Adding an RDP port to Windows 2003

by Ed Fisher on 2007-09-06

in Infrastructure

I’m sure many of you have a Windows box at home that you would like to connect to using RDP, but you are not sure you want to have an open port on your Internet connection waving the big tcp 3389 flag for all to see. While port scans to 3389 aren’t exactly HUGE, they do happen. You may want to change the port for rdp connections on your Internet connection to move it into the background.
Disclaimer: obscurity is NOT security! We are doing the equivalent of planting a big bush in front of the door. A casual observer may not notice it, but a motivated attacker will.
There are three things you can do to permit rdp connections directly to your box without using tcp 3389.
1) Port Address Translation: If your Internet connection is behind a firewall, or a DSL bridge that can map one port to another, simply pick a different port on the outside and map it to tcp port 3389 on the inside. From other machines on your internal network you can continue to connect to tcp 3389. Over the Internet, you connect to whatever outside port you chose.*
2) Bind rdp to a different port: If you want, you can just configure rdp to use a different port from the default. Launch regedit and open this key:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Edit the "PortNumber" dword and set the port you want. Regedit shows the value in hex by default (the default port 3389 appears as d3d), so either switch the editor to decimal or enter your port in hex. Now you can connect on this port, but you will have to use it whether you are internal or external to your network, because the default 3389 listener is gone.
3) Add a new listening port: Export the key above to a .reg file. Then edit the file as follows…
- Change the key name to something unique, like RDP-Tcp-Alt. That's the name of the key in the first line of the file, not the name you gave the exported file.
- Edit the "PortNumber" dword and set the port you want, specifying a HEX value (a .reg file stores dword data in hex).
- Import the new registry file. Your system will now be listening on both tcp 3389 and whatever port you chose to add.
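The same third option can be scripted with reg.exe instead of exporting and hand-editing a .reg file. This is an added example, not from the original post; the port 5000 and the key name RDP-Tcp-Alt are assumptions, and it is meant to be run from an Administrator command prompt on Windows Server 2003.

```batch
@echo off
rem Added example: clone the default RDP listener under a new name and give
rem the clone its own port. RDP-Tcp-Alt and 5000 are assumed values.
setlocal
set WS=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations
set NEWKEY=RDP-Tcp-Alt
set NEWPORT=5000

rem Refuse to continue if something already listens on the chosen port.
netstat -an -p tcp | find ":%NEWPORT% " | find "LISTENING" >nul
if not errorlevel 1 (
    echo TCP %NEWPORT% is already in use; choose another port.
    exit /b 1
)

rem Copy the default listener (all values and subkeys) under the new name.
reg copy "%WS%\RDP-Tcp" "%WS%\%NEWKEY%" /s /f
if errorlevel 1 exit /b 1

rem Point the clone at the new port. reg.exe takes the DWORD in decimal,
rem so no hex conversion is needed here.
reg add "%WS%\%NEWKEY%" /v PortNumber /t REG_DWORD /d %NEWPORT% /f

rem Show both listeners' port values so you can confirm the result.
reg query "%WS%\RDP-Tcp" /v PortNumber
reg query "%WS%\%NEWKEY%" /v PortNumber

rem If Windows Firewall is enabled, the new port needs an exception too.
rem netsh firewall add portopening protocol=TCP port=%NEWPORT% name="RDP alternate" mode=ENABLE

echo Reboot so Terminal Services starts the new listener, then verify with:
echo   netstat -an -p tcp ^| findstr LISTENING
endlocal
```

After the reboot, both 3389 and the new port should show as LISTENING; if only 3389 does, re-check the cloned key's values with reg query.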

*To connect using the Microsoft mstsc client in Windows, you have to specify the port by appending :port# to the hostname or ip.addr, e.g.
mstsc /console /v:server.example.com:5000 [enter]

more information:

How can I add a new RDP listening port to Windows 2000/2003 Terminal Server?
How to change the listening port for Remote Desktop

I hope this helps!
