Remote Desktop is arguably one of the most powerful features included in the Windows operating system. By extension, this also makes it one of the most dangerous to expose to the outside world. While Windows forces all users who are allowed to connect via Remote Desktop to have a password, the quality of those passwords will vary widely. Many users won’t think twice about granting the built-in Administrator account (or one bearing their first name) the ability to connect to the service. Combine this with the fact that Remote Desktop uses a well-known port number by default (3389), and you have a potentially dangerous situation. The bad guys regularly scan to check whether port 3389 is open, and if they find it is, they now have the ability to try to log on using the Remote Desktop client.
Enabling the Administrator account for Remote Desktop is a mistake, as using it would provide outside users with half the information they need to gain access to your PC. If they can guess the password (or use automated attack tools) the password could potentially be “guessed”. A different, dedicated account with a strong password would better serve the purpose. In my opinion, however, so too would changing the port number on which Remote Desktop accepts connections.
While changing the Remote Desktop port number technically doesn’t make the service any more secure, it does offer the advantage of security by obscurity. The majority of those engaging in wide-scale port scanning usually won’t scan for every open port, though some certainly will. If they find the Remote Desktop port (3389) closed, they’ll generally assume that Remote Desktop isn’t enabled. By changing the port number on which Remote Desktop accepts connections, you reduce the liklihood of malicious (or even casual) users attempting Remote Desktop connections to your system. It’s worth noting that this tip can also be used to change the listening port for Terminal Server connections on Windows Server systems.
As a general rule, I like to choose a higher port number – let’s say 36578 for the sake of argument. If the listening port number were changed to this value, the user would need to supply it as part of the address in the Remote Desktop client. For example, to connect to a system at address 1.1.1.1, the full address 1.1.1.1:36578 would need to be provided in the client’s Computer field.
But how is the listening port number changed? Unfortunately, it’s via a Registry edit, so you should back it up first as a precaution. The key in question is found under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber. For more details on changing the value, see this Microsoft Knowledge Base article.
If you do change your Remote Desktop port number, don’t forget that your firewall rules that allow incoming connections will need to be changed to reflect the new port number you choose.
