Changing the Port That Terminal Services Uses to Connect to a Server

I use Windows 2000 Server Terminal Services on my network for remote administration, but I'm worried that someone might break into one of my servers through Terminal Services. How can I change the port that Terminal Services uses to a nonstandard port number so that users can't connect through Terminal Services unless they know the secret port number?

I can explain how to change the port number, but first let me comment about security. What you're trying to do is called "security through obscurity," which is seldom effective. In this case, you might confuse casual attackers trying to connect through port 3389 or unsophisticated port scanners from discovering Terminal Services on your server, but the chance that an intruder will discover the new port number still exists. For example, some sophisticated vulnerability scanners combine port scanning and response analysis to discover known services listening to nonstandard ports. A more secure measure is to configure IP Security (IPSec) protection for Terminal Services. Using IPSec, you can configure your server to reject any connection attempts to port 3389 except those requests from computers you've configured with the correct secret key or certificate. For more information about Terminal Services security settings, see "Terminal Services, Part 4," http://www.secadministrator.com, InstantDoc ID 20288. All that being said, here's how to configure Terminal Services to connect through a different port.

On the server, open a registry editor, navigate to the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminalServerWinStationsRDP-Tcp subkey, then edit the PortNumber value. Switch to the decimal display, then enter a new port number. You must restart the server for the change to take effect. To connect to Terminal Services now, you'll need to configure the client to connect through the new port number. If your workstation is running Windows XP, open the Remote Desktop Connection shortcut and append a colon and the new port number to the end of the server's name. For example, if your server's name is jupiter and the new port number is 4123, enter

jupiter:4123

Workstations running Win2K or earlier make connections through Client Connection Manager. Select your connection, then use File, Export to export it to a file. Open the file in Notepad and change Server Port=3389 to your new port number. Save the file and import it back into Client Connection Manager.

—Randy Franklin Smith