
How To Change Remote Desktop (RDP) Port with #PowerShell #RDP


This article describes how to change Remote Desktop (RDP) port with PowerShell.

Introduction

As you already know, Remote Desktop Connection (RDC) for Windows listens on port 3389 by default.

Microsoft claimed that the Remote Desktop Connection Client for the Mac supports only port 3389; however, this is not correct. You can change the RDP port on any Windows machine as described in this article and then connect from your Mac to Windows (e.g. 10.10.10.10:3395).

This port is blocked by Windows Firewall by default. To allow access to a server or client internally, you need to enable Remote Desktop on the target machine; to allow external access, you need to allow remote access on your edge firewall as well as on the target machine.

Changing the listening port will help to “hide” Remote Desktop from hackers who are constantly scanning the network for computers listening on the default Remote Desktop port (TCP 3389). This offers effective protection against the latest RDP worms and adds additional security to your environment.

Another scenario for changing the listening port is when you want to allow external access to internal resources but have only one public IP address. In that case, you change the default RDP listening port (TCP 3389) to a different port number on each server.

Changing the listening port for Remote Desktop the manual way is officially documented and described by Microsoft.

In this post, we will show you how to change the port that Remote Desktop listens on, across many servers, with PowerShell.

Change RDP port using PowerShell

Assume you have installed the Active Directory module for Windows PowerShell on your management machine.

Open Windows PowerShell with Administrator privilege and run the following script:

$DCs = Get-ADComputer -Filter * -SearchBase "CN=Computers,DC=VIRT,DC=LAB"
Foreach ($DC in $DCs) {
    Invoke-Command -ComputerName $DC.Name -ScriptBlock {
        param ($DC)
        # Show the current listening port, then set the new one
        Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" -Name PortNumber | Select-Object PortNumber
        Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" -Name PortNumber -Value 3395
        # Allow inbound TCP and UDP on the new port (the built-in Remote Desktop rules only cover 3389)
        New-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In) 3395" -Direction Inbound -Protocol TCP -Profile Any -LocalPort 3395 -Action Allow
        New-NetFirewallRule -DisplayName "Remote Desktop - User Mode (UDP-In) 3395" -Direction Inbound -Protocol UDP -Profile Any -LocalPort 3395 -Action Allow
        # The new port takes effect only after a restart; prompt before restarting the remote server
        [ValidateSet('Yes','No')]$Answer = Read-Host "`nAre you sure you want to restart $($DC.Name) ? Enter Yes/No"
        If ($Answer -eq 'Yes') { Restart-Computer -Force }
    } -ArgumentList $DC
}

The above script changes the RDP listening port to 3395 on every computer in the Computers container (CN=Computers), and then creates two new firewall rules that allow inbound remote access over TCP and UDP port 3395.

For the change to take effect, you need to restart the computer, so I added a variable with a ValidateSet attribute that asks you to confirm whether you want to restart the server now or later.
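The script above applies the same port everywhere and creates the firewall rules unconditionally. The following is an added example (not the article's script) that covers the one-public-IP scenario from the introduction as well: it assigns a different port to each server from a constructed mapping, refuses a port that another process already listens on, writes the registry value only when it differs, creates the firewall rules only if they do not already exist and scopes them to the Remote Desktop service inside svchost.exe rather than to any program, and restarts only the servers whose port actually changed. The server names and ports in $PortMap are made up; replace them with your own.

```powershell
# Added example: per-server RDP port change with checks. Not the article's original script.

# Constructed sample mapping: server name -> desired RDP port (replace with your own).
$PortMap = @{
    'SRV01' = 3395
    'SRV02' = 3396
}

$RdpRegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$Results = foreach ($Server in $PortMap.Keys) {
    $NewPort = [int]$PortMap[$Server]

    # Stay out of the well-known range and the invalid range.
    if ($NewPort -lt 1024 -or $NewPort -gt 65535) {
        Write-Warning "${Server}: port $NewPort is out of range, skipping"
        continue
    }

    Invoke-Command -ComputerName $Server -ArgumentList $NewPort, $RdpRegPath -ScriptBlock {
        param ([int]$Port, [string]$RegPath)

        $Before = (Get-ItemProperty -Path $RegPath -Name PortNumber).PortNumber

        # Refuse to take a port that some other process already listens on.
        $InUse = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
        if ($InUse -and $Before -ne $Port) {
            return [pscustomobject]@{ Computer = $env:COMPUTERNAME; OldPort = $Before; NewPort = $Port; Status = 'PortInUse' }
        }

        # Write the registry value only when it actually differs.
        if ($Before -ne $Port) {
            Set-ItemProperty -Path $RegPath -Name PortNumber -Value $Port -Type DWord
        }

        # Create the inbound rules once, scoped to the Remote Desktop service (TermService)
        # hosted in svchost.exe, the same scoping the built-in 3389 rules use.
        foreach ($Proto in 'TCP', 'UDP') {
            $Name = "Remote Desktop - User Mode ($Proto-In) $Port"
            if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol $Proto `
                    -LocalPort $Port -Action Allow -Profile Any `
                    -Program '%SystemRoot%\system32\svchost.exe' -Service TermService | Out-Null
            }
        }

        # Read the value back so the result reflects what is really in the registry.
        $After  = (Get-ItemProperty -Path $RegPath -Name PortNumber).PortNumber
        $Status = if ($After -eq $Port) { 'RestartPending' } else { 'Failed' }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; OldPort = $Before; NewPort = $After; Status = $Status }
    }
}

$Results | Format-Table Computer, OldPort, NewPort, Status -AutoSize

# Restart only servers whose port changed, and wait until WinRM answers again.
$ToRestart = $Results | Where-Object { $_.Status -eq 'RestartPending' -and $_.OldPort -ne $_.NewPort }
foreach ($R in $ToRestart) {
    $Answer = Read-Host "Restart $($R.Computer) now to apply port $($R.NewPort)? Enter Yes/No"
    if ($Answer -eq 'Yes') {
        Restart-Computer -ComputerName $R.Computer -Force -Wait -For PowerShell -Timeout 600
    }
}
```

Run it from a management machine that can reach the servers over WinRM with an account that is a local administrator on each of them. The built-in "Remote Desktop - User Mode" rules for port 3389 are left in place; once you have verified that the new port works, you can disable them on each server so that the old port is no longer open in the host firewall.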

[Screenshot: Change Remote Desktop (RDP) Port using PowerShell]

Connect using the custom RDP port

When the Remote Desktop service runs on the default port (3389), you do not need to specify it when connecting to the target computer using the Remote Desktop Connection client application.

However, once you customize the port, you need to specify the port number after the computer name or IP address, separated by a colon, as shown in the following example:

Example:

mstsc /v 172.16.20.13:3395
[Screenshot: Connect using the custom RDP port]
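After the restart it is worth confirming that the server really listens on the custom port, and that the listener belongs to the Remote Desktop service rather than to something else that happened to grab the port. The following is an added example, not part of the article: it checks reachability of the port from the client with Test-NetConnection, checks on the host over WinRM that the registry value matches and that the listening socket is owned by the TermService process, and only then launches mstsc. The server name SRV01 and port 3395 are placeholders.

```powershell
# Added example: verify a custom RDP port before connecting. Not from the original article.

function Test-RdpPort {
    param (
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port
    )

    # Client side: can we complete a TCP handshake to the custom port?
    $Reach = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue

    # Host side (over WinRM): does the registry agree, and is the listener owned by TermService?
    $HostSide = Invoke-Command -ComputerName $ComputerName -ArgumentList $Port -ScriptBlock {
        param ([int]$P)
        $RegPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
        $Configured = (Get-ItemProperty -Path $RegPath -Name PortNumber).PortNumber
        $TermSvcPid = (Get-CimInstance Win32_Service -Filter "Name='TermService'").ProcessId
        $Listener   = Get-NetTCPConnection -State Listen -LocalPort $P -ErrorAction SilentlyContinue |
                      Where-Object { $_.OwningProcess -eq $TermSvcPid }
        [pscustomobject]@{
            ConfiguredPort = $Configured
            OwnedByRdp     = [bool]$Listener
        }
    }

    [pscustomobject]@{
        Computer       = $ComputerName
        Port           = $Port
        TcpReachable   = $Reach.TcpTestSucceeded
        ConfiguredPort = $HostSide.ConfiguredPort
        OwnedByRdp     = $HostSide.OwnedByRdp
        Ready          = ($Reach.TcpTestSucceeded -and $HostSide.OwnedByRdp -and $HostSide.ConfiguredPort -eq $Port)
    }
}

# Constructed sample target; replace with your own server name and port.
$Check = Test-RdpPort -ComputerName 'SRV01' -Port 3395
$Check | Format-List

if ($Check.Ready) {
    mstsc /v "$($Check.Computer):$($Check.Port)"
} else {
    Write-Warning "Not connecting: port $($Check.Port) on $($Check.Computer) is not reachable, not owned by TermService, or differs from the configured port ($($Check.ConfiguredPort))."
}
```

A result with TcpReachable true but OwnedByRdp false is the case to look at closely: something other than Remote Desktop is answering on that port, which is exactly the situation the in-use check in the change script is meant to prevent.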

I hope this helps someone!

Conclusion

In this article, you learned how to change the remote desktop port number using PowerShell.

Please note that a custom RDP port does not by itself make a Windows system secure; it only adds a layer of obscurity that offers protection to a certain degree. It is always good practice to disable Remote Desktop on public-facing Windows servers and client machines. If you really have to keep Remote Desktop enabled, it is highly recommended that you use a VPN, Just-in-Time VM access, or Azure Bastion, for example.

Learn more on how to protect your organization’s valuable workloads by hardening Azure VMs.

Cheers,
-Charbel


2 thoughts on “How To Change Remote Desktop (RDP) Port with #PowerShell #RDP”


  1. When you first mention Mac RDP ports (first two lines of the introduction), you mention the same port as the Windows port, 3389, instead of 3395, which you use in the script to change the port.

  2. Hello Tim, thanks for the comment. Yes, Microsoft claimed a long time ago that “the Remote Desktop Connection Client for the Mac supports only port 3389”. However, this is not correct. You can change the RDP port on any Windows machine as described in this article and then connect from your Mac machine to Windows (e.g. 10.10.10.10:3395). Hope it’s clear now.
