RDP Port Explained: Port 3389, Connecting, and How to Stay Secure

If you administer a Windows server, sooner or later you reach for Remote Desktop. You open the Remote Desktop Connection client, type in an address, and a full graphical Windows session appears on your screen as if you were sitting in front of the machine. That connection rides over a specific network port, and understanding which port, how to connect to it, and above all how to lock it down is one of the most consequential things you can learn as a Windows administrator.

The RDP port is TCP 3389 by default. That single number is responsible for an enormous amount of both convenience and risk. This guide walks through what RDP is, how port 3389 works, how to connect to a custom port, how to change the default port, and why exposing that port to the public internet is one of the most dangerous mistakes you can make on a server.

Key Takeaways

• RDP (Remote Desktop Protocol) is Microsoft’s protocol for remote graphical access to a Windows machine.
• The default RDP port is 3389 over TCP (RDP also uses UDP 3389 for performance optimizations).
• You connect with `host:3389`, or specify a custom port as `host:port` when the default has been changed.
• Changing the RDP port is done in the registry (`PortNumber`), after opening the new port in the firewall and restarting the service.
• Changing the port is security-through-obscurity. It reduces scan noise but is not real security.
• Never expose port 3389 directly to the internet. It is a top brute-force and ransomware target. Use a VPN or RD Gateway, Network Level Authentication, MFA, strong passwords, and IP allow-lists.

What is RDP and why does it use a network port?

RDP stands for Remote Desktop Protocol, Microsoft’s proprietary protocol for accessing the graphical desktop of a remote Windows machine over a network. Unlike a command-line tool, RDP streams the actual Windows GUI: your mouse, keyboard, screen, clipboard, and even local printers and drives are tunneled to and from the remote host. It is the standard way administrators manage Windows Server instances, and the standard way users reach virtual desktops.

Like every network service, RDP needs a port so that incoming traffic knows which application on the server should handle it. A server might run a web service on port 443, a database on 1433, SSH on 22, and Remote Desktop on its own dedicated port. The port is the address-within-the-address that lets a single IP host many distinct services. If you want a deeper grounding in how ports, IP addresses, and traffic routing fit together, see our complete guide to networking and DNS for hosting.

What is the default RDP port?

The default RDP port is 3389, used over TCP. When you connect to a Windows machine with Remote Desktop and do not specify a port, the client automatically targets TCP 3389.

Modern versions of RDP also use UDP 3389. The UDP channel handles latency-sensitive data such as graphics and audio, while the TCP channel provides a reliable fallback and handles the core session. In practice, when people say “the RDP port,” they mean 3389, and both the TCP and UDP variants share that number.

So whenever you are configuring a firewall rule for Remote Desktop, you are almost always working with port 3389, and a complete rule covers both TCP and UDP 3389.

How do you connect to RDP with a specific port?

When the RDP port is the default 3389, you simply enter the server’s hostname or IP address into the Remote Desktop Connection client and it connects automatically. You do not need to type the port at all.

When the port has been changed, or when you want to be explicit, you append the port to the address using a colon. The format is `host:port`.

From the Windows Remote Desktop Connection (mstsc) “Computer” field:

```
192.168.1.50:3389
server.example.com:3389
192.168.1.50:53389
```

Launching mstsc from the command line with a custom port:

```powershell
mstsc /v:192.168.1.50:53389
```

On macOS or Linux clients (for example the open-source FreeRDP client), the port is passed as its own flag:

```bash
xfreerdp /v:192.168.1.50 /port:53389 /u:Administrator
```

The pattern is consistent across clients: address, then port, separated by a colon, or supplied as an explicit port argument. If you omit the port entirely, the client falls back to 3389.

How do you change the RDP port?

Changing the listening port for Remote Desktop is a registry edit followed by a firewall change and a service restart. The order matters: open the new port in the firewall before you restart, or you risk locking yourself out of the very machine you are configuring.

Here is the overview of the process.

1. Change the port in the registry. The RDP listening port is stored in:

```
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
```

The value to edit is `PortNumber` (a DWORD). It holds the port in decimal. To change it via PowerShell:

```powershell
$path = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $path -Name 'PortNumber' -Value 53389
```

2. Open the new port in Windows Firewall *before* doing anything else:

```powershell
New-NetFirewallRule -DisplayName "RDP Custom Port" -Direction Inbound `
    -Protocol TCP -LocalPort 53389 -Action Allow
New-NetFirewallRule -DisplayName "RDP Custom Port UDP" -Direction Inbound `
    -Protocol UDP -LocalPort 53389 -Action Allow
```

3. Restart the Remote Desktop service (or reboot) so the new port takes effect:

```powershell
Restart-Service -Name TermService -Force
```

After the restart, you connect using the new port, for example `server.example.com:53389`. If the machine is behind a router or cloud firewall, you must also update any port-forwarding or security-group rules to match. And before you close the session, confirm you can reach the new port from a separate window, so you are not stranded if something went wrong.
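
The three steps combined into one script, as an added example that is not part of the original article: it opens the firewall before the listener moves, then checks that the service is listening on the new port and reverts the registry value if it is not. The rule names, the 1024 lower bound and the 5-second wait are assumptions of this example; `53389` is the port used in the steps above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): change the RDP port with the
# firewall opened first and an automatic rollback if the listener does not appear.
$NewPort = 53389   # port used in the article; substitute your own
$RdpKey  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Assumption of this example: stay out of the well-known range, and refuse a
# port that another service is already listening on.
if ($NewPort -lt 1024 -or $NewPort -gt 65535) { throw "Port $NewPort is outside 1024-65535." }
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "Port $NewPort already has a listener."
}

# Remember the current port so the change can be undone.
$OldPort = (Get-ItemProperty -Path $RdpKey -Name 'PortNumber').PortNumber

# Firewall first: create the TCP and UDP allow rules only if they are missing.
# The display names are hypothetical; an existing rule of that name is not modified.
foreach ($Proto in 'TCP', 'UDP') {
    $Name = "RDP Custom Port $Proto"
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Direction Inbound `
            -Protocol $Proto -LocalPort $NewPort -Action Allow | Out-Null
    }
}

# Registry change, then service restart so the new port takes effect.
Set-ItemProperty -Path $RdpKey -Name 'PortNumber' -Value $NewPort -Type DWord
Restart-Service -Name TermService -Force

# Give the service a moment (5 s is an arbitrary choice), then confirm the listener.
Start-Sleep -Seconds 5
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    Write-Output "RDP is listening on TCP $NewPort (previously $OldPort)."
} else {
    # Roll back so the machine stays reachable on the port that worked before.
    Set-ItemProperty -Path $RdpKey -Name 'PortNumber' -Value $OldPort -Type DWord
    Restart-Service -Name TermService -Force
    throw "No listener on TCP $NewPort; PortNumber reverted to $OldPort."
}
```

The script leaves the firewall rules for the old port in place, so closing that port and updating any router or security-group rules is still a separate step.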

Should you change the RDP port?

Changing the port from 3389 to something non-standard is a common piece of advice, and it does have a modest, real benefit: the constant background noise of automated bots hammering TCP 3389 will largely stop landing on your service. Your event logs get quieter, and the most basic, port-3389-only scanners move on.

But be clear-eyed about what this is. Moving the port is security through obscurity, exactly like changing the SSH port on a Linux box. It does not add a single layer of authentication or encryption. A determined attacker runs a full port scan, finds your RDP service on its new port within seconds, and resumes the attack. The port change defeats lazy, untargeted scanning. It does nothing against a targeted one.

So change the port if you like a quieter log and fewer trivial probes. Just never let a non-standard port number become the reason you feel safe. The actual security has to come from somewhere else.

Why is exposing RDP port 3389 to the internet so dangerous?

This is the single most important section in this article, so read it carefully.

Exposing RDP’s port 3389 directly to the public internet is one of the most common and most dangerous server misconfigurations there is. It is a leading entry point for ransomware. Bots continuously scan the entire IPv4 internet for open 3389, and the moment they find one they begin brute-forcing credentials, spraying leaked password lists, and probing for unpatched RDP vulnerabilities. An exposed Remote Desktop port is not a theoretical risk. It is a constant, active assault that runs around the clock against every reachable RDP service on earth.

Changing the port to something non-standard *feels* safer, but it barely helps, because scanners find the new port anyway. The real fix is architectural, not cosmetic: RDP should never be directly internet-facing. Put it behind a VPN or an RD Gateway so the remote-desktop port is only reachable after you have authenticated to a secure tunnel first. Layer on Network Level Authentication (NLA) so credentials are validated before a full session is established, add multi-factor authentication, and lock down access by source IP so only your known addresses can even reach the service.

Treat an open 3389 on the public internet as an emergency to close, not a convenience to enjoy. If you discover one on a server you manage, the correct response is to restrict it immediately.

Concretely, a hardened RDP setup looks like this:

  • No direct exposure. Port 3389 is closed at the perimeter firewall. Remote Desktop is reachable only over a VPN or through an RD Gateway.
  • Network Level Authentication enabled, so unauthenticated sessions are rejected before they consume server resources.
  • Strong, unique passwords and an account lockout policy to defeat brute-force attempts.
  • Multi-factor authentication on remote access, so a stolen password alone is not enough.
  • IP allow-listing, restricting the source addresses that can connect at all.
  • Up-to-date patching, because RDP has had serious wormable vulnerabilities in the past.

If you want a structured way to think about which ports should ever be open and how to manage them, our guide to common network ports and our firewall configuration guide cover the principles that apply directly here.

What is the difference between RDP and SSH?

RDP and SSH are both protocols for remote administration, but they serve different worlds. RDP gives you a graphical desktop on Windows; SSH gives you a command-line shell, most commonly on Linux. Administrators often work with both, so it helps to see them side by side.

| Aspect | RDP | SSH |
|---|---|---|
| Full name | Remote Desktop Protocol | Secure Shell |
| Primary platform | Windows | Linux / Unix (and increasingly Windows) |
| Interface | Graphical desktop (GUI) | Command line (CLI) |
| Default port | TCP/UDP 3389 | TCP 22 |
| Developed by | Microsoft | OpenSSH / IETF standard |
| Typical use | Remote Windows desktops and servers | Remote Linux administration, tunnels, file transfer |
| Bandwidth profile | Higher (streams the screen) | Very low (text) |
| Common hardening | VPN/RD Gateway, NLA, MFA, IP lock | Key-based auth, disable root login, change port |

The security advice rhymes across both: do not leave the default port wide open to the internet, prefer key-based or tunnel-based access, and restrict who can connect. The mechanics differ, but the architectural principle, never directly expose your remote-access port, is identical. For the SSH side of this comparison, see our dedicated piece on securing SSH.

How does the firewall fit into RDP?

The firewall is where your RDP security policy is actually enforced. Whatever you decide about exposure, the firewall is the gate that makes the decision real.

For an internet-facing perimeter firewall or cloud security group, the correct rule for RDP is almost always deny for port 3389 from the public internet. You then permit Remote Desktop traffic only from your VPN subnet, your RD Gateway, or a small list of trusted office IP addresses. On the Windows host itself, the local firewall should allow inbound RDP only from those same trusted sources.

When you change the RDP port, remember that every firewall in the path must be updated: the Windows local firewall, the host’s cloud security group, and any router doing port forwarding. A port change that updates only one of them either fails to connect or, worse, leaves the old port open. Audit the whole chain.
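
A read-only audit of the Windows host, as an added example that is not part of the original article: it covers the host-side items from the hardened-setup list and the firewall advice above by checking whether NLA is required, whether any enabled inbound allow rule for the RDP port accepts any source address, and whether 3389 is still allowed after a port change. It reads only the local registry values and the Windows local firewall; settings pushed by Group Policy, cloud security groups and routers are outside what it sees, and rules that match the port through a range or `Any` are not expanded.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): audit local RDP exposure.
# Makes no changes; returns a list of findings (empty when nothing is flagged).
$TsKey  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

$Port    = (Get-ItemProperty -Path $RdpKey -Name 'PortNumber').PortNumber
$Nla     = (Get-ItemProperty -Path $RdpKey -Name 'UserAuthentication' `
               -ErrorAction SilentlyContinue).UserAuthentication
$Enabled = (Get-ItemProperty -Path $TsKey -Name 'fDenyTSConnections').fDenyTSConnections -eq 0

$Findings = @()
if (-not $Enabled) { Write-Output 'Remote Desktop is disabled on this host.' }
if ($Enabled -and $Nla -ne 1) {
    $Findings += 'Network Level Authentication is not required (UserAuthentication is not 1).'
}

# Ports to look for in firewall rules: the configured one and the default.
$Watch = @("$Port", '3389') | Select-Object -Unique

foreach ($Rule in (Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True)) {
    # LocalPort is a string or string array such as '3389', 'Any' or '5000-5010';
    # only exact matches are handled here.
    $Ports = @(($Rule | Get-NetFirewallPortFilter).LocalPort)
    $Hit   = @($Ports | Where-Object { $Watch -contains $_ })
    if ($Hit.Count -eq 0) { continue }

    # A rule without a source restriction is the host-side equivalent of open exposure.
    $Remote = @(($Rule | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($Remote -contains 'Any') {
        $Findings += "Rule '$($Rule.DisplayName)' allows port $($Hit -join ',') from any source address."
    }
    # The port was changed but a rule for the default is still enabled.
    if ($Port -ne 3389 -and $Hit -contains '3389') {
        $Findings += "Rule '$($Rule.DisplayName)' still allows 3389 although RDP listens on $Port."
    }
}

if ($Findings.Count -eq 0) { Write-Output "No findings for RDP on port $Port." }
$Findings
```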

Hosting with DarazHost? DarazHost servers ship with secure-by-default firewalls that keep high-risk ports like RDP’s 3389 closed to the public internet. On VPS and dedicated plans you control exactly what is exposed, so you can reach Remote Desktop safely over a VPN rather than across the open internet. Our team is available 24/7 to help you set up secure remote access the right way, so your Windows server stays reachable to you and invisible to the bots scanning for an open 3389.

Frequently asked questions

What port does RDP use by default? RDP uses port 3389 by default, over TCP. Modern RDP also uses UDP 3389 for latency-sensitive data such as graphics and audio. When you connect without specifying a port, the Remote Desktop client targets 3389 automatically.

How do I connect to RDP on a custom port? Append the port to the address with a colon. In the Remote Desktop Connection client’s Computer field, enter `host:port`, for example `server.example.com:53389`. From the command line you can run `mstsc /v:server.example.com:53389`, or with FreeRDP use `/v:host /port:53389`.

Is it safe to change the RDP port from 3389? Changing the port is safe to do and reduces noise from automated scanners, but it is not a real security measure. It is security through obscurity. Attackers can find the new port with a full scan. Use it as a minor convenience, never as your primary defense.

Should I expose RDP to the internet? No. Exposing RDP directly to the internet, on 3389 or any other port, is extremely dangerous and a leading cause of ransomware infections. Always place RDP behind a VPN or RD Gateway, enable Network Level Authentication and MFA, and restrict access by source IP.

What is the difference between the RDP port and the SSH port? The RDP port (3389) carries Microsoft’s graphical Remote Desktop Protocol for Windows. The SSH port (22) carries the Secure Shell command-line protocol, used mostly on Linux. Both should be protected and neither should be left openly exposed to the internet.
