Changing the default RDP port (3389) on Windows Server 2022 is a straightforward way to reduce exposure to automated attacks targeting standard ports. This adjustment enhances security by making your server less visible to common scans. Here’s how you can do it:
- Backup First: Create a system restore point and export the registry key for safekeeping.
- Choose a New Port: Pick an unused port in the range 1024–49151, avoiding commonly scanned ones like 22, 80, or 443.
- Update the Registry: Modify the PortNumber value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp to your new port.
- Adjust the Firewall: Create an inbound rule in Windows Firewall to allow traffic through the new port.
- Restart the RDP Service: Apply the changes by restarting the Remote Desktop Service (TermService).
- Testing Connection: Use the new port to connect (e.g., 192.168.1.100:12345) and verify functionality. If issues arise, check firewall rules, service status, or port conflicts.
While this change helps deter basic attacks, it’s not foolproof. Combine it with strong passwords, firewall rules, and regular monitoring to maintain a secure system. Always test thoroughly and document changes for future reference.
Preparing to Change the RDP Port
Making changes to your RDP port requires careful preparation. Rushing through the process without proper backups or thoughtful planning can lead to server lockouts or disruptions – especially critical if your server supports trading or other essential operations.
Backup the Registry and Server Configuration
Before making any changes, back up your registry. The Windows Registry is a vital part of your server’s configuration, and even a small mistake can make your system unstable or completely inaccessible.
Start by creating a System Restore Point. Go to Control Panel > System Properties > System Protection, and name the restore point something like "Before RDP Port Change – [current date]" for easy identification later.
Next, export the specific registry key you’ll be modifying. Open the Registry Editor and navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Right-click the key, select Export, and save it to a secure location with a name like "RDP_Registry_Backup_[date].reg".
For added security, consider performing a full server backup. This step is especially important if your server is running critical trading applications where downtime could impact operations. A full backup ensures you can restore your system quickly if something goes wrong.
Lastly, document your current settings. Make a note of the existing port number (usually 3389), your firewall rules, and any custom RDP configurations you’ve set up. This documentation will make it easier to revert to your original setup if needed.
With these safeguards in place, you’re ready to choose a new, secure port.
Choose a Secure and Unused Port
Once you’ve secured your backups, the next step is selecting a port that’s both secure and unused. The right choice reduces the risk of conflicts and makes your server less vulnerable to attacks.
Avoid commonly scanned ports such as 22 (SSH), 80 (HTTP), 443 (HTTPS), 21 (FTP), and 25 (SMTP). These are frequently targeted by attackers and should not be used for RDP.
Instead, focus on the registered port range, which spans 1024–49151. Ports in the higher range – like those above 10,000 – are generally safer since they’re less likely to be targeted or already in use.
Before finalizing your choice, confirm that the port isn’t currently in use on your server. Open Command Prompt as an administrator and run:
netstat -an | find "LISTENING"
This command shows all active ports. If your chosen port appears in the list, pick another one.
Additionally, check your trading software’s documentation to ensure the new port doesn’t interfere with any required port ranges for data feeds or order execution. Compatibility with your software is key to avoiding disruptions.
Finally, review your firewall and network settings. Make sure the new port complies with your security policies and is allowed through your firewall. To test, temporarily open the port in Windows Firewall and scan it from an external machine. This step ensures the port is accessible and ready for use without compromising security.
Step-by-Step Guide to Changing the RDP Port
To change the Remote Desktop Protocol (RDP) port, you’ll need to update the Registry entry for RDP-Tcp. Follow these steps carefully to avoid system issues.
Accessing the Windows Registry Editor
Start by opening the Windows Registry Editor:
- Press Win + R, type regedit, and hit Enter.
- If prompted by the User Account Control (UAC), ensure you’re logged in as an administrator and click Yes.
Once inside the Registry Editor, navigate to the following path:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
You can either expand each folder manually or paste the path into the address bar at the top of the editor. When you reach the RDP-Tcp key, you’ll see various configuration values in the right pane. Locate the entry labeled PortNumber – this is where you’ll make the necessary change.
Editing the RDP Port Number
To update the port number:
- Double-click on PortNumber in the right pane.
- In the dialog box that appears, switch the Base option to Decimal.
- Enter your desired port number (e.g., 12345) into the Value Data field. Be sure to double-check the number, as entering an incorrect value can disrupt RDP functionality.
- Click OK to save your changes.
After saving, confirm that the PortNumber entry now reflects your new port. Once verified, close the Registry Editor.
Keep in mind that the new port number won’t take effect immediately. You’ll need to restart the RDP service and adjust your firewall settings to allow traffic through the updated port.
Important: Modifying the Windows Registry can impact your system’s behavior. Avoid making changes to other keys unless you’re certain of their purpose. If something goes wrong, use the backup you created earlier to restore your system.
Configuring the Firewall for the New RDP Port
Once you’ve set up the new RDP port in the registry, the next step is to configure your firewall to allow traffic through this port. Without proper firewall adjustments, RDP connections won’t work, even if the service is listening on the new port.
Create a New Inbound Rule
Windows Server 2022 includes Windows Defender Firewall with Advanced Security, offering precise control over network traffic. To enable RDP access on your custom port, you’ll need to create a new inbound rule.
Start by opening the firewall management console. Press Win + R, type wf.msc, and hit Enter. This opens the Firewall Advanced Security interface. Alternatively, you can navigate through Server Manager > Local Server > Microsoft Defender Firewall > Advanced Settings.
Here’s how to set up the rule:
- Click Inbound Rules in the left panel to view the existing rules.
- In the Actions panel on the right, select New Rule to launch the rule creation wizard.
Configure the following settings step-by-step:
- Rule Type: Choose Port, as you’re allowing traffic through a specific port.
- Protocol and Ports: Select TCP as the protocol. Then, choose Specific local ports and input your custom RDP port number (e.g., 12345). Ensure this matches the port you defined in the registry.
- Action: Select Allow the connection to permit traffic through the specified port.
- Profile: Check all three options – Domain, Private, and Public – to ensure the rule applies across all network profiles. This is especially important if the server’s network location changes.
- Name and Description: Assign a clear name like "Custom RDP Port 12345" and include a description, such as "Allows Remote Desktop connections through custom port 12345." This makes future rule management easier.
After completing these steps, click Finish. The new rule will now appear in the inbound rules list, marked with a green checkmark to indicate it’s active. This setup is crucial for ensuring secure and uninterrupted connections, particularly in VPS environments.
Verify Firewall Settings
Before testing remote connections, double-check that your firewall settings are correctly applied.
- Review the New Rule: Open the Inbound Rules section in the firewall console. Locate your newly created rule and verify its properties. Ensure the Action is set to Allow the connection, the rule is Enabled, and the Protocols and Ports tab lists TCP with your custom port number.
- Confirm the RDP Service: Open PowerShell as an administrator and run the command:
netstat -ano | findstr :12345
Replace 12345 with your specific port number. If everything is set up correctly, you should see an entry showing TCP, your port number, and a status of LISTENING.
- Test Connectivity: Use a network tool like psping from another machine to check if the port is reachable.
- Monitor Event Viewer: For additional confirmation, check Windows Logs > Security in the Event Viewer. Look for Event ID 4624, which indicates successful login attempts. This confirms that RDP connections are being established through the newly configured port.
If any issues come up, ensure the port number matches in both the registry and the firewall rule. Once verified, restart the RDP service and test your remote connection to confirm everything is working correctly.
Restarting the RDP Service and Testing the New Port
Once you’ve updated the registry and firewall settings, the next step is to restart the Remote Desktop Service. This is essential for the new port configuration to take effect, as the service needs to reload its settings.
Restart the RDP Service
The Remote Desktop Service, also known as TermService, must be restarted to apply the changes. Thankfully, you can do this without needing to reboot the entire server. Here are your options:
- Services Console: Open the Services Console by typing services.msc in the Run dialog (Win + R). Locate TermService, right-click it, and select Restart.
- PowerShell: Run the following command in PowerShell:
Restart-Service TermService -Force
The -Force parameter ensures the service restarts immediately.
- Task Manager: Open Task Manager (Ctrl + Shift + Esc), go to the Services tab, find TermService, right-click it, and choose Restart.
Pick whichever method aligns best with your workflow.
Test the RDP Connection
After restarting the service, it’s time to test the new port configuration. Start by ensuring your firewall allows traffic on the new port. Then, follow these steps to verify the connection:
- Open the Remote Desktop Connection tool by pressing Win + R and typing mstsc.
- In the connection dialog, enter the server’s IP address or hostname, followed by a colon and the new port number. For example, if your server’s IP is 192.168.1.100 and your custom port is 12345, input:
192.168.1.100:12345
- Click Connect, then enter your username and password when prompted. If Network Level Authentication is enabled, make sure your credentials meet the security requirements.
A successful connection will indicate that the new port is functioning correctly.
Check if the port is active by running this command in Command Prompt (as Administrator) on the server:
netstat -an | find "12345"
Replace 12345 with your custom port number. If the output shows the port in a LISTENING state, it confirms that the RDP service is ready to accept connections on the new port.
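The registry, firewall, restart, and verification steps above can also be run as one script. The following PowerShell is an added example, not part of the original guide; it assumes an elevated session on the server, the guide's example port 12345, and a hypothetical backup folder C:\Backup.

```powershell
#Requires -RunAsAdministrator
# Added example: change the RDP port with a backup and a post-change check.
$ErrorActionPreference = 'Stop'
$NewPort   = 12345          # example port from this guide; substitute your own
$BackupDir = 'C:\Backup'    # hypothetical backup location
$RegKey    = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$KeyPath   = "Registry::HKEY_LOCAL_MACHINE\$($RegKey.Substring(5))"

# 1. Stop if another process is already listening on the chosen port.
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "Port $NewPort is already in use; choose another."
}

# 2. Export the RDP-Tcp key and record the current port for the change log.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ("RDP_Registry_Backup_{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
reg.exe export $RegKey $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; nothing was changed.' }
$oldPort = (Get-ItemProperty -Path $KeyPath -Name PortNumber).PortNumber

# 3. Create the inbound rule before touching the registry, so a failure
#    here leaves the existing RDP configuration untouched.
New-NetFirewallRule -DisplayName "Custom RDP Port $NewPort" `
    -Description "Allows Remote Desktop connections through custom port $NewPort." `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -Action Allow -Profile Domain, Private, Public | Out-Null

# 4. Write the new port as a DWORD (the value regedit shows in Decimal base).
Set-ItemProperty -Path $KeyPath -Name PortNumber -Value $NewPort -Type DWord

# 5. Restart the Remote Desktop Service so it reloads PortNumber.
#    Active RDP sessions are disconnected when TermService restarts.
Restart-Service -Name TermService -Force

# 6. Confirm the listener moved; print rollback details if it did not.
Start-Sleep -Seconds 5
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    "RDP is listening on port $NewPort (previously $oldPort). Backup: $backup"
} else {
    Write-Warning "Nothing is listening on port $NewPort."
    Write-Warning "Restore with: reg.exe import $backup ; Restart-Service TermService -Force"
}
```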
Troubleshooting Connection Issues
If you’re unable to connect, here are some common areas to investigate:
- Firewall Rules: Double-check that your firewall rule is active and correctly configured to allow TCP traffic on the new port.
- Service Status: Ensure the Remote Desktop Service is running and has been restarted properly.
- Port Conflicts: Use the command netstat -a -n to identify if another process is using the same port.
If the issue persists, test basic network connectivity by pinging the server from your client machine. A successful ping indicates the server is reachable, so the problem likely lies with the port configuration or firewall settings.
For those using VPS hosting, keep in mind that some providers apply additional network-level firewalls. You may need to configure port access via the provider’s control panel or contact their support team to ensure external connections to your custom RDP port are allowed.
Key Considerations and Best Practices
Changing your RDP port can enhance security, but it’s equally important to stay vigilant and keep your trading VPS updated regularly.
Monitor for Unauthorized Access
Once you’ve secured access through the new RDP port, it’s crucial to keep an eye on login attempts to catch any unusual activity.
Use Event Viewer on Windows Server 2022 to monitor RDP activity. Go to Windows Logs > Security to check for authentication events. Specifically, watch for Event ID 4625 (failed logon attempts) and Event ID 4624 (successful logons). These logs can help you spot suspicious patterns, such as repeated failed attempts from unknown IP addresses.
If you notice persistent failed logins from unfamiliar IPs, block these offenders through your firewall. For trading VPS environments, legitimate logins often align with predictable patterns, like market hours or your trading schedule.
Consider setting up automated alerts for critical security events. With Windows Task Scheduler, you can configure email notifications or scripts to trigger when specific event IDs are logged. This ensures you’re notified of potential issues immediately, even outside of regular hours.
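The Event Viewer review described above can be done from PowerShell. This is an added example, not part of the original guide; the function name, the 24-hour window, and the threshold of 10 failures are assumptions, and it requires an elevated session with logon-failure auditing enabled.

```powershell
# Added example: summarize failed logons (Event ID 4625) by source address.
function Get-FailedLogonSummary {
    param(
        [int]$Hours     = 24,   # look-back window (assumed value)
        [int]$Threshold = 10    # failures per source worth reviewing (assumed value)
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Named fields are stored in the event XML as EventData/Data[@Name].
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # LogonType 3 (network, seen with NLA) and 10 (RemoteInteractive) cover RDP.
        # Skip records with no usable source address and loopback entries.
        $isRemote = ($data['LogonType'] -in @('3', '10')) -and
                    ($data['IpAddress'] -notin @($null, '', '-', '::1', '127.0.0.1'))
        if ($isRemote) {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Source = $data['IpAddress']
                User   = $data['TargetUserName']
            }
        }
    }

    # One row per source address that meets the threshold, busiest first.
    $rows | Group-Object -Property Source |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            $times = @($_.Group.Time | Sort-Object)
            [pscustomobject]@{
                Source   = $_.Name
                Failures = $_.Count
                Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
                First    = $times[0]
                Last     = $times[-1]
            }
        }
}

Get-FailedLogonSummary -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

Run on a schedule, the same function gives Task Scheduler a script to trigger alerts from, and the Source column lists the addresses to consider blocking in the firewall.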
If you’re using QuantVPS, take advantage of its built-in monitoring tools. These can complement Windows’ logs by flagging unusual resource usage, which might indicate unauthorized access or malicious behavior.
Regularly Update Server Software
Keeping your server software up to date is essential for maintaining security. While Windows Update is usually set to run automatically, it’s a good idea to double-check this setting. Go to Settings > Update & Security > Windows Update and confirm that automatic updates are enabled. Security patches often address vulnerabilities, including those related to RDP, so timely updates are critical.
To avoid interruptions, schedule updates outside of active trading sessions. Use the Active Hours feature in Windows Update to prevent restarts during market hours.
Don’t forget to update third-party trading platforms as well. These updates often include security fixes and performance improvements. If possible, test updates in a non-production environment before applying them to your live system.
Your antivirus and security software also need regular updates. While Windows Defender offers basic protection, many trading professionals prefer enterprise-grade solutions. Make sure your antivirus software doesn’t interfere with your trading platforms by setting exclusions for application folders and data directories.
It’s also wise to document your update schedule and have a rollback plan in place. Create system restore points before major updates, and keep offline backups of critical trading configurations. This preparation ensures you can recover quickly if an update causes compatibility issues.
Document and Share Configuration Changes
Keeping a detailed record of your configuration changes is just as important as making the changes themselves.
Log key details such as the new RDP port, updated firewall rules, the date of implementation, and the reasons behind these changes. Store information like server IPs, custom ports, and user accounts securely for quick access during emergencies.
Clear communication with your team is essential. Make sure all authorized users are informed about the new setup. Provide updated connection instructions, including the correct port syntax for RDP clients. If some team members are less tech-savvy, consider creating a simple guide with screenshots to help them connect.
Maintain a change log for all security modifications, and verify your backup procedures after making configuration changes. Test your backup and restore processes to ensure that your disaster recovery plan works as expected. For trading operations, rapid recovery is non-negotiable, so reliable backups are critical.
Store all documentation securely. Use encrypted cloud storage or local drives, and avoid saving sensitive details in plain text files or unencrypted emails. For added security, consider using enterprise password managers that allow team sharing with controlled access permissions.
Conclusion
Changing the RDP port on your Windows Server 2022 is a straightforward yet effective way to minimize exposure to automated attacks and unauthorized access attempts. By carefully following the steps outlined – backing up your registry, choosing a less common port, updating registry settings, configuring the firewall, and thoroughly testing the connection – you’ve added an important layer of security to your trading VPS setup.
While this adjustment won’t deter every attacker, it significantly reduces the risk posed by automated scans targeting the default port (3389). For trading environments where security and uptime are critical, this small but impactful change can help avoid costly disruptions and safeguard your sensitive trading data.
Of course, this is just one piece of the broader security puzzle. Regular monitoring, timely updates, and well-documented configurations are equally important for maintaining a secure system. Keeping your Windows Server 2022 updated ensures you’re protected by the latest security patches, fortifying your defenses even further.
For QuantVPS users, these measures work hand-in-hand with features like built-in DDoS protection and monitoring, offering multiple layers of security for your trading infrastructure. Whether you’re operating a single trading platform or managing complex algorithmic strategies across various markets, securing your RDP connection ensures reliable access while keeping unwanted intrusions at bay.
Once you’ve completed the setup, test everything thoroughly and share the new connection details with your team. This proactive step helps ensure your trading operations remain uninterrupted and secure, especially during those critical market hours.
FAQs
Why should I change the default RDP port on my Windows Server 2022?
Changing the default Remote Desktop Protocol (RDP) port on a Windows Server 2022 is a straightforward way to boost security. The default port, 3389, is well-known and often targeted by hackers using automated tools to scan for vulnerable systems.
Switching to a less common port makes it more difficult for attackers to find and exploit your server. This reduces the chances of brute-force attacks and unauthorized access. This extra measure is especially crucial for environments where uptime and data security are essential, like trading VPS setups.
What should I do to prepare before changing the RDP port on my Windows Server 2022?
Before you change the RDP port, ensure you have administrator privileges on the server. Double-check that Remote Desktop Protocol (RDP) is already enabled and functioning properly. It’s also a good idea to back up your registry and record the current settings, just in case you need to restore them later. Don’t forget to update your firewall rules to permit traffic on the new port – this step is crucial to avoid losing remote access.
How can I make sure my new RDP port doesn’t interfere with other services on my Windows Server 2022?
To confirm that your new RDP port is available, open the Command Prompt and run the command netstat -a -n. This will display all active ports on your system. Check the list for the port you intend to use. If it shows up as active or listening, it’s already in use, and you’ll need to select a different port.
You can also use tools like Task Manager or Process Explorer to pinpoint which processes are occupying specific ports. These tools make it easier to ensure your chosen RDP port won’t interfere with other services running on your server.