Open RDP port in Windows 10. RDP port: changing the default and basic configuration steps

Users who work with remote access sessions quite often wonder how to change the RDP port. Below we look at the simplest solutions and outline the main stages of the setup process.

What is RDP for?

First, a few words about RDP. If you look at the expansion of the abbreviation, you can understand that it concerns remote access

In simple terms, this means access to a terminal server or workstation. Windows (any version of the system) uses default parameters that suit most users. Nevertheless, sometimes it becomes necessary to change them.

Standard RDP Port: Should I Change It?

So, regardless of the Windows edition, the protocol has a predefined value: RDP port 3389, which is used to carry out a communication session (connecting one terminal to a remote one).

Why would the standard value ever need to be changed? First of all, because of the security of the local computer. With the standard port in place, in principle, any attacker can easily penetrate the system. So let's see how to change the default RDP port.

Changing settings in the system registry

Note right away that the change is carried out exclusively by hand: the remote access client itself provides no way to reset or set new parameters.

To begin with, open the standard registry editor with the regedit command in the Run dialog (Win + R). Here we are interested in the HKLM branch, in which we descend through the key tree (System\CurrentControlSet\Control\Terminal Server\WinStations) to the RDP-Tcp key. In the window on the right, find the PortNumber value; its data is what we need to change.

Open it for editing and you see 00000D3D. Many people are perplexed about what this is, but it is simply the hexadecimal representation of the decimal number 3389. To specify the port in decimal form, switch the base of the value display to Decimal and then enter the number we need.

After that, reboot the system, and when connecting, specify the new RDP port. Another way to connect is the command mstsc /v:ip_address:XXXXX, where XXXXX is the new port number. But that's not all.

Windows Firewall Rules

Alas, the built-in Windows firewall may block the new port. This means that you also need to change the settings of the firewall itself.

Open Windows Firewall with Advanced Security. First select Inbound Rules and click the link for creating a new rule. Choose the rule type Port, enter the new port value for TCP, then select Allow the connection, leave the profiles section unchanged, and finally give the new rule a name and press Finish to complete the configuration. It remains to reboot the server and, when connecting, specify the new RDP port after the address, separated by a colon. In theory, there should be no problems.

RDP port forwarding on a router

In some cases, when a wireless connection is used instead of a cable, you may need to set up port forwarding on the router. There is nothing complicated about it.

First, in the system properties, allow remote connections and specify the users who have this right. Then open the router settings in a browser (192.168.1.1 or an address ending in 0.1, depending on the router model). In the address field (if our main address is 1.1), it is advisable to assign the computer an address starting from the third (1.3), and the rule that issues the address to register for the second (1.2).

Then, in Network Connections, open the details view of the connection, copy the physical (MAC) address from there and paste it into the router parameters.

Now, in the NAT settings section of the modem, enable the connection to the server, add a rule and specify the XXXXX port that needs to be forwarded to the standard RDP port 3389. Save the changes and reload the router (the new port will not be accepted without a restart). You can check the connection on a specialized site such as ping.eu in the port testing section. As you can see, everything is simple.

Finally, note that the port values are allocated as follows:

  • 0 - 1023 - ports for low-level system programs;
  • 1024 - 49151 - ports allocated for private purposes;
  • 49152 - 65535 - dynamic private ports.

In general, many users choose RDP ports from the third range of the list to avoid problems. However, both specialists and experts recommend using these values in the configuration, since they are suitable for most tasks.

As for this particular procedure, it is mainly needed only in the case of a Wi-Fi connection. As you can see, with a normal wired connection it is not required: just change the values of the registry keys and add rules for the port in the firewall.

Remote Desktop Protocol (RDP) is an application-layer protocol used in the Windows operating system for remote connection to computers, servers and workstations running this OS. Regardless of the Windows edition, TCP port 3389 is used for standard remote access; it should be changed in cases when it threatens communication sessions, as dictated by the security policy of the local computer. In the article below, we analyze in detail the process of changing the default RDP port for Windows Server 2012.

Changes are made by hand. To successfully make changes and select a different port for the remote connection protocol, you need to open the registry editor. Windows has a special standard registry editor; it is started by entering the regedit command in the PowerShell box. After the program starts, you need to find the RDP-Tcp item.

The RDP-Tcp folder contains the element we need, named PortNumber. To change the DWORD parameter, you need to specify the following data:

  • Enter the required port number in the "Parameter" line;
  • In the "Value" line, for example, 60000;
  • Select the decimal number system.

When choosing a new port for connection, it is important to know the three main categories of numbers:

  • 0 through 1023 are port numbers assigned and controlled by the IANA (Internet Address Space Administration). Used by various applications of the operating system;
  • From 1024 to 49151 - port numbers are also assigned and controlled by the administration. Used when performing private tasks;
  • From 49152 to 65535 - numbers of private ports used in solving work tasks by any applications and processors.

To save the changes made, you need to restart your computer.

The built-in firewall of the operating system can start blocking the new port after all the necessary changes have been made. So that the firewall does not block external connection attempts on the newly selected port, you need to perform a number of simple steps. In the firewall settings, open the advanced security console. This is done by opening the "Tools" tab in Server Manager. Inside it, select the item "Inbound Rules", right-click it and select the action to create a new rule.

A new window will open where you will need to set the type of firewall rule for the new port and enter the data that was specified earlier in the process of changing the parameter.

After completing these procedures, the next thing to do is to indicate the profile on which the rule will apply.

The next step is to enable connection for the newly created port.

The necessary areas are selected, depending on where the server will work.

Then you need to set a name for this rule by selecting unique data.

The last step is to reboot the system. If the changes are made correctly, there should be no operational problems. Next, you connect to the remote server through the newly specified port using the RDP protocol. To log in correctly, you must specify the port number after the server's IP address, separated by a colon.

Common task: configure remote access to a computer that is connected to the Internet through a router.

Solution: do port forwarding on the router. Port forwarding is also called port publishing; in English terminology the terms Port forwarding and Port Publishing are used.

What is port forwarding

Port forwarding is the mapping of a specific external port of the gateway (router, modem) to the desired port of the target device in local network (server, workstation, network storage, camera, recorder, etc.)

But which port to forward depends on how you want to access the computer.

How to set up remote access via RDP (remote desktop, terminal)

RDP connections are made to the target computer port 3389. What should be done:

Step 1 Allow incoming RDP connections on the computer

Attention! INCOMING Remote Desktop connections are possible only in the following editions of Windows:
Windows XP Professional;
Windows 7 / 8.1 Professional;
Windows 7 / 8.1 Ultimate;
Windows 7 / 8.1 Enterprise.

In Windows XP Starter and Home Edition, and in Windows Vista / 7 / 8 / 8.1 Starter, Home Basic and Home Premium, incoming connections are not possible.

To do this, open System properties (Win + Break) and click the link Advanced system settings:

Go to the Remote tab, set the switch to Allow remote connections to this computer, uncheck the box Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended) and click OK to apply the setting:

Step 2 Create an account on the computer under which the remote desktop user will connect.

Requirement # 1. The account must have a password. Under the default local security policy settings, RDP connection is prohibited for accounts without a password. It is not recommended to allow remote access to non-password-protected accounts in the security policy: this creates a threat of unauthorized access by intruders.

Requirement # 2. If the user is NOT an administrator on the local computer, it must be added to the Remote Desktop Users group. This can be done in two ways.

How to allow a user without administrative privileges to connect to a remote desktop

Method one.

Right-click the This PC shortcut and select Manage:

In the Computer Management window choose Local Users and Groups => Users:

Find the required user in the list and double-click to open its properties:

Go to the Member Of tab and press the Add button:

Click the Advanced button:

Then the Find Now button:

Select the Remote Desktop Users group in the list and press OK:

In the Select Groups and Properties: <user> windows click OK:

Method two.

Open System properties (Win + Break) and press Advanced system settings:

Go to the Remote tab and press the Select Users button:

Click the Add button:

Click Advanced:

and Find Now:

In the list, select the user account to which you want to grant remote access rights, and press OK:

Now press OK in the next two windows:
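The same Step 2 done from the command line, as an added example that is not part of the original article: it enforces the two requirements above (a password, and membership in Remote Desktop Users rather than Administrators). It assumes an elevated Windows PowerShell 5.1 session with the built-in LocalAccounts module; the account name rdpuser is a placeholder, and the LimitBlankPasswordUse value is the Local Security Policy setting that the "Requirement # 1" paragraph refers to.

```powershell
# Added example: prepare a non-administrator account for Remote Desktop logon.
# Assumes an elevated PowerShell 5.1+ session; 'rdpuser' is a placeholder name.
#Requires -RunAsAdministrator

$UserName = 'rdpuser'
$Group    = 'Remote Desktop Users'

# Requirement 1: the account must have a password. Prompt for it so that it never
# lands in the script file or the console history.
$Password = Read-Host -AsSecureString -Prompt "Password for $UserName"

# The policy behind Requirement 1: with LimitBlankPasswordUse = 1 (the default),
# accounts with an empty password may log on only at the console, never over RDP.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$limitBlank = (Get-ItemProperty -Path $lsa -Name LimitBlankPasswordUse).LimitBlankPasswordUse
Write-Host "LimitBlankPasswordUse = $limitBlank (1 = blank-password accounts cannot use RDP)"

# Create the local account only if it does not exist yet.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $Password | Out-Null
}

# Requirement 2: membership in Remote Desktop Users is all that RDP logon needs;
# the account is deliberately NOT added to Administrators.
$member = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
          Where-Object { $_.Name -like "*\$UserName" }
if (-not $member) {
    Add-LocalGroupMember -Group $Group -Member $UserName
}

# Verify: who may log on over RDP, and confirm the user is not an administrator.
Get-LocalGroupMember -Group $Group | Select-Object Name, PrincipalSource
$isAdmin = Get-LocalGroupMember -Group 'Administrators' |
           Where-Object { $_.Name -like "*\$UserName" }
Write-Host ('{0} is a member of Administrators: {1}' -f $UserName, [bool]$isAdmin)
```

Run it once on the target computer; rerunning is harmless because both the account creation and the group addition are skipped when they are already in place.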

Step 3 Create a forwarding rule on the router, according to which, when requested for a specified port, the connection will be redirected to port 3389 of the desired computer.

In D-Link routers the required section may be called Virtual Server, as in the D-Link DIR-615:

It can also be called Port Forwarding, as, for example, in the DIR-300:

The essence is the same:

  1. Give the rule an arbitrary name;
  2. Open a non-standard port on the router that is not in use (field Public Port);
  3. Specify the IP address of the target computer on the local network that the remote user should reach (field IP Address);
  4. Specify the port number on which the application or service runs on the computer. In our case, for the Remote Desktop service, this is port 3389 (field Private Port).

If your provider gives your router a dynamic address, it is convenient to use a Dynamic DNS service. D-Link has its own service where you can register an Internet address (i.e. a domain) for free and configure access to your router and local network through it.

To configure Dynamic DNS go to the section MAINTENANCE, select subsection DDNS Settings and click on the link Sign up... to go to the site and register a domain. Then set up the domain synchronization with the router's IP address in the DYNAMIC DNS SETTINGS and save the settings with Save Settings:

After that it will be possible to connect not by the IP address, but by an address of the form vash-adres.dlinkddns.com:port

Checking connection to a computer via remote desktop

Start the Remote Desktop Connection client:

In the Computer field enter the address and port separated by a colon. In the User name field enter your username and click Connect:

This remote connection can harm the local or remote computer. Before connecting, make sure remote computer reliable.

Check the box and click the Connect button:

Now enter the user password, check the box Remember my credentials if you don't want to enter your password every time, and press OK:

After that, a message may appear:

Unable to verify the authenticity of the remote computer. Do you want to connect anyway?

Here you can check the box Don't ask me again for connections to this computer and press Yes:

RDP is the Remote Desktop Protocol; that is what the abbreviation stands for. It is needed to connect one computer to another over the Internet. For example, if a user is at home and urgently needs to fill out documents in the office, he can do it using this protocol.

How RDP works

The other computer is accessed through TCP port 3389 by default; this setting is present on every device out of the box. There are two types of connection:

  • for administration;
  • to work with programs on the server.

Servers running Windows Server support two simultaneous remote RDP connections (when the Remote Desktop Services role is not activated). Non-server computers allow only one session.

The connection between computers is made in several stages:

  • the protocol, which runs over TCP, requests access;
  • a Remote Desktop Protocol session is established. During this stage the parameters of data transmission are agreed;
  • when the negotiation phase is completed, the server transfers graphical output to the other device and at the same time receives mouse and keyboard input from it. The graphical output is either an exact copy of the image or drawing commands for various shapes, line types and circles. Such commands are the key element of this kind of protocol, as they greatly reduce traffic consumption;
  • the client computer turns these commands into graphics and displays them on the screen.

Also, this protocol has virtual channels that allow you to connect to a printer, work with the clipboard, use an audio system, etc.

Connection security

There are two types of secure connections via RDP:

  • the built-in mechanism (Standard RDP Security);
  • the external mechanism (Enhanced RDP Security).

They differ in that the first type performs encryption and integrity protection using the standard means built into the protocol itself, while the second type uses the TLS module to establish a secure connection. Let's take a closer look at how each works.

Built-in protection works like this: authentication takes place first, then:

  • when the system starts, RSA keys are generated;
  • a public key (Proprietary Certificate) is produced;
  • it is signed with an RSA key that is built into the system and is available on any device with Remote Desktop Protocol installed;
  • the client device receives the certificate upon connection;
  • the certificate is checked and the server's key is obtained from it.

Then encryption happens:

  • the RC4 algorithm is used as standard;
  • for Windows 2003 servers, 128-bit protection is used, where 128 bits is the key length;
  • for Windows 2008 servers, 168 bits.

Integrity is controlled by generating MAC codes based on the MD5 and SHA1 algorithms.

The external security system works with TLS 1.0, CredSSP modules. The latter combines the functionality of TLS, Kerberos, NTLM.

End of connection:

  • the computer checks the permission at logon;
  • the exchange is protected using the TLS protocol, which is the best protection option;
  • admission is granted once per session, and each session is encrypted separately.

Replacing the old port value with the new one

In order to register a different value, you must do the following (relevant for any Windows version, including Windows Server 2008):

Now when connecting to the remote desktop it is necessary to specify the new value after the IP address, separated by a colon, for example 192.161.11.2:3381.

Replacing with PowerShell Utility

PowerShell also allows you to make the necessary changes:

  • a reboot is recommended;
  • after the device starts, enter the "regedit" command in the Start menu. Go to HKEY_LOCAL_MACHINE, find the CurrentControlSet folder, then the Control folder, go to Terminal Server and open WinStations. Click on the RDP-Tcp key. The new value should be set here.
  • Now you need to open the RDP port on the firewall. Start PowerShell and type the command: netsh advfirewall firewall add rule name="NewRDP" dir=in action=allow protocol=TCP localport=49089 where the number is the port that replaced the old one.

Could not open connection file default.rdp

Most often, this error occurs when there are problems with the DNS server: the client computer cannot resolve the name of the specified server.

In order to get rid of the error, you must first check if the host address is entered correctly.

Otherwise, if a bug occurs, you need to take the following steps:

  • go to "My Documents";
  • find the Default.rdp file. If you can't find it, enable showing hidden files and folders in "Folder Options";
  • now delete this file and try to reconnect.

Good afternoon, dear readers and guests of the blog. Today we have the following task: change the incoming port of the RDP service (terminal server) from the standard 3389 to some other one. Let me remind you that the RDP service is a feature of Windows operating systems thanks to which you can open a session over the network to the computer or server you need using the RDP protocol, and work with it as if you were sitting at it locally.

What is RDP protocol

Before you change something, it would be good to understand what it is and how it works; I will not stop repeating this to you. RDP, or Remote Desktop Protocol, is the remote desktop protocol of Microsoft Windows operating systems, although it originated at PictureTel (Polycom); Microsoft simply bought it. It is used for the remote work of an employee or user with a remote server. Most often such servers carry the terminal server role, for which special licenses (CALs) are allocated, either per user or per device. The idea was this: there is a very powerful server, so why not share its resources, for example for a 1C application. This is especially relevant with the advent of thin clients.

The terminal server itself first appeared in 1998 in the Windows NT 4.0 Terminal Server operating system; to be honest, I did not know what it was back then, and in Russia we were all playing Dendy or Sega at the time. RDP clients are currently available for all Windows versions, Linux, MacOS and Android. The most recent version of the RDP protocol at the moment is 8.1.

Default rdp port

Let me write down the default RDP port right away: 3389. I think every system administrator knows it.

How the rdp protocol works

So you and I now understand why the Remote Desktop Protocol was invented; next it is logical to understand the principles of its operation. Microsoft distinguishes two modes of the RDP protocol:

  • Remote administration mode: for administration, you log on to the remote server to configure and administer it;
  • Terminal Server mode: to access an Application Server or RemoteApp, or to share the server for work.

In general, if you install Windows Server 2008 R2 - 2016 without a terminal server, then by default it will have two licenses, and two users will be able to connect to it at the same time; the third will have to kick someone out to work. In client versions of Windows there is only one license, but this can also be circumvented; I talked about this in the article Terminal Server on Windows 7. In Terminal Server mode you can also cluster and balance the load, thanks to NLB technology and the Session Directory Service server. It is used to index user sessions; thanks to this server, the user will be able to log into the remote desktop of terminal servers in a distributed environment. A licensing server is also a required component.

RDP protocol works over TCP connection and is an application protocol. When the client establishes a connection to the server, an RDP session is created at the transport level, where encryption and data transfer methods are negotiated. When all negotiations are determined and initialization is complete, the terminal server sends graphic output to the client and waits for input from the keyboard and mouse.

Remote Desktop Protocol supports several virtual channels within one connection, thanks to which additional functionality can be used:

  • Send your printer or COM port to the server
  • Redirect your local drives to the server
  • Clipboard
  • Audio and video

RDP connection stages

  • Establishing a connection
  • Encryption parameters negotiation
  • Server authentication
  • Negotiating RDP Session Parameters
  • Client Authentication
  • RDP session data
  • RDP session break

Security in the RDP protocol

Remote Desktop Protocol has two security methods, Standard RDP Security and Enhanced RDP Security; below we look at both in more detail.

Standard RDP Security

With this method the RDP protocol encrypts the connection by means of the RDP protocol itself, in this way:

  • When your operating system starts up, a pair of RSA keys is generated
  • Proprietary Certificate is being generated
  • Then the Proprietary Certificate is signed by the RSA key created earlier.
  • Now RDP client connecting to the terminal server will receive a Proprietary Certificate
  • The client looks at it and verifies it, then receives the server's public key, which is used at the stage of negotiating encryption parameters.

As for the algorithm with which everything is encrypted, it is the RC4 stream cipher. Keys range in length from 40 to 168 bits, depending on the edition of the Windows operating system; for example, in Windows 2008 Server it is 168 bits. Once the server and client have agreed on the key length, two new, different keys are generated to encrypt the data.

As for data integrity, it is achieved through a MAC (Message Authentication Code) based on SHA1 and MD5.

Enhanced RDP Security

The RDP protocol for this authentication method uses two external security modules:

  • CredSSP
  • TLS 1.0

TLS has been supported since RDP version 6. When you use TLS, the encryption certificate can be created using a terminal server, a self-signed certificate, or selected from the store.

The CredSSP protocol is a symbiosis of the Kerberos, NTLM and TLS technologies. With this protocol, the check of whether the user is allowed to log on to the terminal server is carried out in advance, not after a full-fledged RDP connection, which saves the resources of the terminal server; in addition, the encryption is more reliable and single sign-on (Single Sign On) to the system is possible thanks to NTLM and Kerberos. CredSSP is only available starting with Vista and Windows Server 2008. It corresponds to this checkbox in the system properties:

Allow connections only from computers running Remote Desktop with Network Level Authentication.
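The two security modes described in the Connection security and Security in the RDP protocol sections are selected per listener, so an administrator can audit which one a host actually uses. The following PowerShell script is an added example, not code from the article: it reads the RDP-Tcp listener values that back the Network Level Authentication checkbox (UserAuthentication), the TLS-versus-legacy choice (SecurityLayer) and the minimum encryption level (MinEncryptionLevel), maps them to the article's terminology and flags a listener that still allows Standard RDP Security. The value meanings follow the Win32_TSGeneralSetting definitions; the script assumes a PowerShell session on the host being checked.

```powershell
# Added example: report whether the RDP-Tcp listener uses Standard or Enhanced
# RDP Security and whether Network Level Authentication (CredSSP) is required.
# Reading HKLM does not need elevation; changing the values does.

$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Value meanings (Win32_TSGeneralSetting):
#   SecurityLayer      0 = RDP Security Layer (Standard RDP Security: RC4 + Proprietary Certificate)
#                      1 = Negotiate (TLS when the client supports it, otherwise legacy RDP)
#                      2 = TLS only (Enhanced RDP Security)
#   MinEncryptionLevel 1 = Low, 2 = Client Compatible, 3 = High (128-bit), 4 = FIPS
#   UserAuthentication 1 = NLA required (CredSSP authenticates before the session)
$LayerNames = @{ 0 = 'RDP Security Layer (Standard RDP Security)'
                 1 = 'Negotiate (TLS, falls back to legacy RDP)'
                 2 = 'TLS (Enhanced RDP Security)' }
$EncNames   = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High (128-bit)'; 4 = 'FIPS' }

function Get-RdpSecurityPosture {
    $v = Get-ItemProperty -Path $RdpKey -ErrorAction Stop
    # A missing value means the OS default applies; report it as such rather than as 0.
    $layer = if ($null -eq $v.SecurityLayer)      { $null } else { [int]$v.SecurityLayer }
    $enc   = if ($null -eq $v.MinEncryptionLevel) { $null } else { [int]$v.MinEncryptionLevel }
    $nla   = if ($null -eq $v.UserAuthentication) { $null } else { [int]$v.UserAuthentication -eq 1 }
    [pscustomobject]@{
        PortNumber         = [int]$v.PortNumber
        SecurityLayer      = $layer
        SecurityLayerName  = if ($null -eq $layer) { 'not set (OS default)' } else { $LayerNames[$layer] }
        MinEncryptionLevel = if ($null -eq $enc)   { 'not set (OS default)' } else { $EncNames[$enc] }
        NlaRequired        = $nla
    }
}

function Test-RdpHardened {
    param([pscustomobject]$Posture)
    # "Enhanced RDP Security" in the article's sense means TLS plus CredSSP/NLA:
    # the listener must require NLA and must not offer the legacy RDP layer.
    $findings = @()
    if ($Posture.NlaRequired -ne $true) {
        $findings += 'NLA is not required: authentication happens only after a full RDP connection.'
    }
    if ($Posture.SecurityLayer -eq 0) {
        $findings += 'Legacy RDP security layer selected: RC4 and the Proprietary Certificate, no TLS.'
    } elseif ($Posture.SecurityLayer -eq 1) {
        $findings += 'Negotiate allows old clients to downgrade to the legacy RDP layer.'
    }
    return $findings
}

$posture = Get-RdpSecurityPosture
$posture | Format-List
$issues = @(Test-RdpHardened -Posture $posture)
if ($issues.Count -eq 0) {
    Write-Host 'RDP-Tcp listener uses Enhanced RDP Security (TLS) with NLA required.'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
    # Remediation, run elevated, then restart TermService:
    #   Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
    #   Set-ItemProperty -Path $RdpKey -Name SecurityLayer      -Value 2 -Type DWord
}
```

The script only reads the listener configuration; the commented remediation lines are the registry form of re-checking the Network Level Authentication box and forcing the TLS layer, and take effect after the Remote Desktop Services service restarts.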

Change rdp port

In order to change the rdp port, you need:

  1. Open the registry editor (Start -> Run -> regedit.exe)
  2. Go to the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Find the PortNumber key and change its value to the port number you need.

Select a decimal value, I will put port 12345 for example.

Once you have done this, restart the Remote Desktop Services service from the command line with these commands:

And create a new inbound rule for the new rdp port. As a reminder, the default rdp port is 3389.

We choose that the rule will be for the port

Leave the protocol as TCP and specify the new RDP port number.

The rule we will have will allow RDP connections on a non-standard port

If necessary, set the required network profiles.

Well, let's call the rule a language you can understand.

To connect from client Windows computers, write the address together with the port. For example, if you changed the port to 12345 and the server address (or just the computer you are connecting to) is myserver, then the MSTSC connection will look like this:
mstsc /v:myserver:12345
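The registry change, firewall rule and service restart described in this "Change rdp port" section, and repeated in the earlier "Changing settings in the system registry", "Replacing the old port value" and "Replacing with PowerShell Utility" sections, can be done in one script. The following is an added example, not code from the blog: it assumes an elevated PowerShell session on the server itself (restarting the service drops any existing RDP session, so run it from the console or a non-RDP session), uses the article's sample port 12345, and relies on New-NetFirewallRule as the PowerShell equivalent of the netsh command the article shows. TermService is the Windows service name of Remote Desktop Services and is not taken from the article.

```powershell
# Added example: move the RDP listener to a new port, open it in the firewall,
# restart the service and verify the listener. Run elevated on the host itself.
#Requires -RunAsAdministrator

$NewPort  = 12345   # the blog's sample port
$RuleName = 'NewRDP'
$RdpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Sanity-check the candidate: inside the ranges the article lists as usable
#    (not a well-known port) and not already bound by another listener.
function Test-CandidatePort {
    param([int]$Port)
    if ($Port -lt 1024 -or $Port -gt 65535) {
        throw "Port $Port is outside the usable range 1024-65535."
    }
    $inUse = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
             Where-Object LocalPort -eq $Port
    if ($inUse) {
        throw "Port $Port already has a listener (owning PID $($inUse.OwningProcess))."
    }
    return $true
}

# 2. Read the current value (the article's 0x00000D3D = 3389) and write the new one.
#    PortNumber is a DWORD, so the decimal integer is stored directly.
$oldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Test-CandidatePort -Port $NewPort | Out-Null
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord
Write-Host ('PortNumber changed: {0} (0x{0:X8}) -> {1}' -f $oldPort, $NewPort)

# 3. Firewall: inbound TCP on the new port, profiles left at "all" as the article does.
#    Equivalent of: netsh advfirewall firewall add rule name="NewRDP" dir=in
#                   action=allow protocol=TCP localport=12345
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $NewPort -Profile Any | Out-Null
}

# 4. Restart Remote Desktop Services instead of rebooting; the listener reads
#    PortNumber when it starts. This terminates current RDP sessions.
Restart-Service -Name TermService -Force

# 5. Verify the listener really moved before relying on the new port.
$listener = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if ($listener) {
    Write-Host "RDP now listens on TCP $NewPort. Connect with: mstsc /v:${env:COMPUTERNAME}:$NewPort"
} else {
    Write-Warning "No listener on TCP $NewPort yet; check: Get-Service TermService"
}
```

From a client, Test-NetConnection -ComputerName myserver -Port 12345 confirms that the router or firewall path to the new port is open before you try the mstsc connection.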
