Introduction

As you already know that Remote Desktop Connection (RDC) for Windows listens on Port 3389 by default. However, the Remote Desktop Connection Client for the Mac supports only port 3389.

This port is disabled in Windows Firewall by default. If you need to allow access to any server or client internally, you need to enable Remote Desktop on the desired machine, if you want to enable external access, then you need to enable Remote access on your edge Firewall and on the desired machine as well.

Changing the listening port will help to “hide” Remote Desktop from hackers who are constantly scanning the network for computers listening on the default Remote Desktop port (TCP 3389). This offers effective protection against the latest RDP worms, and add additional security to your environment.

Another scenario where changing the listening port is useful, if you want to allow external access to internal resources and you have only one Public IP address, in this case what you need to do, is to change the listening RDP default port number (TCP 3389) to different port number on each server.

Changing the listening port for Remote Desktop the manual way is described by Microsoft here.

In this post, I will how you how to change the port that Remote Desktop listens on large number of servers with PowerShell.

Change the listening port for Remote Desktop with PowerShell

Assume you have installed the Active Directory module for Windows PowerShell module on your management machine.

Open Windows PowerShell with Administrator privilege and run the following script:

$DCs = Get-ADComputer -Filter * -SearchBase "CN=Computers,DC=VIRT,DC=LAB"
Foreach ($DC in $DCs) {
Invoke-Command -ComputerName $DC.Name -ScriptBlock {
param ($DC)
Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" -Name PortNumber | Select-Object PortNumber
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" -Name PortNumber -Value 3395
New-NetFirewallRule -DisplayName “Remote Desktop - User Mode (TCP-In) 3395” -Direction Inbound –Protocol TCP -Profile Any –LocalPort 3395 -Action allow
New-NetFirewallRule -DisplayName “Remote Desktop - User Mode (UDP-In) 3395” -Direction Inbound –Protocol UDP -Profile Any –LocalPort 3395 -Action allow
[ValidateSet('Yes','No')]$Answer = Read-Host "`nAre you sure you want to restart $($DC.Name) ? Enter Yes/No"
If ($Answer -eq 'Yes') { Restart-Computer -Force }
 } -ArgumentList $DC
}

Above script will change the RDP listening port to 3395 for all servers in the OU named “Computers“, and finally it will create a new Firewall Rule to allow inbound remote access over TCP/UDP port 3395.

For the change to take effect, you need to restart the computer, thus I added a validate set variable to confirm if you want to restart the server now or later.

Last but not least, you need to connect to the target machine by specifying the new RDP port.

i.e. mstsc /v 172.16.20.13:3395

Hope this helps!

Cheers,
Charbel