Change RDP port number 3389 of remote desktop in Windows

By default, all Windows operating systems use TCP port 3389 for RDP (Remote Desktop Protocol). After you have enabled RDP access in Windows, the TermService (Remote Desktop Services) service starts listening on port 3389. In this article we will show how to change the default RDP port number in desktop editions of Windows (7/8/10/11) and Windows Server.

Please note that in modern versions of Windows, Remote Desktop also uses UDP with the same port number 3389.

You can change the standard RDP port number in Windows from 3389 to any other port. This is most often done to hide your RDP/RDS host from automated port scanners that look for Windows hosts on the network with the standard RDP port 3389 open. Changing the RDP port reduces the likelihood of exploitation of RDP vulnerabilities (the latest critical RDP vulnerability, BlueKeep, is described in CVE-2019-0708), reduces the number of remote password-guessing attempts via RDP (do not forget to periodically analyze RDP connection logs), and reduces exposure to SYN floods and other types of attacks (especially when NLA is disabled). Most often, the RDP port is changed on computers directly connected to the Internet (VPS/VDS), or in networks where the edge router forwards port 3389/RDP to a Windows computer/server on the local network.

Even with a changed port, it is not advisable to expose an RDP port to the Internet at all: port scanners can recognize from the service signature that an RDP listener is running on the new port. If you want to give RDP access to a computer on your network, it is better to use technologies such as VPN, RD Web Access, RD Gateway and the like.

If you decide to use a non-standard port number for RDP, please note that it is not recommended to use port numbers in the range 1 to 1023 (well-known ports). Use a dynamic port from the RPC range (49152 to 65535), or any port in the range 1024 to 49151 that is not used by another service or application.

What is RDP protocol

Before changing something, it is good to understand what it is and how it works. RDP, the Remote Desktop Protocol, is the remote desktop protocol of Microsoft Windows operating systems, although it originates from PictureTel (Polycom); Microsoft bought it. It is used for remote work by an employee or user on a remote server. Most often such servers act as terminal servers, for which special licenses (CALs) are allocated either per user or per device. The idea was this: if there is a very powerful server, why not share its resources, for example for a 1C application. This became especially relevant with the advent of thin clients.

The terminal server itself first appeared in 1998 in the Windows NT 4.0 Terminal Server operating system; to be honest, I did not even know it existed back then, since in Russia at that time we were all playing Dendy or Sega. RDP clients are currently available for all versions of Windows, as well as Linux, macOS and Android. The most recent version of the RDP protocol at the moment is 8.1.

Default RDP port

Let me state the default RDP port right away: it is 3389; I think all system administrators know it.

Connection on macOS

For macOS, Microsoft has released an official client for connecting to a server via RDP. It's called Microsoft Remote Desktop and is available for download on the App Store.

The connection is set up as easily as on Windows.

  1. Launch the program and click on the New button to create a new connection.
  2. Enter a custom name in the Connection name field.
  3. In the PC name field, enter the server IP address.
  4. Enter your username and password to connect.

Once the setup is complete, the new connection is saved in the list. Double-click it to launch. After launch, a warning about an untrusted certificate appears. This is nothing to worry about: click the “Show certificate” button.

After accepting the self-signed certificate, you will see the desktop of the remote computer in a separate window.

How the RDP protocol works

Now that we understand why the Remote Desktop Protocol was created, it is logical to look at how it works. Microsoft distinguishes two modes of the RDP protocol:

  • Remote administration mode: you connect to the remote server to configure and administer it
  • Terminal Server mode: access to an application server, RemoteApp, or sharing it for work

In general, if you install Windows Server 2008 R2 - 2016 without the terminal server role, it will by default have two licenses, so two users can connect at the same time, and a third will have to kick someone out in order to work. Client versions of Windows have only one license, but this can be bypassed; I talked about this in the article Terminal Server on Windows 7. In Remote administration mode you can also cluster and load-balance, thanks to NLB technology and the Session Directory service (connection broker). It indexes user sessions, and thanks to this server a user can log in to the remote desktop of terminal servers in a distributed environment. A licensing server is also a required component.

The RDP protocol is an application-layer protocol that operates over a TCP connection. When a client establishes a connection with the server, an RDP session is created at the transport level, in which encryption and data transmission methods are negotiated. When all negotiations are complete and initialization has finished, the terminal server sends graphical output to the client and waits for keyboard and mouse input.

Remote Desktop Protocol supports multiple virtual channels within a single connection, which provide additional functionality:

  • Transfer your printer or COM port to the server
  • Redirect your local drives to the server
  • Clipboard
  • Audio and video

RDP connection stages

  • Establishing a connection
  • Negotiating encryption parameters
  • Server Authentication
  • Negotiating RDP session parameters
  • Client Authentication
  • RDP session data
  • Terminating RDP session

Security in the RDP protocol

Remote Desktop Protocol has two authentication methods: Standard RDP Security and Enhanced RDP Security. We will look at both in more detail below.

Standard RDP Security

With this method, the connection is encrypted by mechanisms built into the RDP protocol itself. It works like this:

  • When the operating system starts, an RSA key pair is generated
  • A Proprietary Certificate is created
  • The Proprietary Certificate is then signed with the RSA key created earlier
  • An RDP client connecting to the terminal server receives the Proprietary Certificate
  • The client checks and verifies it, then extracts the server’s public key, which is used in the stage of negotiating encryption parameters.

As for the algorithm with which everything is encrypted, it is the RC4 stream cipher. Key lengths range from 40 to 168 bits depending on the edition of the Windows operating system; for example, in Windows Server 2008 it is 168 bits. Once the server and client have agreed on the key length, two new, different keys are generated to encrypt the data.

Data integrity is ensured by a MAC (Message Authentication Code) based on SHA-1 and MD5.

Enhanced RDP Security

The RDP protocol with this authentication method uses two external security modules:

  • CredSSP
  • TLS 1.0

TLS is supported from version 6 of RDP. When you use TLS, an encryption certificate can be created using a terminal server, a self-signed certificate, or selected from a store.

The CredSSP protocol is a combination of Kerberos, NTLM and TLS. With it, the check that verifies permission to log in to the terminal server is performed in advance, rather than after a full RDP connection has been established, which saves resources on the terminal server; in addition, encryption is more reliable and you get single sign-on (SSO) thanks to NTLM and Kerberos. CredSSP only works on operating systems no older than Vista and Windows Server 2008. Here is the corresponding checkbox in the system properties:

Allow connections only from computers running Remote Desktop with network level authentication.
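As an added example that is not from the article, the following PowerShell script reads the RDP-Tcp listener settings that correspond to the two security modes described above and to the NLA checkbox, and can optionally enforce TLS plus NLA; it assumes an elevated session on the RDP host.

```powershell
# Added example (not the article's own script): report whether the RDP-Tcp
# listener is configured for Standard RDP Security or Enhanced RDP Security
# (TLS + NLA) and, with -Enforce, switch it to the secure settings.
# Run in an elevated PowerShell session on the RDP host.
param([switch]$Enforce)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$cfg = Get-ItemProperty -Path $key -Name SecurityLayer, UserAuthentication, MinEncryptionLevel

# Documented values of the listener settings.
$layerNames = @{ 0 = 'RDP Security Layer (Standard RDP Security, RC4)'
                 1 = 'Negotiate (TLS when the client supports it)'
                 2 = 'SSL/TLS (Enhanced RDP Security)' }
$encNames   = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS' }
$nla = if ($cfg.UserAuthentication -eq 1) { 'NLA required' } else { 'NLA NOT required' }

"SecurityLayer      : $($cfg.SecurityLayer) - $($layerNames[[int]$cfg.SecurityLayer])"
"UserAuthentication : $($cfg.UserAuthentication) - $nla"
"MinEncryptionLevel : $($cfg.MinEncryptionLevel) - $($encNames[[int]$cfg.MinEncryptionLevel])"

# Weak = the listener still accepts Standard RDP Security or logons without NLA.
$weak = ($cfg.SecurityLayer -lt 2) -or ($cfg.UserAuthentication -ne 1)
if (-not $weak) {
    'Listener uses Enhanced RDP Security (TLS) with NLA.'
} else {
    Write-Warning 'Listener allows Standard RDP Security and/or connections without NLA.'
    if ($Enforce) {
        # Registry equivalent of ticking "Allow connections only from computers
        # running Remote Desktop with Network Level Authentication".
        Set-ItemProperty -Path $key -Name SecurityLayer -Value 2 -Type DWord
        Set-ItemProperty -Path $key -Name UserAuthentication -Value 1 -Type DWord
        'Set SecurityLayer=2 and UserAuthentication=1; restart TermService to apply.'
    }
}
```

Restarting TermService drops current RDP sessions, so run the enforcement step from the console or a scheduled window.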

Connecting from a smartphone

To connect to remote hosts via RDP, Microsoft has released applications for two major mobile operating systems:

  • Remote Desktop on iOS
  • Remote Desktop 8 on Android

Connections in these applications are configured according to the same principle. First you need to add a new connection:

  1. Click the plus icon and select Desktop.
  2. In the PC name field, enter the address of the host to which you want to connect.
  3. Click on the User name line and add an account by selecting the Add user account option.
  4. Provide connection credentials: name and password.

The first time you try to connect, you will also receive a warning about an untrusted certificate. Highlight Never ask again and click Connect to generate a self-signed certificate.

Change RDP port

In order to change the RDP port, you will need to:

  1. Open the registry editor (Start -> Run -> regedit.exe)
  2. Go to the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Find the PortNumber value and change it to the port number you need.

Be sure to select the Decimal base when entering the value; for example, I will use port 12345.

Once you have done this, restart the Remote Desktop Service via the command line using the following commands:

Next, do not forget to open the new RDP port in the Windows firewall. To do this, press WIN + R and type firewall.cpl in the Run dialog.

Next, go to Advanced settings.

Create a new inbound rule for the new RDP port. Let me remind you that the default RDP port is 3389.

Choose that the rule applies to a port.

Leave the protocol as TCP and specify the new RDP port number.

The action will be to allow the RDP connection on the non-standard port.

If necessary, select the network profiles the rule applies to.

Finally, give the rule a name that you will understand.

To connect from Windows client computers, specify the address together with the port. For example, if you changed the port to 12345 and the address of the server (or just the computer you are connecting to) is myserver, then in the MSTSC connection dialog the address looks like myserver:12345, or from the command line: mstsc -v:myserver:12345

As you can see, changing the RDP port is not a difficult task at all; the same thing can be done using Group Policy.
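The whole procedure above (registry change, firewall rule, service restart, verification) as an added PowerShell script that is not part of the original article; it assumes an elevated session on the RDP host and uses the article's example port 12345 as its default. Going beyond the manual steps, it also opens UDP on the new port (RDP uses it alongside TCP) and refuses a port that is already in use.

```powershell
# Added example (not the article's own script): move the RDP listener to a new
# port, open it in Windows Defender Firewall for TCP and UDP, restart
# TermService and verify the new listener. Run in an elevated PowerShell session.
# 12345 is the article's example port; pass -NewPort to choose another.
param([int]$NewPort = 12345)

# The article advises against well-known ports 1-1023; also reject invalid values.
if ($NewPort -lt 1024 -or $NewPort -gt 65535) {
    throw "Port $NewPort is outside the recommended range 1024-65535."
}

# Refuse a port that another service is already listening on.
$inUse = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object LocalPort -eq $NewPort
if ($inUse) { throw "Port $NewPort is already in use by PID $($inUse.OwningProcess)." }

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$oldPort = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
Set-ItemProperty -Path $key -Name PortNumber -Value $NewPort -Type DWord

# Firewall: modern Windows uses UDP on the same port as well as TCP.
# Domain and Private only; do not open the port on the Public profile.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "Remote Desktop ($proto $NewPort)" `
        -Direction Inbound -Protocol $proto -LocalPort $NewPort `
        -Action Allow -Profile Domain, Private | Out-Null
}

# Restart the listener; -Force is needed because TermService has dependent services.
# This disconnects current RDP sessions, including your own if you are on RDP.
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 2

# Verify: the svchost hosting TermService must now listen on the new port.
$svcPid = (Get-CimInstance Win32_Service -Filter "Name='TermService'").ProcessId
$listener = Get-NetTCPConnection -State Listen -OwningProcess $svcPid |
    Where-Object LocalPort -eq $NewPort
if (-not $listener) { throw "TermService is not listening on $NewPort (old port was $oldPort)." }
"RDP now listens on TCP $NewPort (was $oldPort); connect with mstsc /v:<host>:$NewPort"
```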

Connection on Debian

On Debian, you can also use the Remmina application to connect to the server via RDP. To install it:

  1. Launch the package installation manager.
  2. Enter "Remmina" in the search bar.
  3. Select all installation results and click “Apply Changes”.
  4. Launch the program after installation.
  5. Click "Create" to enter the new connection details.
  6. Provide a name for the connection. It can be anything.
  7. In the “Server” field, enter the IP address of the remote host.
  8. Enter your username and password.
  9. You can configure additional connection settings. For example, select the sound source and security settings.
  10. Click Save to save the connection.

All saved connections are stored in one list. Find the one you need and click it to start. A warning about an untrusted certificate will appear on the screen. Click OK or Accept. After a successful connection, you will be taken to the desktop of the remote host.

On Debian you can also use the freerdp and rdesktop clients instead of Remmina. They are installed using the same commands as on Ubuntu. The connection setup process is also the same.

Results

RDP is a convenient tool for creating a remote connection. It allows you to quickly and flexibly set up a connection on a local network or via the Internet. Despite the fact that the protocol was developed by Microsoft, it can also be used on other platforms: macOS, Ubuntu, Debian, Android, iOS.

To review how to set up a connection in Windows, watch this video. It's in English, but each step is very clearly demonstrated:

And from this video you will learn how to set up RDP on a mobile device and control a computer from it:
