RDP Port: What It Is, How to Change It & Firewall Rules
Remote Desktop Protocol (RDP) uses a fixed default port that is well-known to attackers. Understanding how RDP ports work — and how to change or protect them — is essential for anyone running a Windows VPS.
What Is the Default RDP Port?
The default RDP port is TCP 3389.
Every Windows system with Remote Desktop enabled listens on this port by default. Because it is universally known, automated bots continuously scan the internet for open port 3389 and attempt brute-force logins. If you have a Windows VPS with a weak password and port 3389 exposed, it will see thousands of login attempts per day.
How to Connect via RDP
From Windows
- Press
Win + R, typemstsc, press Enter - Enter
YOUR_IP:3389(or justYOUR_IPsince 3389 is the default) - Enter your username and password
From macOS
Install Microsoft Remote Desktop from the Mac App Store (free). Add a new PC with your IP and credentials.
From Linux
apt install remmina -y
remmina
Add a new RDP connection with your server IP and credentials.
From iOS / Android
Install Microsoft Remote Desktop from the App Store or Play Store.
How to Change the RDP Port
Changing the default port from 3389 to something non-standard significantly reduces automated scan traffic hitting your server.
Step 1: Change the Port in the Windows Registry
- Press
Win + R, typeregedit, press Enter - Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp - Find the value PortNumber
- Right-click → Modify → select Decimal
- Enter your new port number (e.g.
13389— choose any unused port between 1024–65535) - Click OK
Step 2: Open the New Port in Windows Firewall
# Run PowerShell as Administrator
New-NetFirewallRule -DisplayName "RDP Custom Port" -Direction Inbound -Protocol TCP -LocalPort 13389 -Action Allow
Step 3: Restart the Remote Desktop Service
Restart-Service -Name "TermService" -Force
Step 4: Connect Using the New Port
In the RDP client, specify the port explicitly:
YOUR_IP:13389
Important: Do not close your current RDP session until you have successfully connected on the new port from a second window. If you make a mistake, you will lock yourself out.
Opening RDP Port in UFW (Linux KVM Host / Firewall)
If you are managing firewall rules from a Linux host or using UFW on a Linux VPS that forwards RDP:
# Allow default RDP port
ufw allow 3389/tcp
# Or a custom port
ufw allow 13389/tcp
# Reload UFW
ufw reload
ufw status
Restricting RDP Access by IP
The best security practice is to only allow RDP from your own IP address:
Windows Firewall (GUI)
- Open Windows Defender Firewall with Advanced Security
- Find your RDP inbound rule
- Double-click → Scope tab
- Under "Remote IP address" → These IP addresses → add your IP
- Click OK
Windows Firewall (PowerShell)
# Allow RDP only from a specific IP
New-NetFirewallRule -DisplayName "RDP from home" `
-Direction Inbound -Protocol TCP -LocalPort 3389 `
-RemoteAddress 1.2.3.4 -Action Allow
# Block all other RDP
New-NetFirewallRule -DisplayName "Block RDP default" `
-Direction Inbound -Protocol TCP -LocalPort 3389 `
-Action Block
RDP Port Summary
| Scenario | Port |
|---|---|
| Default RDP port | 3389 |
| RDP over HTTPS (RD Gateway) | 443 |
| Custom port (recommended) | Any 1024–65535 |
Using an SSH Tunnel Instead of Exposing RDP
For maximum security, block RDP from the public internet entirely and tunnel it over SSH:
# From your local machine (Linux/macOS):
ssh -L 13389:localhost:3389 root@YOUR_VPS_IP -N
Then connect your RDP client to localhost:13389. The RDP traffic travels entirely inside the encrypted SSH connection — no RDP port is exposed to the internet at all.
On Windows, use PuTTY's tunnel feature (Connection → SSH → Tunnels) to achieve the same result.