Setting up secure RDP connections
Window to the Server
Changing the RDP Port and Firewall Rules
By default, RDP listens for connections on port 3389. It can make sense to change the port: the server remains reachable by RDP, and although tools such as Nmap will find the new port just as easily, malware and opportunistic attackers typically try port 3389 first, so the change still removes some of the noise.
You change the port in the registry. The setting lives under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp in the PortNumber DWORD value. Switch the base to Decimal before entering the new port number, save the setting, and restart the server. At the same time, make sure you disable the old firewall rules that allow access to port 3389 and create new rules that allow access to the new port. In PowerShell, you can check the current port with the command:
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -name "PortNumber"
You can also change the port for RDP in PowerShell, which is useful, for example, if you want to script the change. For example, to use port 3390 for RDP, enter the command:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -name "PortNumber" -Value 3390
The firewall rules for TCP and UDP can be changed in PowerShell, as well. If you save the port in a variable up front (e.g., $RDPPort = 3390), you can script the whole process and pass in the port:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -name "PortNumber" -Value $RDPPort
Because you saved the port as a variable, you could also set matching firewall rules in the same script and use the variable to specify the port. Of course, you could enter the value directly, but a variable avoids errors and makes it easier to change the value:
New-NetFirewallRule -DisplayName "RDP-TCP-In" -Profile "Domain" -Direction Inbound -Action Allow -Protocol TCP -LocalPort $RDPPort
New-NetFirewallRule -DisplayName "RDP-UDP-In" -Profile "Domain" -Direction Inbound -Action Allow -Protocol UDP -LocalPort $RDPPort
For Profile, specify the firewall profile in which the rule applies. Besides Domain for the domain profile, the possible values are Public and Private. For domain-joined servers, Domain is the right choice. You will want to avoid public access to RDP wherever possible; if external access is necessary, routing the connection through Azure Arc or a VPN is preferable.
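The whole procedure from this section as one script, added here as an example and not taken from the article: it reads the current port, writes the new one, disables the inbound rules that still open the old port, creates the Domain-profile rules for the new port, and verifies the registry value. The parameter name $RDPPort follows the article; the rule names are assumed.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session
# on the server. Restarting TermService at the end drops active RDP sessions,
# so run it from the console or expect to reconnect on the new port.
param(
    [ValidateRange(1024, 65535)]
    [int]$RDPPort = 3390           # variable name as used in the article
)

$rdpKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

# Read the port currently in use so its firewall rules can be disabled later.
$oldPort = (Get-ItemProperty -Path $rdpKey -Name "PortNumber").PortNumber
if ($oldPort -eq $RDPPort) {
    Write-Host "RDP already listens on port $RDPPort; nothing to do."
    return
}

# Change the listener port. PortNumber is a DWORD, so an integer value is enough.
Set-ItemProperty -Path $rdpKey -Name "PortNumber" -Value $RDPPort

# Disable every enabled inbound allow rule (TCP and UDP) that still opens the
# old port, including the built-in Remote Desktop rules.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq "$oldPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq "Inbound" -and $_.Action -eq "Allow" -and $_.Enabled -eq "True" } |
    ForEach-Object {
        Write-Host "Disabling rule '$($_.DisplayName)' (port $oldPort)"
        $_ | Disable-NetFirewallRule
    }

# Create rules for the Domain profile only. Both TCP and UDP need a rule because
# client and server negotiate the transport (rule names are assumed).
foreach ($proto in "TCP", "UDP") {
    New-NetFirewallRule -DisplayName "RDP-$proto-In" -Profile "Domain" `
        -Direction Inbound -Action Allow -Protocol $proto -LocalPort $RDPPort | Out-Null
}

# Verify the registry value before restarting anything.
$newPort = (Get-ItemProperty -Path $rdpKey -Name "PortNumber").PortNumber
if ($newPort -ne $RDPPort) { throw "PortNumber is $newPort, expected $RDPPort" }

# The listener only picks up the new port after the Remote Desktop service
# (or the server) restarts.
Restart-Service -Name TermService -Force
Write-Host "RDP configured for port $RDPPort; rules for port $oldPort disabled."
```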
TCP and UDP over RDP
RDP uses both TCP and UDP for its data traffic, which matters both for the firewall rules and for performance. Under certain circumstances UDP is faster than TCP. The client and server negotiate which protocol to use for the current connection, so the firewall rules for TCP and UDP need to be enabled in parallel.
Group policy lets you specify which transport the server will use. If you restrict it to TCP at this point, you do not need a firewall rule for UDP. The setting is Select RDP transport protocols under Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections . If you select Use UDP or TCP , the client first attempts to communicate over UDP, which can improve connection speed; TCP is then used only in exceptional cases.
Conclusions
RDP is one of the most important protocols in the corporate landscape wherever remote access to Windows Server is required. It can be enabled in various ways, but whichever you choose, configure the connections as securely as possible, and change the port where you have that option to improve the server's security. If you do not need RDP, do not enable the protocol at all, because every enabled service adds attack surface.
Be particularly careful if you expose RDP to the Internet; many attacks on servers target exactly this avenue. It is preferable not to make the server directly reachable by RDP over the Internet and to use an RDP gateway or Azure Arc for the connection instead. With Azure Arc, remote management does not depend on the RDP port: RDP is available through the Windows Admin Center in the Azure portal, and this option is even free of charge.