По какому порту работает rdp на windows

В этой статье мы расскажем, как подключиться к серверу по RDP и рассмотрим основные ошибки при подключении.

Что такое RDP

RDP (Remote Desktop Protocol) — это протокол для удаленного подключения к компьютеру или серверу с ОС Windows. С его помощью пользователи могут подключиться к удаленной машине и взаимодействовать с ее рабочим столом так, как если бы они физически находились перед ней. Чаще всего служба RDP используется для администрирования серверов, технической поддержки пользователей и удаленной работы.

Как подключиться к удаленному рабочему столу по RDP

Ошибки при подключении по RDP

Ниже мы рассмотрим основные ошибки при подключении по RDP и расскажем, что делать, если не удается подключиться к удаленному компьютеру.

Произошла внутренняя ошибка

Ошибка подключения выглядит следующим образом:

Расскажем о наиболее распространенных причинах возникновения этой ошибки и способах ее устранения.

Проверка работы порта RDP

На локальном и удаленном устройстве прослушиватель протокола RDP должен быть настроен на работу по порту 3389. Важно, чтобы другие приложения не использовали этот порт. Проверить или изменить порт RDP можно с помощью редактора реестра:

Перезапуск служб удаленных рабочих столов

Перезапуск служб нужно выполнить на локальном и на удаленном устройстве.

Проверка статуса работы протокола RDP

Чтобы проверить статус работы протокола RDP на удаленном сервере:

Очистка кэша RDP-подключений

Увеличение лимита незавершенных подключений

В Windows существует счетчик, который подсчитывает количество незавершенных RDP-подключений. При достижении этого лимита RDP-соединение блокируется и пользователь видит ошибку. Для десктопных версий Windows лимит по умолчанию — 100, для Windows Server — 3000. Чтобы исправить ошибку, нужно увеличить лимит на удаленном устройстве. Для этого:

Произошла ошибка при проверке подлинности

Ошибка выглядит следующим образом:

В марте 2018 года Microsoft обнаружил уязвимости в протоколе CredSSP и выпустил патчи для закрытия уязвимости. Если вы столкнулись с этой ошибкой, значит, на удаленной машине с марта 2018 года не устанавливались обновления безопасности. Для решения проблемы рекомендуем установить обновления. Их можно скачать на официальном сайте Microsoft либо через «Центр обновлений Windows».

Если по каким-то причинам вы не можете установить обновления безопасности, но вам нужно подключиться по RDP, вы можете временно отключить на локальном компьютере проверку версии CredSSP при подключении.

Как отключить проверку версии CredSSP на Windows Home

Как отключить проверку версии CredSSP на Windows Professional

По умолчанию во всех операционных системах Windows для подключения по протоколу RDP (Remote Desktop Protocol / Удаленный рабочий стол) использует порт TCP 3389. После того, как вы включили RDP доступ в Windows, служба TermService (Remote Desktop Services) начинает слушать на порту 3389. В этой статье мы покажем, как изменить стандартный номер RDP порта в дестопных редакциях Windows (7/8/10/11) и Windows Server.

Обратите внимание, что в современных версиях Windows для удаленного рабочего стола используется также протокол UDP с тем же номером порта 3389.

Вы можете изменить номер стандартного порта RDP в Windows с 3389 на любой другой. Чаще всего это используется, когда нужно спрятать ваш RDP/RDS хост от автоматических сканеров портов, которые ищут в сети хосты Windows с открытым стандартным RDP портом 3389. Смена RDP порта позволит уменьшить вероятность эксплуатации RDP уязвимостей (последняя критическая уязвимость в RDP BlueKeep описана в CVE-2019-0708), уменьшить количество попыток удалённого подбора паролей по RDP (не забывает периодически анализировать логи RDP подключений), SYN и других типов атак (особенно при отключенном NLA). Чаще всего RDP порт меняют на компьютерах с прямым подключением к интернету (VPS/VDS), или в сетях, где пограничный маршрутизатор перенаправляет порт 3389/RDP в локальную сеть на компьютер/сервер с Windows.

Несмотря на смену порта, нежелательно выставлять открытый RDP порт в интернет. Сканеры портов позволяют по сигнатуре понять, что на новом порту находится RDP Listener. Если вы хотите открыть RDP доступ к компьютеру в своей сети, лучше использовать такие технологии подключения, как VPN, RD Web Access, RD Gateway и другие

Если вы решили использовать нестандартный номер порта для RDP, обратите внимание, что нежелательно использовать номера портов в диапазоне от 1 до 1023 (известные порты). Используйте динамический порт из RPC диапазона (от 49152 до 65535), или любой портов в диапазоне от 1024 до 49151, который не используется другим сервисом или приложением.

Изменить номер RDP порта по-умолчанию в Windows

В нашем примере мы изменим номер порта, на котором ожидает подключения служба Remote Desktop на 1350. Для этого:

1. Откройте редактор реестра (regedit.exe) и перейдите в ветку HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp;
2. Найдите DWORD параметр реестра с именем PortNumber.. В этом параметре указан порт, на котором ожидает подключения служба Remote Desktop. Значение по умолчанию – 3389 (decimal);
3. Измените значение этого порта. Я изменил RDP порт на 1350 в десятичном значении (Deciamal);
4. Если на вашем компьютере включен Windows Firewall, вы должны создать новое правило, разрешающее входящие подключения на новый RDP порт (если вы перенастраиваете удаленный сервер через RDP, создайте разрешающее правило в файерволе до перезапуска службы TermService, иначе вы потеряете доступ к серверу). Вы можете создать разрешающее входящее правило для нового TCP/UDP порта RDP вручную из консоли ‘Брандмауэр Защитника Windows’ (firewall.cpl) или с помощью PowerShell команд:
   New-NetFirewallRule -DisplayName "NewRDPPort-TCP-In" -Direction Inbound -LocalPort 1350 -Protocol TCP -Action allow
   И:
   New-NetFirewallRule -DisplayName "NewRDPPort-UDP-In" -Direction Inbound -LocalPort 1350 -Protocol UDP -Action allow
   
5. Перезагрузите компьютер или перезапустите службу удаленных рабочих столов командой:
   net stop termservice & net start termservice
   
6. Теперь для подключения к данному Windows компьютеру по RDP, в клиенте mstsc.exe нужно указывать порт RDP подключения через двоеточие следующим образом:
   Your_Computer_Name:1350
   или по IP адресу
   192.168.1.100:1350
   или из командной строки:
   mstsc.exe /v 192.168.1.100:1350
   

   Если для управления множеством RDP подключений вы используете менеджер RDP подключений RDCMan, новый номер RDP порта подключения можно указать на вкладке “Connection Settings”.
7. В результате вы успешно подключитесь к рабочему столу удаленного компьютера через новый номер RDP порта (с помощью команды
   nenstat –na | Find “LIST”
   убедитесь, что служба RDP теперь слушает на другом порту).

Обратите внимание, что номер UDP порта RDP также изменился на 1350 (проще всего проверить это с помощью утилиты TCPView).

С помощью команды Test-NetConnection, проверьте что старый RDP порт теперь закрыт (
TcpTestSucceeded : False
):

Test-NetConnection 192.168.13.202 -port 3389 |select TcpTestSucceeded

И для RDP подключения теперь нужно использовать новый порт 1350.

Если вы хотите изменить номер RDP порта на компьютерах в домене, можно воспользоваться групповыми политиками. Создайте новую GPO, которая распространит параметр реестра PortNumber с новым значением RDP порта на компьютеры домена.

PowerShell скрипт для смены номера RDP порта в Windows

Полный код PowerShell скрипт для смены номера RDP порта, создания правила в брандмауэре и перезапуска службы RDP может выглядеть так:

Write-host "Укажите номер нового RDP порта: " -ForegroundColor Yellow -NoNewline;$RDPPort = Read-Host
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP\" -Name PortNumber -Value $RDPPort
New-NetFirewallRule -DisplayName "NewRDPPort-TCP-In-$RDPPort" -Direction Inbound –LocalPort $RDPPort -Protocol TCP -Action Allow
New-NetFirewallRule -DisplayName "NewRDPPort-UDP-In-$RDPPort" -Direction Inbound –LocalPort $RDPPort -Protocol UDP -Action Allow
Restart-Service termservice -force
Write-host "Номер RDP порта изменен на $RDPPort " -ForegroundColor Magenta

Вы можете удаленно изменить номер порта на компьютере. Для этого на удаленном компьютере должен быть настроен WinRM, тогда для подключения к компьютеру можно использовать командлет Invoke-Command:

Invoke-Command -ComputerName PC1name -ScriptBlock {Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP\" -Name PortNumber -Value 1350}

Если нужно изменить номер RDP на нескольких компьютерах в домене AD (определенной OU), используйте такой скрипт (список компьютеров в OU можно получить с помощью Get-ADComputer):

Write-host "Укажите номер нового RDP порта: " -ForegroundColor Yellow -NoNewline;$RDPPort = Read-Host
$PCs = Get-ADComputer -Filter * -SearchBase "CN=DMZ,CN=Computers,DC=winitpro,DC=ru"
Foreach ($PC in $PCs) {
Invoke-Command -ComputerName $PC.Name -ScriptBlock {
param ($RDPPort)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP\" -Name PortNumber -Value $RDPPort
New-NetFirewallRule -DisplayName "New RDP Port $RDPPort" -Direction Inbound –LocalPort $RDPPort -Protocol TCP -Action Allow
New-NetFirewallRule -DisplayName "New RDP Port $RDPPort" -Direction Inbound –LocalPort $RDPPort -Protocol TCP -Action Allow
Restart-Service termservice -force
}

Это инструкция по смене стандартного RDP порта подойдёт для любой версии Windows, начиная с Windows XP (Windows Server 2003) и заканчивая Windows 11 (Windows Server 2022).

From Wikipedia, the free encyclopedia

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft Corporation which provides a user with a graphical interface to connect to another computer over a network connection.^[1] The user employs RDP client software for this purpose, while the other computer must run RDP server software.

Clients exist for most versions of Microsoft Windows (including Windows Mobile but the support has ended), Linux (for example Remmina), Unix, macOS, iOS, Android, and other operating systems. RDP servers are built into Windows operating systems; an RDP server for Unix and OS X also exists (for example xrdp). By default, the server listens on TCP port 3389^[2] and UDP port 3389.^[3]

Microsoft currently refers to their official RDP client software as Remote Desktop Connection, formerly «Terminal Services Client».

The protocol is an extension of the ITU-T T.128 application sharing protocol. Microsoft makes some specifications public on their website.^[4]

History[edit]

Every version of Microsoft Windows from Windows XP onward^[5] includes an installed Remote Desktop Connection (RDC) («Terminal Services») client (mstsc.exe) whose version is determined by that of the operating system or by the last applied Windows Service Pack. The Terminal Services server is supported as an official feature on Windows NT 4.0 Terminal Server Edition, released in 1998, Windows 2000 Server, all editions of Windows XP except Windows XP Home Edition, Windows Server 2003, Windows Home Server, on Windows Fundamentals for Legacy PCs, in Windows Vista Ultimate, Enterprise and Business editions, Windows Server 2008 and Windows Server 2008 R2 and on Windows 7 Professional and above.

Microsoft provides the client required for connecting to newer RDP versions for downlevel operating systems. Since the server improvements are not available downlevel, the features introduced with each newer RDP version only work on downlevel operating systems when connecting to a higher version RDP server from these older operating systems, and not when using the RDP server in the older operating system.^{[clarification needed]}

Version 4.0[edit]

Based on the ITU-T T.128 application sharing protocol (during draft also known as «T.share») from the T.120 recommendation series, the first version of RDP (named version 4.0) was introduced by Microsoft with «Terminal Services», as a part of their product Windows NT 4.0 Server, Terminal Server Edition.^[1] The Terminal Services Edition of NT 4.0 relied on Citrix’s MultiWin technology, previously provided as a part of Citrix WinFrame atop Windows NT 3.51, in order to support multiple users and login sessions simultaneously. Microsoft required Citrix to license their MultiWin technology to Microsoft in order to be allowed to continue offering their own terminal-services product, then named Citrix MetaFrame, atop Windows NT 4.0. The Citrix-provided DLLs included in Windows NT 4.0 Terminal Services Edition still carry a Citrix copyright rather than a Microsoft copyright. Later versions of Windows integrated the necessary support directly. The T.128 application sharing technology was acquired by Microsoft from UK software developer Data Connection Limited.^[6]

Version 5.0[edit]

This version was introduced with Windows 2000 Server, added support for a number of features, including printing to local printers, and aimed to improve network bandwidth usage.

Version 5.1[edit]

This version was introduced with Windows XP Professional and included support for 24-bit color and sound. It is supported on Windows 2000, Windows 9x, and Windows NT 4.0.^[7] With this version, the name of the client was changed from Terminal Services Client to Remote Desktop Connection; the heritage remains to this day, however, as the underlying executable is still named mstsc.exe.

Version 5.2[edit]

This version was introduced with Windows Server 2003, included support for console mode connections, a session directory, and local resource mapping. It also introduces Transport Layer Security (TLS) 1.0 for server authentication, and to encrypt terminal server communications.^[8] This version is built into Windows XP Professional x64 Edition and Windows Server 2003 x64 & x86 Editions, and also available for Windows XP as a download.

Version 6.0[edit]

This version was introduced with Windows Vista and incorporated support for Windows Presentation Foundation applications, Network Level Authentication, multi-monitor spanning and large desktop support, and TLS 1.0 connections.^[9] Version 6.0 client is available for Windows XP SP2, Windows Server 2003 SP1/SP2 (x86 and x64 editions) and Windows XP Professional x64 Edition. Microsoft Remote Desktop Connection Client for Macintosh OS X is also available with support for Intel and PowerPC Mac OS versions 10.4.9 and greater.

Version 6.1[edit]

This version was released in February 2008 and is included with Windows Server 2008, Windows Vista with Service Pack 1 and Windows XP with Service Pack 3, and also made available for Windows XP SP2, Windows Server 2003 SP1/SP2 (x86 and (x64 editions) and Windows XP Professional x64 Edition as a download.^[10] In addition to changes related to how a remote administrator connects to the «console»,^[11] this version has new functionality introduced in Windows Server 2008, such as connecting remotely to individual programs and a new client-side printer redirection system that makes the client’s print capabilities available to applications running on the server, without having to install print drivers on the server^[12][13] also on the other hand, remote administrator can freely install, add/remove any software or setting at the client’s end. However, to start a remote administration session, one must be a member of the Administrators group on the server to which one is trying to get connected.^[14]

Version 7.0[edit]

This version was released to manufacturing in July 2009 and is included with Windows Server 2008 R2, as well as with Windows 7.^[15] With this release, also changed from Terminal Services to Remote Desktop Services. This version has new functions such as Windows Media Player redirection, bidirectional audio, multi-monitor support, Aero glass support, enhanced bitmap acceleration, Easy Print redirection,^[16] Language Bar docking. The RDP 7.0 client is available on Windows XP SP3 and Windows Vista SP1/SP2 through KB969084.^[17] The RDP 7.0 client is not officially supported on Windows Server 2003 x86 and Windows Server 2003 / Windows XP Professional x64 editions.

Most RDP 7.0 features like Aero glass remote use, bidirectional audio, Windows Media Player redirection, multiple monitor support and Remote Desktop Easy Print are only available in Windows 7 Enterprise or Ultimate editions.^[18][19]

Version 7.1[edit]

Release 7.1 of RDP was included with Windows 7 Service Pack 1 and Windows Server 2008 R2 SP1 in 2010. It introduced RemoteFX, which provides virtualized GPU support and host-side encoding.

Version 8.0[edit]

This version was released in Windows 8 and Windows Server 2012. This version has new functions such as Adaptive Graphics (progressive rendering and related techniques), automatic selection of TCP or UDP as transport protocol, multi touch support, DirectX 11 support for vGPU, USB redirection supported independently of vGPU support, etc.^[20][21] A «connection quality» button is displayed in the RDP client connection bar for RDP 8.0 connections; clicking on it provides further information about connection, including whether UDP is in use or not.^[22]

The RDP 8.0 client and server components are also available as an add-on for Windows 7 SP1. The RDP 8.0 client is also available for Windows Server 2008 R2 SP1, but the server components are not. The add-on requires the DTLS protocol to be installed as prerequisite.^[22] After installing the updates, for the RDP 8.0 protocol to be enabled between Windows 7 machines, an extra configuration step is needed using the Group Policy editor.^[23]

A new feature in RDP 8.0 is limited support for RDP session nesting; it only works for Windows 8 and Server 2012 though, Windows 7 and Server 2008 R2 (even with the RDP 8.0 update) do not support this feature.^[24]

The «shadow» feature from RDP 7, which allowed an administrator to monitor (snoop) on a RDP connection has been removed in RDP 8. The Aero Glass remoting feature (applicable to Windows 7 machines connecting to each other) has also been removed in RDP 8.^[21][22]

Version 8.1[edit]

This version was released with Windows 8.1 and Windows Server 2012 R2. A RDP 8.1 client update exists for Windows 7 SP1 as well, but unlike the RDP 8.0 update for Windows 7, it does not add a RDP 8.1 server component to Windows 7. Furthermore, if RDP 8.0 server function is desired on Windows 7, the KB 2592687 (RDP 8.0 client and server components) update must be installed before installing the RDP 8.1 update.^[25][26]

Support for session shadowing was added back in RDP version 8.1. This version also fixes some visual glitches with Microsoft Office 2013 when running as a RemoteApp.^[25]

Version 8.1 of the RDP also enables a «restricted admin» mode. Logging into this mode only requires knowledge of the hashed password, rather than of its plaintext, therefore making a pass the hash attack possible.^[27] Microsoft has released an 82-page document explaining how to mitigate this type of attack.^[28]

Version 10.0[edit]

Version 10.0 of the RDP was introduced with Windows 10 and includes the following new features: AutoSize zoom (useful for HiDPI clients).
In addition graphics compression improvements were included utilizing H.264/AVC.^[29]

Features[edit]

• 32-bit color support. 8-, 15-, 16-, and 24-bit color are also supported.
• Encryption: option of legacy 56-bit or 128-bit RC4 and modern MITM-resistant TLS since version 5.2^[8]
• Audio Redirection allows users to process audio on a remote desktop and have the sound redirected to their local computer.
• File System Redirection allows users to use their local files on a remote desktop within the terminal session.
• Printer Redirection allows users to use their local printer within the terminal session as they would with a locally- or network-shared printer.
• Port Redirection allows applications running within the terminal session to access local serial and parallel ports directly.
• The remote computer and the local computer can share the clipboard.
• Compression goes beyond a framebuffer and takes advantage of font knowledge and tracking of window states (inherited from T.128); later extensions add more content-aware features (e.g MS-RDPCR2).

Microsoft introduced the following features with the release of RDP 6.0 in 2006:

• Seamless Windows: remote applications can run on a client machine that is served by a Remote Desktop connection. It is available since RDP 6.^[30]
• Remote Programs: application publishing with client-side file-type associations.
• Terminal Services Gateway: enables the ability to use a front-end IIS server to accept connections (over port 443) for back-end Terminal Services servers via an https connection, similar to how RPC over https allows Outlook clients to connect to a back-end Exchange 2003 server. Requires Windows Server 2008.
• Network Level Authentication
• Support for remoting the Aero Glass Theme (or Composed Desktop), including ClearType font-smoothing technology.
• Support for remoting Windows Presentation Foundation applications: compatible clients that have .NET Framework 3.0 support can display full Windows Presentation Foundation effects on a local machine.
• Rewrite of device redirection to be more general-purpose, allowing a greater variety of devices to be accessed.
• Fully configurable and scriptable via Windows Management Instrumentation.
• Improved bandwidth tuning for RDP clients.^{[citation needed]}
• Support for Transport Layer Security (TLS) 1.0 on both server and client ends (can be negotiated if both parties agree, but not mandatory in a default configuration of any version of Windows).
• Multiple monitor support for allowing one session to use multiple monitors on the client (disables desktop composition)

Release 7.1 of RDP in 2010 introduced the following feature:

• RemoteFX: RemoteFX provides virtualized GPU support and host-side encoding; it ships as part of Windows Server 2008 R2 SP1.

Security issues[edit]

Version 5.2 of the RDP in its default configuration is vulnerable to a man-in-the-middle attack. Administrators can enable transport layer encryption to mitigate this risk.^[31][32]

RDP sessions are also susceptible to in-memory credential harvesting, which can be used to launch pass the hash attacks.^[33]

In March 2012, Microsoft released an update for a critical security vulnerability in the RDP. The vulnerability allowed a Windows computer to be compromised by unauthenticated clients and computer worms.^[34]

RDP client version 6.1 can be used to reveal the names and pictures of all users on the RDP Server (no matter which Windows version) in order to pick one, if no username is specified for the RDP connection.^{[citation needed]}

In March 2018 Microsoft released a patch for CVE-2018-0886, a remote code execution vulnerability in CredSSP, which is a Security Support Provider involved in the Microsoft Remote Desktop and Windows Remote Management, discovered by Preempt.^[35][36]

In May 2019 Microsoft issued a security patch for CVE-2019-0708 («BlueKeep»), a vulnerability which allows for the possibility of remote code execution and which Microsoft warned was «wormable», with the potential to cause widespread disruption. Unusually, patches were also made available for several versions of Windows that had reached their end-of-life, such as Windows XP. No immediate malicious exploitation followed, but experts were unanimous that this was likely, and could cause widespread harm based on the number of systems that appeared to have remained exposed and unpatched.^[37][38][39]

In July 2019, Microsoft issued a security patch for CVE-2019-0887, a RDP vulnerability that affects Hyper-V.^[40]

Non-Microsoft implementations[edit]

This section is missing information about Microsoft use of modified FreeRDP in WSLg. Please expand the section to include this information. Further details may exist on the talk page. (August 2021)

There are numerous non-Microsoft implementations of RDP clients and servers that implement subsets of the Microsoft functionality. For instance, the open-source command-line client rdesktop is available for Linux/Unix and Microsoft Windows operating systems. There are many GUI clients, like tsclient and KRDC, that are built on top of rdesktop.^[4]

In 2009, rdesktop was forked as FreeRDP, a new project aiming at modularizing the code, addressing various issues, and implementing new features. FreeRDP comes with its own command-line-client xfreerdp, which supports Seamless Windows in RDP6.^[41] Around 2011, the project decided to abandon forking and instead rewrite under Apache License, adding more features like RemoteFX, RemoteApp, and NTLMv2.^[42] A commercial distribution called Thincast was started in 2019.^[43] A multi-platform client based on FreeRDP including Vulkan/H.264 support followed in summer 2020. There’s a GTK-based client named Remmina also based on FreeRDP.

FreeRDP offers server implementations for macOS and Windows. On other systems including Linux, software packages may build upon FreeRDP to implement a complete server. Weston, the compositor in Wayland, uses FreeRDP to implement an rdp server it terms «rdp-backend».^[44] This server is in turn used by Microsoft to provide graphics support (WSLg) in its Windows Subsystem for Linux. ^[45]

Open-source RDP servers on Unix include FreeRDP (see above), ogon project and xrdp. The Windows Remote Desktop Connection client can be used to connect to such a server.

Proprietary RDP client solutions such as rdpclient are available as a stand-alone application or embedded with client hardware. A new access paradigm, browser-based access, has enabled users to access Windows desktops and applications on any RDP hosts, such as Microsoft Remote Desktop (RDS) Session Hosts (Terminal Services) and virtual desktops, as well as remote physical PCs.

There is also a VirtualBox Remote Display Protocol (VRDP) used in the VirtualBox virtual machine implementation by Oracle.^[46] This protocol is compatible with all RDP clients, such as that provided with Windows but, unlike the original RDP, can be configured to accept unencrypted and password unprotected connections, which may be useful in secure and trusted networks, such as home or office LANs. By default, Microsoft’s RDP server refuses connections to user accounts with empty passwords (but this can be changed with the Group Policy Editor^[47]). External and guest authorization options are provided by VRDP as well. It does not matter which operating system is installed as a guest because VRDP is implemented on the virtual machine (host) level, not in the guest system. The proprietary VirtualBox Extension Pack is required.

Patents[edit]

Microsoft requires third-party implementations to license the relevant RDP patents.^[48] As of February 2014, the extent to which open-source clients meet this requirement remains unknown.

Use in cybercrime[edit]

Security researchers have reported that cybercriminals are selling compromised RDP servers on underground forums as well as specialized illicit RDP shops.^[49][50] These compromised RDPs may be used as a «staging ground» for conducting other types of fraud or to access sensitive personal or corporate data.^[51] Researchers further report instances of cybercriminals using RDPs to directly drop malware on computers.^[52]

See also[edit]

• BlueKeep (security vulnerability)
• Comparison of remote desktop software
• Desktop virtualization
• SPICE and RFB protocol – other desktop remoting protocols
• Virtual private server
• Secure Shell

References[edit]

External links[edit]

• Remote Desktop Protocol – from Microsoft’s Developer Network
• Understanding the Remote Desktop Protocol – from support.microsoft.com
• MS-RDPBCGR: Remote Desktop Protocol: Basic Connectivity and Graphics Remoting Specification – from Microsoft’s Developer Network

9 Feb 2015 11:18 PM

I’m wondering about this piece under RD Session host;

Remote Desktop Session Host

RD License Server Port RPC

TCP 386|636: Active Directory communication

port386? Shouldn’t it be port 389?

27 May 2015 1:35 AM

Hi,

Can the port requirement be made clearer?

It is notclear that the ports listed are listening ports or outgoing ports.

Can we edit them to clarify

— Listening port, access by which services

— Outgoing port, access to which services

Thanks!

26 Jun 2015 8:18 AM

This document doesn’t really address the concept of directionality and doesn’t take into account the use of a dedicated file server for User Profile Disks.  I ran into problems relying on this document when implementing VDI on Hyper-V in a locked down environment.  Our firewall setup requires us to explicitely define all rules as {source} -> {destination} on {TCP/UDP port}.  In other words, «open this port on this component» isn’t sufficient.

Here are a couple of gotchas I ran into:

* RPC (tcp 135 + random port range) needs to be open BOTH WAYS between the Hyper-V hosts and the RD Connection Broker server(s).  (The document implies that you only need RDCB -> HV Hosts.)   If RPC is only open RDCB -> HV Hosts, you can add the Hyper-V hosts to your deployment but when you try to create a VDI collection, it won’t find your template VMs.

* If you are using an external storage solution for your User Profile Disks (like SOFS), you need to open RDCB -> SOFS on RPC (tcp 135 + random port range).  I opened it both ways but you might only need RDCB -> SOFS on RPC.

Maybe our firewall setup forces us to be a lot more granular than most but explicitly saying which direction traffic would save us a lot of time and trouble trying to figure out what’s getting blocked.

6 Dec 2016 6:06 AM

In addition to @Chamberlin72, we also got bitten by rule required in the opposite direction to expected.

In our scenario, we had a single server with RDWeb, RDG and RDCB roles, connecting to RD session hosts in another subnet.

We ruled out issues with the RDG by calling up mstsc and connecting to the session host using the RDG FQDN as a gateway. That pointed strongly to an issue with the RDCB.

We ran wireshark. We tested adding a session host in the same subnet as the RDCB, and when we connected to that, we saw traffic from the RDG to the SH that began with some RPC stuff (135 followed by high-numbered port) and then TCP 3389. When we connected to the original SHs on the other subnet, we did not see any traffic from the RDG to the SHs. This was capturing on the RDG box on all interfaces. It’s like the RDG didn’t even try to redirect the traffic; there were no packets being generated. We tried a permit-any rule on the firewall, but we didn’t see any traffic that we were confident reflected us trying to RDP in — most of the traffic we did see was on WSMAN 5985, and that was explained by the fact that we had Server Manager open with those other machines added to the console.

We also saw this event in the TerminalServices-SessionBroker\Admin log:

Log Name:      Microsoft-Windows-TerminalServices-SessionBroker/Admin

Source:        Microsoft-Windows-TerminalServices-SessionBroker

Date:          06/12/2016 13:11:27

Event ID:      802

Task Category: RD Connection Broker processes connection request

Level:         Error

Keywords:      

User:          NETWORK SERVICE

Computer:      ***************** (Our RDG / RDCB)

Description:

RD Connection Broker failed to process the connection request for user *****************

Error: Element not found.

*Element not found* is the crucial phrase.

So what happens is that you can have everything configured correctly in the deployment, and you will not be able to see anything amiss (anywhere I looked). However, the CB has no available SHs to broker connection requests to. That’s because the SHs periodically connect to the CB to announce their availability, and if that fails due to port rules, the CB never gets the announcements from the SHs to say they are ready and not overloaded. So you have a Connection Broker that’s got no destinations to broker to.

We had permit rules for netbios, 135, 445, 3389, 49152-65535 from the SH subnet to the RDCB. This was clearly not enough. (It’s not impossible that we had a firewall issue or our rules weren’t working as expected, though.)

We tried adding TCP 5020, because we saw that in Wireshark; that didn’t fix it.

We added a permit-any rule from the Session Host subnet back to the RDCB, and everything started working. We will probably analyse later and narrow the port rules down again, but for now our issue is over.

7 Sep 2017 4:24 PM

This is in reply to Freddie Sackur’s comment below regarding port requirements from Session Host to Connection Broker communications:

I ran into a similar issue on a new WS16 RDS farm with the RD Connection Broker servers on the main datacenter VLAN and the RD session hosts on an isolated VLAN.  I kept getting the «No computers available in the pool» error on collections that were properly configured.

I found Event IDs 1301 and 1296 in the TerminalServices-SessionBroker-Client Operational event logs on the RDSH servers — failed redirection attempts from the Connection Broker.

The fix for me was setting up a firewall rule that allowed the RDSH servers to talk to the RDCB servers on the usual MSFT ports:

— UDP/TCP 135

— UDP/TCP 137-139

— TCP 445

— TCP 49152-65535

After adding the firewall rule, I immediately saw Event ID 1281 in the event log mentioned above — «Remote Desktop Services successfully joined a farm on the Connection Broker server RDCB01.domain.com;RDCB02.domain.com.»

Hope this helps out.

Regards,

Scott

RDP (Remote Desktop Protocol), или протокол удалённого рабочего стола —  это протокол прикладного уровня, использующийся для обеспечения удаленного доступа к серверам и рабочим станциям Windows. По умолчанию для подключения по RDP используется порт TCP 3389, но иногда может возникнуть необходимость его изменить, например по соображениям безопасности.

Сама процедура выглядит следующим образом:

Запускаем редактор Regedit и идем в раздел реестра HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.

Выбираем параметр PortNumber, переключаемя в десятичный формат и задаем любой порт (в пределах разумного).

При выборе порта имейте ввиду, что все номера портов разделены на три категории:

• Известные порты (от 0 до 1023) — назначаются и контролируются IANA (Internet Assigned Numbers Authority), и обычно используются низкоуровневыми системными программами;
• Зарегистрированные порты (от 1024 до 49151) — также назначаются и контролируются IANA, но выделяются для частных целей;
• Динамические и/или приватные порты (от 49152 до 65535) — могут быть использованы любым процессом с любой целью. Часто, программа, работающая на зарегистрированном порту (от 1024 до 49151) порождает другие процессы, которые используют эти динамические порты.

Порт сменили, теперь его надо открыть на фаерволе. Запускаем оснастку управления «Windows Firewall with Adwanced Security». В ней выбираем входящие подключения (Inbound Rule), кликаем правой клавишей мыши и в контекстном меню выбираем пункт Новое правило (New Rule).

Выбираем правило на основе порта.

Указываем номер заданного нами порта (в примере TCP 50000).

Затем указываем действие для нашего правила — разрешить подключение (Allow the connection). Здесь же при необходимости для нашего подключения можно включить шифрование.

В зависимости от того, где находится сервер — в рабочей группе, в домене или в публичном доступе указываем сетевой профиль, для которого действует правило.

Обзываем созданное правило так, чтобы его легко было опознать и жмем кнопку «Finish».

Перезагружаем сервер и подключаемся к нему, не забыв в адресе подключения указать порт через двоеточие.