Configuring Firewall Ports for Remote Desktop Protocol (RDP) Access

For standard Remote Desktop Protocol (RDP) connections, you need to open TCP port 3389 on both the host machine and any intervening firewalls. This port is assigned by IANA specifically for RDP services.

Here's how to configure port forwarding on different platforms:

Windows Firewall Command

netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=TCP localport=3389 action=allow

Linux iptables Example

iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
service iptables save

For enhanced security or custom setups:

  • Change the default RDP port in Windows Registry:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
    "PortNumber"=dword:00000D3D

    (hex value for port 3389, change to desired port)

  • Configure NAT on your router to forward alternative ports to internal 3389

When exposing RDP to the internet:

  • Always use Network Level Authentication (NLA)
  • Implement account lockout policies
  • Consider using a VPN instead of direct RDP exposure
  • Enable Windows Defender Remote Credential Guard when available

Test your configuration with:

Test-NetConnection -ComputerName [IP] -Port 3389  # PowerShell
telnet [IP] 3389                                  # Command Prompt
nc -zv [IP] 3389                                  # Linux/Mac
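The steps above (open the port, optionally move the listener, enforce NLA and lockout, then test) carried through as one PowerShell script. This is an added example, not part of the original answer: it allows RDP only from a management subnet instead of from every source, enables NLA in the same registry key the .reg snippet edits, sets an account lockout policy, and verifies the listener. `$ManagementSubnet` and `$RdpPort` are placeholders to replace with your own values, and the script assumes an elevated prompt on the RDP host itself.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumptions: run elevated on the
# RDP host; the two values below are placeholders for your environment.
$ManagementSubnet = '10.0.0.0/24'   # placeholder: the only network allowed to reach RDP
$RdpPort          = 3389            # change here if you move the listener off 3389

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

# 1. Enable Remote Desktop (fDenyTSConnections = 0) and set the listener port.
#    PortNumber is the same value the .reg snippet writes as dword:00000D3D.
Set-ItemProperty -Path $TsKey  -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $RdpPort -Type DWord

# 2. Require Network Level Authentication: the client must authenticate
#    before a session is created, so unauthenticated peers never reach the
#    session host code.
Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord

# 3. Replace the any-source rule created by the netsh command above with one
#    scoped to the management subnet and to the Domain/Private profiles.
Get-NetFirewallRule -DisplayName 'Remote Desktop' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'Remote Desktop (management subnet only)' `
    -Direction Inbound -Protocol TCP -LocalPort $RdpPort `
    -RemoteAddress $ManagementSubnet -Profile Domain,Private -Action Allow | Out-Null

# 4. Account lockout: 5 bad passwords lock the account for 30 minutes
#    (observation window 30 minutes). Slows password guessing against RDP.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# 5. Restart Remote Desktop Services so the port/NLA change takes effect,
#    then confirm the listener answers on the chosen port.
Restart-Service -Name TermService -Force
$result = Test-NetConnection -ComputerName localhost -Port $RdpPort
"RDP listener on TCP $RdpPort reachable: $($result.TcpTestSucceeded)"
```

Run it from a console session or another management channel rather than over RDP: restarting TermService drops any RDP session, including the one you are running the script from. If you do change `$RdpPort`, the firewall rule follows the variable, so the two settings cannot drift apart.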

When configuring Remote Desktop access, the default port used by Microsoft's RDP is TCP 3389. This is the standard port that needs to be opened on your firewall and forwarded through NAT if you're accessing a machine behind a router.

Here's a typical NAT rule you might configure on your router:

# Sample iptables rules for Linux-based routers. Forwarding needs two rules:
# the DNAT rule rewrites the destination to the internal host, and the FORWARD
# rule lets the rewritten packets through. <internal-ip> is a placeholder.
iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination <internal-ip>:3389
iptables -A FORWARD -p tcp -d <internal-ip> --dport 3389 -j ACCEPT

While port 3389 is standard, exposing it directly to the internet is risky. Consider these alternatives:

  • Change the default RDP port in Windows Registry
  • Implement VPN access instead of direct RDP exposure
  • Use Network Level Authentication (NLA)

To modify the default RDP port (requires admin privileges):


Windows Registry Editor Version 5.00

; Hex for 3389 (default), change to your desired port.
; .reg comments must be on their own line starting with a semicolon.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d

For Linux servers or more secure access, SSH tunneling is preferred:


# Local port forwarding example
ssh -L 33389:localhost:3389 user@remote-server -N

Then connect to localhost:33389 via your RDP client.

Major cloud platforms have specific requirements:

  • AWS: Configure Security Groups to allow TCP 3389
  • Azure: Set up Network Security Groups (NSGs)
  • GCP: Create firewall rules for the target VM

Common diagnostic commands:


# Check if port is listening
netstat -ano | findstr 3389

# Test port connectivity
Test-NetConnection -ComputerName remote-pc -Port 3389  # PowerShell
telnet remote-pc 3389                                  # CMD
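The diagnostic commands above only show whether the port answers. As an added PowerShell example that is not part of the original answer, the script below audits the RDP exposure of the local host: which port the listener is on, whether NLA is required, which inbound allow rules reach that port and whether any is open to every source, and which addresses produced failed RDP logons (Security event 4625) in the last 24 hours. It assumes an elevated prompt on the host being audited; no values need to be filled in.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumption: run elevated on the
# RDP host (reading the Security log requires it).
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

# Listener state straight from the registry keys the answers edit.
$rdpEnabled = (Get-ItemProperty -Path $TsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
$port       = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
$nla        = (Get-ItemProperty -Path $RdpKey -Name UserAuthentication).UserAuthentication -eq 1

"RDP enabled : $rdpEnabled"
"Listener    : TCP $port  (default 3389; a non-default port is still found by a port scan)"
"NLA required: $nla"

# Inbound allow rules that reach the listener port, flagging any with no
# source restriction. A rule whose LocalPort is 'Any' also matches.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -eq $port -or $pf.LocalPort -eq 'Any')
    }
foreach ($r in $rules) {
    $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
    $flag   = if ($remote -contains 'Any') { '  <-- open to any source' } else { '' }
    "Rule '$($r.DisplayName)' profile=$($r.Profile) remote=$($remote -join ',')$flag"
}

# Failed logons in the last 24 hours grouped by source address. Event 4625 is
# the failed-logon audit event; with NLA the RDP failure is recorded with
# LogonType 3 (network), without NLA with LogonType 10 (RemoteInteractive),
# so both are counted.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} `
              -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields from the event XML instead of relying
        # on positional Properties indexes.
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Source    = ($d | Where-Object Name -eq 'IpAddress').'#text'
            LogonType = ($d | Where-Object Name -eq 'LogonType').'#text'
        }
    } | Where-Object { $_.LogonType -in '3','10' }

"Failed logons since $($since.ToString('s')): $($failed.Count)"
$failed | Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 5 Count, Name
```

A rule flagged "open to any source" on a host whose listener is reachable from the internet is the condition the answers warn about; the failed-logon table shows whether that exposure is already being probed. Event 4625 only appears if logon auditing is enabled (it is by default on domain-joined hosts), so an empty table on a host without auditing is not evidence of no attempts.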