
Adding or Changing Remote Desktop Listening Port

In supporting several clients with servers behind their firewall routers, I find that hiding the default RDP port 3389 is most beneficial in preventing remote attacks. The way I do this is to change, or rather add, another RDP-TCP listening port on the servers and then add this port to the firewall rules. To connect to the server remotely, just use the command: mstsc /v:{remote dns name of server}:{Port Number}. Normally you don't have to add the :port number, but since you've changed it or added it on the server, specifying it in the command makes the client use that port for the RDP connection.

How do you do this, you ask? Well, here's a simple procedure:

1. Open up regedit on the server (or workstation as it works for them as well).
2. Browse to: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\
3. Under this key there is a subkey called RDP-Tcp; it holds all the settings you see in the Terminal Server Configuration Console (tscc.msc).
4. Export this key to a .reg file (it is plain text); I usually store it in the Documents folder.

5. Open the .reg file in Notepad and look for the line that says "PortNumber". The default value is 0x00000d3d, which equates to 3389.

6. Change this to another port number, say 25000 (in hex this is 0x000061A8), by replacing the hex value in the file with the new one.

7. If you're going to change the default listening port from 3389 to 25000, just save the .reg file and double-click it to merge it into the registry. If instead you'd rather add a second listening port (which I recommend), then change the key name at the top, where it has the full path to RDP-Tcp, by appending a 2 (RDP-Tcp2).
The top line of the .reg file will then look like this:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp2]

8. Save the .reg file and double-click it to merge it into the registry. If you then open the tscc.msc console, you'll now see two connections, one named RDP-TCP and one named RDP-TCP2.

9. Check that the server is now listening on the secondary port by running this at the cmd prompt: netstat -an | findstr 25000. If it returns nothing, you might need to reboot the server. If it still returns nothing after the reboot, the import wasn't successful.

10. Lastly, go to your firewall and forward TCP port 25000 from the outside to your server internally. Then test this remotely by checking whether the port is reachable with portqry (portqry -n {remote dns name of server} -e 25000). If it returns LISTENING, you're in business! You can then connect to it using the syntax above.
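As an added example (not from the original post), here is the same procedure as a PowerShell script for an elevated prompt on Windows Server 2012 or later. It copies the RDP-Tcp key to RDP-Tcp2 (the equivalent of the export, rename and merge in steps 4 to 8), sets PortNumber to 25000, adds a matching Windows Firewall rule, and performs the netstat and portqry checks with Get-NetTCPConnection and Test-NetConnection. The key and value names come from the post; the function names, the firewall rule name and the choice to restart TermService instead of rebooting are my own assumptions.

```powershell
# Added example, not from the original post: create a second RDP listener on an
# alternate port, verify it locally and remotely, and open the host firewall.
# Assumptions: elevated PowerShell on Windows Server 2012+ (NetTCPIP and
# NetSecurity modules present); restarting TermService drops live RDP sessions,
# so run this from the console or a non-RDP session, or reboot instead.

#Requires -RunAsAdministrator

$WinStations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
$SourceName  = 'RDP-Tcp'     # default listener, PortNumber 0x00000d3d = 3389
$NewName     = 'RDP-Tcp2'    # the additional listener the post recommends
$NewPort     = 25000         # 0x000061A8, as in step 6

function Convert-PortToRegHex {
    # Shows the value exactly as it appears in the exported .reg file (steps 5-6).
    param([int]$Port)
    return ('"PortNumber"=dword:{0:x8}' -f $Port)
}

function Add-RdpListener {
    # Equivalent of exporting RDP-Tcp and merging it back under a new key name.
    param([string]$Source, [string]$Target, [int]$Port)
    $src = Join-Path $WinStations $Source
    $dst = Join-Path $WinStations $Target
    if (-not (Test-Path $src)) { throw "Listener key '$Source' not found" }
    if (Test-Path $dst)        { throw "Listener key '$Target' already exists; remove it first" }
    Copy-Item -Path $src -Destination $dst -Recurse
    Set-ItemProperty -Path $dst -Name PortNumber -Value $Port -Type DWord
    return (Get-ItemProperty -Path $dst -Name PortNumber).PortNumber
}

function Test-RdpListenerLocal {
    # Local check, equivalent of: netstat -an | findstr 25000 (step 9)
    param([int]$Port)
    $conn = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    return [bool]$conn
}

function Test-RdpListenerRemote {
    # Remote check from outside, equivalent of: portqry -n <server> -e 25000 (step 10)
    param([string]$Server, [int]$Port)
    return (Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
}

function Open-HostFirewallPort {
    # The built-in "Remote Desktop" rules only cover 3389, so the new port needs
    # its own host-firewall rule. The perimeter forward in step 10 is separate.
    param([int]$Port)
    New-NetFirewallRule -DisplayName "Remote Desktop (TCP $Port)" -Direction Inbound `
        -Protocol TCP -LocalPort $Port -Action Allow | Out-Null
}

# --- usage ---
Write-Host "Line to expect in the .reg file: $(Convert-PortToRegHex $NewPort)"
$set = Add-RdpListener -Source $SourceName -Target $NewName -Port $NewPort
Write-Host "$NewName created with PortNumber $set"
Open-HostFirewallPort -Port $NewPort

# The new listener is only bound after the service restarts (or a reboot).
Restart-Service TermService -Force
Start-Sleep -Seconds 5

if (Test-RdpListenerLocal -Port $NewPort) {
    Write-Host "Listening on TCP $NewPort; connect with: mstsc /v:<server>:$NewPort"
} else {
    Write-Warning "Nothing listening on TCP $NewPort yet; reboot and re-check, or the key was not imported"
}
# From another machine, after the perimeter rule is in place:
#   Test-RdpListenerRemote -Server 'server.example.com' -Port 25000
```

Test-RdpListenerRemote only reports that a TCP handshake completes, which is what portqry's LISTENING means; it does not prove the RDP listener is healthy, so finish by making a real mstsc connection as the post says.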

Troubleshooting:
1. I recently had a customer where at some point the second port just wasn't working anymore. To fix this, I opened up tscc.msc and deleted both remote desktop connections. You also need to make sure to delete them from the registry, as they leave remnants which will prevent you from creating new ones on the server.
Note: If doing this remotely, make sure you have another means to connect to the server, such as GoToMyPC or LogMeIn clients installed; otherwise, when you delete the RDP-TCP connection, you'll lose your connection to the server as well.

2. After deleting both connections, both in the console and in the registry, I went to the console and created a new default RDP-TCP connection; just follow all the prompts and pick the default settings.

3. Then go back and add the second RDP port as described above; this should restore both the 3389 listening port and the 25000 one.
