If you can use Remote Desktop without opening the port in the firewall, that suggests you have UPnP (Universal Plug and Play) enabled. UPnP automatically opens ports on the router when a computer on the LAN asks it to. While that's convenient, it is also an obvious security risk: if you had a virus or other malware on a local computer, it would be free to open whatever port it wanted. For that reason, UPnP is often considered a major security risk.
Here at Luthra Tech, we often recommend against using port 3389 for Remote Desktop. It's often better to use non-standard ports to protect your network against threats. Ever heard of the saying "anonymity deflects more bullets than body armor"? It's the same principle when using non-standard ports. Even the best firewalls allow a few ports to be scanned. The best thing you can do is avoid standard ports like 3389 for Remote Desktop or 22 for SFTP. In most router interfaces, you have a public port and a private port option. You can keep the private ports standard, but the public port, the one facing the Internet, should be a random one. In addition to the security benefit, you don't have to worry about messing with the registry to get Windows working; all you have to do is keep changing the public port. For example, Desktop 1 is port 15000, Desktop 2 is port 15001, Desktop 3 is the next port, and so on. If you make the registry change instead, you'll have to use that port on the LAN too and you will have to configure each computer one by one. Changing the registry will also break Remote Web Access for your Small Business Server/RD Gateway users. A forwarding rule for one desktop looks like this in the router:
- External Port = 15482-15482
- Internal Port = 3389-3389
- Protocol = TCP
- LAN Address = 192.168.x.x (The local IP of the computer you want to remote into)
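As an added example (not code from the Luthra Tech post), here is a small Python checker that parses rules written in the list form above and flags the configurations the post warns against: a public port that is itself a well-known port, a protocol other than TCP, and two rules whose public port ranges overlap (a public port can only forward to one LAN host). The LAN address 192.168.1.10 in the sample rule is constructed, standing in for 192.168.x.x.

```python
import re

# Well-known ports the post says should never be the public-facing one.
STANDARD_PORTS = {3389: "RDP", 22: "SSH/SFTP"}

def parse_range(text):
    """'15482-15482' or a bare '3389' -> (lo, hi); rejects inverted/out-of-range values."""
    parts = [int(p) for p in text.strip().split("-")]
    lo, hi = parts[0], parts[-1]
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range: {text!r}")
    return lo, hi

def parse_rule(block):
    """Parse one rule written in the 'Key = Value' list form used in the post."""
    fields = {}
    for line in block.strip().splitlines():
        key, _, value = line.lstrip("- ").partition("=")
        fields[key.strip().lower()] = value.strip()
    return {
        "external": parse_range(fields["external port"]),
        "internal": parse_range(fields["internal port"]),
        "protocol": fields["protocol"].upper(),
        # drop the parenthetical note that follows the address in the post
        "lan": re.split(r"\s*\(", fields["lan address"])[0],
    }

def check_rules(rules):
    """Findings that contradict the post's advice; an empty list means the plan is clean."""
    findings = []
    for i, r in enumerate(rules):
        lo, hi = r["external"]
        for port in range(lo, hi + 1):
            if port in STANDARD_PORTS:
                findings.append(f"rule {i}: public port {port} is the well-known {STANDARD_PORTS[port]} port")
        if r["protocol"] != "TCP":
            findings.append(f"rule {i}: RDP needs TCP, got {r['protocol']}")
        # each public port may forward to only one LAN host, so ranges must not overlap
        for j, other in enumerate(rules[:i]):
            if lo <= other["external"][1] and other["external"][0] <= hi:
                findings.append(f"rule {i}: public range overlaps rule {j} ({other['lan']})")
    return findings

# Constructed sample: the rule from the post, with a made-up LAN address in place of 192.168.x.x.
SAMPLE_RULE = """- External Port = 15482-15482
- Internal Port = 3389-3389
- Protocol = TCP
- LAN Address = 192.168.1.10 (The local IP of the computer you want to remote into)"""
```

Run `check_rules([parse_rule(SAMPLE_RULE)])` and an empty list means the rule follows the post's advice; add each desktop's rule to the list to catch two desktops accidentally sharing a public port.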