Windows 11 Remote Desktop Port Change and IP Access Control Configuration

September 2025 Latest Update
(This method works for Windows 10 as well)

The default port 3389 is widely known among hackers and can easily become a target for attacks.
Using a different port number is an essential security practice to protect your system.

Choose a port number randomly from the registered port range (1024-49151) to make it hard to guess.
This guide uses port 49151 as an example.

1. Enable Remote Desktop Feature

(Based on Windows 11 24H2)

  1. Open Windows Settings.
  2. Go to [System] > [Remote Desktop].
  3. Turn Remote Desktop to On.

2. Change Remote Desktop Port

  1. Press Windows Key + R to open the Run dialog and type “regedit” to launch Registry Editor.

    • You can also click the Start button and type “regedit”.
  2. Navigate to this path in Registry Editor:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

  3. Find the PortNumber entry and double-click it.

  4. Select Decimal and change the port number from 3389 to 49151.

  5. Restart your PC to apply the new port number.

3. Firewall Configuration

After changing the remote desktop port from the default 3389 to your custom port,
you need to create a new inbound rule in Windows Firewall to allow remote connections through the new port.

  1. Press Windows Key + R to open the Run dialog and type “wf.msc”.
    • You can also click the Start button and type “wf.msc”.
  2. Click Inbound Rules in the left tree and then click New Rule in the right panel.
  3. Configure the New Inbound Rule Wizard as follows:
    • Rule Type: Port
    • Protocol: TCP
    • Specific Local Ports: 49151
    • Action: Allow the connection
    • Profile: Select all three (Domain, Private, and Public)
    • Name: RDP (or any name you prefer)
  4. Click Finish to complete the setup.

IP Access Control Configuration

Changing to a custom port alone cannot guarantee complete security.
Attackers can still detect open ports through port scanning and attempt brute-force attacks.
To fundamentally block these risks, you need to set up IP-based access control (ACL) so that only pre-approved IP addresses can connect.
This is a core element of a layered security strategy.

Setting Up IP Access Control (ACL)

  1. Press Windows Key + R to open the Run dialog and type “wf.msc”.
    • You can also click the Start button and type “wf.msc”.
  2. Click Inbound Rules in the left tree.
  3. Find the rule you just created (RDP or your custom name) and double-click it.
  4. When the Properties window opens, click the Scope tab at the top.
  5. Under Remote IP address, change the option to These IP addresses and click Add to enter the source IP.
  6. Click OK and close the window to apply IP access control.
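
The same registry change, inbound rule and Scope restriction can be applied from an elevated PowerShell prompt. This script is an added example, not part of the original guide; the port 49151 and rule name RDP follow the guide, and 203.0.113.10 is a placeholder address to replace with your own approved source IPs.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide). Port 49151 and rule name "RDP"
# follow the guide; $AllowedIPs holds a placeholder address (assumption).
$Port       = 49151
$RuleName   = 'RDP'
$AllowedIPs = @('203.0.113.10')   # replace with your pre-approved source IPs
$RdpKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Stop if another service already listens on the chosen port.
if (Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue) {
    throw "TCP port $Port is already in use; pick a different port."
}

# Section 3 + Scope tab: inbound TCP allow rule limited to the approved IPs.
# Done before the registry change so the rule is in place at the next boot.
$fw = @{
    Direction     = 'Inbound'
    Protocol      = 'TCP'
    LocalPort     = $Port
    Action        = 'Allow'
    Profile       = 'Domain', 'Private', 'Public'
    RemoteAddress = $AllowedIPs
}
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $RuleName -Enabled True @fw
} else {
    New-NetFirewallRule -DisplayName $RuleName @fw | Out-Null
}

# Section 2: set PortNumber (REG_DWORD); takes effect after the restart in step 5.
$oldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $Port -Type DWord
Write-Host "RDP port: $oldPort -> $Port (restart required)"

# Check: every enabled inbound allow rule that names this TCP port, with its
# scope. Unrestricted = True means the rule admits any source address.
# Rules written as port ranges or "Any" port are not expanded here.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    if ($pf.Protocol -eq 'TCP' -and @($pf.LocalPort) -contains "$Port") {
        $remote = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = $remote -join ', '
            Unrestricted  = $remote -contains 'Any'
        }
    }
}
```

After the restart, `Get-NetTCPConnection -State Listen -LocalPort 49151` should show the Remote Desktop listener on the new port.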

Using VPN

If you want even stronger security than IP access control, consider allowing remote desktop connections only through a VPN (Virtual Private Network).

1. Basic Concepts of VPN Security

A VPN creates an encrypted virtual tunnel over the internet, allowing safe access to internal networks from outside. When you use a VPN, external users cannot directly access RDP ports and must first connect to the VPN before accessing computers on the internal network via remote desktop.

2. Security Enhancement Benefits

  • Dual Authentication Structure: VPN login → RDP login for layered security
  • Encrypted Communication: All data transmission is encrypted for safety
  • IP Address Hiding: The actual RDP server IP address stays hidden from outside
  • Complete Access Blocking: Without a VPN connection, the RDP server cannot even be detected

3. Main VPN Implementation Methods

Using Home Router VPN Features

Most modern routers have built-in VPN server functions, allowing you to set up a VPN at no extra cost. You can activate the VPN server in the router management page and create user accounts.

Commercial VPN Services

Use commercial VPN services like ExpressVPN, NordVPN, or Surfshark to get a fixed IP and configure RDP access only from that IP.

Cloud VPN Setup

Use cloud service VPN solutions like AWS VPN Gateway or Azure VPN Gateway to build professional-level VPN environments.

Open Source VPN Server Setup

Install open source solutions like OpenVPN, WireGuard, or SoftEther VPN on separate servers to build custom VPN environments.

For personal users, first check if your router has built-in VPN features.
For business environments, consider cloud VPN solutions.
After setting up the VPN, completely block external direct access to RDP ports in the firewall and configure access only through the VPN to achieve the highest level of remote desktop security.