Bots scan port 3389 constantly. Moving RDP to a custom port cuts brute-force attempts by more than 99%.
1. Pick a port
Choose something above 10000, for example 13389.
2. Update the registry
Open PowerShell as Administrator:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name PortNumber -Value 13389
3. Allow the new port in Windows Firewall
New-NetFirewallRule -DisplayName "RDP Custom" -Direction Inbound -Protocol TCP -LocalPort 13389 -Action Allow
4. Restart the RDP service
Restart-Service TermService -Force
Important: verify you can connect on the new port (YOUR_IP:13389) before closing your current session. Afterwards, remove the old firewall rule for port 3389.
Also consider enabling Network Level Authentication (enabled by default on our images) and setting an account lockout policy.