Change Default RDP Port on Windows Server 2008/2012

Change the default RDP port 3389 via registry editor and PowerShell. 

Registry Editor

Run the registry editor C:\Windows\regedit.exe and change the following value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber (a REG_DWORD; the key name contains a space, which is why the PowerShell commands below write it as Terminal*Server)

PowerShell

Run the command below where new-port is the desired RDP port:

PS> Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Terminal*Server\WinStations\RDP-TCP\ -Name PortNumber -Value new-port

Make sure any local and/or public firewalls are configured appropriately. Restart the system.
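The port change and firewall step above as one script, added here as an example that is not part of the original post. It assumes an elevated PowerShell on Server 2012 or later (New-NetFirewallRule and Get-NetTCPConnection come with the NetSecurity module there; on 2008 the firewall rule would be added with netsh advfirewall instead). The port 33890 and the 10.1.2.0/24 management subnet are constructed sample values.

```powershell
# Added example (not from the original post): move the RDP listener to a new port,
# open that port inbound, and read the value back before restarting.
# Assumptions: elevated session, Windows Server 2012+ (NetSecurity module present).

$NewPort = 33890                       # constructed sample value
$MgmtNet = '10.1.2.0/24'               # constructed sample subnet allowed to reach RDP
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

if ($NewPort -lt 1024 -or $NewPort -gt 65535) {
    throw "Port $NewPort is outside the usable range 1024-65535"
}

# Refuse a port something else is already listening on.
$inUse = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if ($inUse) { throw "Port $NewPort is already in use by PID $($inUse.OwningProcess)" }

$OldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Write-Host "Current RDP port: $OldPort"

# PortNumber is a REG_DWORD; -Type DWord keeps it that way.
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

# Firewall: allow the new port inbound, scoped to the management subnet only.
New-NetFirewallRule -DisplayName "RDP on $NewPort" -Direction Inbound -Protocol TCP `
    -LocalPort $NewPort -RemoteAddress $MgmtNet -Action Allow -Profile Domain,Private | Out-Null

# Verify the registry change before rebooting.
$Applied = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
if ($Applied -ne $NewPort) { throw "PortNumber was not updated (still $Applied)" }
Write-Host "RDP port set to $Applied; restart the system to apply it."
```

Scoping the firewall rule to a source subnet rather than "any" is what actually limits exposure; the port change by itself only reduces noise from scanners that try 3389.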

Optional: Security Layers and Encryption Levels, NLA

There are three security layer options available for RDP:

  1. RDP Security Layer – communication between the server and the client will use native RDP encryption.
  2. Negotiable – The most secure layer that is supported by the client will be used.
  3. SSL (TLS 1.0) – SSL will be used for server authentication and for encrypting all data transferred between the server and the client.

There are four encryption level options for RDP:

  1. Low.
  2. Client Compatible (the one enabled by default) – all data sent between the client and the server is protected by encryption based on the maximum key strength supported by the client.
  3. High – all data sent between the client and the server is protected by encryption based on the server’s maximum key strength.
  4. FIPS Compliant – all data sent between the client and the server is protected by using FIPS 140-1 validated encryption methods. FIPS is US Federal Information Processing Standard, not a protocol.

Network Level Authentication (NLA) is also available for Remote Desktop Connection 6.0 and above.

To set the remote desktop security layer to the highest option, SSL (TLS), do:

PS> Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Terminal*Server\WinStations\RDP-TCP\ -Name SecurityLayer -Value 2

To change remote desktop encryption level to FIPS-Compliant, do:

PS> Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Terminal*Server\WinStations\RDP-TCP\ -Name MinEncryptionLevel -Value 4

To enable Network Level Authentication, do:

PS> Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Terminal*Server\WinStations\RDP-TCP\ -Name UserAuthentication -Value 1
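The three settings just described, read back and checked against the values the post recommends (SecurityLayer 2, MinEncryptionLevel 4, UserAuthentication 1). This is an added example, not code from the original post; the value-to-name maps are taken from the lists above, and it assumes an elevated session. Run without -Apply it only reports drift.

```powershell
# Added example (not from the original post): decode the RDP listener's security
# settings with the names used in this post and report which differ from the baseline.
# Assumption: elevated session; value names below follow the lists in the post.

$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$Names = @{
    SecurityLayer      = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiable'; 2 = 'SSL (TLS)' }
    MinEncryptionLevel = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
    UserAuthentication = @{ 0 = 'NLA off'; 1 = 'NLA on' }
}
$Baseline = @{ SecurityLayer = 2; MinEncryptionLevel = 4; UserAuthentication = 1 }

function Get-RdpListenerPosture {
    $current = Get-ItemProperty -Path $RdpKey
    foreach ($setting in $Baseline.Keys) {
        $value = [int]$current.$setting      # a missing value reads as 0
        [pscustomobject]@{
            Setting   = $setting
            Value     = $value
            Meaning   = $Names[$setting][$value]
            Compliant = ($value -eq $Baseline[$setting])
        }
    }
}

function Set-RdpListenerBaseline {
    param([switch]$Apply)
    foreach ($row in Get-RdpListenerPosture | Where-Object { -not $_.Compliant }) {
        if ($Apply) {
            Set-ItemProperty -Path $RdpKey -Name $row.Setting -Value $Baseline[$row.Setting] -Type DWord
            Write-Host ("{0}: {1} -> {2}" -f $row.Setting, $row.Value, $Baseline[$row.Setting])
        } else {
            Write-Host ("{0} is {1} ({2}); would set to {3}" -f
                $row.Setting, $row.Value, $row.Meaning, $Baseline[$row.Setting])
        }
    }
}

Get-RdpListenerPosture | Format-Table -AutoSize
Set-RdpListenerBaseline            # dry run: lists drift only
# Set-RdpListenerBaseline -Apply   # write the values; restart for them to take effect
```

Keeping the read-back separate from the write makes the same script usable as a periodic check: a listener that has drifted back to SecurityLayer 0 or NLA off shows up as Compliant = False before anyone changes anything.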

FreeRDP Client

FreeRDP is a free and open source implementation of the RDP protocol. Installation on Debian Wheezy:

# apt-get install freerdp-x11 libfreerdp1 libfreerdp-plugins-standard

Version installed:

$ xfreerdp --version
loading plugin cliprdr
This is FreeRDP version 1.0.1

Usage example (--no-rdp --no-tls --sec nla forces NLA; --ignore-certificate skips server certificate verification, so it should only be used where the server's certificate is already trusted by other means):

$ xfreerdp --plugin cliprdr -g 1400x900 -z --no-rdp --no-tls --sec nla --ignore-certificate -u sandy -d domain 10.1.2.3:3389
