How to Secure Your Remote Desktop Ports

The Remote Desktop Protocol (RDP) is commonly used by many different Windows software solutions to provide users with access to remote services. Depending on your IT environment, there’s a good chance that RDP is being used this very minute by one or more of those solutions.

RDP was developed by Microsoft as a proprietary technology and has been built into every version of Windows since Windows XP in 2001. And, yes, that does include more recent versions of the operating system like Windows 10 and 11. As its name indicates, the Remote Desktop Protocol was intended to make remote desktops more user friendly by facilitating communication between Microsoft’s Terminal Server and the Terminal Server Client.

Part of that ease of use derived from the standardization that RDP provides. Windows servers and clients know that RDP port number 3389 is the default listening port for computers to establish a remote desktop connection, so they keep this port open automatically. That way, users are less likely to encounter the kinds of connection errors or Windows Firewall issues that will send them to IT in search of help.

Unfortunately, the use of 3389 as a standard port didn’t escape the attention of malicious actors. They quickly realized that they could exploit RDP’s open port as a way to deliver a ransomware payload or a DDOS attack. A popular method is simple brute force attacks: Hackers will try a relentless series of authentications in the hope of gaining illicit access to the remote desktop server on that port.

This has turned the default RDP port into a major liability. Cybercrime experts currently estimate that RDP is the initial attack vector for half of all ransomware attacks. Naturally, the number of ransomware attacks rose during the pandemic, when the world shifted quickly to providing remote desktop access to users who were now working outside of the office.

But with a 2021 PWC survey revealing that 83% of companies anticipate continuing remote or hybrid work going forward, remote desktop services and the software that leverages them will remain in demand. Consequently, RDP will remain a point of vulnerability for IT and organizations as a whole.

The not-so-quick (or effective) fix: Manually configure your RDP port

There’s a widespread assumption that simply changing the default port for RDP to something other than 3389 will thwart hackers. And if you have no other options, it’s true that assigning a new RDP port is a better defensive maneuver than not changing it at all.

Here’s a quick tutorial on how to do it:

  1. Double-click on the Windows Start button. Type regedit and then press Enter. This will launch the Registry Editor. In newer versions of Windows, you can do this directly from the Windows Search feature.
  2. In the Registry Editor, look for HKEY_LOCAL_MACHINE in the sidebar. Extend the drop-down list and navigate to HKEY_LOCAL_MACHINE\SYSTEM. Keep extending the drop-downs next to CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp.
  3. Click on RDP-Tcp. That will open up a list of items in the main window.
  4. Locate the dword file named “PortNumber”. Right-click on the PortNumber dword file and select “Modify…”
  5. This results in a dialog with three fields: Value name, Value data and Base. Change the base to Decimal. In the Value data field, enter a new port number between 1025 and 65535. Make sure that the new remote desktop port number you choose is not already in use by another application or service.
  6. Click OK, then reboot the computer.

This general procedure should change the default RDP port on your Windows machine. But bear in mind that the Windows Registry contains sensitive, system-level data that is not supposed to be altered in most circumstances. Any changes you make could cause instability.

Another important thing to remember is that this only changes the local ports on the current machine. If you have multiple clients using Windows Remote Desktop or other RDP-based software, you will need to make the exact same changes to the default RDP port on those machines as well.

On top of this, you’ll also need to update your Windows firewall rules. This is done by creating a new rule or set of inbound rules that account for the new RDP port. If you’re using Windows Server to provide remote desktop services, these changes to the Windows Registry and Windows Firewall will likely need to be replicated there too. Double check with your software solution provider to determine whether it’s okay to do this without breaking functionality.

The next time the user connects to these RDP-based services using a Remote Desktop client, they will have to manually update the local port. They can do this by adding a colon and the new RDP port number after the machine’s hostname or IP address (e.g., “hostname:1234”) in the connection field.

However, just changing the RDP port number doesn’t mean that the security problem is solved. It isn’t hard for someone with basic technical knowledge to determine the new port number, especially if they gain access to a remote computer.

This method is also insufficient if your organization practices or plans to implement a zero trust policy. Zero trust assumes that every device is potentially compromised, so any open port—even if it’s not the default—is treated like an attack vector. In a zero trust environment, the only acceptable course of action is to lock down vulnerabilities, restrict user access to essential functionality and minimize all exposure of the internal network to remote entities.

Practice zero trust with Cameyo cloud desktops 

Cameyo’s Virtual App Delivery (VAD) platform enables organizations to maintain strict zero trust IT policies while providing their work-from-home (WFH) and hybrid users with effortless cloud desktop access. We’re able to achieve this mix of uncompromising security and incredible ease of use thanks to a suite of innovative technologies and practices. These include:

  • Non-persistent servers: Every time the user logs out, all of their user data is fully wiped from the Cameyo server.
  • Cameyo NoVPN: As a rule, virtual private networks (VPNs) grant users access to the corporate network. Cameyo keeps clients off the corporate network, yet it’s also far easier for users to connect than with a VPN.
  • Secure Cloud Tunneling: With Cameyo, IT can deliver applications to remote & hybrid users outside of the VPN and without opening any ports in their firewall. It’s the best of both worlds: flexibility and security.
  • User segmentation: Cameyo’s virtual app delivery (VAD) isolates sessions and ensures constant separation of resources, so users and their devices never come into contact with networks or data beyond that.
  • No lateral movement: In the event that a user’s device is infected with malware, by design Cameyo prevents that malware from ever reaching your internal network and data. Nor can it reach the Cameyo system.
  • Least privilege: Cameyo delivers all apps via a secure HTML5 browser and encrypts all traffic with HTTPS. Cameyo also leverages Windows Terminal Services and temporary user profiles, so admin privileges, settings and files remain off-limits
  • Identity and access control: Cameyo integrates with your single sign-on (SSO) provider of choice. Any multi-factor authentication (MFA) you have set up with your SSO carries over to Cameyo.
  • Port Shield: Rather than leaving the RDP port open, Cameyo opens and closes both the HTTP and the RDP ports dynamically in response to authenticated user activity and whitelisted IP addresses.

This is how Cameyo delivers an ultra-secure, user-friendly cloud desktop even as it eliminates the need to tinker with Windows Registry settings and firewall rules.

Better still, Cameyo’s VAD solution is Windows-independent. What this means is that Cameyo doesn’t force users to interact with an entire Windows-based desktop environment or use a Windows-based client to stay productive. They can selectively access the apps they want, and they can do so on any device, regardless of its operating system. That stands in stark contrast to Windows Remote Desktop and other legacy remote desktop access solutions, which are often built around providing a full Windows desktop experience.

If zero-trust security coupled with industry-leading ease of use for your remote workforce sounds like an ideal combo, simply sign up for your free trial of Cameyo’s VAD platform to experience it for yourself. And if you’ve got technical questions about how Cameyo is able to provide greater flexibility while hardening security, all you have to do is request a demo. Our engineers will gladly talk you through the features and practices described above in more detail.