Change the default RDP port 3389 via registry editor and PowerShell.
Registry Editor
Run the registry editor C:\Windows\regedit.exe
and change the following value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
PowerShell
Run the command below, replacing new-port with the desired RDP port (the key path is quoted because "Terminal Server" contains a space; the value is a DWORD):
PS> Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name PortNumber -Value new-port -Type DWord
Make sure any local and/or public firewalls are configured appropriately. Restart the system.
Optional: Security Layers and Encryption Levels, NLA
There are three security layer options available for RDP:
- RDP Security Layer – communication between the server and the client uses native RDP encryption.
- Negotiable – the most secure layer supported by the client is used.
- SSL (TLS 1.0) – SSL is used for server authentication and for encrypting all data transferred between the server and the client.
There are four encryption level options for RDP:
- Low.
- Client Compatible (the one enabled by default) – all data sent between the client and the server is protected by encryption based on the maximum key strength supported by the client.
- High – all data sent between the client and the server is protected by encryption based on the server’s maximum key strength.
- FIPS Compliant – all data sent between the client and the server is protected by using FIPS 140-1 validated encryption methods. FIPS is US Federal Information Processing Standard, not a protocol.
Network Level Authentication (NLA) is also available for Remote Desktop Connection 6.0 and above.
To change the remote desktop security layer to SSL/TLS, do:
PS> Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name SecurityLayer -Value 2 -Type DWord
To change the remote desktop encryption level to FIPS Compliant, do:
PS> Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name MinEncryptionLevel -Value 4 -Type DWord
To enable Network Level Authentication, do:
PS> Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1 -Type DWord
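As an added example (not part of the original page), the following PowerShell script audits the RDP-Tcp listener against the values set above, reports which settings are non-compliant, and optionally applies them together with a firewall rule for the new port. It assumes an elevated session and the NetSecurity module (Windows 8 / Server 2012 or later) for New-NetFirewallRule; the port number itself is the operator's choice.

```powershell
# Added example: audit and harden the RDP-Tcp listener settings discussed above.
# Assumptions: elevated PowerShell, NetSecurity module available for the firewall rule.
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Target values from the page: TLS security layer, FIPS encryption level, NLA required.
$Desired = @{
    SecurityLayer      = 2
    MinEncryptionLevel = 4
    UserAuthentication = 1
}

function Get-RdpListenerState {
    # Read the current listener configuration from the registry.
    $p = Get-ItemProperty -Path $RdpTcp
    [pscustomobject]@{
        PortNumber         = $p.PortNumber
        SecurityLayer      = $p.SecurityLayer
        MinEncryptionLevel = $p.MinEncryptionLevel
        UserAuthentication = $p.UserAuthentication
    }
}

function Test-RdpHardening {
    # Emit one row per setting showing current vs. expected value and compliance.
    $state = Get-RdpListenerState
    foreach ($name in $Desired.Keys) {
        [pscustomobject]@{
            Setting   = $name
            Current   = $state.$name
            Expected  = $Desired[$name]
            Compliant = ($state.$name -eq $Desired[$name])
        }
    }
}

function Set-RdpHardening {
    # Apply the hardened values, move the listener to $NewPort and allow it inbound.
    param([Parameter(Mandatory)][ValidateRange(1, 65535)][int]$NewPort)
    foreach ($name in $Desired.Keys) {
        Set-ItemProperty -Path $RdpTcp -Name $name -Value $Desired[$name] -Type DWord
    }
    Set-ItemProperty -Path $RdpTcp -Name PortNumber -Value $NewPort -Type DWord
    New-NetFirewallRule -DisplayName "RDP (custom port $NewPort)" -Direction Inbound `
        -Protocol TCP -LocalPort $NewPort -Action Allow | Out-Null
    Write-Host "Restart the system for the new port to take effect."
}

# Audit only; call Set-RdpHardening -NewPort <port> to apply the changes.
Test-RdpHardening | Format-Table -AutoSize
```

Run the audit first so that the change to each setting is visible before and after applying it.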
FreeRDP Client
FreeRDP is a free and open source implementation of the RDP protocol. Installation on Debian Wheezy:
# apt-get install freerdp-x11 libfreerdp1 libfreerdp-plugins-standard
Version installed:
$ xfreerdp --version
loading plugin cliprdr
This is FreeRDP version 1.0.1
Usage example:
$ xfreerdp --plugin cliprdr -g 1400x900 -z --no-rdp --no-tls --sec nla --ignore-certificate -u sandy -d domain 10.1.2.3:3389