Using Non-Standard Ports in Terminal Services/Remote Desktop
Why Use a Non-Standard Port?
All network services, such as file and printer sharing, databases, email and web servers, listen on predefined “ports”, which are numbered slots through which traffic flows.
By default, Terminal Services uses port 3389. This is well known, and attackers will “probe” this port for the existence of a Terminal Services system and, if one is found, continue the attack.
If Terminal Services is listening on a non-standard port, an attack against 3389 will fail, and probing all possible ports looking for a Terminal Services host will take too long for worms or casual hacking. (This is called Security by Obscurity.) So it is a very effective block against many types of attack.
Using the default port simply means that connecting clients do not need to know the port. However, this is only a convenience, and since Terminal Services systems are almost always provided for employees, who can be told the address to use, using the default port is not recommended. If a server is using the default port, the address the client connects to will be of the form “192.168.0.14”. If the server is using a non-standard port, such as 12890, the address will be of the form “192.168.0.14:12890”. So the requirements for the client are quite simple.
How to Choose a Port Number
See Choosing a TCP Port for a Network Service.
Configuring the Port
You can use the following commands to change the listening port:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /V PortNumber /T REG_DWORD /F /D <port>
net stop TermService /yes
net start TermService
net start UmRdpService
And to check the service is now listening on the new port:
netstat -an | find "<port>"
In the above, <port> is the port required, in decimal (i.e. an integer between 1 and 65535).
Note that if you are configuring the port from within a Remote Desktop session, you will be disconnected and must reconnect on the new port. Therefore ensure the firewall and edge router are configured before making the change.
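The same change performed in the order the note above recommends (firewall first, then registry, then service restart, then a check that the listener actually moved), as an added PowerShell example that is not part of the original article. It assumes an elevated session on Windows 8 / Server 2012 or later, where New-NetFirewallRule and Get-NetTCPConnection are available; the registry value, port range and service names are the ones given above.

```powershell
# Added example: move the RDP listener to a non-standard port and verify it.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.
param([Parameter(Mandatory)][int]$Port)

# The article's rule: a decimal integer between 1 and 65535.
if ($Port -lt 1 -or $Port -gt 65535) { throw "Port must be between 1 and 65535" }

# Changing the port from inside an RDP session disconnects you
# (RDP session names look like RDP-Tcp#3), so say so before continuing.
if ($env:SESSIONNAME -like 'RDP-*') {
    Write-Warning "Running inside an RDP session; reconnect on port $Port afterwards."
}

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$old = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber

# 1. Open the host firewall for the new port BEFORE the service moves to it.
New-NetFirewallRule -DisplayName "Remote Desktop (TCP $Port)" -Direction Inbound `
    -Protocol TCP -LocalPort $Port -Action Allow -Profile Any | Out-Null

# 2. Point the listener at the new port (same REG_DWORD PortNumber as the reg add above).
Set-ItemProperty -Path $key -Name PortNumber -Value $Port -Type DWord

# 3. Restart Terminal Services; -Force also restarts its dependent UmRdpService.
Restart-Service -Name TermService -Force
Start-Service -Name UmRdpService -ErrorAction SilentlyContinue

# 4. Verify the new port is in LISTEN state instead of relying on a loose
#    'netstat | find' match, which also matches foreign ports and substrings.
Start-Sleep -Seconds 3
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LocalPort
if ($listening -contains $Port) {
    Write-Host "TermService now listening on TCP $Port (was $old)."
} else {
    throw "TermService is not listening on TCP $Port; check the System event log before disconnecting."
}
if ($old -ne $Port -and $listening -contains $old) {
    Write-Warning "TCP $old is still open on this host; review which service owns it."
}
```

Run it as `.\Set-RdpPort.ps1 -Port 12890` (the file name is whatever you save it as); the edge router or external firewall still has to be updated separately, as the next section describes.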
Terminal Services/Remote Desktop is much easier to connect to if the connection is through a fixed IP address supplied by your ISP, because the IP address will not change even if your connection drops and reconnects.
However, it is still possible to use Terminal Services over dynamic addresses, with either ADSL or dial-up connections. If you have an ADSL device which supports it, you can use Dynamic DNS to map a static domain name to the dynamic address, or you can simply look up your current external IP address before each connection and advise the person trying to connect. This is less convenient, but it works perfectly well for casual, ad-hoc use.
By default, the firewalls in Windows XP and Windows 2003 treat Remote Desktop/Terminal Services as using 3389, so if you use a non-standard port you must manually configure the firewall to allow that traffic.
If you have a firewall on the external interface (such as an ADSL router), you must open the port there also, and forward the packets to the machine in question.
However, if the firewall on your external interface supports port forwarding from one port to a different port, you do not need to configure the Windows machines to use non-standard ports. You can simply configure the firewall to listen on non-standard ports and forward the packets to the standard port on each system. So if you have a network of Windows XP machines and you want to connect to them remotely, you can leave each system running on the default port of 3389 and map new external ports appropriately. Assuming 150.101.x.y is the external fixed IP address and 192.168.0.z are the internal LAN addresses, the mappings could be:
External Address | External Port | Local Address | Local Port
… and so on.