Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft to remotely connect to a Windows system using a graphical user interface. RDP is built into Windows by default. RDP listens on TCP port 3389 and udp port 3389. Previously, the RDP software was called Terminal Services client but now it’s called Remote Desktop Connection.
Windows comes with a remote desktop client that can be used to access the complete Windows Desktop environment remotely. It’s very useful for people who use multiple computers for work. One of our readers has asked about the RDP port and how to tweak it for security.
You can open the Remote Desktop Connection client by going to Run –> mstsc.
Simply put, the default port for using the Remote Desktop Protocol is 3389. This port should be open through Windows Firewall to make it RDP accessible within the local area network. If you want to make it accessible over the Internet (which is not safe), the RDP port should be forwarded through the main Internet router to work properly.
Let’s talk about how to open port 3389 in Windows Firewall and the router.
Allow RDP port through Windows Firewall
- Go to Windows Settings (Windows key + i)
- Go to Update & Security –> Windows Security and click on Firewall & network protection from the right-hand listing. This will open a new window.
- Click the link Allow an app through firewall
- Click on Change settings
- Search for Remote Desktop from the list. It should be there by default. If it is not there, you should click on Allow another app button and navigate to the following:
- If you want to allow Remote Desktop on the local network only, check the checkbox labeled Private. If you want it publicly available, you should check the Public checkbox too.
- Press OK for the changes to take effect.
Allow RDP port through Router (using NAT Translation)
If you want to use Windows Remote Desktop over the Internet, you will need to do two steps:
- Allow RDP port through public network from Windows Firewall (or any other firewall) as we did in the previous step.
- Allow RDP port through the router which is giving you internet access and then translate the incoming port 3389 to the computer of our choice.
Please note that if you are connected to the Internet using a public IP, you don’t need the second step but normally people are connected to the Internet using routers, both home, and corporates.
The configuration for opening a port is different for each router. Since I’m using Kerio Control for my office network, I will walk you through the steps using Kerio Control. The terminology should be similar for most routers so it’ll be easy for you to follow the same steps for your specific router.
- Open your router’s configuration page. Normally it should be the same as your default gateway. For me, it is http://192.168.1.1
- After logging in, go to Traffic Rules –> Add a new rule
- Name your rules and keep them generic. Keep the action to Allow and press the Next button.
- Keep the source to Any. That means users will be able to connect to this specific port from anywhere.
- Add Firewall to the Destination. You can keep it unchanged if you want.
- Under Services, select Port and specify 3389.
- Under NAT Translation, enable destination NAT, specify the IP address of your computer and also specify the port translation to 3389.
Change the default port of RDP
If you are opening RDP over the Internet, keeping the RDP port to 3389 is a security threat. It is recommended that you change the default port from 3389 to something above 10000. I, normally, keep it between 30000 and 40000 which is relatively safe as the port scanners will start scanning from port 1.
If you want to change the RDP port, follow the steps below:
- Go to Run –> regedit to open the Registry Editor.
- Locate the following key:
- In the right-hand pane, double-click on PortNumber
- Change the value to Decimal and specify the port number between 1001 to 254535.
Check if port 3389 is open and listening
There are times when you successfully open the RDP port but you’re unable to connect to the computer remotely. In that case, make sure that you are able to access port 3389 (or any other port if you have changed it) remotely. Follow the steps below to check if port 3389 is open and listening.
- Open PowerShell by going to Run –> powershell
- Run the following command
tnc 192.168.1.2 -port 3389
Replace the IP address 192.168.1.2 with your computer’s IP. Replace it with your router’s public IP if you have allowed public access to your computer through the router. The value of TcpTestSucceeded should be True.
If you want to check the port using the command prompt, you can follow this guide.
I hope this guide is useful for you and now you can control your remote desktop the way you want. If you have any questions or if I have left any confusion in this article, let me know through the comments below. Your comments are highly appreciated!