How To Open RDP Port To Allow Remote Desktop Access To Your System

Connecting to devices via firewallConnecting to devices via firewall

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft to remotely connect to a Windows system using a graphical user interface. RDP is built into Windows by default. RDP listens on TCP port 3389 and udp port 3389. Previously, the RDP software was called Terminal Services client but now it’s called Remote Desktop Connection.

Windows comes with a remote desktop client that can be used to access the complete Windows Desktop environment remotely. It’s very useful for people who use multiple computers for work. One of our readers has asked about the RDP port and how to tweak it for security.

You can open the Remote Desktop Connection client by going to Run –> mstsc.

Simply put, the default port for using the Remote Desktop Protocol is 3389. This port should be open through Windows Firewall to make it RDP accessible within the local area network. If you want to make it accessible over the Internet (which is not safe), the RDP port should be forwarded through the main Internet router to work properly.

Let’s talk about how to open port 3389 in Windows Firewall and the router.

Allow RDP port through Windows Firewall

  1. Go to Windows Settings (Windows key + i)
  2. Go to Update & Security –> Windows Security and click on Firewall & network protection from the right-hand listing. This will open a new window.

    Windows Firewall and network protection
    Windows Firewall and network protection
  3. Click the link Allow an app through firewall

    Allow an app through Firewall
    Allow an app through Firewall
  4. Click on Change settings

    Firewall change settings
    Firewall change settings
  5. Search for Remote Desktop from the list. It should be there by default. If it is not there, you should click on Allow another app button and navigate to the following:
    C:\Windows\System32\mstsc.exe

    Allow Remote Desktop through the firewall private or public
    Allow Remote Desktop through firewall private or public
  6. If you want to allow Remote Desktop on the local network only, check the checkbox labeled Private. If you want it publicly available, you should check the Public checkbox too.
  7. Press OK for the changes to take effect.

Allow RDP port through Router (using NAT Translation)

If you want to use Windows Remote Desktop over the Internet, you will need to do two steps:

  1. Allow RDP port through public network from Windows Firewall (or any other firewall) as we did in the previous step.
  2. Allow RDP port through the router which is giving you internet access and then translate the incoming port 3389 to the computer of our choice.

Please note that if you are connected to the Internet using a public IP, you don’t need the second step but normally people are connected to the Internet using routers, both home, and corporates.

The configuration for opening a port is different for each router. Since I’m using Kerio Control for my office network, I will walk you through the steps using Kerio Control. The terminology should be similar for most routers so it’ll be easy for you to follow the same steps for your specific router.

  1. Open your router’s configuration page. Normally it should be the same as your default gateway. For me, it is http://192.168.1.1
  2. After logging in, go to Traffic Rules –> Add a new rule

    Kerio create a new traffic rule
    Kerio create a new traffic rule
  3. Name your rules and keep them generic. Keep the action to Allow and press the Next button.
  4. Keep the source to Any. That means users will be able to connect to this specific port from anywhere.

    Kerio Control source rule
    Kerio Control source rule
  5. Add Firewall to the Destination. You can keep it unchanged if you want.
  6. Under Services, select Port and specify 3389.

    Kerio Control add port
    Kerio Control add port
  7. Under NAT Translation, enable destination NAT, specify the IP address of your computer and also specify the port translation to 3389.

    Kerio Control enable destination NAT
    Kerio Control enable destination NAT

Change the default port of RDP

If you are opening RDP over the Internet, keeping the RDP port to 3389 is a security threat. It is recommended that you change the default port from 3389 to something above 10000. I, normally, keep it between 30000 and 40000 which is relatively safe as the port scanners will start scanning from port 1.

If you want to change the RDP port, follow the steps below:

  1. Go to Run –> regedit to open the Registry Editor.
  2. Locate the following key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\
  3. In the right-hand pane, double-click on PortNumber
  4. Change the value to Decimal and specify the port number between 1001 to 254535.

    Steps to change default RDP port number
    Steps to change default RDP port number

Check if port 3389 is open and listening

There are times when you successfully open the RDP port but you’re unable to connect to the computer remotely. In that case, make sure that you are able to access port 3389 (or any other port if you have changed it) remotely. Follow the steps below to check if port 3389 is open and listening.

  1. Open PowerShell by going to Run –> powershell
  2. Run the following command
    tnc 192.168.1.2 -port 3389

Replace the IP address 192.168.1.2 with your computer’s IP. Replace it with your router’s public IP if you have allowed public access to your computer through the router. The value of TcpTestSucceeded should be True.

Check if a port is open and listening
Check if a port is open and listening

If you want to check the port using the command prompt, you can follow this guide.

I hope this guide is useful for you and now you can control your remote desktop the way you want. If you have any questions or if I have left any confusion in this article, let me know through the comments below. Your comments are highly appreciated!

If you liked this post, Share it on:
Usman Khurshid is a seasoned IT Pro with over 15 years of experience in the IT industry. He has experience in everything from IT support, helpdesk, sysadmin, network admin, and cloud computing. He is also certified in Microsoft Technologies (MCTS and MCSA) and also Cisco Certified Professional in Routing and Switching.

2 comments

  • AndrewM26

    Port 3389 was used for Microsoft Terminal Services which was renamed to Remote Desktop Protocol. It is not a good idea to open port 3389 at least externally because of security reasons. Any network scanner will be able to detect an open rdp port pretty quickly.

    I usually keep the internal port to the standard 3389 while on the firewall interface, change it to a non-standard port above 40000. This delays the working of network scanners and you can also set the firewall to block connections which are scanning many system ports.

  • Kelly

    Good guide. Thank you!

Get Updates in Your Inbox

Sign up for the regular updates and be the first to know about the latest tech information

Talk to us now

Talk to us straight and get your questions answered right away

Tell Us About Your Project