RDPPortChanger: How to Change RDP Port Securely in Windows

Step-by-step guide to using RDPPortChanger for Remote Desktop port changes

1. What it does

RDPPortChanger is a tool that updates the Windows Remote Desktop (RDP) listening port (default 3389) so you can run RDP on a different TCP port to reduce opportunistic scanning and avoid port conflicts.

2. Pre-checks (assumed defaults)

  • You’re on a Windows machine with administrative rights.
  • You can access the machine locally or via an administrative remote session.
  • You have a working backup or system restore point (recommended).

3. Steps (ordered)

  1. Backup registry: Export the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp to a .reg file.
  2. Stop Remote Desktop services: Temporarily stop the Remote Desktop Services (TermService) to avoid conflicts.
  3. Run RDPPortChanger: Launch the tool as Administrator and enter the new TCP port (choose an unused port >1024 and <65535).
  4. Apply changes: Confirm the tool writes the new PortNumber value under the RDP-Tcp registry key and adjusts any firewall rules.
  5. Update firewall: Ensure a matching incoming rule exists for the new TCP port (Windows Firewall or external appliance).
  6. Restart services / reboot: Restart Remote Desktop Services or reboot the system so the change takes effect.
  7. Test connection: From a client, connect using the new port (e.g., hostname:port or mstsc /v:host:port).
  8. Rollback if needed: If connection fails, restore the registry .reg backup, revert firewall rules, and restart services.
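The eight steps above, carried out with built-in PowerShell cmdlets as an added example; this is not RDPPortChanger's own code, and the port number, backup directory and firewall rule name are constructed sample values:

```powershell
#Requires -RunAsAdministrator
# Added example (not part of RDPPortChanger): back up the RDP-Tcp key, validate the
# new port, write PortNumber, add a firewall rule, restart TermService and verify.
# $NewPort, $BackupDir and the rule name are constructed/assumed values.

$NewPort   = 33890                                           # constructed sample port
$BackupDir = Join-Path $env:ProgramData 'RdpPortBackup'      # assumed backup location
$RdpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RegPath   = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Step 3 pre-check: port must be inside the allowed range and not already bound.
function Test-PortAvailable([int]$Port) {
    if ($Port -le 1024 -or $Port -ge 65535) {
        throw "Port $Port is outside the allowed range (>1024 and <65535)"
    }
    $inUse = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if ($inUse) { throw "Port $Port already has a listener (PID $($inUse.OwningProcess))" }
}

# Step 1: export the RDP-Tcp key to a timestamped .reg file for rollback.
function Backup-RdpKey {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir ("RDP-Tcp_{0:yyyyMMdd_HHmmss}.reg" -f (Get-Date))
    reg export $RegPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $RegPath" }
    return $file
}

# Steps 2, 4 and 6: stop TermService, write the new PortNumber, start it again.
function Set-RdpPort([int]$Port) {
    $old = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
    Stop-Service -Name TermService -Force        # -Force also stops dependent services
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $Port -Type DWord
    Start-Service -Name TermService
    return $old
}

# Step 5: the built-in "Remote Desktop" rules are tied to 3389, so add a rule
# for the new port. Restricting it to Domain/Private profiles is a deliberate choice.
function Add-RdpFirewallRule([int]$Port) {
    $name = "RDP-Custom-$Port"                   # assumed rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $Port -Action Allow -Profile Domain,Private | Out-Null
    }
}

# Step 7: confirm something is actually listening on the new port.
function Test-RdpListening([int]$Port) {
    $null -ne (Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
}

# Step 8: rollback by re-importing the exported key.
function Restore-RdpKey([string]$BackupFile) {
    Stop-Service -Name TermService -Force
    reg import $BackupFile | Out-Null
    Start-Service -Name TermService
}

Test-PortAvailable $NewPort
$backup = Backup-RdpKey
Write-Host "Registry backup written to $backup"
$oldPort = Set-RdpPort $NewPort
Add-RdpFirewallRule $NewPort
Start-Sleep -Seconds 5                           # give TermService time to bind
if (Test-RdpListening $NewPort) {
    Write-Host "RDP now listens on TCP $NewPort (was $oldPort). Test: mstsc /v:$($env:COMPUTERNAME):$NewPort"
} else {
    Write-Warning "No listener on TCP $NewPort; restoring backup $backup"
    Restore-RdpKey $backup
}
```

Run it from an elevated PowerShell session on the host itself (or over an administrative channel other than RDP, since the RDP session drops when TermService stops). The sample port is chosen below 49152 because Windows uses 49152–65535 as its default dynamic (ephemeral) port range, which you can inspect with `netsh int ipv4 show dynamicport tcp`; a port inside that range can collide with an outbound connection that happens to be using it. The firewall rule is only created when no rule with that name exists, so re-running the script is safe; the old rule for 3389 is left in place and should be disabled separately once the change is confirmed.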

4. Tips & best practices

  • Use high-numbered ports (e.g., 49152–65535) to reduce accidental conflicts.
  • Document the new port and update any monitoring or management tools.
  • Check network devices (NAT, firewalls) for necessary forwarding or rule updates.
  • Keep RDP secured: Require Network Level Authentication (NLA), strong passwords, and consider VPN or jump hosts rather than exposing RDP publicly.

5. Common issues & fixes

  • Cannot connect after change: Verify that the firewall rule exists and the service was restarted; confirm the port isn’t blocked upstream.
  • Port already in use: Pick another port and check listening ports with netstat.
  • Registry change not applied: Ensure tool ran with Administrator privileges and service was restarted.

6. Security note

Changing the port is a low-effort measure that reduces noisy scans but is not a replacement for proper hardening (NLA, strong accounts, patching, network isolation, VPN).
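A read-only diagnostic that checks the items listed under "Common issues & fixes" (configured port, service state, listener, firewall rule) together with the NLA and TLS settings the security note refers to. This is an added example, not RDPPortChanger's code; the registry value names (PortNumber, UserAuthentication, SecurityLayer, fDenyTSConnections) are the standard Terminal Server values, and the warning thresholds are the author's recommendations above:

```powershell
# Added diagnostic example (not part of RDPPortChanger): reports whether the RDP
# listener, firewall rule and service line up with the configured port, and whether
# NLA and TLS are enforced. It changes nothing.

$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpStatus {
    $rdp  = Get-ItemProperty -Path $RdpKey
    $ts   = Get-ItemProperty -Path $TsKey
    $port = [int]$rdp.PortNumber
    $svc  = Get-Service -Name TermService

    # "Cannot connect" / "registry change not applied": is anything bound to the port?
    $listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue

    # Any enabled inbound TCP allow rule whose port filter covers the configured port?
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -eq 'Any' -or $pf.LocalPort -contains "$port")
        }

    # SecurityLayer: 0 = legacy RDP encryption, 1 = negotiate, 2 = TLS required.
    $secLayer = switch ([int]$rdp.SecurityLayer) {
        0 { 'RDP (legacy)' } 1 { 'Negotiate' } 2 { 'TLS' } default { "unknown ($_)" }
    }

    [pscustomobject]@{
        ConfiguredPort     = $port
        ServiceStatus      = $svc.Status
        Listening          = [bool]$listener
        ListenerPid        = $(if ($listener) { $listener.OwningProcess } else { $null })
        FirewallRules      = $(if ($rules) { $rules.DisplayName -join ', ' } else { 'NONE' })
        ConnectionsAllowed = ($ts.fDenyTSConnections -eq 0)
        NlaRequired        = ($rdp.UserAuthentication -eq 1)
        SecurityLayer      = $secLayer
    }
}

function Write-RdpFindings {
    $s = Get-RdpStatus
    $s | Format-List
    if ($s.ServiceStatus -ne 'Running') { Write-Warning "TermService is $($s.ServiceStatus); restart it" }
    if (-not $s.Listening)              { Write-Warning "Nothing listens on TCP $($s.ConfiguredPort); confirm the service restarted after the registry change" }
    if ($s.FirewallRules -eq 'NONE')    { Write-Warning "No enabled inbound allow rule covers TCP $($s.ConfiguredPort)" }
    if (-not $s.ConnectionsAllowed)     { Write-Warning "fDenyTSConnections is set; Remote Desktop is disabled in System settings" }
    if (-not $s.NlaRequired)            { Write-Warning "NLA is not required (UserAuthentication is not 1)" }
    if ($s.SecurityLayer -ne 'TLS')     { Write-Warning "SecurityLayer is '$($s.SecurityLayer)'; TLS (2) is recommended" }
}

Write-RdpFindings
```

The firewall check inspects each rule's port filter rather than matching on the rule name, so it also recognises rules created by RDPPortChanger or by an administrator under a different name. Reading the port filters of every inbound rule takes a few seconds on a host with many rules; that is expected. If a port is reported as in use by another process, `Get-NetTCPConnection -LocalPort <port> -State Listen` and the `OwningProcess` value replace the `netstat` lookup mentioned above.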
