Securing your RDP port

When using a VPS with Windows Server, the most efficient way to work on it is to use the Remote Desktop Protocol (RDP).

Because most Windows Servers worldwide use Remote Desktop, it is a favored target for attacks by hackers and automated bots: it is not uncommon for bots to attack the RDP port of a Windows Server within minutes of the server first coming online.

You can protect your Windows Server from such attacks by changing the Remote Desktop port and/or limiting access to the Remote Desktop Services to specific IP addresses (for example, from a VPN connection). In this guide we explain how to do this.


Change the Remote Desktop Port

Most attacks targeting RDP are performed by automated bots. These bots look for a response on port 3389 (the default RDP port) and then proceed to the actual attack, such as a brute force attack.

Once you change your RDP port, such bots can no longer (easily) find your server. This kind of security measure is known as 'security through obscurity'.

 

Step 1

Connect to your Windows Server via Remote Desktop or the VPS console.


 

Step 2

Click the Windows Start button, type 'regedit' and click 'Registry Editor' in the search results.


Step 3

At the top of the Registry Editor, enter the address 'Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp', or click through the folder tree on the left until you reach this folder.


Step 4

Then scroll down and double-click the REG_DWORD value 'PortNumber'. Set 'Base' to 'Decimal', change the number to another (free) port number and then close Regedit.


Step 5

Now that you have adjusted the RDP port, it is important to also open the port in your firewall. Click the Windows Start button, type 'firewall' and click 'Windows Defender Firewall with Advanced Security' in the search results.


Step 6

Click 'Inbound Rules' on the left and scroll down to 'Remote Desktop'. Right-click 'Remote Desktop - User Mode (TCP-In)' and 'Remote Desktop - User Mode (UDP-In)' one by one and select 'Disable Rule'.


Step 7

Right-click 'Inbound Rules' and choose 'New Rule'.


Step 8

Select 'Port' as the rule type and click 'Next'.


Step 9

Select 'TCP' and under 'Specific local ports' enter the port number you set in step 4.


Step 10

Select 'Allow the connection' to allow connections over the selected port and click 'Next'.


Step 11

Optionally, you can adjust which network profiles (Domain, Private, Public) the rule applies to. Usually you do not need to change anything here, unless you use a private network and have created a private profile for it; see Microsoft's documentation for more information.


Step 12

Give the rule a name, for example 'RDP TCP', and click 'Finish'.

Now repeat steps 7 to 12, but select 'UDP' in step 9 and give the rule a different name in step 12, for example 'RDP UDP'.

Are you using the VPS firewall in the TransIP control panel? Do not forget to open the chosen port there as well.

Your RDP port has now been changed and your firewall configuration has been adapted to it. When you now set up a Remote Desktop connection with mstsc, specify the new port by adding ':' and the port number after your IP address, for example: 123.123.123.123:12345
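
The same port change as steps 2 to 12, scripted in PowerShell. This is an added example and not part of the original article or TransIP's own tooling; the port value 12345 and the port-range check are assumptions of the example. It also restarts the Remote Desktop Services service, which is what makes the listener move to the new port.

```powershell
# Added example, not TransIP's script. Run from an elevated PowerShell prompt.
$NewPort = 12345   # assumed example value; pick your own free port
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Guard rails (an assumption of this example, not a rule from the article):
# stay above the well-known range and refuse a port that already has a listener.
if ($NewPort -lt 1025 -or $NewPort -gt 65535) {
    throw "Choose a port between 1025 and 65535."
}
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    throw "Port $NewPort is already in use; choose a free port."
}

# Steps 2-4: record the old value, then write PortNumber as a DWORD.
# PowerShell integer literals are decimal, matching 'Base: Decimal' in Regedit.
$OldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord
Write-Host "PortNumber changed from $OldPort to $NewPort"

# Steps 7-12: create the TCP and UDP allow rules for the new port first,
# so an allow rule exists before the default rules are switched off.
foreach ($Protocol in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "RDP $Protocol" -Direction Inbound `
        -Protocol $Protocol -LocalPort $NewPort -Action Allow | Out-Null
}

# Step 6: disable the built-in rules that allow the default port 3389.
Disable-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (TCP-In)',
                                     'Remote Desktop - User Mode (UDP-In)'

# The RDP listener keeps using the old port until the service restarts.
# Open $NewPort in the TransIP VPS firewall (if you use it) BEFORE this line:
# the restart drops the current RDP session and you reconnect on the new port.
Restart-Service -Name TermService -Force
```

Keep the VPS console available while you run this, so you can still reach the server if the new port turns out to be blocked somewhere.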

If you also want to restrict access to specific IPs, continue with the section below.


Restrict RDP access to specific IPs

 

An effective way to secure your RDP port is to limit RDP access to specific IPs. For example, you could use a VPN connection (Virtual Private Network) and only allow the IP address of your VPN connection to connect via RDP.

 

Step 1

Connect to your Windows Server via Remote Desktop or the VPS console.


 

Step 2

Click the Windows Start button, type 'firewall' and click 'Windows Defender Firewall with Advanced Security' in the search results.


Step 3

Click 'Inbound Rules' on the left and scroll down to 'Remote Desktop'. Then double-click the line 'Remote Desktop - User Mode (TCP-In)'. Have you changed the RDP port? Then double-click the name of the firewall rule you specified in step 11 above.


Step 4

Select the 'Scope' tab, 'These IP addresses' and click 'Add'.


Step 5

Enter the IP address from which you want to allow RDP connections (this can be a range that you define via a subnet) and click 'OK'.


Step 6

Finally, click 'Apply' and 'OK' to implement the changes. Repeat steps 3 through 6, but this time in step 3 open the line for 'Remote Desktop - User Mode (UDP-In)'.
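
The scope restriction from steps 3 to 6 in PowerShell, followed by a check that no other enabled inbound rule still allows the RDP port from any address. This is an added example, not part of the original article; the rule names assume you created 'RDP TCP' and 'RDP UDP' in the previous section, and the source addresses are constructed documentation values that you replace with your own VPN IP or subnet.

```powershell
# Added example, not TransIP's script. Run from an elevated PowerShell prompt.
# Constructed sample sources (documentation ranges); replace with your VPN IP/subnet.
$AllowedSources = @('203.0.113.10', '198.51.100.0/24')

# Assumes the port was changed and the rules are named as in step 12 above.
# If you kept port 3389, use the two 'Remote Desktop - User Mode' rule names instead.
$RuleNames = @('RDP TCP', 'RDP UDP')

# Steps 3-6: equivalent of Scope > Remote IP address > 'These IP addresses'.
Set-NetFirewallRule -DisplayName $RuleNames -RemoteAddress $AllowedSources

# Audit: read the port RDP is configured for, then list every enabled inbound
# Allow rule that names exactly that port, together with its remote scope.
# Limitation: rules that cover the port through a range or 'Any' are not matched.
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RdpPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber

$RdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $PortFilter = $_ | Get-NetFirewallPortFilter
        if ($PortFilter.LocalPort -contains "$RdpPort") {
            $AddressFilter = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Protocol      = $PortFilter.Protocol
                RemoteAddress = $AddressFilter.RemoteAddress -join ','
            }
        }
    }

$RdpRules | Format-Table -AutoSize

# Any rule still scoped to 'Any' leaves RDP reachable from every address.
$Unrestricted = $RdpRules | Where-Object { $_.RemoteAddress -eq 'Any' }
if ($Unrestricted) {
    Write-Warning "Unrestricted RDP rule(s): $($Unrestricted.Rule -join ', ')"
} else {
    Write-Host "All enabled rules for port $RdpPort are limited to specific addresses."
}
```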


This brings us to the end of this guide for securing the RDP service on a Windows Server.

If you have any further questions about this guide, do not hesitate to contact our support department. You can reach them via the button 'Contact us' at the bottom of this page.
