Everybody uses RDP. Attackers and bots, curiously, also know that everybody uses RDP. If you are working with perimeter servers that are potentially connected to the Internet, having RDP enabled can be especially dangerous because it is quite easy to leave your server in a state where it is open from outside of your network. This gives anyone the ability to start guessing passwords or trying to brute force their way into your server, or just a way to give you some denial-of-service headaches by throwing thousands of login attempts at that server.
Even aside from the worries of potential access from the public Internet, you may want to ensure that regular users aren't trying to poke around where they shouldn't be by opening up RDP connections to servers within your network. There are a few ways that you could restrict this access. You could come up with some creative firewall rules that only allow RDP access from certain subnets, and try to contain your IT computers to those subnets. Or maybe you could configure RDP on your destination servers to require certificates as part of the authentication process, thus only allowing users with those certificates to have access. These are both fairly complicated. I like to employ a much simpler solution to keep unwanted eyes from seeing my RDP login screens.
Change the port that RDP runs on! What? Can you do that? Yes, RDP by default listens and connects on TCP port 3389. The Remote Desktop client that is installed on almost every client machine everywhere automatically assumes that the server they are connecting to is listening on 3389, and so you don't even have to specify a port when you try to connect. There isn't even a field for it in the client. So it's pretty rare that I talk to people (even IT people) who know that 3389 is the default. Given that, if we were able to change that 3389 to something different, something of our own choosing, I think that would do a grand job of keeping people out of our systems. Let's say we have a sensitive server and want to keep access to a minimum. Let's change the RDP port on that to something only we know, maybe port 4822. That'll keep 'em guessing for a while.
Any Windows Server 2016 machine will do for this task. We are going to set our custom RDP port on WEB1, and then we are going to test accessing it from a Windows 10 client machine.
Go through the following steps to change the RDP port to one of your liking:
- Open
Registry Editor. You can do this by going to either theStartscreen or Command Prompt and typingregedit. - Browse to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. - Find the value called
PortNumberand change it to4822:
- Restart the server.
- Now log into your client computer and open up
Remote Desktop Connectionby typing that name into yourStartscreen. You can also typemstscin Command Prompt to open this program. If you try to connect directly toWEB1, your connection will fail as the server is no longer listening on the standard port 3389.
Enter in WEB1:4822 and you connect successfully:
With a simple registry change, we can adjust the RDP listener port on servers. This will help keep unwanted RDP connections from being made, which can be useful both inside and outside the corporate network. After making this change, the only people who will be able to reach the RDP login screen would be those who know your new RDP port, and who know how to utilize that custom port within the remote desktop connection tool.