Well said Leythos!
19 years ago
How do I change the port of 3389 for remote desktop in win2003? I like this feature in 2003 but don't want people probing me for the default port, but I can't seem to figure out how to change the port used for remote desktop.
It would be a waste of time changing it for the reason you give.
Don't change the port, setup a VPN connection to your firewall and once you VPN into the firewall you can access RD though the VPN tunnel.
You do have a firewall in front of the server, right? No one in their right mind would put a Windows workstation/server directly on the net if they understood the risks.
Actually Microsoft sells a version of Windows 2003 for web services ONLY. I don't know that I would concede that it is "hardened" but it is built for web services only.
Absolutely right. Too many things can change during the lifetime of a server to make it a practical proposition.
Would be an interesting exercise to produce a hardened installation of Win2003 that is still usable as (for example) a web server. I suspect it has been done before.
I've done it on NT4, 2000 and 2003, but only as a test case where we left them online in a DMZ and passed everything through to them - as though they were on a public IP. If you are very careful and understand the user accounts, services, etc... and disable everything not needed, and change the names of the accounts, remove access to things like CMD and other resources from everything except the administrator user.....
I have not yet used VPNs. Looks like I need to come up to speed on them. RD will only be accessed from one fixed IP so I guess I can make the VPN respond to just this IP? Do you have a web site that you consider a good intro / resource for someone just getting into VPNs?
You have mentioned:
> Don't change the port, setup a VPN connection to your firewall and once
In essence you would pass the VPN port inbound to the server and then configure the server as a VPN server. The alternative is to utilize a VPN appliance and VPN into it, which means you don't directly expose the server to authentication attempts.
If you look at the MS site there are articles on how to configure a VPN on 2003 server - you just need to use the non-standard method. MS describes, in detail, how to set up VPN services when you have a public NIC and a private NIC, but they barely cover a single NIC VPN solution.
I'm just very partial to WatchGuard appliances over all the others. Sonic ticked me off a few years ago over a support question on a new unit where the customer hadn't bought a support contract and they would not let me access support even though the firewall was only a week old. WatchGuard has all the services and features I've ever needed and I've never had one fail, but they are not cheap either. The one I use in my home was around $4000 new and it's currently almost 5 years old.
One easy way to do what you want is to setup a PPTP connection to the firewall (any real firewall will handle a PPTP authentication to the firewall itself) and then you can access the entire network across that VPN.
When you expose any ports, like RD, over the net you run the risk of a known or unknown exploit on the server. In general I never expose any ports that let users authenticate (except for SSL) directly to the servers, I require them to VPN into the office instead.
One good thing about VPN's is that if you run Exchange or SQL server you can access all of the server services without having to expose them to the world.
Oh!!! The servers are supermicro 1U servers and they have dual LAN cards. Perhaps I don't even need a separate hardware solution. The servers have a simple configuration and they don't get a lot of traffic, counted in hundreds of hits a day not thousands. And there isn't a lot of byte traffic.
So maybe I should setup the vpn using the two lan card approach? I only need to make public http, https.
There is only ONE person in the company that will need RD, ftp, pop, mssql admin, and -possibly- smtp (Rockliffe mailsite, not Exchange): me, and I have a fixed IP address.
So is the dual LAN vpn solution viable? Is it worth the $400-$800 to go with a dedicated hardware appliance for this setup? I have approval for up to $500 for a device and could possibly push this to $700-$800 but management starts to choke at this price range.
I will check into this thanks for the tip.
As I said. the only open public ports that I need are http and https.
I am just learning about vpns so I have some work to do now in researching how to best set this up.
Do you do any consulting? Your help is appreciated and has already been a big help. Thanks again.
It's not really a dual lan, it's a NIC on WAN (internet) and a NIC on local network (LAN).
It's still a bad idea to put Windows 2003 server directly on the Internet. Even if you only use a cheap router with NAT you are better off than a direct connection.
Take the weekend to read up on the MS site about setting up a VPN solution on 2003, it will give you a couple ideas.
When I setup firewalls, as in my office or home or depending on the client, if they are not providing services outside their country of origin, I tend to block most of the foreign subnets in the firewall, and I have automatic blocking enabled based on select ports that are probed - this accounts for a major step in preventing unwanted traffic from even reaching the rules that permit traffic into the server, but a firewall appliance that does all of this and more is not as cheap as $800. I think the cheapest Firebox III unit runs about $1700 USD, but it has all the features that I want in a protection device - like the ability to remove unacceptable attachments from inbound SMTP traffic, the ability to block access to active-x and restrict cookies and other things....
I bought a D-LINK DI-804HV for one small shop that wanted to have VPN access to the network from their homes/hotel. The DI-804HV was setup as a PPTP end-point and the rules were configured to allow access to the entire network once they PPTP'd into it.
I also setup a couple port forwards that allow me to connect via VNC, but I used very high port numbers that we don't see scanned in the monthly sweep lists - ports above 60000 were used for two internal systems. Since the VNC was setup to use NON-NT accounts, the attackers have to find the non-standard port that I use, then get a user account/password for VNC, and then they still have to get a user account/password for the server just to logon - two layers of user/passwords and a non-standard port.
The PPTP is nice since once they connect they can run a batch file that will map the server shares to their local computer using a user/password combination and access the files as though they were in the office.
You can setup VPN services directly on your server and just forward the port inbound to the server from your public IP, but you want to make sure that only select accounts have DIAL-IN enabled. You also want to make sure that you change the administrator account name to something other than administrator.
The main point of this is to NOT put the servers directly on the Internet, even NAT is better than a direct connection.
Right. Just after I sent that I realized that was not an option for my setup. A server used as a vpn with one nic public one private serving a local network.
Yes definitely. I am pretty sure I am going to get the tz170.
Will / am doing, thanks.
I have used VNC but it seemed to use a lot of cpu even when no one was connected.
Have already done that, tx. For years I thought having a COMMON logon with admin priv. as well as advertising the last user to log in was a serious security risk. How ignorant can some companies be about BASIC security????
Going with the tz170. For my limited requirements and bandwidth it should do fine. Thanks for all of your help.
The Sonic will be a nice unit.
I get flack for that, but when I look at our clients and where they do business, there is no reason to allow foreign subnets into their systems, not even their websites in most cases. I review the logs, look at them in a couple spreadsheets, determine when I don't know a particular IP and then use a tool called Visual Route to trace it back to the owner - the nice thing about VR is that it will give me all the NOC information for each HOP along the way, so I can see the routers (at each hop) subnet designation and block all the way from Ohio to China and only have to hit the routers in China if I want.
I'm using VNC 4.x and find it doesn't take anything in the background on our servers if nothing is connected, and I use 256 color mode when I connect anyway.
Yea, but that ignorance is what gives us work :)
NP, let me know how it comes out.
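The two posts above describe a firewall policy in three parts: block origins outside the subnets the business actually serves, auto-block any host that probes a chosen set of sensitive ports, and review the remaining unknown IPs by hand. The script below is an added example of that triage run offline over firewall log lines; it is not code from the thread or from any WatchGuard or SonicWALL product. The log format, the sentinel port set, the probe threshold, the allowed prefixes (documentation ranges standing in for real country allocations) and the admin's fixed IP are all assumptions, and the log lines are constructed for the example.

```python
"""Offline triage of firewall log lines: geographic allowlist, probe-triggered
auto-block, and a review list for the rest. Added example, not from the thread."""
import ipaddress
import re
from collections import Counter

# Ports whose probing earns an automatic block. Assumed set (RPC, SMB, MSSQL,
# RDP, VNC); the post only says "select ports".
SENTINEL_PORTS = {135, 445, 1433, 3389, 5900}
PROBE_THRESHOLD = 3  # assumed: sentinel-port hits before a host is auto-blocked

# Origins the business serves. Assumed documentation ranges, not real
# per-country allocations; a real deployment would load a prefix list.
ALLOWED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "198.51.100.0/24")]

# The admin's fixed IP (assumed value) is exempt from auto-blocking.
NEVER_BLOCK = {ipaddress.ip_address("198.51.100.7")}

# Assumed line format: "<date> <time> ALLOW|DENY TCP|UDP src:sport -> dst:dport"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log (not captured traffic). 203.0.113.10 is the server.
SAMPLE_LOG = [
    "2005-03-12 10:01:03 DENY TCP 192.0.2.50:41022 -> 203.0.113.10:3389",
    "2005-03-12 10:01:04 DENY TCP 192.0.2.50:41023 -> 203.0.113.10:1433",
    "2005-03-12 10:01:05 DENY TCP 192.0.2.50:41024 -> 203.0.113.10:445",
    "2005-03-12 10:02:11 ALLOW TCP 198.51.100.7:51000 -> 203.0.113.10:443",
    "2005-03-12 10:03:40 ALLOW TCP 203.0.113.77:60011 -> 203.0.113.10:80",
    "2005-03-12 10:04:02 DENY TCP 203.0.113.77:60012 -> 203.0.113.10:3389",
    "2005-03-12 10:05:00 ALLOW TCP 198.51.100.200:33000 -> 203.0.113.10:80",
    "2005-03-12 10:06:00 DENY UDP 192.0.2.9:5000 -> 203.0.113.10:53",
    "2005-03-12 10:07:10 DENY TCP 203.0.113.88:40001 -> 203.0.113.10:3389",
    "2005-03-12 10:07:11 DENY TCP 203.0.113.88:40002 -> 203.0.113.10:3389",
    "2005-03-12 10:07:12 DENY TCP 203.0.113.88:40003 -> 203.0.113.10:5900",
    "this line is not a firewall record",
]


def parse_line(line):
    """Return {ts, action, src, dport} for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m.group("ts"), "action": m.group("action"),
            "src": ipaddress.ip_address(m.group("src")),
            "dport": int(m.group("dport"))}


def is_allowed_origin(ip):
    """True if ip falls inside one of the allowed (served) prefixes."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    return any(ip in net for net in ALLOWED_NETWORKS)


def analyze(lines, threshold=PROBE_THRESHOLD):
    """Classify every source IP seen in lines.

    block  : outside the allowed prefixes, or probed sentinel ports >= threshold
    review : allowed origin with some sentinel-port hits below the threshold
    Returns {"block": [...], "review": [...]} as sorted dotted-quad strings.
    """
    probes = Counter()
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole pass
        seen.add(rec["src"])
        if rec["dport"] in SENTINEL_PORTS:
            probes[rec["src"]] += 1

    block, review = set(), set()
    for ip in seen:
        if ip in NEVER_BLOCK:
            continue
        if not is_allowed_origin(ip):
            block.add(ip)               # geographic block: not a served origin
        elif probes[ip] >= threshold:
            block.add(ip)               # probe-triggered block
        elif probes[ip] > 0:
            review.add(ip)              # the "I don't know this IP" list
    return {"block": [str(ip) for ip in sorted(block)],
            "review": [str(ip) for ip in sorted(review)]}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip in result["block"]:
        print(f"block  {ip}")
    for ip in result["review"]:
        print(f"review {ip}")
```

Hosts outside the served prefixes are blocked whether or not they probed anything, which is the "block foreign subnets" half of the policy; hosts inside those prefixes are only blocked once they cross the probe threshold, and a single stray hit goes to the review list for the manual trace-back step. Swap the assumed prefixes for a real per-country prefix list and feed the output into whatever rule syntax your firewall takes.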
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.