mode, you’ll find her recharging with some rock and metal music.

Continue Learning with our Newsletter