• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 722

Change RDP Port for a domain

I have two 64-bit Server 2008 domain controllers and all workstations are Windows XP and Windows 7. I have tried using NUTS.EXE to convert my registry key to an .ADM file to push out via group policy but it doesn't work (perhaps user error?).

Can anyone provide step by step instructions regarding the best method to change the RDP port from 3389 to a custom port with the least amount of effort?
Asked:
mkraemer11
2 Solutions
 
Randy DownsOWNERCommented:
Is there a reason you don't want to make the change on the router? You could use the non-standard port on the outside and the router can translate it internally to 3389.
0
 
mkraemer11Author Commented:
We had a recent security audit and one of our feedback items was that the default RDP port should be changed. We use RDP internally quite a lot. The main reason this was recommended is because newer strains of worms are now capable of infecting machines via RDP if the port is the default 3389.

So I do need to change it internally on all workstations and servers in order to comply with our recent audit remediation recommendations.
0
 
Randy DownsOWNERCommented:
You can change it with the registry, so maybe push the reg out to the clients. I would test it carefully in a test domain first.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23906016.html

http://support.microsoft.com/kb/225087


Converting a Registry Change into ADM Keywords
The biggest challenge may be finding a useful registry change that you want to distribute. For example, take the following change that allows you to move the printer spool folder. Remember that before you point the spool to a new folder, that folder must be created. You can then make the following change to the registry:

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows

1. Start Registry Editor (Regedt32.exe).
2. Locate the DefaultSpoolDirectory value under the following key in the registry:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers
3. On the Edit menu, click String, type X:\Pathname (for example, D:\Printing), and then click OK.
4. Quit Registry Editor.

This change to the registry must be converted into a template format so that HKEY becomes CLASS (Machine or User), Key becomes KEYNAME, and Value becomes VALUENAME (followed by NUMERIC if the type is BINARY or DWORD).

http://communities.vmware.com/thread/326936?tstart=0

If you want to change the port, it requires a quick change in the Windows registry.

(Note: Editing the registry is risky, so be sure you have a verified backup before saving any changes.)

The following hive has the specific TCP port used for RDP:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]

In this hive, the PortNumber value contains the configured port that Windows will listen for RDP connections. The default port assignment is represented as D3D in hexadecimal or 3389 in binary. For this example, I will change the port to 53389. Figure A shows this change being made on a test server.
0

 
mkraemer11Author Commented:
I will try this tomorrow and let you know the results.

0
 
Rob WilliamsCommented:
If you have a 2008 or 2008 R2 domain controller, instead of creating an adm file you can use group policy preferences. Create a new GPO linked to the OU(s) that hold the computers/servers you wish to affect. Then within the new GPO go to: computer configuration | preferences | Windows settings | right click on registry and manually create a new registry value, or use the wizard to extract the value from the current machine and it will create the policy to push out the registry change to all computers/servers in the appropriate OU.

With server 2008 the better and more secure option though would be to set up an RD gateway which requires an SSL certificate and uses port 443 externally and redirects to 3389 internally.
0
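A verification step that the thread's troubleshooting (the GPP registry preference above and the PortNumber value quoted earlier) would benefit from, added here as an example that is not Rob Williams's or the thread's own code: it reads the RDP PortNumber value from each target computer over remote WMI (StdRegProv, available on XP/7/2008 without PowerShell remoting) and flags machines still on the default. The computer names and the custom port 53389 are assumed placeholders; the caller is assumed to have local administrator rights on the targets.

```powershell
# Added example, not from the original thread. Audit which domain computers
# have actually picked up the RDP PortNumber change pushed by group policy.
param(
    [string[]]$ComputerName = @('WS01', 'WS02'),  # assumed placeholder names
    [int]$ExpectedPort = 53389                    # assumed custom port
)

$HKLM    = [uint32]2147483650   # StdRegProv constant for HKEY_LOCAL_MACHINE
$KeyPath = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

foreach ($pc in $ComputerName) {
    try {
        # Bind to the remote registry provider; works on XP/Win7/2008 (needs admin + RPC/DCOM).
        $reg = Get-WmiObject -List -Namespace 'root\default' -Class StdRegProv `
                             -ComputerName $pc -ErrorAction Stop
        $res = $reg.GetDWORDValue($HKLM, $KeyPath, 'PortNumber')
        if ($res.ReturnValue -ne 0) { throw "StdRegProv returned $($res.ReturnValue)" }

        $port = [int]$res.uValue
        $status = if ($port -eq $ExpectedPort) { 'OK' }
                  elseif ($port -eq 3389)      { 'DEFAULT (policy not applied or no reboot yet)' }
                  else                         { 'UNEXPECTED' }

        New-Object PSObject -Property @{ Computer = $pc; PortNumber = $port; Status = $status }
    } catch {
        # Unreachable host, access denied, or missing value: report rather than abort.
        New-Object PSObject -Property @{ Computer = $pc; PortNumber = $null
                                         Status = "ERROR: $($_.Exception.Message)" }
    }
}
```

A machine that reports the new value still listens on the old port until it is rebooted (or the Remote Desktop Services service is restarted), and the built-in Windows Firewall "Remote Desktop" rule only opens 3389, so a matching inbound rule for the new port needs to be deployed alongside the registry change.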
 
mkraemer11Author Commented:
Number-1: This method did not work and one of the links you sent me was irrelevant (VMware).


RobWill:  I followed your instructions and have run gpupdate /force and even restarted the workstation but the port is still the default 3389.  I confirmed the policy is applied to the correct container and the computer is assigned to the container.  Am I missing something?
0
 
Rob WilliamsCommented:
Should be straightforward.
If you run gpresult on one of the affected PCs, do you see it listed as a policy and, if so, are there any errors reported?
0
 
mkraemer11Author Commented:
The policy is listed and I don't see any errors. The only thing that doesn't look right is that it is applying the policy from my secondary domain controller rather than the primary.
0
 
Rob WilliamsCommented:
If it is the correct policy name, using the secondary DC should not be a problem.
It does require a reboot, which I appreciate you said you did.
There are some policies that require multiple logons or reboots. In other words, the policy has to be updated and then a reboot, and it may take two to do so. I can't see that being the case here, but perhaps give that a try.

Just to confirm, Small Business Server is not involved here is it?
0
 
mkraemer11Author Commented:
No SBS.  Server 2008 Enterprise and Server 2008 R2 Enterprise.
0
 
mkraemer11Author Commented:
Yes! It is working. It seems to be sort of trickling down to more machines now. Strange how gpupdate /force did not initially apply the new policy update, but all that matters is that this worked.

Thank you so much.

Best regards,

Mitch
0
 
mkraemer11Author Commented:
Although the input provided by Number-1 was not the final solution, there was some good information there and the time spent putting that together was appreciated.  I awarded 100 points to Number-1 for the effort.
0
 
Rob WilliamsCommented:
Did you run GPupdate on the server or PCs? Running on the PCs it should have taken effect right after reboot. Regardless, it should apply to all PCs automatically after about 90 minutes. They may need to be rebooted.
Glad to hear it is working.
Thanks mkraemer11.
--Rob
0
 
mkraemer11Author Commented:
I ran gpupdate /force but that didn't change anything. After about 90 minutes, like you said, machines started receiving the policy change.

Thanks again!

Mitch
0
