Windows Server Fortification

Helping Fortify a Windows Server Installation

Remote Desktop Port Change and Firewall Setup


A very common technique used by attackers is to scan the ports of a system looking for well-known services. The Remote Desktop service, used for remote system management, listens on TCP port 3389 by default. It is worthwhile to keep simple tools from reporting that port as open by changing the port Remote Desktop uses (a thorough scan of all ports will still find the service, so treat this as a nuisance filter and rely on the IP restriction described below for actual access control). Please be aware that this requires editing the registry and some slightly advanced configuration of the Windows Firewall. First off, the registry needs to be backed up in case something goes wrong. The steps to do so are as follows:

Open the start menu and click on the “Run…” menu item.

At the prompt, type in “regedit.exe” and press enter.

Next select “Export…” from the file menu.

In this example, the file is saved under the My Documents folder as “backup.reg”. This file can be used to restore the registry settings in case something goes wrong. Now that the backup is complete, the port number can be changed.

The first part of the path is HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Control.

The next part of the path is Terminal Server -> WinStations -> RDP-Tcp. Clicking on this item brings up a rather long list of options.

The option for the port is “PortNumber”. Double click on it to change the value.

Click on the “Decimal” radio button to make the value human readable. Then change the port to the desired value. A port over 5000 and less than 10000 is a recommended value. In this case it is set to 5590. Click “OK” when done and exit the Registry Editor to complete the change. However, Windows Firewall also needs to be updated to handle the new port.

While adding the rules for the new port, I’m going to include steps for restricting Remote Desktop connections to a specific IP address. In larger organizations, connections to Remote Desktop can instead be controlled through Active Directory user authentication. Setting up the firewall to use the new Remote Desktop port requires the following steps:

Click on the “Control Panel” option in the Start Menu.

Click on the “Windows Firewall” link in the control panel main window.

Click on the “Advanced Settings” link on the left.

On the left side of the screen, click on “Inbound Rules”.

On the right side of the screen, click on “New Rule…”.

Select “Custom”, then “Next”.

Select “This program path:” and enter “System” into the field. Then click “Next”.

For “Protocol Type” select “TCP”. For “Local Port”, select “Specific Ports”. Then in the field below, enter the port number set earlier during registry editing. In my case it is set to 5590. No changes need to be made for the “Remote Port” section. Click “Next”.

Now for restricting by IP. Under “Which remote IP addresses does this rule apply to?” select “These IP addresses”. Next, click “Add…” and enter the IP address that is allowed to use Remote Desktop. As many IP addresses as you like can be added. In this case a LAN IP is specified with the address “192.168.1.55”. Click “Next”.

The default of “Allow Connection” is fine. Click “Next”.

Finally, enter a name for the rule, as well as a description. A sample one is provided here. Click “Finish” to finalize the process. One more rule still needs to be added, though, for RemoteFX Remote Desktop support. The steps are much the same, except for the program:

The value is instead “%SystemRoot%\System32\svchost.exe”. Clicking on “Next” will produce this dialog:

It is safe to ignore this warning; the exact same program is used in the default firewall rule. All other options are the same, including the IP restriction. After clicking “Finish” at the end, a reboot of the computer is necessary for the Remote Desktop port change to take effect. With this in mind, make sure physical access or an alternative to Remote Desktop is available in case something goes wrong with the setup. After rebooting, it will be necessary to add the port when connecting to the system, by appending it to the host name after a colon (for example, servername:5590), like so:

If all went well, the login prompt will be displayed to initiate the Remote Desktop session. If not, be sure to verify the firewall settings.
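The same procedure (registry backup, port change, the two IP-restricted firewall rules, and a pre-reboot check) as a single PowerShell script. This is an added example, not part of the original post; it assumes an elevated session on Windows Server 2012 or later (for the NetSecurity cmdlets) and reuses the post's values, port 5590 and client 192.168.1.55.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell session on
# Windows Server 2012 or later, where New-NetFirewallRule is available.
$NewPort       = 5590            # value chosen in the post
$AllowedClient = '192.168.1.55'  # LAN address allowed to connect, as in the post
$RdpKeyPs      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RdpKeyReg     = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$Backup        = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'backup.reg'

# 1. Back up the RDP-Tcp key before changing it (equivalent of File -> Export in regedit).
reg.exe export $RdpKeyReg $Backup /y | Out-Null

# 2. Change the listening port. PortNumber already exists as a REG_DWORD, so
#    Set-ItemProperty keeps the type; the value is written as a decimal number.
$OldPort = (Get-ItemProperty -Path $RdpKeyPs -Name PortNumber).PortNumber
Set-ItemProperty -Path $RdpKeyPs -Name PortNumber -Value $NewPort
Write-Host "RDP port changed from $OldPort to $NewPort (effective after reboot)"

# 3. Firewall: one rule for the kernel listener (program 'System') and one for the
#    RemoteFX path (svchost.exe), both limited to the allowed client address.
$Common = @{
    Direction     = 'Inbound'
    Action        = 'Allow'
    Protocol      = 'TCP'
    LocalPort     = $NewPort
    RemoteAddress = $AllowedClient
}
New-NetFirewallRule -DisplayName "Remote Desktop (custom port $NewPort)" `
    -Description "RDP on TCP $NewPort, restricted to $AllowedClient" `
    -Program 'System' @Common | Out-Null
New-NetFirewallRule -DisplayName "Remote Desktop RemoteFX (custom port $NewPort)" `
    -Description "RDP/RemoteFX on TCP $NewPort, restricted to $AllowedClient" `
    -Program '%SystemRoot%\System32\svchost.exe' @Common | Out-Null

# 4. Sanity check before rebooting: the registry value and both rules, including
#    their remote-address filter, are in place.
(Get-ItemProperty -Path $RdpKeyPs -Name PortNumber).PortNumber
Get-NetFirewallRule -DisplayName 'Remote Desktop*custom port*' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# After the reboot, confirm the new listener with
#   Get-NetTCPConnection -LocalPort $NewPort -State Listen
# and connect from the allowed client with: mstsc /v:servername:5590
```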

Written by Chris

June 22, 2011 at 1:53 am
