Remote Desktop is arguably one of the most powerful features included in the Windows operating system. By extension, this also makes it one of the most dangerous to expose to the outside world. While Windows forces all users who are allowed to connect via Remote Desktop to have a password, the quality of those passwords will vary widely. Many users won’t think twice about granting the built-in Administrator account (or one bearing their first name) the ability to connect to the service. Combine this with the fact that Remote Desktop uses a well-known port number by default (3389), and you have a potentially dangerous situation. The bad guys regularly scan to check whether port 3389 is open, and if they find it is, they now have the ability to try to log on using the Remote Desktop client.
Enabling the built-in Administrator account for Remote Desktop is a mistake: the username is already known, so an attacker has half of what they need to get into your PC and only has to guess (or brute-force with automated tools) the password. A separate, dedicated account with a strong password serves the purpose far better. So too, in my opinion, does changing the port number on which Remote Desktop accepts connections.
Changing the Remote Desktop port number doesn't make the service itself any more secure; what it buys you is obscurity. Most wide-scale port scanners probe only the well-known ports, though some certainly sweep all of them, and a scanner that fingerprints the service rather than the port number will still find you. If they find the default Remote Desktop port (3389) closed, they'll generally assume that Remote Desktop isn't enabled. By moving the listener, you reduce the likelihood of malicious (or even casual) users attempting Remote Desktop connections to your system, and you cut down the log noise from password-guessing attempts. It's worth noting that this tip can also be used to change the listening port for Terminal Server connections on Windows Server systems.
As a general rule, I like to choose a higher port number that no other service on the machine uses, between 1024 and 65535; let's say 36578 for the sake of argument. If the listening port number were changed to this value, the user would need to supply it as part of the address in the Remote Desktop client. For example, to connect to a system at address 188.8.131.52, the full address 188.8.131.52:36578 would need to be entered in the client's Computer field.
But how is the listening port number changed? Unfortunately, it's via a Registry edit, so you should back up the Registry first as a precaution. The key in question is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, and the setting is the PortNumber value (a REG_DWORD) beneath it. Regedit displays the value in hexadecimal by default, so switch to decimal before typing the new number, and note that the change takes effect only after the Terminal Services service is restarted or the machine is rebooted. For more details on changing the value, see this Microsoft Knowledge Base article.
If you do change your Remote Desktop port number, don't forget that your firewall rules that allow incoming connections will need to be changed to reflect the new port number you choose. The built-in Remote Desktop exception in Windows Firewall is tied to port 3389, so you will have to add a new exception for the custom port (and should disable the old one).
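The whole procedure above (change the Registry value, open the new port in the firewall, restart the service, connect with host:port) as one script. This is an added example and not code from the original article; it assumes an elevated PowerShell session on the Remote Desktop host, Windows 8 / Server 2012 or later for the NetSecurity and NetTCPIP cmdlets, 36578 as the new port, and 203.0.113.0/24 as a placeholder for the addresses you connect from.

```powershell
# Added example: move the Remote Desktop listener to a custom port.
# Assumptions: elevated session, Windows 8/Server 2012+, port 36578,
# 203.0.113.0/24 as the placeholder source range.
#Requires -RunAsAdministrator

$NewPort = 36578
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Refuse reserved/out-of-range ports and anything already listening here.
if ($NewPort -lt 1024 -or $NewPort -gt 65535) { throw "Port $NewPort is out of range" }
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "Port $NewPort is already in use on this host"
}

# Record the current value before touching the Registry.
$OldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
"$OldPort" | Set-Content -Path "$env:ProgramData\rdp-port.bak"
Write-Host "Current RDP port $OldPort saved to rdp-port.bak"

# PortNumber is a REG_DWORD value under the RDP-Tcp key, not a key itself.
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

# The stock "Remote Desktop" firewall rules are fixed to 3389, so add a rule
# for the new port, scoped to the addresses you will actually connect from.
New-NetFirewallRule -DisplayName "Remote Desktop (custom port $NewPort)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -RemoteAddress '203.0.113.0/24' -Action Allow -Profile Any | Out-Null

# Disable the stock 3389 rules so nothing answers on the old port.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# The new port is read only when Remote Desktop Services (TermService) starts.
# -Force also restarts its dependent services; active RDP sessions are dropped.
Restart-Service -Name TermService -Force

# Verify that the listener actually moved before you log off.
if (-not (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue)) {
    throw "RDP is not listening on $NewPort; check the System event log"
}
Write-Host "RDP now listening on TCP $NewPort. Connect with: mstsc /v:<host>:$NewPort"
```

Run it from a console session or a second, non-RDP management channel: restarting TermService disconnects you if you are working over Remote Desktop, and if the Registry write succeeded but the firewall rule did not, you would otherwise be locked out.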
If you’re an administrator of a network running Active Directory, then you probably spend a great deal of your time working within the Active Directory Users and Computers MMC. While there’s no question that this and other management tools can be extended in cool ways to perform additional tasks (similar to what Alan outlined in his recent Windows Scripting article Extending the Capabilities of Active Directory Users and Computers Using VBScript), scripting isn’t the only option. In fact, you can add “remote control” capabilities to Active Directory Users and Computers by installing a simple (and free) Resource Kit utility available for download from the Microsoft web site.
The Remote Control Add-on for Active Directory Users and Computers (rControlAD.exe) is a tool that adds the ability to connect to any computer running Remote Desktop or Terminal Services directly from the popular MMC tool. Once installed on one server in your Active Directory forest, you can simply right-click on any computer object and select Remote Control. Doing so launches a Remote Desktop-style connection to that system, without the need to specify a computer name or IP address manually.
The rControlAD tool can be downloaded here. Just extract the downloaded file, and then install it. You'll be presented with a message similar to the one shown below.
Once the installation is complete, just fire up Active Directory Users and Computers, browse to a computer object, right-click, and select Remote Control. That’s all there is to it!
Whether you’re looking for an easy way to access your Windows XP Professional desktops or a way to seamlessly connect to Terminal Services on Windows servers, this tip makes it a snap.
While Windows XP Professional users can take advantage of the fact that Remote Desktop is a built-in and easily configured feature, the fact that it isn't included with other Microsoft operating systems (Windows XP Home Edition, for one) may leave you feeling a little out in the cold. Not to worry, as alternatives do exist. If you're looking for a free solution, take the time to investigate RealVNC, available at www.realvnc.org; keep in mind that the free edition does not encrypt the session, so tunnel it through SSH or a VPN rather than exposing it directly to the Internet. If you're looking for something with support attached, you may want to take a closer look at GoToMyPC (http://www.gotomypc.com/), a subscription service that allows you to get to your PC from any web browser over a secure connection.
Get home with DynDNS
One of the biggest challenges involved with trying to access your home PC from the office or while on the road is remembering your IP address. Depending upon your ISP, you may have been allocated a fixed IP address that never changes, or one that changes regularly. Obviously a changing IP address presents a problem, since you'll need to provide the correct address in order to connect to your XP system running Remote Desktop.
Thankfully there's an easy solution at hand: dynamic DNS. Dynamic DNS is a service that maps your current IP address to a free domain name like dan1999.dyndns.org, so you only need to remember that name rather than the address in use. Updates can be performed manually via the dyndns.org website, but a better bet is to download and install one of the many automatic updating tools listed on the site. Once installed, these utilities update your record on the dyndns.org servers whenever your IP address changes, and you'll always be able to connect. Best of all, this service is free, and you have 45 potential domain names to choose from; good fun! Bear in mind that a public DNS name makes your system easier to find for everyone, not just you, so it's no substitute for the strong-password and firewall advice above.
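What an automatic updater does, as an added example that is not part of the original article and not DynDNS's own client. It assumes the widely implemented "dyndns2" update protocol (an HTTP GET to https://members.dyndns.org/nic/update with HTTP Basic authentication, replying with a single word such as good or nochg), the article's example hostname dan1999.dyndns.org, and https://api.ipify.org as the service that reports your public address. Provider endpoints change, so check yours.

```powershell
# Added example: a minimal dynamic DNS updater (dyndns2 protocol, assumed).
# Assumptions: hostname dan1999.dyndns.org, api.ipify.org for the public
# address lookup, credentials supplied interactively and never written to disk.

$HostName  = 'dan1999.dyndns.org'
$StateFile = "$env:ProgramData\dyndns-last-ip.txt"
$UpdateUrl = 'https://members.dyndns.org/nic/update'    # assumed dyndns2 endpoint
$Credential = Get-Credential -Message 'Dynamic DNS account'

function Get-PublicIPv4 {
    # Ask an external service which address our NAT router presents to the Internet.
    $ip = (Invoke-RestMethod -Uri 'https://api.ipify.org' -TimeoutSec 10).Trim()
    if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "Unexpected reply from IP lookup: $ip" }
    return $ip
}

function Test-IPChanged([string]$CurrentIP, [string]$Path) {
    # Only call the update API when the address really moved; providers
    # lock out clients that resend identical updates ("abuse" replies).
    if (-not (Test-Path $Path)) { return $true }
    return ((Get-Content -Path $Path -Raw).Trim() -ne $CurrentIP)
}

function Update-DynDns([string]$Name, [string]$IP, [pscredential]$Cred) {
    # dyndns2 wants pre-emptive Basic auth plus an identifying User-Agent.
    $pair  = '{0}:{1}' -f $Cred.UserName, $Cred.GetNetworkCredential().Password
    $token = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    $resp  = Invoke-RestMethod -Uri "${UpdateUrl}?hostname=$Name&myip=$IP" `
                 -Headers @{ Authorization = "Basic $token" } `
                 -UserAgent 'rdp-tip-updater/1.0' -TimeoutSec 15
    # good = record updated, nochg = already current; anything else is an error
    # (badauth, nohost, abuse, 911) and must not be retried blindly.
    if ("$resp" -notmatch '^(good|nochg)') { throw "Update rejected: $resp" }
    return "$resp"
}

$ip = Get-PublicIPv4
if (Test-IPChanged -CurrentIP $ip -Path $StateFile) {
    Write-Host "Address changed to $ip; updating $HostName ..."
    Write-Host (Update-DynDns -Name $HostName -IP $ip -Cred $Credential)
    $ip | Set-Content -Path $StateFile
} else {
    Write-Host "Address $ip unchanged; no update sent."
}
```

Schedule it every few minutes with Task Scheduler (or run it from the DHCP renewal event) and it behaves like the vendors' updaters. The state file is what keeps the script polite: without it, every run would send an identical update and the account would eventually be flagged for abuse.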
In order for users to be able to connect to an XP Professional system using Remote Desktop, they must either be a member of the Administrators group on that system or be explicitly granted access, which adds them to the local Remote Desktop Users group. To grant non-administrative users access to Remote Desktop, open the System applet to the Remote tab and click the Select Remote Users button. From the window that opens, use the Add button to select the user accounts that should have access. It's worth noting that a user account must already have been created for the user from the Local Users and Groups node in Computer Management, so you may need to stop there first. Also keep in mind that users without a password configured for their account are never allowed to connect via Remote Desktop; that refusal comes from the security policy that limits blank-password accounts to console logon, so leave it enabled.
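The same steps done from a script, with the audit a practitioner wants afterwards: who can reach the machine over Remote Desktop, whether the built-in Administrator is among them, and whether the blank-password policy is still in force. This is an added example, not code from the original article; it assumes an elevated session on the target machine, the LocalAccounts module (Windows 10 / Server 2016 or later), and rdpuser as a placeholder account name.

```powershell
# Added example: grant a dedicated account Remote Desktop access, then audit
# every account that can connect. Assumptions: elevated session, Windows 10/
# Server 2016+ LocalAccounts cmdlets, placeholder account 'rdpuser'.
#Requires -RunAsAdministrator

$User = 'rdpuser'

# The account must already exist and must have a password; without one the
# logon is refused anyway (LimitBlankPasswordUse, checked at the bottom).
$acct = Get-LocalUser -Name $User -ErrorAction Stop
if (-not $acct.PasswordRequired) { throw "$User has no password requirement; set a password first" }

# "Select Remote Users" in the GUI does exactly this: add the account to the
# local Remote Desktop Users group.
if (-not (Get-LocalGroupMember -Group 'Remote Desktop Users' -Member $User -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $User
}

function Get-RdpAllowedAccounts {
    # Members of either group can connect, so audit both.
    foreach ($g in 'Administrators', 'Remote Desktop Users') {
        Get-LocalGroupMember -Group $g | ForEach-Object {
            $local = $null
            if ($_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User') {
                $local = Get-LocalUser -Name ($_.Name.Split('\')[-1]) -ErrorAction SilentlyContinue
            }
            [pscustomobject]@{
                Group            = $g
                Account          = $_.Name
                Type             = $_.ObjectClass
                Enabled          = if ($local) { $local.Enabled } else { $null }
                PasswordRequired = if ($local) { $local.PasswordRequired } else { $null }
                IsBuiltinAdmin   = [bool]($local -and $local.SID.Value -like '*-500')   # RID 500
            }
        }
    }
}

$allowed = Get-RdpAllowedAccounts
$allowed | Format-Table -AutoSize

# The two findings the article warns about.
$allowed | Where-Object { $_.IsBuiltinAdmin -and $_.Enabled } | ForEach-Object {
    Write-Warning "Built-in Administrator ($($_.Account)) is enabled and reachable over RDP"
}
$allowed | Where-Object { $_.PasswordRequired -eq $false } | ForEach-Object {
    Write-Warning "$($_.Account) can have a blank password"
}

# The blank-password refusal is a policy setting, not an RDP feature: keep it at 1.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
           -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue
if ($lsa.LimitBlankPasswordUse -ne 1) {
    Write-Warning 'LimitBlankPasswordUse is not 1; blank-password accounts could log on remotely'
}
```

Domain accounts and nested groups show up with PrincipalSource other than Local and get no password or RID check here; for those, do the same audit against Active Directory.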
Remote Desktop Firewall Settings
If you need to connect to a Remote Desktop system behind a firewall, the firewall will need to be configured to allow (and, on a router, forward) traffic destined for TCP port 3389. This is simple if you're using Windows Firewall: just check the Remote Desktop checkbox on the Exceptions tab, and use Change scope to limit the exception to the addresses you connect from rather than leaving it open to any computer. On a router you'll also need to supply the name or IP address of the system you'll need to connect to through the firewall, so that the forwarded traffic reaches it. For all other firewalls (including hardware models), check your documentation as to how to forward traffic received for
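The Windows Firewall side of this, with the scope restriction and a reachability check from the client, as an added example that is not code from the original article. It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets (the XP Exceptions tab has no scripting equivalent beyond netsh), the default port 3389, the article's dan1999.dyndns.org as the host name, and 203.0.113.5 plus 198.51.100.0/24 as placeholders for the addresses you connect from.

```powershell
# Added example: scope the stock Remote Desktop firewall rules to known
# source addresses, show the result, and test the port from the client.
# Assumptions: Windows 8/Server 2012+, port 3389, placeholder addresses.
#Requires -RunAsAdministrator

# --- run on the Remote Desktop host ---
$AllowedSources = @('203.0.113.5', '198.51.100.0/24')   # placeholder office/VPN ranges

# Enable the built-in rules (TCP 3389 and the UDP transport) and replace the
# default RemoteAddress of Any with the sources you actually use.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True `
    -RemoteAddress $AllowedSources -Profile Any

function Get-RdpFirewallScope {
    # One row per rule so the reviewer can see port, protocol and source scope.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Enabled  = $_.Enabled
            Protocol = $port.Protocol
            Port     = $port.LocalPort
            From     = ($addr.RemoteAddress -join ', ')
        }
    }
}
$scope = Get-RdpFirewallScope
$scope | Format-Table -AutoSize
$scope | Where-Object { $_.Enabled -eq 'True' -and $_.From -eq 'Any' } | ForEach-Object {
    Write-Warning "$($_.Rule) still accepts connections from any address"
}

# --- run on the client, after the router forward is in place ---
function Test-RdpReachable([string]$Target, [int]$Port = 3389) {
    # A completed TCP handshake proves the forward and host firewall are right;
    # RDP itself is not exercised, so a failure here is a network problem.
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    return $r.TcpTestSucceeded
}

$HostName = 'dan1999.dyndns.org'
if (Test-RdpReachable -Target $HostName) {
    Write-Host "TCP 3389 reachable on $HostName; launching the client"
    mstsc /v:"${HostName}:3389"
} else {
    Write-Warning "TCP 3389 on $HostName is not reachable; check the router forward and the rule scope"
}
```

If the client's own address is not in the allowed list (a hotel network, say), the connection fails at the firewall before any password is tried, which is the whole point of scoping the rule; come in over a VPN from one of the listed ranges instead of widening the scope.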