Change the default listening port for RDP

If you want to allow RDP through your firewall to a PC on your local LAN on a non-standard port instead of the default 3389, the following change has to be made on the PC; otherwise you will not be able to connect.

  1. Start Registry Editor.
  2. Locate the following registry subkey and then click the PortNumber value under it:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
  3. On the Edit menu, click Modify, and then click Decimal.
  4. Type the new custom port number, and then click OK.
  5. Quit Registry Editor.
  6. Restart the Remote Desktop services.

This is an old-school way to allow users to remote into their PCs; however, it is not very secure. I suggest setting up an SSL VPN to the network and then allowing them to RDP to their machine. Just because you are using a non-standard RDP port does not ensure that the port cannot be scanned and attacked from the web.

I have only posted this for information; I believe it is bad practice, but there are a lot of IT admins that do this for their small business clients, especially those with simple firewalls without the ability to use VPN or SSL VPN.


The basic setup is to open RDP on port 3666 (or whatever port you choose) in the firewall, with a NAT rule that forwards traffic arriving at the WAN IP on port 3666 to the internal IP of the computer. Basically it is an IPSEC pass-through allowing traffic on the WAN IP with that port number to reach the local machine. Then make the change on the PC using the steps above. Again, I do not condone this practice, as anyone with a free port scanner can find the port and attack the PC. You can use any non-standard port (excluding common ports such as 80/443/8080/25/23 that are used for other services). If you go this route, use a port in the range 3400-65535, and pray no one is scanning your WAN IP for open ports 🙂
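Steps 2 to 6 above, together with the port-choice advice in this paragraph, as a PowerShell script (an added example, not part of the original post). It assumes an elevated session on the target PC, uses the post's 3666 as the sample port, and also opens the new port in Windows Firewall, which the built-in Remote Desktop rule (bound to 3389) does not cover; the NAT rule on the external firewall still has to be created by hand.

```powershell
# Added example, not from the original post. Assumes it runs elevated on the PC being changed.
$NewPort = 3666   # sample value taken from the post; pick your own non-standard port
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Port sanity checks matching the post's advice: stay in 3400-65535 and avoid well-known service ports
if ($NewPort -lt 3400 -or $NewPort -gt 65535) { throw "Port $NewPort is outside the 3400-65535 range" }
$commonPorts = 80, 443, 8080, 25, 23
if ($commonPorts -contains $NewPort) { throw "Port $NewPort is used by another common service" }

# Refuse to proceed if something on this host already listens on the chosen port
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "Port $NewPort is already in use on this machine"
}

# Show the current value before touching it (default is 3389)
$current = (Get-ItemProperty -Path $KeyPath -Name PortNumber).PortNumber
Write-Host "Current RDP PortNumber: $current"

# Steps 2-4 of the post: PortNumber is a REG_DWORD value under the RDP-Tcp subkey
Set-ItemProperty -Path $KeyPath -Name PortNumber -Value $NewPort -Type DWord

# Windows Firewall only allows 3389 by default; add a rule for the new port.
# Limiting it to the Domain and Private profiles is an assumption, not something the post states.
New-NetFirewallRule -DisplayName "Remote Desktop (custom port $NewPort)" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -Action Allow -Profile Domain, Private | Out-Null

# Step 6 of the post: restart Remote Desktop Services so the listener rebinds to the new port
Restart-Service -Name TermService -Force

# Verify that the listener actually moved; if not, a reboot is usually what is missing
Start-Sleep -Seconds 3
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    Write-Host "RDP is now listening on TCP $NewPort"
} else {
    Write-Warning "No listener on TCP $NewPort yet; reboot the PC and check again"
}
```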

I would also suggest, if you need to give your users remote access to their PCs from outside the LAN, using a service like Teamviewer or Join.me, as these are more secure.
