Solved

Change RDP Port for a domain

Posted on 2011-09-14
685 Views
Last Modified: 2013-11-21
I have two 64-bit Server 2008 domain controllers and all workstations are Windows XP and Windows 7. I have tried using NUTS.EXE to convert my registry key to an .ADM file to push out via group policy but it doesn't work. (perhaps user error?)

Can anyone provide step by step instructions regarding the best method to change the RDP port from 3389 to a custom port with the least amount of effort?
Question by:mkraemer11
14 Comments
 
LVL 29

Expert Comment

by:Randy Downs
ID: 36537024
Is there a reason you don't want to make the change on the router? You could use the non standard port on the outside and the router can translate it internally to 3389
 

Author Comment

by:mkraemer11
ID: 36537547
We had a recent security audit and one of our feedback items was that the default RDP port should be changed. We use RDP internally quite a lot. The main reason this was recommended is because newer strains of worms are now capable of infecting machines via RDP if the port is the default 3389.

So I do need to change it internally on all workstations and servers in order to comply with our recent audit remediation recommendations.
 
LVL 29

Assisted Solution

by:Randy Downs
Randy Downs earned 100 total points
ID: 36538112
You can change it with the registry, so maybe push the reg out to the clients. I would test it carefully in a test domain first.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23906016.html

http://support.microsoft.com/kb/225087


Converting a Registry Change into ADM Keywords
The biggest challenge may be finding a useful registry change that you want to distribute. For example, take the following change that allows you to move the printer spool folder. Remember that before you point the spool to a new folder, that folder must be created. You can then make the following change to the registry:

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows



1. Start Registry Editor (Regedt32.exe).
2. Locate the DefaultSpoolDirectory value under the following key in the registry:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers
3. On the Edit menu, click String, type X:\Pathname (for example, D:\Printing), and then click OK.
4. Quit Registry Editor.
This change to the registry must be converted into a template format so that HKEY becomes CLASS (Machine or User), Key becomes KEYNAME, and Value becomes VALUENAME (followed by NUMERIC if the type is BINARY or DWORD).
http://communities.vmware.com/thread/326936?tstart=0

If you want to change the port, it requires a quick change in the Windows registry.

(Note: Editing the registry is risky, so be sure you have a verified backup before saving any changes.)

The following hive has the specific TCP port used for RDP:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]

In this hive, the PortNumber value contains the configured port that Windows will listen on for RDP connections. The default port assignment is represented as D3D in hexadecimal or 3389 in binary. For this example, I will change the port to 53389. Figure A shows this change being made on a test server.
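The registry edit quoted above is only half of the change on a single machine: the listener does not re-read PortNumber until the Terminal Services service restarts, and the built-in firewall rule only allows 3389. The script below is an added example (not from the thread or any of the linked articles) that performs the local change end to end on Windows Server 2008 / Windows 7 or later from an elevated PowerShell prompt. The port 53389 is the example value from the quoted post; the firewall rule name is my own.

```powershell
# Added example (not from the thread): change the local RDP listener port,
# open the matching firewall rule, restart the listener and verify it moved.
# Assumes an elevated PowerShell prompt on Windows Server 2008 / Windows 7 or later.
param(
    [int]$NewPort = 53389    # example value, matching the quoted post
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Refuse ports outside the usable range or ones that already have a listener.
if ($NewPort -lt 1024 -or $NewPort -gt 65535) {
    throw "Port $NewPort is outside the 1024-65535 range"
}
if (netstat -ano -p tcp | Select-String ":$NewPort\s+.*LISTENING") {
    throw "TCP port $NewPort is already listening on this host"
}

# Record the current value so the change can be reverted if needed.
$current = (Get-ItemProperty -Path $KeyPath -Name PortNumber).PortNumber
Write-Host ("Current RDP port: {0} (0x{0:X})" -f $current)

# PortNumber is a REG_DWORD; write it as one so the listener parses it correctly.
Set-ItemProperty -Path $KeyPath -Name PortNumber -Value $NewPort -Type DWord

# The built-in "Remote Desktop (TCP-In)" rule on 2008/7 is tied to 3389, so add
# a rule for the new port (rule name is an assumption, pick your own convention).
netsh advfirewall firewall add rule name="RDP custom port $NewPort" `
    dir=in action=allow protocol=TCP localport=$NewPort profile=domain,private | Out-Null

# The listener only picks up PortNumber when the service restarts. This drops
# active RDP sessions, so run it from the console or a scheduled task, not over RDP.
Restart-Service -Name TermService -Force

# Confirm the new listener exists before removing the old port from any firewall.
if (netstat -ano -p tcp | Select-String ":$NewPort\s+.*LISTENING") {
    Write-Host "RDP is now listening on TCP $NewPort"
} else {
    Write-Warning "No listener on TCP $NewPort yet; check the TermService state or reboot"
}
```

Clients then connect as `mstsc /v:hostname:53389`. Leave the 3389 firewall rule in place until every machine has been verified, otherwise a host whose service did not restart becomes unreachable.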
 

Author Comment

by:mkraemer11
ID: 36540048
I will try this tomorrow and let you know the results.

 
LVL 77

Accepted Solution

by:Rob Williams
Rob Williams earned 400 total points
ID: 36540212
If you have a 2008 or 2008 R2 domain controller, instead of creating an adm file you can use group policy preferences. Create a new GPO linked to the OU(s) that hold the computers/servers you wish to affect. Then within the new GPO go to: computer configuration | preferences | Windows settings | right click on registry and manually create a new registry value, or use the wizard to extract the value from the current machine, and it will create the policy to push out the registry change to all computers/servers in the appropriate OU.

With server 2008 the better and more secure option though would be to set up an RD gateway which requires an SSL certificate and uses port 443 externally and redirects to 3389 internally.
 

Author Comment

by:mkraemer11
ID: 36543308
Number-1: This method did not work and one of the links you sent me was irrelevant (vmWare)


RobWill: I followed your instructions and have run gpupdate /force and even restarted the workstation but the port is still the default 3389. I confirmed the policy is applied to the correct container and the computer is assigned to the container. Am I missing something?
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36543353
Should be straightforward.
If you run gpresult on one of the affected PCs, do you see it listed as a policy and if so are there any errors reported?
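gpresult tells you whether the GPO was applied; it does not tell you whether the listener actually moved, and the rest of this thread shows the two can disagree for a while. The script below is an added example (not from the thread) that audits the result from the admin workstation: it reads PortNumber from each target over Remote Registry and then checks which port actually answers, so machines that received the policy but have not restarted the service yet show up separately from machines that never got it. The computer names are constructed placeholders; in practice feed the list from Get-ADComputer or a text file. It assumes domain admin rights and that the Remote Registry service is running on the targets.

```powershell
# Added example (not from the thread): fleet audit of the RDP PortNumber change.
# Assumes domain admin rights, Remote Registry running on targets, and that
# $ExpectedPort matches the value configured in the GPO (53389 is an example).
$ExpectedPort = 53389
$Targets = @('WS-EXAMPLE-01', 'WS-EXAMPLE-02', 'SRV-EXAMPLE-01')   # constructed names
$SubKey  = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RemoteRdpPort {
    param([string]$Computer)
    # Read PortNumber over Remote Registry; $null means host or key unreachable.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        $key = $hklm.OpenSubKey($SubKey)
        if ($key -eq $null) { $hklm.Close(); return $null }
        $port = [int]$key.GetValue('PortNumber')
        $key.Close(); $hklm.Close()
        return $port
    } catch {
        return $null
    }
}

function Test-TcpListener {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    # Plain TCP connect with a timeout; no RDP handshake is performed.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$report = foreach ($c in $Targets) {
    $port = Get-RemoteRdpPort -Computer $c
    $onNew = $false; $onOld = $false
    if ($port -ne $null) {
        $onNew = Test-TcpListener -Computer $c -Port $ExpectedPort
        $onOld = Test-TcpListener -Computer $c -Port 3389
    }
    New-Object PSObject -Property @{
        Computer     = $c
        RegistryPort = $port
        Compliant    = ($port -eq $ExpectedPort)
        ListeningNew = $onNew
        ListeningOld = $onOld
    }
}

$report | Sort-Object Compliant |
    Format-Table Computer, RegistryPort, Compliant, ListeningNew, ListeningOld -AutoSize

# Registry already updated but still answering on 3389 = policy applied, service
# not yet restarted (reboot pending). RegistryPort $null = could not be read
# (offline, SMB blocked, or Remote Registry service stopped).
$compliant = @($report | Where-Object { $_.Compliant })
$pending   = @($report | Where-Object { $_.Compliant -and $_.ListeningOld })
$unread    = @($report | Where-Object { $_.RegistryPort -eq $null })
"{0} compliant, {1} reboot pending, {2} unreadable" -f $compliant.Count, $pending.Count, $unread.Count
```

Run it again after the background refresh window has passed; a host that stays at 3389 in the registry has a policy problem (scope, filtering, or the GPP client-side extension), whereas a host with the new registry value that still answers on 3389 just needs the service restarted.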

 

Author Comment

by:mkraemer11
ID: 36543479
The policy is listed and I don't see any errors. The only thing that doesn't look right is that it is applying the policy from my secondary domain controller rather than the primary.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36543545
If it is the correct policy name, using the secondary DC should not be a problem.
It does require a reboot, which I appreciate you said you did.
There are some policies that require multiple logons or reboots. In other words the policy has to be updated and then a reboot, and it may take two to do so. I can't see that being the case here, but perhaps give that a try.

Just to confirm, Small Business Server is not involved here is it?
 

Author Comment

by:mkraemer11
ID: 36543574
No SBS.  Server 2008 Enterprise and Server 2008 R2 Enterprise.
 

Author Comment

by:mkraemer11
ID: 36544782
Yes! It is working. It seems to be sort of trickling down to more machines now. Strange how gpupdate /force did not initially apply the new policy update, but all that matters is that this worked.

Thank you so much.

Best regards,

Mitch
 

Author Closing Comment

by:mkraemer11
ID: 36544816
Although the input provided by Number-1 was not the final solution, there was some good information there and the time spent putting that together was appreciated. I awarded 100 points to Number-1 for the effort.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36545102
Did you run GPupdate on the server or PCs? Running on the PCs it should have taken effect right after reboot. Regardless it should apply to all PCs automatically after about 90 minutes. They may need to be rebooted.
Glad to hear it is working.
Thanks mkraemer11.
--Rob
 

Author Comment

by:mkraemer11
ID: 36545626
I ran gpupdate /force but that didn't change anything. After about 90 minutes, like you said, machines started receiving the policy change.

Thanks again!

Mitch