Change port Remote Desktop


Hi there,

I have a client computer on which Windows 10 is installed. I have changed the RDP port from 3389 to 123456 using the procedure given below.

  1. Start the registry editor. [Type regedit in the Search box.]
  2. Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  3. Find PortNumber
  4. Click Edit > Modify, and then click Decimal.
  5. Type the new port number, and then click OK.
  6. Close the registry editor, and restart your computer.

Then I allowed 123456 in Windows Firewall via Advanced Settings > Inbound Rules > New Rule > Port > 123456 > Allow the connection > Domain, Private, Public all checked, and saved the rule.

But when I try to access the client machine through RDP I am not able to. Is there anything I am missing in the steps? Please let me know.

Edited Nov 16, 2020 at 14:34 UTC
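As an added example (not code from the thread), the same change the steps above describe, done in PowerShell: it validates the port number before writing it, scopes the firewall rule to the Domain and Private profiles only, and restarts the Remote Desktop service instead of rebooting. The port 3333 and the rule name are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the target machine.
# Same registry value as step 2 of the post; the port 3333 and the rule name are assumptions.
$RdpKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RuleName = 'RDP (custom port)'

function Set-RdpListenerPort {
    param([Parameter(Mandatory)][int]$Port)
    # TCP ports are 1-65535; staying above 1023 avoids colliding with well-known services.
    if ($Port -lt 1024 -or $Port -gt 65535) {
        throw "Port $Port is outside 1024-65535 and cannot be used as an RDP listener port."
    }
    $old = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $Port -Type DWord

    # Replace any earlier copy of our rule, then allow the new port on Domain and Private only,
    # so a machine that lands on a public network does not expose the listener.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort $Port `
        -Action Allow -Profile Domain,Private | Out-Null

    # The listener reads PortNumber when the service starts; the post reboots instead.
    Restart-Service -Name TermService -Force
    "RDP listener moved from port $old to $Port; inbound rule '$RuleName' scoped to Domain,Private."
}

Set-RdpListenerPort -Port 3333
```

From another machine the port is then appended to the host, as the accepted answer says: mstsc /v:192.168.2.40:3333.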

19 Replies

KrasiPetrov
Nov 16, 2020 at 11:58 UTC
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
restart
Cashif2106 Nov 16, 2020 at 12:02 UTC

KrasimirPetrov_ can you please explain it to me more, because I am not getting what you just wrote. I am sorry for being so dumb ...

Bappy Nov 16, 2020 at 12:21 UTC

Bapco Systems is an IT service provider.

Are you adding the new port number on the end of your Remote Desktop target, i.e. remotecomputer:3390 or whatever port you changed it to?

Best Answer
Bappy Nov 16, 2020 at 12:27 UTC

Bapco Systems is an IT service provider.

When you launch Remote Desktop are you placing the port number at the end of the computer name you are connecting to?

Computeroripaddress:3333

Cashif2106 Nov 16, 2020 at 12:27 UTC

KrasimirPetrov_ I can see one entry named fDenyTSConnections and its value is already 0. Can you please tell me what to do with that ...

Bappy Nov 16, 2020 at 12:28 UTC

Bapco Systems is an IT service provider.

You can also add the Telnet feature through Add/Remove Programs and type in telnet remotecomputer 3333 to see if it connects.

Cashif2106 Nov 16, 2020 at 12:28 UTC

Bappy, no, I did not try that. You mean I have to mention the port after the IP or name?

You mean if the computer name is RD and the IP is 192.168.2.40 then I should connect through 192.168.2.40:3333 or RD:3333? If I am right please tell me. I am accessing the computer through the Windows mstsc service.

Cashif2106 Nov 16, 2020 at 12:32 UTC

Bappy, thanks man, you made my life easy. You are a life saver ... Thanks for your concern. The settings were okay, but I didn't know I had to mention the port with the computer name; now I can access it through the changed port. Thanks, really appreciated your concern :]

KrasiPetrov
Nov 16, 2020 at 12:33 UTC

Just in case your RDP service is not enabled.

mstsc /v:192.168.2.40:3333

You need to specify the port in the RDP client.

Cashif2106 Nov 16, 2020 at 12:35 UTC

KrasimirPetrov_ yes, thanks, really appreciated your concern. The setting was okay, I was missing that port thing; now I can access it .. really thanks.

thomastheobald2
Nov 16, 2020 at 13:07 UTC

How long do you wager the inclusion of the tag "public" in that open port will take before it bites you somewhere uncomfortable?

T

Cashif2106 Nov 16, 2020 at 14:17 UTC

thomastheobald2, what do you mean by this? I didn't get your point. What exactly are you trying to say?

ZX Christopher Nov 16, 2020 at 14:31 UTC

Cashif2106 wrote:

thomastheobald2, what do you mean by this? I didn't get your point. What exactly are you trying to say?

I think he means to say that tagging a Port used for RDP as Public might lead to unwanted attention, as it were.
A lot of cracking teams will scan for ports associated with RDP, and will then try to break in.

Even changing the default RDP Port to another port might not mitigate the risk.

Cashif2106 Nov 16, 2020 at 14:37 UTC

spicehead-wm05c, thanks for your concern, man...

I haven't put this into practice yet; I was testing on a virtual machine :$ ... These changes are not live yet, but really, thanks; in future I will avoid mentioning such information ...

greggmh223
Nov 16, 2020 at 23:56 UTC

Changing the port is called "security by obscurity" and it is NOT a good method because port scans WILL FIND that open port. "Obscurity" these days lasts a few minutes at best.

As long as you ONLY use RDP on your local network, you should be OK, assuming all of your systems have the most current Windows Updates installed.

What the others above are warning about with your "Domain, Private, Public all checked" comment is about having your RDP port open inbound and having forwarding on your perimeter firewall that forwards to an internal computer. Having "Public" checked above by itself won't do any harm **IF** you do not have any port forwarding to it from the perimeter firewall. If you port forward from the Internet to a system, you are begging for a ransomware attack.

In plain English, DO NOT open any inbound port from the Internet for use with Remote Desktop Connection unless you have some kind of protection in front of it, such as a firewall that requires a login and 2FA before it even opens the port to that particular user.

Gregg

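As an added example (not Gregg's or the thread's code), a PowerShell audit for the point made above: it reads the current RDP listener port from the registry, lists every enabled inbound allow rule on the Windows Firewall that covers that port on the Public profile, and drops Public from rules that name the port explicitly. It checks only the host firewall; whether the perimeter firewall forwards the port must be checked there.

```powershell
# Added example, not from the thread. Run elevated on the Windows host being checked.
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-PublicRdpRules {
    $port = [int](Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule   = $_
        $filter = $rule | Get-NetFirewallPortFilter
        # LocalPort can be 'Any', one port, several ports, or a range such as '3000-4000'.
        $covers = @($filter.LocalPort) | Where-Object {
            $_ -eq 'Any' -or $_ -eq "$port" -or
            ($_ -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le $port -and $port -le [int]$Matches[2])
        }
        # Profile prints as e.g. 'Domain, Private, Public'; 'Any' means all three.
        $tcp    = $filter.Protocol -in 'TCP', 'Any'
        $public = "$($rule.Profile)" -match 'Public|Any'
        if ($covers -and $tcp -and $public) {
            [pscustomobject]@{
                Rule     = $rule.DisplayName
                Port     = $port
                Profile  = "$($rule.Profile)"
                Explicit = -not ($covers -contains 'Any')   # names the port rather than 'Any'
            }
        }
    }
}

$exposed = Get-PublicRdpRules
if ($exposed) {
    $exposed | Format-Table -AutoSize
    # Keep the rule for trusted networks but drop the Public profile from it; rules with
    # port 'Any' are usually program-scoped, so they are only reported, not changed.
    $exposed | Where-Object Explicit |
        ForEach-Object { Set-NetFirewallRule -DisplayName $_.Rule -Profile Domain,Private }
} else {
    'No inbound allow rule exposes the RDP listener port on the Public profile.'
}
```

From a client on the LAN, Test-NetConnection -ComputerName 192.168.2.40 -Port 3333 reports TcpTestSucceeded, which is the same check as Bappy's telnet suggestion without installing the Telnet feature.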
Cashif2106 Nov 17, 2020 at 05:44 UTC

greggmh223, I have a Cisco ASA 5520 firewall installed and traffic is going through it. As you said about requiring a login and 2FA before it, can you please tell me how I can enable it? If I am missing something then I will configure it as well, please.

thomastheobald2
Nov 17, 2020 at 09:06 UTC

That's exactly it. Malign actors scan every IP, all ports, and when they find one they try a number of protocols on them - RDP included. So leaving one open and exposed, even if it is a non-standard port, is inviting a bad actor to try a credential stuffing attack on your RDP, or a brute-force. And if there's some kind of zero-day which enables someone to get in through RDP, then you're really borked.

Best to keep RDP access closed until / unless you need it, and then manually open it [or have someone do so for you while you talk to them over the phone].

Hope this helps -

T

Cashif2106 Nov 17, 2020 at 09:28 UTC

thomastheobald2, yes, I understand that.

That means I am depending on someone to enable RDP for me whenever I need it; I can't leave it on all the time.

Thanks for your concern and your time to make me understand all this.
Really appreciated. Thanks.

greggmh223
Nov 17, 2020 at 18:49 UTC

Cashif2106 wrote:

greggmh223, I have a Cisco ASA 5520 firewall installed and traffic is going through it. As you said about requiring a login and 2FA before it, can you please tell me how I can enable it? If I am missing something then I will configure it as well, please.

I have no experience with Cisco firewalls. With WatchGuard firewalls [known as a "Firebox"], I can set them up to use an internal "Firebox-DB" user database or tie the login to Active Directory and use 2FA [I use both Duo Security and WatchGuard AuthPoint]. I prefer the latter.

On the Firebox, there is a rule to allow inbound RDP from a particular user or AD group. The RDP port is not open to the Internet until one successfully logs into the firewall.

The process is that a remote user opens a browser and goes to the authentication page of the WatchGuard firewall, for example remote.whateverdomain.com:4100, then they enter either the local Firebox credentials or their AD credentials, depending upon their internal network [if no AD internally, then they use local Firebox credentials]. Once they have logged into the Firebox [with internal Firebox credentials or with AD/2FA], that action gives them access to the inbound RDP port.

I make that port NOT 3389. For example, I could use 4489 and they would tack that onto the end of their RDP target. The Firebox translates 4489 to the 3389 internal port. That way I have two benefits: one is that I don't have to change each internal computer's listening port, and the other benefit is that I can use port 3389 in my "HackAttacks" rule on the Firebox.

That rule has commonly-attacked ports in it, and if any one of them gets hit from the Internet, the offending IP address instantly goes onto the Blocked Sites list. If one were to scan my WAN IP and hit port 21, 22, 23, 3389, and a handful of others, their IP gets blocked from all other attempts. So, if it's a scan from the lowest port to highest port, the scan would hit 21 and get blocked, never being able to scan anything higher. If they hit 3389 directly, then their IP gets blocked from all other scans, so even if another port were open, they couldn't touch it. I did that as an added measure for clients who have 25/443 open [none left now!] and to entertain myself when I get bored enough to look at firewall logs.

Once the user has authenticated, they can use RDP to get to the internal systems. In my opinion, this method is actually more secure than using a VPN and then RDP because it eliminates any chance of something malicious traversing a VPN and getting to the office LAN.

Using the above setup, there are no ports open for the world to scan. The Firebox has geolocation blocking as well, so if someone scans, they are blocked entirely unless the IP is from the USA and a few other countries, so even the authentication port 4100 is not reachable from everywhere.

Gregg



