Remote Desktop Protocol uses port 3389 by default. This is the TCP and UDP port that every Windows machine listens on when Remote Desktop is enabled. When you connect to a Windows VPS or remote server using an RDP client, your connection goes to port 3389 unless you or your hosting provider have changed it. Knowing this port number, understanding why it matters, and learning how to change it are essential for anyone managing remote Windows servers.
What Is the Default RDP Port Number
The default RDP port is 3389. Microsoft assigned this port to the Remote Desktop Protocol when it was first introduced in Windows NT 4.0 Terminal Server Edition. Every version of Windows since then has used the same default port, including Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022.
Port 3389 handles both TCP and UDP traffic for RDP connections. TCP provides the reliable connection for transmitting desktop data, keyboard and mouse input, and file transfers. UDP is used for improved graphics performance and smoother video playback over RDP connections. Both protocols use the same port number by default.
When you open the Remote Desktop Connection application on Windows and type in a server IP address without specifying a port, the client automatically connects to port 3389. If you need to connect to a server running RDP on a different port, you append the port number after a colon, like 192.168.1.100:3390.
Why You Should Change the Default RDP Port
Leaving RDP on port 3389 is one of the most common security mistakes on Windows servers. Automated bots continuously scan the entire internet for servers with port 3389 open. Once they find an open RDP port, they launch brute force attacks, attempting thousands of username and password combinations per hour. These attacks consume server resources, fill up event logs, and can eventually succeed if passwords are weak.
Changing the RDP port does not make your server invulnerable. A determined attacker can still find your new port through a full port scan. However, it eliminates the vast majority of automated attacks that only target the default port. Think of it as removing your server from the list that bots check first. Combined with strong passwords, account lockout policies, and network-level authentication, changing the port significantly reduces your attack surface.
Security researchers consistently report that servers running RDP on port 3389 receive thousands of unauthorized connection attempts daily. Servers running RDP on non-standard ports see a fraction of that traffic. The reduction in brute force attempts alone justifies the few minutes it takes to change the port.
How to Change the RDP Port on Windows
Changing the RDP port requires editing the Windows Registry. Before making any registry changes, ensure you have an alternative way to access the server in case something goes wrong. If you are on a VPS, your hosting provider likely offers a console or VNC connection that does not depend on RDP.
Step 1: Open the Registry Editor
Press Windows Key plus R to open the Run dialog. Type regedit and press Enter. If prompted by User Account Control, click Yes. The Registry Editor window will open.
Step 2: Navigate to the RDP Port Key
In the Registry Editor, navigate to HKEY_LOCAL_MACHINE, then SYSTEM, then CurrentControlSet, then Control, then Terminal Server, then WinStations, then RDP-Tcp. In the right pane, find the value named PortNumber. Double-click it to open the edit dialog.
Step 3: Set the New Port Number
In the Edit DWORD dialog, select Decimal as the base. Enter your new port number. Choose a port between 1025 and 65535 that is not already in use by another service. Common choices include 3390, 4489, 33389, or any random high port number. Avoid well-known ports like 80, 443, 22, or 21 as these are used by other services. Click OK to save the change.
Step 4: Update the Windows Firewall
Before restarting the RDP service, you must create a firewall rule allowing traffic on your new port. Open Windows Defender Firewall with Advanced Security. Create a new Inbound Rule. Select Port as the rule type. Choose TCP and enter your new port number. Select Allow the connection. Apply the rule to Domain, Private, and Public profiles. Name the rule something descriptive like RDP Custom Port. Repeat this process for UDP on the same port number.
Step 5: Restart the Remote Desktop Service
Open a Command Prompt as Administrator and run net stop termservice followed by net start termservice. Alternatively, you can restart the server entirely. After the service restarts, RDP will listen on your new port. To connect, use your RDP client with the new port appended to the IP address, such as your.server.ip:newport.
How to Change the RDP Port Using PowerShell
If you prefer a faster method, you can change the RDP port entirely through PowerShell. Open PowerShell as Administrator and run the following command, replacing 33389 with your desired port number: Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name PortNumber -Value 33389. Then create the firewall rules with New-NetFirewallRule -DisplayName RDP-Custom -Direction Inbound -Protocol TCP -LocalPort 33389 -Action Allow and the same command again with UDP instead of TCP. Finally restart the service with Restart-Service -Name TermService -Force.
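The steps above can be combined into one script that opens the firewall before moving the listener and restores the old port if the new one does not come up. This is an added example, not code from the original page; the function name Set-RdpPort and the firewall rule names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example. Set-RdpPort and the rule display names are hypothetical.
function Set-RdpPort {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(1025, 65535)]   # range recommended in Step 3
        [int]$Port
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $old = Get-ItemPropertyValue -Path $key -Name PortNumber

    # Refuse a port that another service already listens on.
    $busy = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if ($busy) {
        throw "TCP port $Port is already in use by PID $(@($busy)[0].OwningProcess)."
    }

    # Firewall first (Step 4), so the listener is never moved behind a closed port.
    foreach ($proto in 'TCP', 'UDP') {
        $name = "RDP Custom Port $proto $Port"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto `
                -LocalPort $Port -Action Allow | Out-Null
        }
    }

    Set-ItemProperty -Path $key -Name PortNumber -Value $Port -Type DWord

    # Restarting TermService drops every active RDP session, including your own.
    Restart-Service -Name TermService -Force
    Start-Sleep -Seconds 5

    # Verify the listener moved; otherwise restore the previous port.
    if (-not (Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)) {
        Set-ItemProperty -Path $key -Name PortNumber -Value $old -Type DWord
        Restart-Service -Name TermService -Force
        throw "RDP is not listening on $Port; PortNumber restored to $old."
    }
    [pscustomobject]@{ OldPort = $old; NewPort = $Port; Listening = $true }
}

Set-RdpPort -Port 33389   # 33389 is the port used in the commands above
```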
How to Check Which Port RDP Is Using
If you are unsure which port RDP is currently configured to use, there are several ways to check. In PowerShell, run Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name PortNumber and look at the PortNumber value. You can also run netstat -ano | findstr LISTENING in Command Prompt and look for the port whose PID (the last column) belongs to the svchost process hosting TermService. On a remote machine, you can use a port scanner like nmap to check which port responds to RDP connections.
RDP Port Forwarding on a Router
If you are running RDP on a computer behind a home or office router, you need to configure port forwarding to make it accessible from the internet. Log into your router admin panel, find the port forwarding section, and create a rule that forwards your chosen external port to the internal IP address of your computer on the RDP port. For example, you might forward external port 33389 to internal IP 192.168.1.50 on port 33389.
This is not necessary for VPS hosting since your VPS has a public IP address and is directly accessible. Port forwarding is only relevant for computers behind NAT on a local network.
Additional RDP Security Best Practices
Changing the port is just one layer of RDP security. For comprehensive protection, implement these additional measures. Enable Network Level Authentication, which requires users to authenticate before establishing a full RDP session. This prevents many types of pre-authentication attacks. Set account lockout policies to lock accounts after a small number of failed login attempts. Use strong, unique passwords with at least 16 characters including uppercase, lowercase, numbers, and symbols.
Consider restricting RDP access to specific IP addresses through Windows Firewall if you connect from a fixed location. Enable two-factor authentication using tools like Duo Security or Azure MFA for an additional layer of protection. Keep your Windows installation updated with the latest security patches, as Microsoft regularly fixes RDP vulnerabilities. If you do not need RDP access, disable it entirely to eliminate the attack vector.
Common RDP Port Issues and Troubleshooting
If you cannot connect after changing the RDP port, the most common cause is a missing firewall rule. Verify that both TCP and UDP rules exist for your new port in Windows Firewall. If your VPS provider has an external firewall or security group, you need to allow the new port there as well. Check that the registry change was saved correctly by reading back the PortNumber value. Ensure the TermService was restarted after making the change.
If you locked yourself out by changing the port without adding a firewall rule first, use your VPS provider console or VNC access to connect and fix the firewall configuration. On a BlastVPS server, you can access the emergency console through the client panel to regain access without RDP.
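The checks from the best-practices and troubleshooting sections above can be read back in one pass: configured port, Network Level Authentication, service state, and whether TCP and UDP allow rules exist and how widely they are scoped. This is an added example, not code from the original page; the function name Test-RdpExposure is hypothetical, and it reads local registry values only, so settings enforced through Group Policy are not reflected.

```powershell
#Requires -RunAsAdministrator
# Added example. Test-RdpExposure is a hypothetical name; the script only reads state.
function Test-RdpExposure {
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp  = "$ts\WinStations\RDP-Tcp"
    $port = Get-ItemPropertyValue -Path $tcp -Name PortNumber
    $findings = [System.Collections.Generic.List[string]]::new()

    if ((Get-ItemPropertyValue -Path $ts -Name fDenyTSConnections) -eq 1) {
        $findings.Add('Remote Desktop is disabled (fDenyTSConnections = 1).')
    }
    if ((Get-ItemPropertyValue -Path $tcp -Name UserAuthentication) -ne 1) {
        $findings.Add('Network Level Authentication is not required.')
    }
    if ($port -eq 3389) {
        $findings.Add('RDP is still on the default port 3389.')
    }
    if ((Get-Service -Name TermService).Status -ne 'Running') {
        $findings.Add('TermService is not running.')
    }

    # Enabled inbound allow rules; port ranges such as 3000-4000 are not expanded here.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    foreach ($proto in 'TCP', 'UDP') {
        $match = $rules | Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq $proto -and $pf.LocalPort -contains "$port"
        }
        if (-not $match) {
            $findings.Add("No enabled inbound allow rule for $proto $port.")
            continue
        }
        foreach ($rule in $match) {
            # A rule open to any source is what the IP restriction advice addresses.
            $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
            if ($remote -contains 'Any') {
                $findings.Add("Rule '$($rule.DisplayName)' allows $proto $port from any address.")
            }
        }
    }
    [pscustomobject]@{ Port = $port; Findings = $findings }
}

Test-RdpExposure | Format-List
```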
RDP Port for Different Windows Versions
The default RDP port is 3389 across all Windows versions that support Remote Desktop. This includes Windows 10 Pro and Enterprise, Windows 11 Pro and Enterprise, Windows Server 2016, Windows Server 2019, and Windows Server 2022. Windows Home editions do not include the RDP server component, so they cannot accept incoming RDP connections regardless of port configuration. The process for changing the port is identical across all supported Windows versions since they all use the same registry key.
Summary
The default RDP port is 3389 for both TCP and UDP. Changing it to a non-standard port is a simple but effective security measure that eliminates most automated brute force attacks. The change requires editing a single registry value, updating your firewall rules, and restarting the Remote Desktop service. Combined with strong passwords, network level authentication, and account lockout policies, a non-standard RDP port significantly hardens your Windows server against unauthorized access. Whether you are managing a Windows VPS for business applications, trading, or remote work, taking five minutes to change your RDP port is one of the easiest security improvements you can make.