Wednesday, July 06, 2011

Windows 7: Changing Remote Desktop Listening Port

Note: This is an advanced tip and only applicable to certain situations.
The Remote Desktop by default uses TCP/IP port 3389, some people think that they can increase the security of the RDP protocol by changing it too different location. This is almost as effective as moving a lock on a door and hoping a thief won't be able to find it. This technique would only be effective against someone who knows absolutely nothing about TCP/IP.

If you still want to move the Remote Desktop default TCP/IP port, here is how you do it:
Warning: This tip requires modifying the registry proceed at your own risk.
  • Open the Windows Registry Editor, from the Start menu in the search field type REGEDIT.EXE
  • In the Windows Registry Editor navigate to the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
  • Click the Edit menu and select Modify... or right-click the registry value and select Modify...
  • In the properties dialog box, click Decimal, and type in the new port number that you want to use (make sure its not used by another protocol)
  • Press the OK button to close the dialog.
  • Close the registry editor and reboot the computer.
To access the computer via Remote Desktop over your local network or the Internet, when you enter the machines DNS name or IP address in the Remote Desktop Connection client (under All Programs > Accessories), add a colon and the port number that you used (e.g.: example.com:57619 or 192.168.1.2:57619).

11 comments:

Curtis said...

Simply changing the location of the remote desktop software default port does not increase the protocol security. These instructions for moving the port and modifying the the registry value are helpful for both software experts and beginners. The initial setup and installation of these services through remote connection and web browsers is essential to begin the remote access process.

McThePro said...

Thanks for the procudure.

Do not forget to open the new port in your firewall software !

Greg said...

McThePro,

Firewall comment was very timely. It saved the rest of the hair I was about to pull out of my head!

Greg said...

McThePro,

Thanks for the firewall comment. I overlooked this item and was getting very frustrated until I saw your suggestion!

Anonymous said...

Hi Jason.

What then do you recommend to increase RDP security? Thanks.

ubergeek316 said...

Use the latest version of Windows, RDP is much more secure in Windows 7/Server 2008 R2 and higher (if the option is enable). Also use a strong password, uncommon user names, and change the password regularly. Just basic stuff, if you want something more secure then try setting policies such as enforce a password lockout for too many attempts.

Anonymous said...

Changing port is not only "more" secure, it's practical if you wish to have more then 1 computer connected to the same IP/router.

Anonymous said...

I believe current best practices is to not expose RDP to the Internet directly at all. Rather you should have users connect to a secure VPN into the network first and then use RDP on standard ports. This simplifies management of workstations and firewalls and is more secure.

Anonymous said...

Changing the RDP port is more secure because most attacks are brute force scripts and they are usually looking for default ports. I know because one server went from 35,000 rdp logon failures in a couple days to zero after the port change.

Anonymous said...

Could I have multiple computers on a single network each using a different port by simply port forwarding on my router?

Anonymous said...

That's what you call security by obscurity. Not really security. It might help a tiny bit. I'm not familiar with a lot of hacker's tactics but with the port scans I see in our logs I'm certain that they can find out what ports are listening for what protocols.