Changing the Port That Terminal Services Uses to Connect to a Server

I use Windows 2000 Server Terminal Services on my network for remote administration, but I'm worried that someone might break into one of my servers through Terminal Services. How can I change the port that Terminal Services uses to a nonstandard port number so that users can't connect through Terminal Services unless they know the secret port number?

I can explain how to change the port number, but first let me comment about security. What you're trying to do is called "security through obscurity," which is seldom effective. In this case, you might prevent casual attackers trying to connect through port 3389, or unsophisticated port scanners, from discovering Terminal Services on your server, but the chance that an intruder will discover the new port number still exists. For example, some sophisticated vulnerability scanners combine port scanning with response analysis to identify known services listening on nonstandard ports. A more secure measure is to configure IP Security (IPSec) protection for Terminal Services. Using IPSec, you can configure your server to reject any connection attempts to port 3389 except those from computers you've configured with the correct secret key or certificate. For more information about Terminal Services security settings, see "Terminal Services, Part 4," http://www.secadministrator.com, InstantDoc ID 20288. All that being said, here's how to configure Terminal Services to listen on a different port.

On the server, open a registry editor, navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp subkey, then edit the PortNumber value. Switch to the decimal display (the value is a DWORD and is shown in hexadecimal by default), then enter the new port number. You must restart the server for the change to take effect. To connect to Terminal Services now, you'll need to configure the client to connect through the new port number. If your workstation is running Windows XP, open the Remote Desktop Connection shortcut and append a colon and the new port number to the end of the server's name. For example, if your server's name is jupiter and the new port number is 4123, enter

jupiter:4123

Workstations running Win2K or earlier make connections through Client Connection Manager. Select your connection, then use File, Export to export it to a file. Open the file in Notepad and change Server Port=3389 to your new port number. Save the file and import it back into Client Connection Manager.
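The same server-side change done from PowerShell on a current Windows version, as an added example that is not part of the original article. It uses the article's registry key, PortNumber value and example port 4123; the firewall rule name, the range check and the post-change listener check are additions of this example, and restarting the Remote Desktop Services service in place of the article's full server restart is an assumption (reboot if the listener does not move).

```powershell
# Added example (not from the article): move the RDP listener to a new port.
# Run in an elevated PowerShell session on the server.
$NewPort = 4123   # the article's example port
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Refuse obviously bad choices: privileged/reserved ports and the default itself.
if ($NewPort -lt 1024 -or $NewPort -gt 65535 -or $NewPort -eq 3389) {
    throw "Choose an unprivileged port other than 3389 (1024-65535)."
}

# Show the current value first (3389 by default). PortNumber is REG_DWORD,
# which is why regedit shows it in hex until you switch to decimal.
$Current = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Write-Host "Current RDP port: $Current"

# Write the new port.
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

# The built-in firewall rule only allows 3389; without a rule for the new
# port the server becomes unreachable over RDP after the restart.
New-NetFirewallRule -DisplayName "Remote Desktop (custom port $NewPort)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort -Action Allow | Out-Null

# Assumption: restarting the service is enough on current Windows; the
# article restarts the whole server. Either way, active sessions are dropped.
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 5

# Verify the listener actually moved: nothing should be left on 3389 and the
# new port should be in the Listen state. This is the check worth keeping
# in your change record, since a typo here locks you out of remote admin.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in @(3389, $NewPort) } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Client side, matching the article's example:  mstsc /v:jupiter:4123
```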

Discuss this Article

DANIEL (not verified)
on Apr 30, 2004
Very helpful article, which does not limit itself to answering the question in the subtitle, but takes one step further to elaborate the reasons behind this question and to show consequences and ways to go next. I like such an approach. Thanks a lot! Meanwhile, I have a question related to the topic of the article: I am connecting to a remote terminal server via a forwarded port on my local Windows XP machine. The RDP client that comes with XP won't connect to any port on the local machine, because 'You are already connected to the console of this computer'. Does anybody know how to tell it that I am not trying to connect to the local machine and make it do the connection? Thanks.
Neal (not verified)
on Dec 26, 2003
Concise. I like that.
Jon (not verified)
on Dec 15, 2003
sensational!!!!
alirag (not verified)
on Apr 24, 2006
I found the article very informative and useful.
Anonymous User (not verified)
on Mar 25, 2005
2k3 server doesn't allow a colon in the remote machine port number... any ideas??
Anonymous User (not verified)
on Dec 13, 2004
Great post, another good reason for this is if you only have 1 public IP and you want to connect to multiple stations using port forwarding. Thanks!
Anonymous User (not verified)
on Feb 4, 2005
You need to forward the port to 127.0.0.2. See: http://www.engr.wisc.edu/computing/best/rdesktop-putty.html
Anonymous User (not verified)
on Feb 25, 2005
Not that it would matter if you changed your port number, as any self-respecting attacker would port scan you anyhow...
hwa (not verified)
on Nov 21, 2003
How do I configure Terminal Services so that it can be used over the Internet with an ADSL router that has only one static IP?
Anonymous User (not verified)
on May 13, 2005
I can't change the port number to connect with a PDA running Windows Mobile 2003. I don't see where I can configure another port number.
