Securing my Win 7 RDP

soulesschild (Supreme [H]ardness, joined Feb 18, 2007, 6,176 messages)
So I'm a bit confused on what to do here. What I want to do is change the default port for RDP on my machine so it's not the standard 3389. Here's what I THINK I need to do.

Router: D-Link 655
Setup Virtual Server to point to desktop's static IP, CHANGE the port to something I want, such as 62856.

Port forward 3389 on my main desktop's machine.

Done? Or do I have to change the port forwarding to 62856 as well?
 
It's secure to begin with, as long as you didn't leave your Administrator password at something like...password. So no need to worry about it, no exploits against it.

But...several ways. You can leave your host PC at 3389 and port forward some wonky port like 62856...if your router supports port redirection...so that the router will flip 62856 back to 3389.

Or you can change your host computer's listen port to 62856 if your router doesn't support port redirection.
http://support.microsoft.com/kb/306759

And on your remote desktop client, you'd type in "publicipaddress:62856" or "dnsname:62856"
 
I have always been taught by the CCIEs, "security through obscurity" never works.
If the machine is properly locked down, exposing a known port 3389 makes no difference. If you are really concerned, just create a simple PPTP connection and VPN into your personal network. And even on top of that you can search for the registry settings to increase the RDP encryption to its highest level, and I also recommend editing the local policy of the machine to NOT display the last user who logged in.

Many people will have many suggestions here, but digital camouflage doesn't work.
 
While I agree, it's highly unlikely someone will single target this residential user. If this is a business, then yes, I would at the very least increase the security in RDP to the highest level and create a very complex password. If you're still worried, consider a VPN setup into the network. Of course, keep track of logs of incoming login requests on a weekly/daily basis to ensure no one is even attempting to log in.

Security through obscurity rarely works, but of course you have to understand your attackers too. Most fit into 2 profiles:
1. Random port scanners
2. Focused attack

Obscurity will prevent the random port scanners from abroad from seeing a default 3389 exposed, but if someone is focused on getting into YOUR network, they'd likely do a full range scan and try and exploit any open port/service, so switching RDP's default port will not help much in this type of threat.
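An added example, not from this thread or any of its posters, that scripts the host-side changes the replies above describe and then does the log check the last reply recommends. Assumptions: it runs in an elevated PowerShell on the Windows 7 host, 62856 is the port from the original post, the registry values are the standard RDP-Tcp and Policies\System ones (the same PortNumber value KB306759 has you edit by hand), and logon auditing is at its Windows 7 defaults.

```powershell
# Added example: harden the RDP listener, then summarise failed RDP logons.
# Run elevated. $NewPort is the arbitrary non-default port from the original post.
$NewPort = 62856
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$polKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Listen port (takes effect after the Remote Desktop Services service restarts or a reboot).
Set-ItemProperty -Path $rdpKey -Name 'PortNumber' -Value $NewPort -Type DWord

# 2. Encryption and authentication: MinEncryptionLevel 3 = High (128-bit),
#    SecurityLayer 2 = TLS, UserAuthentication 1 = require Network Level Authentication.
Set-ItemProperty -Path $rdpKey -Name 'MinEncryptionLevel' -Value 3 -Type DWord
Set-ItemProperty -Path $rdpKey -Name 'SecurityLayer'      -Value 2 -Type DWord
Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord

# 3. Do not show the last logged-on user name at the logon screen.
Set-ItemProperty -Path $polKey -Name 'DontDisplayLastUserName' -Value 1 -Type DWord

# 4. The built-in firewall rule only covers 3389, so allow the new port explicitly.
netsh advfirewall firewall add rule name="RDP custom port $NewPort" dir=in action=allow protocol=TCP localport=$NewPort

# 5. Weekly check: failed logons (event 4625) with logon type 10 (RemoteInteractive = RDP),
#    grouped by source address and target account. Caveat: once NLA is on, failures that
#    happen before a session exists are often logged as logon type 3 (Network) instead,
#    so widen the filter to '3' as well if the list looks suspiciously empty.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LogonType'] -eq '10') {
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                Source  = $d['IpAddress']
                Account = $d['TargetUserName']
            }
        }
    } |
    Group-Object Source, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Re-run step 5 on its own for the periodic check; the grouped counts show which addresses and account names are being tried, which is what tells you whether the port change is actually keeping the random scanners away.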
 