Changing Remote Desktop Port Number

Remote Desktop is arguably one of the most powerful features included in the Windows operating system. By extension, this also makes it one of the most dangerous to expose to the outside world. While Windows forces all users who are allowed to connect via Remote Desktop to have a password, the quality of those passwords will vary widely. Many users won’t think twice about granting the built-in Administrator account (or one bearing their first name) the ability to connect to the service. Combine this with the fact that Remote Desktop uses a well-known port number by default (3389), and you have a potentially dangerous situation. The bad guys regularly scan to check whether port 3389 is open, and if they find it is, they now have the ability to try to log on using the Remote Desktop client.

Enabling the Administrator account for Remote Desktop is a mistake, as doing so hands outside users half the information they need to gain access to your PC: a valid username. The password could then potentially be guessed, either by hand or with automated attack tools. A different, dedicated account with a strong password would better serve the purpose. In my opinion, however, so too would changing the port number on which Remote Desktop accepts connections.

While changing the Remote Desktop port number technically doesn’t make the service any more secure, it does offer the advantage of security by obscurity. The majority of those engaging in wide-scale port scanning usually won’t scan for every open port, though some certainly will. If they find the Remote Desktop port (3389) closed, they’ll generally assume that Remote Desktop isn’t enabled. By changing the port number on which Remote Desktop accepts connections, you reduce the likelihood of malicious (or even casual) users attempting Remote Desktop connections to your system. It’s worth noting that this tip can also be used to change the listening port for Terminal Server connections on Windows Server systems.

As a general rule, I like to choose a higher port number – let’s say 36578 for the sake of argument. If the listening port number were changed to this value, the user would need to supply it as part of the address in the Remote Desktop client. For example, to connect to a system at address 1.1.1.1, the full address 1.1.1.1:36578 would need to be provided in the client’s Computer field.

But how is the listening port number changed? Unfortunately, it’s via a Registry edit, so you should back it up first as a precaution. The key in question is HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, and the value to edit is PortNumber (a DWORD). For more details on changing the value, see this Microsoft Knowledge Base article.

If you do change your Remote Desktop port number, don’t forget that your firewall rules that allow incoming connections will need to be changed to reflect the new port number you choose.
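The port change, registry backup, firewall rule and verification described above, as an added PowerShell example (not from the original article). It assumes a Windows 8 / Server 2012 or later system for the NetSecurity and NetTCPIP cmdlets, and must be run from an elevated prompt; the port value 36578 is the article's example.

```powershell
# Added example: change the Remote Desktop listening port on the local machine,
# back up the registry key first, open the firewall for the new port, and verify
# the listener. Run as Administrator. Assumes Windows 8 / Server 2012 or later
# for New-NetFirewallRule and Get-NetTCPConnection (assumption, not from the article).

$NewPort = 36578    # the article's example value; pick your own high port
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$RegKey  = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Back up the key before touching it (restore later with: reg import <file>).
$Backup = Join-Path $env:TEMP ("RDP-Tcp-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
reg export $RegKey $Backup /y | Out-Null
Write-Host "Registry backup written to $Backup"

# 2. Record the old value and write the new one (PortNumber is a REG_DWORD).
$OldPort = (Get-ItemProperty -Path $KeyPath -Name PortNumber).PortNumber
Set-ItemProperty -Path $KeyPath -Name PortNumber -Value $NewPort -Type DWord
Write-Host "PortNumber changed from $OldPort to $NewPort"

# 3. Firewall: the built-in Remote Desktop rules are tied to 3389, so add a rule
#    for the new port. Narrow -RemoteAddress to the networks that should reach
#    you where possible; 'Any' matches the article's home-PC scenario.
New-NetFirewallRule -DisplayName "Remote Desktop (TCP $NewPort)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort -Action Allow `
    -Profile Any -RemoteAddress Any | Out-Null

# 4. The listener only moves to the new port after the service restarts.
#    This drops any active RDP sessions, so run it from the console or from a
#    session you can afford to lose.
Restart-Service -Name TermService -Force

# 5. Verify: the service should now listen on the new port and no longer on 3389.
Start-Sleep -Seconds 3
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in @($NewPort, 3389) } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# Connect afterwards with the address:port form the article describes, e.g.
#   mstsc /v:1.1.1.1:36578
```

Any router or hardware firewall in front of the PC still needs its forwarding rule updated to the new port, and the old 3389 forward should be removed.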

Add Remote Control to Active Directory Users and Computers

If you’re an administrator of a network running Active Directory, then you probably spend a great deal of your time working within the Active Directory Users and Computers MMC. While there’s no question that this and other management tools can be extended in cool ways to perform additional tasks (similar to what Alan outlined in his recent Windows Scripting article Extending the Capabilities of Active Directory Users and Computers Using VBScript), scripting isn’t the only option. In fact, you can add “remote control” capabilities to Active Directory Users and Computers by installing a simple (and free) Resource Kit utility available for download from the Microsoft web site.

The Remote Control Add-on for Active Directory Users and Computers (rControlAD.exe) is a tool that adds the ability to connect to any computer running Remote Desktop or Terminal Services directly from the popular MMC tool. Once installed on one server in your Active Directory forest, you can simply right-click on any computer object and select Remote Control. Doing so launches a Remote Desktop-style connection to that system, without the need to specify a computer name or IP address manually.

The rControlAD tool can be downloaded here. Just extract the downloaded file, and then install it. You will be presented with a message similar to the one shown below.

Once the installation is complete, just fire up Active Directory Users and Computers, browse to a computer object, right-click, and select Remote Control. That’s all there is to it!

Whether you’re looking for an easy way to access your Windows XP Professional desktops or a way to seamlessly connect to Terminal Services on Windows servers, this tip makes it a snap.

Remote Desktop Alternatives and Dynamic DNS

While Windows XP Professional users can take advantage of the fact that Remote Desktop is a built-in and easily configured feature, the fact that it isn’t included with other Microsoft operating systems may leave you feeling a little out in the cold. Not to worry, as alternatives do exist. If you’re looking for a free solution, take the time to investigate RealVNC, available at www.realvnc.org. If you’re looking for something with support attached, you may want to take a closer look at GoToMyPC (http://www.gotomypc.com/), a subscription service that allows you to get to your PC from any web browser over a secure connection.

Get home with DynDNS

One of the biggest challenges involved with trying to access your home PC from the office or while on the road is remembering your IP address. Depending upon your ISP, you may have been allocated a fixed IP address that never changes, or one that changes regularly. Obviously changing IP addresses present an issue, since you’ll need to provide the correct address in order to connect to your XP system running Remote Desktop.

Thankfully there’s an easy solution at hand – dynamic DNS. Dynamic DNS is a service that allows you to map your current IP address to a free domain name like dan1999.dyndns.org. Then, you only need to remember that name rather than the address in use. Updates can be performed manually via the dyndns.org website, but a better bet is to download and install one of the many automatic updating tools listed on the site. Once installed, these utilities will automatically update your IP address with the dyndns.org servers whenever your IP address changes, and you’ll always be able to connect. Best of all, this service is free, and you have 45 potential domain names to choose from – good fun!

Adding Remote Desktop Users and Configuring Firewall Settings

In order for users to be able to connect to an XP Professional system using Remote Desktop, they must either be a member of the Administrators group on that system, or be explicitly granted access. To grant non-administrative users access to Remote Desktop, open the System applet to the Remote tab and click the Select Remote Users button. From the window that opens, use the Add button to select the user accounts that should have access. It’s worth noting that a user account must have already been created for the user from the Local Users and Groups node in Computer Management, so you may need to stop there first. Also keep in mind that users without a password configured for their account are never allowed to connect to Remote Desktop.

Remote Desktop Firewall Settings

If you need to connect to a Remote Desktop system that sits behind a firewall, the firewall will need to be configured to forward traffic destined for TCP port 3389 (or whichever port you changed Remote Desktop to). This is simple if you’re using Windows Firewall – just check the Remote Desktop checkbox on the Exceptions tab. You’ll also need to supply the name or IP address of the system you’ll need to connect to through the firewall. For all other firewalls (including hardware models), check your documentation as to how to forward traffic received for port 3389 to the XP Professional system with Remote Desktop enabled.

Configuring Remote Desktop Client

At first glance, the Remote Desktop Connection window looks exceptionally simple, only requiring you to specify a computer to connect to. In this case, the “name” that you need to provide depends upon where you’re sitting. For example, if the client and XP Professional system with Remote Desktop enabled are located on the same network, the computer name (or local IP address) of the XP system will suffice. If you’re connecting over the Internet, then you’ll need to specify your public IP address. If your XP system is directly connected to the Internet, you can find this address with the IPCONFIG command. The tough part is that depending upon your Internet connection type, your IP address may change frequently. This obviously presents an issue (not knowing the address) when you need to connect. In these situations, your best bet is to use a free dynamic DNS solution, as outlined in the boxout at the end of this article. If implemented, you’ll be able to get at your home PC using a name like myhomepc.dyndns.org rather than have to remember or deal with changing IP addresses.

To get the most out of Remote Desktop Connection, you’ll want to customize its settings according to your preferences and needs. Clicking the Options button makes a number of additional configurable settings available to you, giving you control of everything from what username and password should be used for the connection through to optimization settings for speed and display.

When the Options button is pressed you’ll be presented with 5 tabs – General, Display, Local Resources, Programs, and Experience. The General tab allows you to configure a username and password to connect to the remote system, as well as a domain name if necessary. This user account must exist on the remote Windows XP Professional system, and the account must have permissions for Remote Desktop (more on that shortly). If you want to make future reconnections easier, use the Save As button on this tab to save your customized connection settings as a .RDP file that can be used as a shortcut later.

The Display tab looks somewhat similar to the Settings tab in the Control Panel display applet. However, its purpose in this case is to control how the remote desktop environment will be displayed on your local PC. Most users will prefer to use the right-most setting in the Remote Desktop Size section, allowing them to view things “full screen”. Smaller windows are also possible, and often preferable over slower connections. If you are dealing with a slower connection (such as dialup), then make a point of choosing the lowest possible color setting, namely 256 colors. If you choose 16- or 24-bit color more information will need to be transmitted over the connection, and performance will definitely be sluggish. Higher color settings are generally responsive enough over broadband connections, however.

The Local Resources tab allows you to control how different remote elements are presented to your local computer. For example, in the Sound section you can control whether remote sounds (like error beeps) are sent to your system running Remote Desktop Connection, and what will happen when you press a Windows key combination like Alt+Tab. As a general rule, avoid having sounds sent over the connection as this may chew limited bandwidth. As for the Keyboard section, the default setting (In full screen mode only), ensures that the remote system responds to Windows keys in full screen mode, and that the local system responds at any other window size.

The most important settings on this tab are those in the Local devices section. By checking the checkboxes for Disk drives, Printers, and Serial ports you can make these devices on your local system available to the system running Remote Desktop. That may sound confusing, but it’s actually quite simple. If you were to select Printers, for example, after connecting you would be able to open a file on your remote system and print to the printer sitting next to you. Similarly, making your system’s local disk drives available to the remote system would allow you to open a file on the remote system and save it to the disk of the system you’re working from – a very simple and effective way to transfer that forgotten file.

The Programs tab allows you to specify a program that should be started on the remote system once a connection to that system is established. This would be useful in cases where you need a certain application running on the remote PC and want to have it started automatically without any additional interaction.

Finally, the Experience tab allows you to specify your connection type and speed to optimize the performance of Remote Desktop – make sure the setting here matches your connection type for best performance. In the Allow the following section, you can control which “fancy” Windows elements will be enabled over the connection. We generally suggest unchecking all boxes here with the exception of Bitmap caching, since elements like Themes and animations will slow down performance. Bitmap caching helps to reduce the amount of information that needs to be transferred between the Remote Desktop system and the connecting client, and can noticeably improve performance.
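The five Options tabs above map onto settings stored in the .RDP file that Save As produces. The following added PowerShell function (not from the original article) writes such a file using the standard setting names mstsc.exe itself writes, with the slow-link and no-redirection choices the text recommends as defaults; the host, port and user values are constructed for illustration.

```powershell
# Added example: generate a .rdp shortcut equivalent to the Options tabs described
# in the article. Setting names are the standard ones written by mstsc.exe; the
# sample computer, port and username below are constructed, not real.

function New-RdpProfile {
    param(
        [Parameter(Mandatory)] [string] $Computer,       # name or IP, e.g. a dyndns name
        [int]    $Port = 3389,                           # non-default port from the earlier tip
        [string] $UserName = '',                         # General tab; the password is never stored here
        [string] $Domain = '',
        [switch] $FullScreen,                            # Display tab: right-most size setting
        [ValidateSet(8, 15, 16, 24, 32)] [int] $ColorDepth = 8,   # 8 = 256 colours for dialup
        [switch] $RedirectDrives,                        # Local Resources tab; off unless needed
        [switch] $RedirectPrinters,
        [string] $StartProgram = '',                     # Programs tab: run this instead of the desktop
        [string] $Path = (Join-Path $env:USERPROFILE "Desktop\$Computer.rdp")
    )
    $lines = @(
        # General tab: the address:port form the article describes
        "full address:s:${Computer}:$Port"
        "username:s:$UserName"
        "domain:s:$Domain"
        # Display tab: screen mode 2 = full screen, 1 = windowed
        "screen mode id:i:$(if ($FullScreen) { 2 } else { 1 })"
        "session bpp:i:$ColorDepth"
        # Local Resources tab: audiomode 2 = do not play remote sounds (saves bandwidth);
        # keyboardhook 1 = Windows key combinations go to the remote system in full screen only
        "audiomode:i:2"
        "keyboardhook:i:1"
        "redirectdrives:i:$([int]$RedirectDrives.IsPresent)"
        "redirectprinters:i:$([int]$RedirectPrinters.IsPresent)"
        "redirectcomports:i:0"
        # Programs tab
        "alternate shell:s:$StartProgram"
        # Experience tab: drop themes, wallpaper and animations, keep bitmap caching
        "disable wallpaper:i:1"
        "disable themes:i:1"
        "disable menu anims:i:1"
        "disable full window drag:i:1"
        "bitmapcachepersistenable:i:1"
    )
    # mstsc writes its own .rdp files as UTF-16, so match that
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $Path
}

# Usage: a 256-colour, full-screen profile to a home PC on the changed port,
# with no drive or printer redirection.
$rdp = New-RdpProfile -Computer 'myhomepc.dyndns.org' -Port 36578 -UserName 'rdpuser' -FullScreen
Write-Host "Wrote $rdp; open it with: mstsc `"$rdp`""
```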

Remote Desktop Client Software

The client software used to connect to an XP Professional system with Remote Desktop enabled is called Remote Desktop Connection, and is installed by default on both Windows XP Home and Professional systems. The software can be started from the Run command by specifying its executable name (mstsc.exe), or from the shortcut found under Start > All Programs > Accessories > Communications. The Remote Desktop Connection window that will open is shown here.

If you’re running a client operating system other than XP Home or Professional and need to connect to an XP system running Remote Desktop, all is not lost. Remote Desktop Connection software can be downloaded from Microsoft for free, and runs on everything from Windows 95 through to Windows 2000. Obtain the latest version online at http://www.microsoft.com/windowsxp/pro/downloads/rdclientdl.asp.

Allowing Remote Desktop Connections

The best thing about the Remote Desktop feature is how easy it is to enable. Disabled by default, simply open the System applet in Control Panel to the Remote tab. In the lower portion of this tab you’ll see a checkbox marked Allow users to remotely connect to this computer. Simply check that box, click OK, and Remote Desktop is enabled. If you’re running Windows XP Home, you won’t find this checkbox because Remote Desktop isn’t included with this OS version. If you’re looking for a Remote Desktop-type solution for XP Home (or 95/98/Me/2000 systems), alternative software is discussed later in the article.

Once Remote Desktop has been enabled, only members of the system’s local Administrators group will have the ability to connect to the system remotely by default. All other users will be denied access if they attempt to connect, and users without passwords are always denied access for security reasons. To add users to the Administrators local group, use the Local Users and Groups section of the Computer Management MMC, accessed by right-clicking on My Computer and selecting the Manage option.

Using Remote Desktop with Windows XP Professional

Users today commonly complete work on both a home and office PC, shuttling files back and forth using email, disks, and online storage services. Unfortunately, gaining access to your home PC from work (or vice versa) has typically not been an easy proposition. While some users have VPN software set up to simplify connections between a home and office network, most users who’ve forgotten important files take the road more traveled – a trip back to wherever those critical files currently reside. However, if you’re running Windows XP Professional, another potential solution exists in the form of Remote Desktop, a feature that allows you to connect to your desktop remotely as if sitting in front of it. A few simple clicks sure beats turning the car around – read on and learn how to get this useful setup sorted!

Why Remote Desktop?

First and foremost, it’s important to understand what Remote Desktop is all about, since it’s easy to get confused with the various remote access technologies out there today. In simple terms, Remote Desktop does exactly what its name suggests, providing access to your XP desktop from another system via a local network or Internet connection. Once you connect to an XP system with Remote Desktop enabled, you can interact with that desktop precisely as if you were sitting in front of it. That means you could open your home email client and send yourself a file at work, run programs on your home PC, and so on. Some people use Remote Desktop as a way to administer or “play around” with their home system from any location, while others keep it running just in case they happen to forget a critical file. Many office environments enable Remote Desktop on all XP Professional systems to allow workers to gain access to their desktops after hours from home in case it’s necessary.

What actually happens over a Remote Desktop connection is that local commands and actions (like typing or mouse clicks) are sent to the remote system as instructions. The remote system “responds” by sending back images of its screen in reply to these instructions. So, clicking on the remote system’s Start menu using your local mouse ends up being interpreted as clicking the Start button from a mouse connected to the remote system. The remote system opens the Start menu, and sends back regularly refreshed images of the remote screen.

Managing Windows Servers with Terminal Services

Administering multiple Windows 2000 Servers in a multi-site environment can sometimes become a tedious task to say the least. Picture this scenario: your company has four offices, two within a kilometer of each other, another approximately 100 km away, and the fourth in a totally different country. You are responsible for all the Win2K servers in each office. How much travel time do you have to account for in your daily administrative workload, just to perform minor updates, troubleshooting, or configuration of these servers? Fortunately, Microsoft has bundled a very useful component into the Win2K OS called Terminal Services, which can be used to remotely administer Windows 2000 Servers on your network. The Microsoft Terminal Services Client software used to make connections to Terminal Servers communicates over a TCP/IP network connection using the Microsoft Remote Desktop Protocol (RDP). When configured in Remote Administration Mode, Terminal Services provides a free and powerful tool that can save you time and your company money, by allowing you to remotely administer your servers right from your desk, using a variety of client connection options.

Terminal Services can be installed in one of two modes: Remote Administration mode or Application Server mode. Remote Admin mode provides you with up to two connections, and does not require any additional licensing or cost. By default, users in the Administrators group will have permission to make a connection to a server configured for Remote Admin. Application Server mode provides connections based on purchased client licenses and is used in a thin client, server-based computing environment. To install Terminal Services on your server, select the Add/Remove Windows Components icon located in Add/Remove Programs in Control Panel.

Terminal Services

Windows 2000 Server includes terminal services for the purpose of remote administration of servers as well as the ability to provide centralized access to software and the Windows 2000 desktop. Not installed by default, terminal services provides an environment that is often referred to as ‘thin client’. In this environment (also provided by third-party products such as Citrix Metaframe), only screen images, keyboard strokes, and mouse movements are passed between the server and the client. All processing actually takes place on the server, which greatly reduces the computing requirements on the client side. As such, even an Intel 386 running Windows 3.11 can provide users with access to the Windows 2000 environment and associated applications. Terminal services uses the Remote Desktop Protocol (RDP) to pass data between the terminal services client and server.

Terminal services is installed via the Windows Components Wizard. After choosing to install terminal services, you will be prompted to choose between the two possible install modes.

Remote administration mode allows 2 simultaneous terminal services connections for the purpose of remote administration and requires no additional licensing. Application server mode is provided for the purpose of allowing regular users to run applications in Windows 2000. In this mode, a terminal services licensing server must also exist (a 90-day grace period is provided), since every terminal client connection will require a terminal services CAL. Note that Windows 2000 Professional systems do not require an additional CAL to access the terminal server, but other operating systems do.