Solved

Change RDP Port for a domain

Posted on 2011-09-14
14
697 Views
Last Modified: 2013-11-21
I have two 64-bit Server 2008 domain controllers and all workstations are Windows XP and Windows 7.  I have tried using NUTS.EXE to convert my registry key to an .ADM file to push out via group policy but it doesn't work.  (perhaps user error?)

Can anyone provide step by step instructions regarding the best method  to change the RDP port from 3389 to a custom port with the least amount of effort?
Question by:mkraemer11
14 Comments
 
LVL 30

Expert Comment

by:Randy Downs
ID: 36537024
Is there a reason you don't want to make the change on the router? You could use the non standard port on the outside and the router can translate it internally to 3389
0
 

Author Comment

by:mkraemer11
ID: 36537547
We had a recent security audit and one of our feedback items was that the default RDP port should be changed.  We use RDP internally quite a lot.  The main reason this was recommended is because newer strains of worms are now capable of infecting machines via RDP if the port is the default 3389.

So I do need to change it internally on all workstations and servers in order to comply with our recent audit remediation recommendations.
0
 
LVL 30

Assisted Solution

by:Randy Downs
Randy Downs earned 100 total points
ID: 36538112
You can change it with the registry so maybe push the reg out to the clients. I would test it carefully in a test domain 1st.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23906016.html

http://support.microsoft.com/kb/225087


Converting a Registry Change into ADM Keywords
The biggest challenge may be finding a useful registry change that you want to distribute. For example, take the following change that allows you to move the printer spool folder. Remember that before you point the spool to a new folder, that folder must be created. You can then make the following change to the registry:

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows



1. Start Registry Editor (Regedt32.exe).
2. Locate the DefaultSpoolDirectory value under the following key in the registry:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers
   NOTE: The above registry key is one path; it has been wrapped for readability.
3. On the Edit menu, click String, type X:\Pathname (for example, D:\Printing), and then click OK.
4. Quit Registry Editor.

This change to the registry must be converted into a template format so that HKEY becomes CLASS (Machine or User), Key becomes KEYNAME, and Value becomes VALUENAME (followed by NUMERIC if the type is BINARY or DWORD).
http://communities.vmware.com/thread/326936?tstart=0

if you want to change the port, it requires a quick change in the Windows registry.

(Note: Editing the registry is risky, so be sure you have a verified backup before saving any changes.)

The following hive has the specific TCP port used for RDP:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]

In this hive, the PortNumber value contains the configured port that Windows will listen for RDP connections. The default port assignment is represented as D3D in hexadecimal or 3389 in binary. For this example, I will change the port to 53389. Figure A shows this change being made on a test server.
0
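As an added example (not part of this thread or the quoted KB/TechRepublic text), the same registry change applied to a single machine with PowerShell, together with the two follow-up steps the quoted article does not mention: the built-in Windows Firewall "Remote Desktop" rule only allows TCP 3389, so the new port needs its own rule, and the listener only reads PortNumber when Remote Desktop Services starts. It assumes an elevated PowerShell session on Windows 7 / Server 2008 or later; the port 53389 is the constructed value used in the quoted article.

```powershell
# Added example (not from the thread): move the local RDP listener to a
# custom port, open that port in Windows Firewall, restart the service and
# confirm the listener actually moved.
# Assumes an elevated PowerShell session on Windows 7 / Server 2008 or later.

$NewPort = 53389   # constructed value; choose any unused port above 1024
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Record the current value so the change can be reverted if needed.
$OldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Write-Host "Current RDP port: $OldPort"

# PortNumber is a REG_DWORD (3389 = 0xD3D); write the new value with the same type.
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

# The built-in "Remote Desktop" firewall rule only allows TCP 3389, so add a
# rule for the new port before restarting the service, otherwise remote
# sessions will be blocked even though the listener moved.
netsh advfirewall firewall add rule name="Remote Desktop (TCP $NewPort)" `
    dir=in action=allow protocol=TCP localport=$NewPort

# The listener reads PortNumber at service start; restart it (a reboot also works).
# -Force is needed because other services depend on TermService.
Restart-Service -Name TermService -Force

# Verify: the registry holds the new value and a socket is listening on it.
$Configured = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
$Listening  = netstat -ano | Select-String -Pattern ":$NewPort\s+.*LISTENING"
if ($Configured -eq $NewPort -and $Listening) {
    Write-Host "RDP is now listening on TCP $NewPort"
} else {
    Write-Warning "Port change not in effect yet; reboot the machine and re-check"
}
```

Run it on a test machine first while connected through a console or another management channel, since an active RDP session is dropped when TermService restarts. The same firewall rule has to be pushed to every machine that receives the port change, whichever distribution method (ADM template or Group Policy Preferences) is used.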

 

Author Comment

by:mkraemer11
ID: 36540048
I will try this tomorrow and let you know the results.

0
 
LVL 77

Accepted Solution

by:Rob Williams
Rob Williams earned 400 total points
ID: 36540212
If you have a 2008 or 2008 R2 domain controller, instead of creating an adm file you can use group policy preferences. Create a new GPO linked to the OU(s) that hold the computers/servers you wish to affect. Then within the new GPO go to:  computer configuration | preferences | Windows settings | right click on registry and manually create a new registry value, or use the wizard to extract the value from the current machine and it will create the policy to push out the registry change to all computers/servers in the appropriate OU.

With server 2008 the better and more secure option though would be to set up an RD gateway which requires an SSL certificate and uses port 443 externally and redirects to 3389 internally.
0
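Once the Group Policy Preferences registry item is linked, the question an auditor will ask is which machines have actually picked it up. The following added example (my own script, not from this thread or from Microsoft) reads the PortNumber value from each computer through the Remote Registry service and then checks whether a socket answers on that port, which separates "policy not applied yet" from "policy applied but the listener has not been restarted". It assumes the caller is a domain admin, that the Remote Registry service is running on the targets, and that $ExpectedPort matches the value configured in the GPP item; the computer names are constructed placeholders.

```powershell
# Added example (not from the thread): audit which domain computers have
# received the GPP registry change and whether RDP is listening on the new port.
# Assumes a domain admin session, Remote Registry running on the targets,
# and PowerShell 2.0 or later on the machine running the script.

$ExpectedPort = 53389                                     # value set in the GPP item
$Computers    = @('WS-XP-01', 'WS-WIN7-02', 'DC-2008-01')  # constructed placeholder names
$SubKey       = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # Plain TCP connect with a timeout; no RDP handshake is attempted.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($Computer in $Computers) {
    $PortNumber = $null
    $Listening  = $false
    try {
        # Read HKLM\...\RDP-Tcp\PortNumber over the Remote Registry service.
        $Hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $Key  = $Hive.OpenSubKey($SubKey)
        $PortNumber = [int]$Key.GetValue('PortNumber')
        $Key.Close(); $Hive.Close()
    } catch {
        New-Object PSObject -Property @{
            Computer = $Computer; PortNumber = $null; Listening = $false
            Status   = "Registry unreachable: $($_.Exception.Message)"
        }
        continue
    }

    $Listening = Test-TcpPort -ComputerName $Computer -Port $PortNumber

    if ($PortNumber -ne $ExpectedPort) {
        $Status = 'Policy not applied (still default or old value)'
    } elseif (-not $Listening) {
        $Status = 'Policy applied but listener not restarted yet'
    } else {
        $Status = 'Compliant'
    }

    New-Object PSObject -Property @{
        Computer = $Computer; PortNumber = $PortNumber; Listening = $Listening; Status = $Status
    }
}
```

Pipe the output to Format-Table or Export-Csv to produce the evidence for the audit. Machines reported as "Policy applied but listener not restarted yet" are the ones still reachable on 3389 until their next reboot, which matches the delayed roll-out described later in this thread.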
 

Author Comment

by:mkraemer11
ID: 36543308
Number-1 :  This method did not work and one of the links you sent me was irrelevant (vmWare)


RobWill:  I followed your instructions and have run gpupdate /force and even restarted the workstation but the port is still the default 3389.  I confirmed the policy is applied to the correct container and the computer is assigned to the container.  Am I missing something?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36543353
Should be straight forward.
If you run   gpresult    on one of the affected PCs do you see it listed as a policy and if so are there any errors reported?
0
 

Author Comment

by:mkraemer11
ID: 36543479
The policy is listed and I don't see any errors.  The only thing that doesn't look right is that it is applying the policy from my secondary domain controller rather than the primary.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36543545
If it is the correct policy name, using secondary DC should not be a problem.
It does require a reboot, which I appreciate you said you did.
There are some policies that require multiple logons or reboots. In other words the policy has to be updated and then a reboot and it may take two to do so. I can't see that being the case here, but perhaps give that a try.

Just to confirm, Small Business Server is not involved here is it?
0
 

Author Comment

by:mkraemer11
ID: 36543574
No SBS.  Server 2008 Enterprise and Server 2008 R2 Enterprise.
0
 

Author Comment

by:mkraemer11
ID: 36544782
Yes!  It is working.  It seems to be sort of trickling down to more machines now.  Strange how gpupdate /force did not initially apply the new policy update, but all that matters is that this worked.

Thank you so much.

Best regards,

Mitch
0
 

Author Closing Comment

by:mkraemer11
ID: 36544816
Although the input provided by Number-1 was not the final solution, there was some good information there and the time spent putting that together was appreciated.  I awarded 100 points to Number-1 for the effort.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36545102
Did you run GPupdate on the server or PCs? Running on the PCs it should have taken effect right after re-boot. Regardless it should apply to all PCs automatically after about 90 minutes. They may need to be rebooted.
Glad to hear it is working.
Thanks mkraemer11.
--Rob
0
 

Author Comment

by:mkraemer11
ID: 36545626
I ran gpupdate /force but that didn't change anything.  After about 90 minutes, like you said, machines started receiving the policy change.

Thanks again!

Mitch
0
