Sign up for our newsletter.

I agree to this site's Privacy Policy.

Weekly quickTIP

Hacking RDP

Need quick access to your files remotely? Herewith, an alternative to buying something.

As a consultant and a writer I spend a lot of time working outside the office. Unfortunately, it's within that office where a lot of my files are located. Out on the road, it can be a pain in the neck to set up a VPN connection just to grab a file or check mail.

Typical VPN connections often don't provide remote control access to the desktop. There are tools available like VNC or Citrix's GoToMyPC that can enable that access. But, VNC can have a choppy frame rate and GoToMyPC has a monthly fee.

So I thought, "What about Terminal Services?"

Opening TCP port 3389 from the Internet to my computer would probably be a bad idea (we'll actually talk about why that's a bad idea in this column next time). But the network security guy in me had a sneaking suspicion that people aren't necessarily looking for RDP connections on other ports.

So, I hacked RDP. Specifically, I hacked it to change the port it listens in on to a different port. Then, I enabled connectivity to that port through the firewall. In many cases, the corporate networks I'm working on away from the office are watching traffic on ports 80 and 443. So, I changed the RDP port to 444. Now, I can connect via Terminal Services to my office computer by starting the Remote Desktop Client and typing in

Tech Help—Just An
E-Mail Away

Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to the editors at; the best questions get answered in this column and garner the questioner with a nifty Redmond T-shirt.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)

If you'd like to change your RDP port, navigate to HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp and change the DWORD value for PortNumber to the hex number for 444 (or any other TCP port value).

About the Author

Greg Shields is a senior partner and principal technologist with Concentrated Technology. He also serves as a contributing editor and columnist for TechNet Magazine and Redmond magazine, and is a highly sought-after and top-ranked speaker for live and recorded events. Greg can be found at numerous IT conferences such as TechEd, MMS and VMworld, among others, and has served as conference chair for 1105 Media’s TechMentor Conference since 2005. Greg has been a multiple recipient of both the Microsoft Most Valuable Professional and VMware vExpert award.

comments powered by Disqus

Reader Comments:

Wed, Jan 7, 2009 Anonymous Anonymous

The whole "security through obscurity" mantra chanted by many ... and it seems like they're always an anti-MS camp ... is pretty ridiculous. If you think about it, ALL security efforts are one form or another of obscurity. A password is simply an obscure element of a credential set. Encryption is a form of obscuring all the data. Granted, some forms are more effective than others but for gosh sake ... pick another mantra. No wait, look up synonyms for obscure first (notice that one is 'cryptic' as in crypto) and THEN pick another mantra.

Wed, Dec 5, 2007 Anonymous Anonymous

good idea to set a different port atleast a little more secure

Tue, Aug 21, 2007 Tim Chesapeake, VA

Aren't all securty policies based on a risk vs. cost? (cost can be $, ease of setup, use, etc) You can always do more. You want fries with that? How about super sizing it?

Tue, Aug 21, 2007 Tim Chesapeak, VA

No one has identifed any real vulnerabilities with the latest RDP other than an open port and man-in-the-middle attacks. No matter what port it is, an open port is an open port for a hacker to find. Easy to do. I'm not too worried about the man-in-the-middle if I'm using strong encryption. However, I have seen at least two brute force attempts on my RDP runnng on the standard port. (SBS 2003) Both came from Russia. I've renamed the admin account and I maintain strong passwords.

Mon, Aug 20, 2007 Anonymous Anonymous

What's RDP?

Tue, May 29, 2007 RaT Anonymous

That won't work, tools like nmap would simply get over your "Hacking"
Here's what I would do:

Set up a VPN with openvpn (Windows version). Create certificates with the easy-rsa scripts provided. That should take you no more than 10 minutes. Then you can even access your SMB shares, RDP or whatever from home.

I think that could be the easy quite-secure way.

Tue, Apr 17, 2007 David McGaughey Anonymous

I redirect RDP thru ssh. That way it has an open encryption applied, pre-shared, encrypted authentication keys, and ssh protocol protection. And I do that with free software. . .

Tue, Apr 17, 2007 Taha Toronto

This is not hacking its legitimate way to change RDP. Port.
Microsoft gave the option to change port on any services you want using the system registry hive. Except RPC and few others
Anyways it’s a good method for servers that is exposing to the internet it will make the computer harder to detect as TS.
And if any of you out there worrying about RDP over the internet I want to tell the that it is completely safe to use RDP over the internet its highly encrypted and secure and hacker got a better chance of winning the lottery than decipher your RDP session.

Mon, Apr 16, 2007 Anonymous Anonymous

Now that this secret's out, we'll have to find another way to hide from those pesky hackers.

Mon, Apr 16, 2007 Anonymous Anonymous

one word, NMAP

Fri, Apr 13, 2007 Anonymous Anonymous

No offense , BUT, is this is what MCPMAG site has come to.. Stuff that has been around since TSE 4.0? To the Author, did you like "Just get your MCP" Seriously,
How about a well thought out article, on the CORRECT way to accomplish this? IE, If you cahge the listner on your machine, then a REAL network admin, would suspect SOMEONE of trying to gain unauthorized access... NOOB

Thu, Apr 12, 2007 Anonymous Anonymous

security by obscurity...

Wed, Apr 11, 2007 Anonymous Anonymous

You could always use SSL or like one reader above said SSH

Tue, Apr 10, 2007 Stan Anonymous

richard612 & Greg: I have audit logging turned on but do not see any failed RDP attempts, either--not even the ones where I typed in the wrong password. Can you confirm where this setting is? Is there perhaps a special setting for logging RDP attempts?

Wed, Apr 4, 2007 Anonymous Anonymous

It took this guy that long to Figure out RDP. He didnt hack anything that reg key has been posted for years. NATing is an ok solution except for man in the middle attacks. If you are that worried use double encryption, RDP over VPN, but i'm sure it will be slow. One could also use Cisco PIX 7.0 for some packet regulation and combine it with Cisco NAC with CSA. But I think that is a tad overkill, but would weed out script kiddies.

Wed, Apr 4, 2007 suckapunk the trap

ditto security via obscurity. This is not a secure solution and if you were to implement you should at least change that port regularly.

Tue, Apr 3, 2007 Greg Shields Anonymous

What great conversation! Thanks to everyone for their thoughts. I have to concur with richard612 as I've been doing this method for years now and have never had any issues associated with hacking attempts. One thing of note that may not have been clear in the article is that this "hack" was designed for those little networks (like home networks) that may not have NAT or port forwarding capability on low-end router-firewall combos. Keep the great conversation a'coming!

Tue, Apr 3, 2007 Anonymous Anonymous

How about using SSH? You can use the freeware OpenSSH server on the Office-bound desktop, and then use Putty on your traveling laptop. Then tunnel 3389 through the SSH connection. You can of course use key athentication to make this even more secure.

Tue, Apr 3, 2007 richard612 Anonymous

I have to wonder if the fears of port 3389 exposure are overblown. I ran RDP on 3389 for several months with audit logging enabled. Not once did anyone connect and try a bad password (other than me).

I will admit to being rather shocked by this discovery.

Tue, Apr 3, 2007 ALex Anonymous

I want to hear Opening TCP port 3389 from the Internet is a bad thing. Also, the mstsc client ver. 6.0 encrypts all traffic...

Tue, Apr 3, 2007 Terry Canada

I agree with Earl from Australia. The port you selected is for SNPP as per the following;

On TCP, the Simple Network Paging Protocol runs on this port. There are many application that support this protocol, such as cell phones and PDAs.

On TCP, the Stronghold webserver has a configuration service running on this port. Stronghold is a server with SSL extensions on top of Apache webserver.

Default port for the Bluestem WWW authentication service based upon NTLM (NT LAN Mgr) service.

Sybase uses this port in the HiSecure client/server.

So if your machine is listening on this port, somebody will attempt to attack it anyway. based on what they assume the service is running
Best bet as per Earl is to change your port number in the high end range

Tue, Apr 3, 2007 Anonymous Anonymous

Simply changing the default RDP port does little to hide it from hackers. Widely available hacker tools scan ALL ports looking for ANY common program running on each port. The tools are completely automated so it requires NO real work on the hacker's part to find your open port 444.

Tue, Apr 3, 2007 Andrei Ungureanu Romania

It seems that many of you are not aware with the security issues exposed by RDP (newer versions are already better). The fact is the rdp client will not try to authenticate the other end of the connection and this is making it vulnerable to man in the middle attaks. And this is not just theory; it has been proved several times at live demos. With the proper tools anyone can do it. An attaker doing this will have a hard time when the connections are running on a non standard port (of course that a smart one, and one that has a precise target will catch that traffic). So I belive that Greg's recomandations is fair; but don't forget to upgrade to the latest version of RDP client.

Mon, Apr 2, 2007 Swadeep India

Kidd stuff.

Mon, Apr 2, 2007 Earl Grey Perth - Australia

Changing to a low numbered port will still get hacked by port scanners.

Try something above 50,000 as a port number, well out of the range of Well Known Ports.

Michael from M, you need to add a separate Port for each PC you want to connect from, unless you have a firewall that is very clever.

Mon, Apr 2, 2007 Anonymous Anonymous

Redirecting ports is a decent solution, but still a flavor of security through obscurity. You might want to check out SecureRDP if you want an "active" solution. No, I don't work for them - just very happy with their product.

Mon, Apr 2, 2007 Michael Miamisburg, OH

The method explained by Greg will work for all the computers in your home network. My question is to John, if I want to RDP several computers on my home network from work, how does your method allow for this? My understanding is that your method will let me RDP only one computer.

Mon, Apr 2, 2007 PCASADO NY, USA

Isn't the AAA rule apply for terminal services?, why redirection of ports? (yes, of course to avoid security treats and scans) isn't your comm. suppose to be securely encapsulated when you are using this services?
so you saying that the RADIUS, TACACS, TACACS+ or XTACACS is not as good and secure for RDP as it claims to be?
Isn't the use of microsoft NAP or cisco NAT an alternative solution to secure communication?

...mmm, you just had open my concern to verify possible exploitation to my services server..

Mon, Apr 2, 2007 Anonymous Anonymous

I "assume" that the reason you don't want to have RDP over the Internet is security. If so, since you are reg hacking, why not setup XP so that your system is encrypted?

Mon, Apr 2, 2007 Lee Watertown, SD

Agree with comment above. Additonally, I turn off the admin account for terminal services and create another admin account... then set the account policies to lockout for 30 minutes after 5 bad logon attempts and expire the passwords periodically making sure complex passwords are enabled.

Mon, Apr 2, 2007 John Jones Monterey, CA

The proposed solution to reassign your RDP port on your desktop so that you can use terminal services over the Internet is just a more complicated, nonstandard way to accomplish a relatively simple task. Most people already accomplish this by simply redirecting an external, nonstandard port on the router to the standard RDP port on the workstation. No changes are needed on the workstation, and it makes it much easier to use RDP to your machine internally on your LAN because you won't have to remember which nonstandard port you configured in the registry on each machine that you make available over the Internet. Even the simplest of home routers have this functionality available. It is much easier to see the mappings in a graphical view through router administration than it is to have to look up each workstation's value using registry editor on each PC on your LAN.

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Please type the letters/numbers you see above