Solved

Change RDP Port for a domain

Posted on 2011-09-14
689 Views
Last Modified: 2013-11-21
I have two 64-bit Server 2008 domain controllers and all workstations are Windows XP and Windows 7.  I have tried using NUTS.EXE to convert my registry key to a .ADM file to push out via group policy but it doesn't work.  (perhaps user error?)

Can anyone provide step by step instructions regarding the best method  to change the RDP port from 3389 to a custom port with the least amount of effort?
Question by:mkraemer11
14 Comments
 
LVL 29

Expert Comment

by:Randy Downs
ID: 36537024
Is there a reason you don't want to make the change on the router? You could use the non standard port on the outside and the router can translate it internally to 3389
 

Author Comment

by:mkraemer11
ID: 36537547
We had a recent security audit and one of our feedback items was that the default RDP port should be changed.  We use RDP internally quite a lot.  The main reason this was recommended is because newer strains of worms are now capable of infecting machines via RDP if the port is the default 3389.

So I do need to change it internally on all workstations and servers in order to comply with our recent audit remediation recommendations.
 
LVL 29

Assisted Solution

by:Randy Downs
Randy Downs earned 100 total points
ID: 36538112
You can change it with the registry, so maybe push the reg out to the clients. I would test it carefully in a test domain first.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23906016.html

http://support.microsoft.com/kb/225087


Converting a Registry Change into ADM Keywords
The biggest challenge may be finding a useful registry change that you want to distribute. For example, take the following change that allows you to move the printer spool folder. Remember that before you point the spool to a new folder, that folder must be created. You can then make the following change to the registry:

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows



1. Start Registry Editor (Regedt32.exe).
2. Locate the DefaultSpoolDirectory value under the following key in the registry:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers
   NOTE: The above registry key is one path; it has been wrapped for readability.
3. On the Edit menu, click String, type X:\Pathname (for example, D:\Printing), and then click OK.
4. Quit Registry Editor.
This change to the registry must be converted into a template format so that HKEY becomes CLASS (Machine or User), Key becomes KEYNAME, and Value becomes VALUENAME (followed by NUMERIC if the type is BINARY or DWORD).
http://communities.vmware.com/thread/326936?tstart=0

If you want to change the port, it requires a quick change in the Windows registry.

(Note: Editing the registry is risky, so be sure you have a verified backup before saving any changes.)

The following hive has the specific TCP port used for RDP:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]

In this hive, the PortNumber value contains the configured port that Windows will listen for RDP connections. The default port assignment is represented as D3D in hexadecimal or 3389 in binary. For this example, I will change the port to 53389. Figure A shows this change being made on a test server.
 

Author Comment

by:mkraemer11
ID: 36540048
I will try this tomorrow and let you know the results.

 
LVL 77

Accepted Solution

by:Rob Williams
Rob Williams earned 400 total points
ID: 36540212
If you have a 2008 or 2008 R2 domain controller, instead of creating an adm file you can use group policy preferences. Create a new GPO linked to the OU(s) that hold the computers/servers you wish to affect. Then within the new GPO go to:  computer configuration | preferences | Windows settings | right click on registry and manually create a new registry value, or use the wizard to extract the value from the current machine and it will create the policy to push out the registry change to all computers/servers in the appropriate OU.

With server 2008 the better and more secure option though would be to set up an RD gateway which requires an SSL certificate and uses port 443 externally and redirects to 3389 internally.
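An added example, not from the thread or any of its participants: the PortNumber change described above done locally in PowerShell on a single test machine (the "test carefully first" step) before the same value is pushed by a GPO registry preference. It assumes an elevated prompt on Windows 7 / Server 2008 R2 or later, and 53389 stands in for whatever custom port you choose.

```powershell
# Added example (not the thread's own code): change the RDP listener port on
# one test host via the same registry value the thread names, open the
# firewall for it, then verify. Assumes an elevated PowerShell session.
param([int]$NewPort = 53389)   # placeholder; 53389 is the value quoted above

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Record the current value so the change can be rolled back if needed.
$old = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
Write-Host "Current RDP PortNumber: $old"

# 2. Write the new port as a REG_DWORD (the type the RDP-Tcp key uses; a GPO
#    registry preference must use DWORD here as well).
Set-ItemProperty -Path $key -Name PortNumber -Value $NewPort -Type DWord

# 3. The built-in "Remote Desktop" firewall rule only allows TCP 3389, so the
#    new port needs its own inbound rule or clients will be refused.
netsh advfirewall firewall add rule name="Remote Desktop (custom port $NewPort)" `
    dir=in action=allow protocol=TCP localport=$NewPort

# 4. The listener reads PortNumber only at service start: restart Remote
#    Desktop Services (this drops active RDP sessions) or reboot, as the
#    thread found was necessary.
Restart-Service TermService -Force

# 5. Verify: read the value back and confirm a listener is bound to the port.
$now = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
$listening = netstat -an | Select-String ":$NewPort\s+.*LISTENING"
if ($now -eq $NewPort -and $listening) {
    "OK: RDP now listens on TCP $NewPort"
} else {
    "Check failed: PortNumber=$now, listener found=$([bool]$listening)"
}
```

Once this works on the test host, the same key, value name, DWORD type and port go into the GPO registry preference, and gpresult on a client (as suggested later in the thread) shows whether the policy applied.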
 

Author Comment

by:mkraemer11
ID: 36543308
Number-1:  This method did not work and one of the links you sent me was irrelevant (vmWare)


RobWill:  I followed your instructions and have run gpupdate /force and even restarted the workstation but the port is still the default 3389.  I confirmed the policy is applied to the correct container and the computer is assigned to the container.  Am I missing something?
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36543353
Should be straight forward.
If you run   gpresult    on one of the affected PCs do you see it listed as a policy and if so are there any errors reported?
 

Author Comment

by:mkraemer11
ID: 36543479
The policy is listed and I don't see any errors.  The only thing that doesn't look right is that it is applying the policy from my secondary domain controller rather than the primary.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36543545
If it is the correct policy name, using secondary DC should not be a problem.
It does require a reboot, which I appreciate you said you did.
There are some policies that require multiple logons or reboots. In other words the policy has to be updated and then a reboot and it may take two to do so. I can't see that being the case here, but perhaps give that a try.

Just to confirm, Small Business Server is not involved here is it?
 

Author Comment

by:mkraemer11
ID: 36543574
No SBS.  Server 2008 Enterprise and Server 2008 R2 Enterprise.
 

Author Comment

by:mkraemer11
ID: 36544782
Yes!  It is working.  It seems to be sort of trickling down to more machines now.  Strange how gpupdate /force did not initially apply the new policy update, but all that matters is that this worked.

Thank you so much.

Best regards,

Mitch
 

Author Closing Comment

by:mkraemer11
ID: 36544816
Although the input provided by Number-1 was not the final solution, there was some good information there and the time spent putting that together was appreciated.  I awarded 100 points to Number-1 for the effort.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36545102
Did you run GPupdate on the server or PCs? Running on the PCs it should have taken effect right after re-boot. Regardless it should apply to all PCs automatically after about 90 minutes. They may need to be rebooted.
Glad to hear it is working.
Thanks mkraemer11.
--Rob
 

Author Comment

by:mkraemer11
ID: 36545626
Ran gpupdate /force but that didn't change anything.  After about 90 minutes, like you said, machines started receiving the policy change.

Thanks again!

Mitch