The Remote Desktop port (RDP port) 3389 in Windows is a popular target for hackers. Thus, it might make sense to change the RDP port. This article describes how to change Remote Desktop with PowerShell.
By Surender Kumar

Remember the infamous BlueKeep vulnerability? It was a flaw in Remote Desktop Services, reachable over port 3389, that allowed an unauthenticated attacker to execute arbitrary code on a vulnerable system simply by sending a specially crafted message. Considering the security risk, it is often recommended to disable RDP when it is not needed; however, there are still certain systems where you just can't disable it, such as servers.

The alternative solution is to change the RDP port number from the default to something else. This certainly won't make your Windows system bulletproof, but it surely does help stop a few script kiddies. I mean, that's the whole point of security through obscurity.

For this guide, I will change the RDP port on a system named TERMINAL that is running Windows 10. Since we are using PowerShell, we can leverage PowerShell remoting to run all the commands from our own system. Just launch an elevated PowerShell console, and use the following command to open an interactive PS remoting session to the remote computer where you want to change the RDP port.

Enter-PsSession -ComputerName TERMINAL -Credential domain\admin

If your currently logged-in user is a member of the Domain Admins AD group, you can skip the -Credential parameter.

Opening an interactive PS remoting session to the remote computer using the Enter PsSession command

You can also use the Invoke-Command cmdlet to run each command if you don't wish to open a persistent interactive session to the remote computer.

Determining the current Remote Desktop port

Now that we are connected to a remote computer (TERMINAL, in our example), you can use the following command to determine what port number RDP is currently using:

(Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" -Name PortNumber).PortNumber

Using PowerShell to view the port number currently used by RDP

This command returns the current port number used by the RDP service on your target computer. You can see that the information is stored in the Windows registry, and we just queried the particular registry key for the port number using the Get-ItemProperty cmdlet. Modern versions of Windows (starting with Server 2012 and Windows 8) tend to use both the TCP and UDP protocols for RDP, which essentially means that, by default, the remote desktop server service (TermService) listens on both TCP 3389 and UDP 3389 on a typical Windows system. You can confirm this by running the Get-NetTCPConnection and Get-NetUDPEndpoint commands, as shown in the following screenshot:

Using the NetTCPConnection and Get NetUDPEndpoint commands to view the TCP and UDP endpoints for RDP

Changing the RDP port

Now that you are sure that the remote desktop service on your target computer is currently using a default port, use the following command to change the RDP port number:

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" -Name PortNumber -Value 50102

Changing the RDP port using PowerShell

This command uses the Set-ItemProperty cmdlet to change the port number to an ephemeral port (50102, in our example). When you change the RDP port number using this command, both the TCP and UDP endpoints will be changed to the same port number.

You can use any port number, but it is recommended to use one between 1024 and 65535. Some people even like using a port number from the IANA suggested range (49152–65535), since it is not likely to conflict with other well-known or custom services.

Adding firewall rules for custom RDP ports

Now that the RDP port number has changed, you need to adjust the Windows Defender firewall to allow your new custom RDP port. Use the following PowerShell commands to add the rules:

New-NetFirewallRule -DisplayName "Custom RDP Port (TCP-In)" -Direction Inbound -LocalPort 50102 -Protocol TCP -Action Allow
New-NetFirewallRule -DisplayName "Custom RDP Port (UDP-In)" -Direction Inbound -LocalPort 50102 -Protocol UDP -Action Allow

These two commands add rules to allow inbound traffic on the custom RDP port number. Make sure you modify the port number to match your own.

Adding Windows Defender firewall rules for custom RDP port numbers using PowerShell

If you intend to access the remote desktop from a list of known IP addresses, you could slightly modify the above commands to permit the known IPs only like this:

$myIPs = @("1.2.3.4", "192.168.10.15-192.168.10.17", "192.168.100.0/24")
New-NetFirewallRule -DisplayName "Custom RDP Port (TCP-In)" -Direction Inbound -LocalPort 50102 -Protocol TCP -RemoteAddress $myIPs -Action Allow
New-NetFirewallRule -DisplayName "Custom RDP Port (UDP-In)" -Direction Inbound -LocalPort 50102 -Protocol UDP -RemoteAddress $myIPs -Action Allow

Remember that the remote computer will continue to use the old (default) port number until the Remote Desktop service (TermService) is restarted on the target computer. To restart the service on the target computer, use the following command:

Restart-Service TermService -Force

Restarting the remote desktop service on the target computer using PowerShell

Once the remote desktop service is restarted, the target computer will start listening on a new custom RDP port number.

Verifying the new RDP port

At this point, your remote computer is all set to use a custom port for Remote Desktop. If you run the following PowerShell command on a remote computer, it will give you the new endpoints:

Get-NetTCPConnection -LocalPort 50102; Get-NetUDPEndpoint -LocalPort 50102

Verifying the new TCP and UDP remote desktop endpoints on the target computer using PowerShell

Alternatively, you could use the Test-NetConnection cmdlet on your own computer, as shown in the following command:

Test-NetConnection -ComputerName TERMINAL -Port 50102 -InformationLevel Quiet

Using the Test NetConnection cmdlet to verify connectivity with the target computer on a new RDP port

True in the output indicates that your local computer was able to successfully connect to the remote computer on the specified port number (50102, in our example), which proves that your new custom RDP port is now active. If you repeat this command with the default RDP port number, the connection will fail and the command will return False, as shown in the screenshot.
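The steps above (read the current port, set the registry value, add scoped firewall rules, restart TermService, verify) can be wrapped in one function so that the change is checked before and after it is made. The following is an added example, not code from the original article: it uses the article's host name TERMINAL, port 50102 and client address list, while the function name Set-RdpPort, its parameter names and the pre-flight port-in-use check are assumptions of this example. It refuses to move RDP onto a port that another listener already owns, replaces any stale rule of the same name from an earlier run instead of adding a second one, and reports whether the old default port is closed after the restart.

```powershell
# Added example (not from the original article). Assumes PowerShell remoting is
# enabled on the target and the caller holds local administrator rights there.
function Set-RdpPort {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [ValidateRange(1024, 65535)] [int] $Port,
        # Known client addresses; 'Any' reproduces the article's unscoped rules.
        [string[]] $RemoteAddress = @('Any'),
        [pscredential] $Credential
    )

    $session = if ($Credential) {
        New-PSSession -ComputerName $ComputerName -Credential $Credential
    } else {
        New-PSSession -ComputerName $ComputerName
    }

    try {
        # Step 1: read the configured port and make sure nothing else listens on the new one.
        $state = Invoke-Command -Session $session -ArgumentList $Port -ScriptBlock {
            param($Port)
            $key = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
            [pscustomobject]@{
                Current  = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
                TcpInUse = [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
                UdpInUse = [bool](Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue)
            }
        }
        if ($state.Current -eq $Port) {
            Write-Warning "RDP on $ComputerName already uses port $Port; nothing to do."
            return
        }
        if ($state.TcpInUse -or $state.UdpInUse) {
            throw "Port $Port is already in use on $ComputerName; choose another port."
        }
        if (-not $PSCmdlet.ShouldProcess($ComputerName, "Change RDP port $($state.Current) -> $Port")) { return }

        # Step 2: registry value, one TCP and one UDP rule scoped to the client list, service restart.
        Invoke-Command -Session $session -ArgumentList $Port, $RemoteAddress -ScriptBlock {
            param($Port, $RemoteAddress)
            $key = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
            Set-ItemProperty -Path $key -Name PortNumber -Value $Port
            foreach ($proto in 'TCP', 'UDP') {
                $name = "Custom RDP Port ($proto-In)"
                # Drop a rule of the same name left by an earlier run so an old port is not left open.
                Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
                New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto `
                    -LocalPort $Port -RemoteAddress $RemoteAddress -Action Allow | Out-Null
            }
            # The listener stays on the old port until TermService restarts; this drops active RDP sessions.
            Restart-Service -Name TermService -Force
        }
    }
    finally {
        Remove-PSSession $session
    }

    # Step 3: verify from the admin workstation that the new port answers and the default no longer does.
    $newOpen = Test-NetConnection -ComputerName $ComputerName -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
    $oldOpen = Test-NetConnection -ComputerName $ComputerName -Port 3389 -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        ComputerName    = $ComputerName
        Port            = $Port
        NewPortOpen     = $newOpen   # expected True
        DefaultPortOpen = $oldOpen   # expected False after the restart
    }
}

# Usage with the article's values; the address list is the article's example set.
Set-RdpPort -ComputerName TERMINAL -Port 50102 `
    -RemoteAddress @('1.2.3.4', '192.168.10.15-192.168.10.17', '192.168.100.0/24') `
    -Credential (Get-Credential -UserName 'domain\admin' -Message 'Remote admin credentials')
```

Run it with -WhatIf first to see the planned change without touching the registry. Note that Test-NetConnection from your own workstation only succeeds if that workstation's address is in the $RemoteAddress list; a False for the new port from an unlisted client is the firewall scope working as intended, not a failed change.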

Using the custom Remote Desktop port

When the Remote Desktop service runs on the default port, you do not need to specify it when connecting to the target computer using the Remote Desktop Connection application. However, once you customize the port, you need to specify the port number in ComputerName:PortNumber or IPAddress:PortNumber format, as shown in the screenshot:

Specifying a custom RDP port with the Remote Desktop Connection app

Conclusion

You just learned how to change the remote desktop port number using PowerShell. As discussed earlier, a custom RDP port doesn't promise to make a Windows system fully secure, but it adds a layer of obscurity to offer protection to a certain degree. It is always a good idea to disable Remote Desktop on public-facing Windows hosts. If you really have to keep Remote Desktop enabled, it is highly recommended that you use VPN.

3 Comments

1. Job Cacka (Rank 2), 1 year ago

   After doing this attempt to run nmap against those ports. I believe the command is this.
   #nmap -p0- -v -A -T4

   It should show that the obfuscation of changing the port number is easily detected and VPN is absolutely necessary.

   - Author

     You're right. VPN is the way to go for RDP access over the internet, but port obfuscation also helps a bit to keep dumb bots in check who keep knocking on the default ports.

     - Author

       Additionally, if you access Remote Desktop from known IP addresses only, it is a good idea to modify the firewall rules to permit your custom RDP port for known IP addresses only to make it more secure.

© 4sysops 2006 - 2023