Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Windows Server 2016 Security, Certificates, and Remote Access Cookbook

You're reading from   Windows Server 2016 Security, Certificates, and Remote Access Cookbook Recipe-based guide for security, networking and PKI in Windows Server 2016

Arrow left icon
Product type Paperback
Published in Apr 2018
Publisher
ISBN-13 9781789137675
Length 138 pages
Edition 1st Edition
Concepts
Arrow right icon
Author (1):
Arrow left icon
Jordan Krause Jordan Krause
Author Profile Icon Jordan Krause
Jordan Krause
Arrow right icon
View More author details
Toc

Table of Contents (4) Chapters Close

1. Security and Networking FREE CHAPTER 2. Working with Certificates 3. Remote Access 4. Other Books You May Enjoy

Changing the RDP port on your server to hide access

Everybody uses RDP. Attackers and bots, curiously, also know that everybody uses RDP. If you are working with perimeter servers that are potentially connected to the Internet, having RDP enabled can be especially dangerous because it is quite easy to leave your server in a state where it is open from outside of your network. This gives anyone the ability to start guessing passwords or trying to brute force their way into your server, or just a way to give you some denial-of-service headaches by throwing thousands of login attempts at that server.

Even aside from the worries of potential access from the public Internet, you may want to ensure that regular users aren't trying to poke around where they shouldn't be by opening up RDP connections to servers within your network. There are a few ways that you could restrict this access. You could come up with some creative firewall rules that only allow RDP access from certain subnets, and try to contain your IT computers to those subnets. Or maybe you could configure RDP on your destination servers to require certificates as part of the authentication process, thus only allowing users with those certificates to have access. These are both fairly complicated. I like to employ a much simpler solution to keep unwanted eyes from seeing my RDP login screens.

Change the port that RDP runs on! What? Can you do that? Yes, RDP by default listens and connects on TCP port 3389. The Remote Desktop client that is installed on almost every client machine everywhere automatically assumes that the server they are connecting to is listening on 3389, and so you don't even have to specify a port when you try to connect. There isn't even a field for it in the client. So it's pretty rare that I talk to people (even IT people) who know that 3389 is the default. Given that, if we were able to change that 3389 to something different, something of our own choosing, I think that would do a grand job of keeping people out of our systems. Let's say we have a sensitive server and want to keep access to a minimum. Let's change the RDP port on that to something only we know, maybe port 4822. That'll keep 'em guessing for a while.

Getting ready

Any Windows Server 2016 machine will do for this task. We are going to set our custom RDP port on WEB1, and then we are going to test accessing it from a Windows 10 client machine.

How to do it...

Go through the following steps to change the RDP port to one of your liking:

  1. Open Registry Editor. You can do this by going to either the Start screen or Command Prompt and typing regedit.
  2. Browse to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.
  3. Find the value called PortNumber and change it to 4822:
  1. Restart the server.
  2. Now log into your client computer and open up Remote Desktop Connection by typing that name into your Start screen. You can also type mstsc in Command Prompt to open this program. If you try to connect directly to WEB1, your connection will fail as the server is no longer listening on the standard port 3389.

Enter in WEB1:4822 and you connect successfully:

If at first you cannot connect, make sure to check your Windows Firewall settings. It is possible that you may need to add a rule to WFAS on the server to allow port 4822.

How it works...

With a simple registry change, we can adjust the RDP listener port on servers. This will help keep unwanted RDP connections from being made, which can be useful both inside and outside the corporate network. After making this change, the only people who will be able to reach the RDP login screen would be those who know your new RDP port, and who know how to utilize that custom port within the remote desktop connection tool.

You have been reading a chapter from
Windows Server 2016 Security, Certificates, and Remote Access Cookbook
Published in: Apr 2018
Publisher:
ISBN-13: 9781789137675
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image