Re: Changing port on web rdp client
From: Patrick Rouse (PatrickRouse_at_discussions.microsoft.com)
Date: Sun, 20 Feb 2005 14:05:04 -0800
Actually I was not referring to this, but just wanted to get your reasoning
for changing the port number. I know a lot of people do this, however I do
not feel the tiny bit of added security is worth making the change.
In my opinion, anyone smart enough to crack your system is smart enough to
search for non-standard ports. Port scanners will scan for whatever port
range you tell them to.
By default TS will drop connections when it detects an attempt at DOS or
hack/crack, i.e. if one system sends too many requests in a period of time, or
if someone enters the incorrect logon credentials too many times. These
events can be tracked in the security log, and you can use your firewall to
block the address/address range they originated from, if so desired.
I've been managing Terminal Servers for 5 years and have never had a
security breach related in any way to RDP or Terminal Server.
Things I would recommend are things like denying the administrator account
permissions to the RDP-Tcp connection, having a good password policy,
restricting logons for people outside of their working hours, and denying TS use for
accounts that don't use it.
If you want an excellent additional security feature, look into something
measurable like using SecurID, which is bullet-proof, i.e. you need proper
credentials + the digital token to match that account.
If changing the listening TCP port gives your IT Manager warm fuzzies, he's
free to make that decision, I'm just giving you reasons why it doesn't make
that much of a difference, and that you should at least consider other
If you have any more questions, feel free to ask. If you decide to change
the TCP port, users will need to enter in the port number after the IP or DNS
address in their Remote Desktop Client.
Lots of good info here:
> "Patrick Rouse" <PatrickRouse@discussions.microsoft.com> wrote in message
> > Check here:
> > http://support.microsoft.com/?id=187623
> > May I ask why you want to do this? It really doesn't add any measurable
> > security to your system, as anyone with a good port scanner and free time can
> > find your TS.
> Are you pointing me to the "NOTE: The Terminal Server ActiveX client listens
> on TCP port 3389 and this cannot be changed." section at the bottom? Looks
> like I can't do it then. The reason I want to do this is our network
> manager says that port scanners won't usually bother scanning high ports, so
> I was going to change it to 33890 or something. You see, if I do as he
> suggests then at least I've done my bit if/when we get hacked! :P
> Thanks for the reply
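Added example, not part of the original thread: the registry change that KB 187623 describes, done from PowerShell, followed by the matching firewall rule and a check that the new port is listening. The port 33890 is the value the poster mentioned. The NetSecurity and NetTCPIP cmdlets assume Windows 8 / Server 2012 or later; on the Windows 2000/2003 systems of the thread the registry value is the same, but the firewall and verification steps would be done by hand.

```powershell
# Added example (not from the original thread). Run from an elevated PowerShell.
# Assumptions: Windows 8 / Server 2012 or later for the firewall and TCP cmdlets;
# 33890 is the hypothetical port the poster floated, not a recommendation.

$newPort = 33890

# The listener port lives in the RDP-Tcp WinStation key as a REG_DWORD named PortNumber
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Show what is configured now (3389 on an untouched box)
$current = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Write-Host "Current RDP-Tcp listener port: $current"

# Write the new value
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $newPort -Type DWord

# The built-in "Remote Desktop" firewall rules only cover 3389, so add one for the new port
New-NetFirewallRule -DisplayName "RDP listener on TCP $newPort" `
    -Direction Inbound -Protocol TCP -LocalPort $newPort -Action Allow | Out-Null

# The listener only re-reads PortNumber when the service starts.
# NOTE: this disconnects every session on the box; do it from the console or in a maintenance window.
Restart-Service -Name TermService -Force

# Verify that the new port is actually listening before you walk away from the console
Get-NetTCPConnection -LocalPort $newPort -State Listen |
    Select-Object LocalAddress, LocalPort, State

# Clients now have to name the port after the host, as the reply says:
#   mstsc /v:yourserver:33890
```

If the verification step shows nothing listening, put PortNumber back to 3389 and restart TermService again before leaving the console, because the old port is no longer bound and you have just locked remote administrators out. Note that the 3389 firewall rules stay in place; remove or disable them once the new port is confirmed working.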
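A second added example, again not from the thread: the tracking-and-blocking step the reply describes, reading failed logons out of the Security log and adding a block rule for any source address over a threshold. Assumptions: Windows Vista / Server 2008 or later, where a failed logon is event ID 4625 (on the Windows 2000/2003 servers of 2005 it was event ID 529 with a different field layout), the NetSecurity module for the firewall rule, and a threshold of 5 failures in 24 hours, which is an arbitrary choice.

```powershell
# Added example (not from the original thread). Run elevated: reading the Security
# log and creating firewall rules both need administrator rights.
# Assumptions: event ID 4625 (Vista/2008+), NetSecurity module, arbitrary threshold.

$threshold = 5
$since     = (Get-Date).AddHours(-24)

# Pull every failed logon in the window; SilentlyContinue swallows the
# "No events were found" non-terminating error when the log is clean.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
            -ErrorAction SilentlyContinue

# The interesting fields (account, source address, logon type) are in the event's XML payload
$attempts = foreach ($evt in $failed) {
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $evt.TimeCreated
        Account   = $data['TargetUserName']
        IpAddress = $data['IpAddress']
        LogonType = $data['LogonType']   # 10 = RemoteInteractive (RDP); NLA pre-auth failures log as 3
    }
}

# Group by source address, dropping events with no usable address, and keep the repeat offenders
$offenders = $attempts |
    Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' -and $_.IpAddress -ne '127.0.0.1' } |
    Group-Object -Property IpAddress |
    Where-Object { $_.Count -ge $threshold } |
    Sort-Object -Property Count -Descending

$offenders | Select-Object Name, Count | Format-Table -AutoSize

# Block each offender inbound, skipping addresses that already have a rule
foreach ($o in $offenders) {
    $ip       = $o.Name
    $ruleName = "Block failed RDP logons from $ip"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -RemoteAddress $ip -Action Block -Profile Any | Out-Null
        Write-Host "Blocked $ip ($($o.Count) failed logons since $since)"
    }
}
```

Two caveats a practitioner would want: the Security log only contains these events if audit policy records logon failures (check with auditpol /get /category:Logon/Logoff), and blocking on raw counts will happily lock out a branch office behind one NAT address, so whitelist your own ranges before scheduling this.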