RE: Terminal Server Publishing

  • From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 11 Jun 2002 14:48:23 -0500

Hi Tim,
 
Check this out:
 
RDP and Firewalls 
RDP uses TCP port 3389. Terminal servers are a highly desirable plum for
intruders, so you may not want to open this port on your firewall. Use
port translation to change the external port. If you want to discourage
connection attempts by internal users, change the RDP port used by the
terminal servers. This involves a quick Registry hack. Use Registry
Editor to locate this entry:
Key: HKLM | System | CurrentControlSet | Control | Terminal Server | WinStations
Value: Port Number
Data: d3d (hex for 3389, REG_DWORD)
Change the PortNumber entry to another port well above the standard port
ranges. Restart the server then use netstat -a to verify that the server
is listening at the new port and not listening at port 3389. Then modify
your clients to use the new port number as follows:
*       Win2K clients: Export the Connection Manager entry to a text
file (.cns extension) using File | Export. Change the Server Port entry
from 3389 to the new port number then import the file back into
Connection Manager. 
*       XP clients: Launch the Mstsc client executable then specify the
server name, followed by a colon then the port number. For example,
S1.company.com:6500. 
*       TsWeb client: Change the Visual Basic code in the ASP page that
makes the connection. Go to %system root%\Web\TsWeb. Locate the file
called Connect.asp and edit it with Notepad or vim. Look for a series of
entries starting with MsTsc.AdvancedSettings2. Add the following line
right after these entries: 

MsTsc.AdvancedSettings2.RDPPort = 
Test to make sure that you can connect with the new setting.
HTH,
Tom
 
-----Original Message-----
From: Deus, Attonbitus [mailto:Thor@xxxxxxxxxxxxxxx] 
Sent: Tuesday, June 11, 2002 1:57 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Terminal Server Publishing
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
At 10:39 AM 6/11/2002, you wrote:
>Hi Thor
>
>I stand corrected :), btw, it's not like you to make a mistake, the correct
>reg key to change the listening port is
>
>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber.
>
>
 
 
Heh- that's what I get for trusting the Q article!  I just copied and 
pasted it.  Thanks for checking up on me!!  ;)
 
Oh, and you did catch that email from Jim a while back regarding XP's 
Remote Desktop Client to append the port to the IP Address in the Computer 
box, right?  You just connect to 10.1.1.1:13389 or whatever the new port
is- that *really* makes it easy to change the listen port.
 
I'm still working on a hack for TSAC to change its listen port, but it 
requires editing the binary directly, which would keep me (legally) from
distributing it... Have you found a way around that?
 
AD
 
 
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
 
iQA/AwUBPQZIGIhsmyD15h5gEQKTmgCeKAZLdS6tFRNoZGi3pbIVrHVTbHoAnRbk
uVJb0M6sU869YQ9/R+qJfLVG
=cj7D
-----END PGP SIGNATURE-----
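
Added example, not part of the original thread: a Python check for the verification step described above (the server listens on the new port and no longer on 3389), run over the text of `netstat -an`. It assumes the numeric Windows netstat column layout; the function names and the sample output are constructed for illustration, with port 6500 taken from the example in the thread.

```python
import re

DEFAULT_RDP_PORT = 0xD3D  # 3389, the "d3d" hex data quoted in the thread

# Matches TCP rows in LISTENING state from Windows `netstat -an`, e.g.
#   TCP    0.0.0.0:6500    0.0.0.0:0    LISTENING
#   TCP    [::]:6500       [::]:0       LISTENING
_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)

def listening_tcp_ports(netstat_text):
    """Return {port: [local addresses]} for TCP sockets in LISTENING state."""
    ports = {}
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if m:
            ports.setdefault(int(m.group(2)), []).append(m.group(1))
    return ports

def check_rdp_port_change(netstat_text, new_port):
    """Return a list of problems; an empty list means the change took effect."""
    if not 1 <= new_port <= 65535 or new_port == DEFAULT_RDP_PORT:
        raise ValueError("new_port must be a valid TCP port other than 3389")
    ports = listening_tcp_ports(netstat_text)
    problems = []
    if new_port not in ports:
        problems.append(f"nothing is listening on TCP {new_port}")
    if DEFAULT_RDP_PORT in ports:
        addrs = ", ".join(ports[DEFAULT_RDP_PORT])
        problems.append(f"still listening on TCP 3389 ({addrs})")
    return problems

# Constructed sample output, not captured from a real server.
SAMPLE_AFTER_CHANGE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6500           0.0.0.0:0              LISTENING
  TCP    10.1.1.1:6500          10.1.1.50:1042         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
# Same host before the restart: the listener is still on the default port.
SAMPLE_NOT_RESTARTED = SAMPLE_AFTER_CHANGE.replace(":6500 ", ":3389 ")

if __name__ == "__main__":
    for name, text in [("after change", SAMPLE_AFTER_CHANGE),
                       ("not restarted", SAMPLE_NOT_RESTARTED)]:
        print(name, "->", check_rdp_port_change(text, 6500) or "OK")
```

Only rows in the LISTENING state count, so an established session to the new port does not mask a missing listener.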
 
 