While you should never leave Remote Desktop open to the outside world, should you choose to do so, you should at least change the port number to something other than the default 3389. This will not thwart a determined attacker from finding the open port via a port scan of the network, but it will cut down on a lot of the automated scans searching only for open connections on this port. Ideally, Remote Desktop should only be allowed on the internal network, and if you need to access it externally, you will use a VPN to first connect, and then RDP to your destination. If this is not feasible, then having an account lockout policy defined on the computer accepting the connections will help combat brute force attacks. We have a write-up on how to configure a lockout policy here: Lockout Policy Creation
On your Windows server or workstation, follow the below steps to change your RDP port to one of your choosing:
1. Open the Registry Editor by pressing the Windows + R keys and entering "regedit".
2. Once the Registry Editor is open, browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\ and find the DWORD entry "PortNumber".
3. Double-click "PortNumber", change the base to decimal, and enter a value between 1025 and 65535. Click OK and reboot the system.
Now, the only other thing you will need to do is append the new port number to the IP address or host name you enter into the Remote Desktop client when connecting to this machine, in the form host:port.
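The same change scripted in PowerShell, as an added example that is not part of the original post: it writes the PortNumber value from step 3, opens the new port in Windows Firewall (the built-in "Remote Desktop" rules only cover 3389, so without this the connection fails after the reboot), and verifies the write. It assumes an elevated session and that $NewPort is a port you have chosen yourself.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell session.
$NewPort = 33890   # constructed sample value; choose your own between 1025 and 65535

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Sanity-check the chosen port before touching the registry.
if ($NewPort -lt 1025 -or $NewPort -gt 65535) {
    throw "Port must be between 1025 and 65535"
}

# Record the current value (3389 by default) so the change is auditable.
$Current = (Get-ItemProperty -Path $KeyPath -Name PortNumber).PortNumber
Write-Host "Current RDP listening port: $Current"

# Write the new port as a REG_DWORD, the same value Regedit edits in step 3.
Set-ItemProperty -Path $KeyPath -Name PortNumber -Value $NewPort -Type DWord

# Allow the new port inbound; Domain and Private profiles only, matching the
# post's advice not to expose RDP to the outside world.
New-NetFirewallRule -DisplayName "Remote Desktop (TCP $NewPort)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -Action Allow -Profile Domain,Private | Out-Null

# Verify the registry write before rebooting (the listener picks it up on restart).
$Written = (Get-ItemProperty -Path $KeyPath -Name PortNumber).PortNumber
if ($Written -ne $NewPort) {
    throw "Registry write failed: PortNumber is $Written"
}
Write-Host "PortNumber set to $Written. Reboot, then connect with: mstsc /v:<host>:$Written"
```

Remember to remove the old 3389 firewall allowance if you want automated scans of the default port to find nothing at all.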
You can view an in-depth article on changing your RDP listening port by clicking this link.