Is there a Best Practice doc for changing RDP port 3389 in SBS 2003 Premium?

    Question

  • Hi,

    Anyone know if there's a Best Practice doc/KB/URL for changing the RDP listening port from 3389 on Small Business Server 2003 Premium (updated with ISA 2004)?

    I don't want to break RWW. I also know that some people just suggest blocking 3389 external and solely using RWW. However, I've had scenarios where RWW broke and it was handy to have RDP still open on the server to do the fixing.

    I look forward to your comments and suggestions.

    Regards,

    Brcobrem

    Thursday, February 16, 2012 5:57 PM

Answers

  • The rise of brute force attacks on servers running RDP that is open to the Internet is extremely high. The best thing you can do is open 3389 ONLY to your IP address at your home or office. Don't change the port, or you will break RWW.

    Be aware that the source IP address can also be spoofed, but having it open only to your house or office lowers the risk.


    Jeremy

    • Marked as answer by Tiger Li Tuesday, February 21, 2012 1:36 AM
    Thursday, February 16, 2012 7:17 PM
  • Use VPN first to get to the box, then fire up 3389.
     
    • Proposed as answer by Tiger Li Monday, February 20, 2012 6:41 AM
    • Marked as answer by Tiger Li Tuesday, February 21, 2012 1:36 AM
    Thursday, February 16, 2012 7:30 PM
  • Hi Brcobrem,

    Thanks for posting here.

    Agree about the VPN method, or perhaps consider migrating and upgrading to the SBS 2011 solution, which will make the remote incoming connection more secure.

    Introduction to SBS 2011 Standard Remote Web Access (RWA)

    http://blogs.technet.com/b/sbs/archive/2011/03/10/introduction-to-sbs-2011-remote-web-access-rwa.aspx

    Thanks.

    Tiger Li


    TechNet Community Support

    • Marked as answer by Tiger Li Tuesday, February 21, 2012 1:36 AM
    Monday, February 20, 2012 6:41 AM

All replies

  • Hi Susan, Jeremy and Tiger,

    Thank everyone for the replies and suggestions. Not having used VPNs before, I have a question on the VPN function.

    Is it 100% necessary to join the remote PC to the SBS domain? I wouldn't want to join my workstation to someone's domain just to do occasional work on their server.

    If no machine join is required and I establish a VPN connection from remote to server, what can you do with the connection to manipulate the server? Can you then open an RDP session through the VPN connection (using LAN addresses, of course)? Sorry if that's obvious, I've just never tried it.

    Thanks,
    Brcobrem

    Tuesday, February 21, 2012 2:21 PM
  • My home PC is not joined to the domain. I click on the network icon and click on the VPN connector I've already set up. I have to make sure that my home PC is not on the same IP range as the office (key to the success). I then put in my username/password and connect. I can now merely go to RDP and connect to any server or workstation inside the office even though I'm not domain joined and no 3389 port is directly open.
    Tuesday, February 21, 2012 4:16 PM
  • The VPN is just establishing a TCP/IP connection. It's the same as if you took your home PC and put it on the same LAN as the server.

    I have about 18 VPN connections defined on my laptop, and it's in just a workgroup.

    Jim

    Tuesday, February 21, 2012 6:42 PM
  • I've never worked with ISA and VPN together, so I don't know how you would do it, but you can filter VPN connections. In 2003 Standard, it was done using policy in RRAS, but I assume ISA takes over that job. Probably worth looking into, as people round here cross their fingers and look for garlic at the mention of VPN these days. You will be able to limit VPN access to just RDP if you wish.

    A somewhat lower security quick-and-dirty option is to use your original idea, but use the Internet router to forward some very high number TCP port to 3389 on the SBS. Nearly all attacks, especially brute force, use software rather than a human, so this should prevent such attempts, at least until you can get a more sophisticated solution working.

    I have one client who has a *nix server running as well as the SBS, so I connect there using SSH (Secure SHell) to forward RDP to 3389 on four machines. Not only are domains not involved, I don't often use a Windows computer for remote admin work, either by SSH or VPN. The RDP protocol doesn't care. Other things do: for example, you may need to mess around a bit to see network shares, at least by name. That can be difficult over VPN from a non-domain client.

    One simple point, sometimes overlooked: a VPN by default gives your client computer an additional network interface with an IP address in the SBS LAN network (one of the addresses reserved in the DHCP pool specifically for this purpose). You need to make sure the network address of the SBS LAN is different from the network addresses of all the interfaces of your client, or routing won't work. You'll get a successful VPN connection which does nothing at all.

    The default PPTP VPN uses the TCP port 1723 and also IP protocol 47, GRE. If you get a message on the client claiming a successful VPN connection, but you then get a timeout before logging in successfully to the SBS, this is usually a sign that TCP/1723 is working but GRE is getting lost somewhere along the line. Check any firewall at the client end and also the router forwarding.

    Joe

    Tuesday, February 21, 2012 10:35 PM
  • Hi Joe et al.,

    Setup of the VPN was relatively easy: CEICW and then the RRAS wizard.

    Don't forget about VPN Pass Through on the remote's router (three hours later, duh to me).

    As pointed out above, no need to join the remote to the domain.

    Use CEICW to disable RDP.

    Summary: 1) Connect to SBS via VPN. 2) RDP to SBS LAN IP addresses as required.

    Piece of cake now.

    Btw, down from about 4000 RDP (Logon Type 10) brute force attacks a day to zero! Security Log is much happier (no more Event 529 :-)

    RWW, OWA and OMA still work without issue.

    Old School Tip: Stick a modem in one of the SBS's network PCs, create an Incoming Connection on that PC, and have a POTS line available to plug into the modem when needed. Perfect for those rainy days when the WAN goes down and you need to backdoor into the LAN for a little tech support.

    Thanks again to everyone for the fine suggestions and assistance.

    Regards,
    Brcobrem



    • Edited by Brcobrem Wednesday, February 29, 2012 3:04 AM
    Wednesday, February 29, 2012 2:57 AM
  • Hi again Forum,

    The VPN/RDP cake wasn't as tasty the second day :-(

    I noticed that on the remote PC, Outlook email would not go out to the remote ISP's SMTP server.

    The first fix attempt: In the Win7 remote PC, if I look at the VPN's "Properties > Networking tab > IPv4 or IPv6 item > Properties > Advanced button" there's a check box for "Use default gateway on remote network". If I disable that, then email goes out from the remote PC through the remote PC's gateway/router (and not piped through the VPN tunnel to the SBS server). So the remote's email is going out and the remote's browsing is now using the remote's router/gateway. Perfect I'm thinking.

    However, I have a new problem: The VPN connection is still made with no problems, but now the RDP session from the Win7 remote to the SBS server through the VPN no longer works. I notice that I can no longer ping the server by its local LAN address either.

    Any ideas what I'm missing here?

    Thanks in advance . . .
    Brcobrem

    Thursday, March 01, 2012 10:24 PM
  • No takers on my last thread?

    Btw, I think the fix might be to set up a route in Win7. Not sure though.

    Some environment info:

    PPP adapter VPN Connection = 169.254.109.44 (btw, this IP changes every time you disconnect/reconnect the VPN).

    Win7 Ethernet Adapter LAN = 192.168.0.45 (this is a fixed IP address on this workstation).

    SBS Server LAN = 10.0.0.5 (this is a fixed IP address as required by SBS).

    Maybe there's no solution ?

    Humm . . .

    Brcobrem

    Friday, March 02, 2012 9:56 PM
  • The VPN is getting an APIPA IP address because RRAS is incorrectly configured.

    ALL FROM SBS Console:

    Disable VPN. Fix My Network. Enable VPN.

    and if it's still broken, start another thread.

    Friday, March 02, 2012 10:13 PM
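The routing behaviour discussed in Joe's post (client and SBS LAN networks must not overlap), in Brcobrem's follow-ups (unchecking "Use default gateway on remote network" fixes outbound mail but loses the route to 10.0.0.5, with the PPP adapter getting an APIPA 169.254.x.x address) and in the reply above (RRAS should be handing out a pool address) can be reproduced with a small route-table model. This is an added example, not code from the thread; the /24 masks, the pool address 10.0.0.200, the SMTP host 203.0.113.25 and the Windows class-based PPP route are assumptions.

```python
import ipaddress

# Added example, not from the thread: models the Windows client route table the posts
# describe. The /24 masks, pool address 10.0.0.200 and SMTP host 203.0.113.25 are assumptions.

def classful(addr):
    """Classful network of addr. Assumption: with 'Use default gateway on remote
    network' unchecked, Windows adds only this class-based route via the PPP adapter."""
    first = int(addr.split(".")[0])
    prefix = 8 if first < 128 else (16 if first < 192 else 24)
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def build_routes(client_lan_cidr, vpn_addr, use_remote_gateway, static_routes=()):
    """Simplified route table for a client with a LAN adapter and a PPP VPN adapter."""
    routes = [(ipaddress.ip_network(client_lan_cidr, strict=False), "LAN"),
              (ipaddress.ip_network(f"{vpn_addr}/32"), "VPN")]  # PPP host route
    if use_remote_gateway:
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "VPN"))  # all traffic tunnelled
    else:
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "LAN"))  # home router
        routes.append((classful(vpn_addr), "VPN"))
    for cidr in static_routes:  # e.g. a hand-added 10.0.0.0/24 via the VPN
        routes.append((ipaddress.ip_network(cidr, strict=False), "VPN"))
    return routes

def egress(routes, dst):
    """Longest-prefix match: the interface ("LAN" or "VPN") that carries traffic to dst."""
    d = ipaddress.ip_address(dst)
    hits = [r for r in routes if d in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def subnets_overlap(client_cidr, server_cidr):
    """Joe's precondition: the client's networks must not overlap the SBS LAN."""
    return ipaddress.ip_network(client_cidr, strict=False).overlaps(
        ipaddress.ip_network(server_cidr, strict=False))

if __name__ == "__main__":
    sbs, smtp, home = "10.0.0.5", "203.0.113.25", "192.168.0.45/24"
    cases = {"gateway on, APIPA PPP address": build_routes(home, "169.254.109.44", True),
             "gateway off, APIPA PPP address": build_routes(home, "169.254.109.44", False),
             "gateway off, PPP address from SBS pool": build_routes(home, "10.0.0.200", False),
             "gateway off, APIPA + static route": build_routes(home, "169.254.109.44", False,
                                                              ["10.0.0.0/24"])}
    for label, rt in cases.items():
        print(f"{label}: SBS via {egress(rt, sbs)}, ISP SMTP via {egress(rt, smtp)}")
    print("client/server overlap:", subnets_overlap(home, "10.0.0.5/24"))
```

With the APIPA address and the remote gateway off, 10.0.0.5 falls through to the default route on the home LAN, which is the "VPN connects but ping fails" symptom; a PPP address from the SBS pool (or a manual 10.0.0.0/24 route) sends the server traffic into the tunnel while mail still leaves via the ISP.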
  • This is SBS 2003. No FMNW wizard I'm aware of.

    Time for a new post?

    Saturday, March 03, 2012 5:44 PM