Windows Remote Desktop listens on port 3389. As is well known, this is the first port that automated tools scan when looking for exposed access points. On an internal network isolated behind proper NAT, the risk is limited. But as soon as a machine is accessible from the outside—or simply if you want an extra layer of security with minimal effort—moving RDP to a non-standard port is a simple and effective measure.
What this GPO does:
- Changes the RDP port from 3389 to a custom port (here 12345)
- Opens this new port in the Windows firewall
- Explicitly blocks port 3389 — not just "don’t open," but actively blocks it
The third step is often overlooked. Simply not opening port 3389 in the firewall isn’t enough if legacy or local rules allow it. Blocking it explicitly via the GPO overrides local rules and completely cuts off connection attempts on the old port.
The chosen port: 12345
The choice of port is arbitrary, as long as it’s in the 1024–65535 range and isn’t already used by another service. 12345 is just an example! Don’t use this in production.
In hexadecimal: 0x3039 — this is the value you enter in the registry.
Creating the GPO
In GPMC:
Right-click the target OU → Create a GPO in this domain and link it here
Name: RDP Custom Port
Link according to the desired scope: SERVERS, STATIONS, or both.
Step 1 — Enable RDP via ADMX
Computer Configuration → Policies → Administrative Templates
→ Windows Components → Remote Desktop Services
→ Remote Desktop Session Host → Connections
→ "Allow users to connect remotely by using Remote Desktop Services"
→ Enabled
Step 2 — Change the port via GPP Registry
Computer Configuration → Preferences → Windows Settings → Registry
→ New → Registry Item
| Field | Value |
|---|---|
| Action | Update |
| Hive | HKEY_LOCAL_MACHINE |
| Path | SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp |
| Value Name | PortNumber |
| Type | REG_DWORD |
| Data | 3039 (hexadecimal) |
> 0x3039 = 12345 in decimal. Verify with a calculator if necessary — an error here will make RDP inaccessible on all machines.
Step 3 — Firewall Rules
Computer Configuration → Policies → Windows Settings → Security Settings
→ Windows Firewall with Advanced Security → Inbound Rules
Rule 1 — Allow the new RDP port
New Rule → Port
Protocol: TCP
Local Port: 12345
Action: Allow the connection
Security: Require authentication
Name: Personal RDP
Rule 2 — Block TCP 3389
New Rule → Port
Protocol: TCP
Local Port: 3389
Action: Block the connection
Name: Block RDP TCP 3389
Rule 3 — Block UDP 3389
New Rule → Port
Protocol: UDP
Local Port: 3389
Action: Block the connection
Name: Block RDP UDP 3389
> Don’t forget the UDP rule. RDP uses UDP 3389 starting with Windows 8/Server 2012 to improve performance. A scanner that doesn’t find TCP 3389 will try UDP.
Post-deployment verification
After gpupdate /force and reboot:
```powershell
# Check the configured port (should return 12345)
Get-ItemPropertyValue `
    "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" `
    -Name PortNumber

# Verify that RDP is listening on the correct port
netstat -an | findstr 12345

# Verify firewall rules (display names as created in the GPO above)
Get-NetFirewallRule -DisplayName "Personal RDP" | Select-Object DisplayName, Enabled, Action
Get-NetFirewallRule -DisplayName "Block RDP*" | Select-Object DisplayName, Enabled, Action
```
To test the connection from another computer, in the RDP client:
mstsc /v:192.168.x.x:12345
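The one-liners above are enough for a single machine. As an added example (not part of the original post), the function below bundles the same checks into one compliance result you can run on each host after the GPO applies, for instance through Invoke-Command. It assumes the default port 12345 and does not rely on rule display names: it inspects the firewall port filters, so a renamed or locally created rule still counts.

```powershell
# Verifies the RDP port change: registry value, active listener,
# allow rule on the new TCP port, block rules on TCP and UDP 3389.
function Test-RdpPortHardening {
    param(
        [int]$ExpectedPort = 12345,   # assumed: the port chosen in the GPO
        [int]$LegacyPort   = 3389
    )
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    # PortNumber is REG_DWORD; PowerShell returns it as a decimal integer
    $configured = Get-ItemPropertyValue -Path $regPath -Name PortNumber

    # Is anything listening on the new port, and is the old port really closed?
    $newListening    = [bool](Get-NetTCPConnection -State Listen -LocalPort $ExpectedPort -ErrorAction SilentlyContinue)
    $legacyListening = [bool](Get-NetTCPConnection -State Listen -LocalPort $LegacyPort   -ErrorAction SilentlyContinue)

    # Walk only the port filters that mention either port, then resolve their rules
    $allowNew = $false; $blockTcpOld = $false; $blockUdpOld = $false
    $filters = Get-NetFirewallPortFilter | Where-Object {
        $_.LocalPort -contains "$ExpectedPort" -or $_.LocalPort -contains "$LegacyPort"
    }
    foreach ($f in $filters) {
        $rule = $f | Get-NetFirewallRule
        if ($rule.Direction -ne 'Inbound' -or $rule.Enabled -ne 'True') { continue }
        if ($f.Protocol -eq 'TCP' -and $f.LocalPort -contains "$ExpectedPort" -and $rule.Action -eq 'Allow') {
            $allowNew = $true
        }
        if ($f.LocalPort -contains "$LegacyPort" -and $rule.Action -eq 'Block') {
            if ($f.Protocol -eq 'TCP') { $blockTcpOld = $true }
            if ($f.Protocol -eq 'UDP') { $blockUdpOld = $true }
        }
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ConfiguredPort   = $configured
        ConfiguredHex    = ('0x{0:X4}' -f $configured)   # should read 0x3039 for 12345
        NewPortListening = $newListening
        LegacyListening  = $legacyListening
        AllowNewTcp      = $allowNew
        BlockLegacyTcp   = $blockTcpOld
        BlockLegacyUdp   = $blockUdpOld
        Compliant        = ($configured -eq $ExpectedPort -and $newListening -and
                            -not $legacyListening -and $allowNew -and $blockTcpOld -and $blockUdpOld)
    }
}

Test-RdpPortHardening
```

A host that has received the registry value but not yet rebooted will show ConfiguredPort correct and NewPortListening false; that is the expected state until the Remote Desktop service restarts.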