Drew Robinson's Blog

Azure, Powershell and Security things

Change the default RDP port (3389) on an Azure Windows ARM VM to a high-range port

I recommend leveraging a site-to-site VPN or point-to-site VPN for admin port access (RDP, SQL, etc.). If a VPN is not an option, the next method is to restrict the exposed inbound port to known source IP addresses (an ACL).

The last method is to move the service to a high-range port, which makes it more expensive to scan up to the exposed RDP port. This is not real security, since the port is still fully exposed to the internet, but it is somewhat better than exposing 3389 directly.

The following procedure updates the RDP listener port, creates an inbound Windows Firewall rule and updates the Azure Network Security Group (NSG).

Note: As with any change, sandbox this change before executing it in production. Make sure you fully understand the changes you are making and that you have a rollback plan.

#PS Code for the Windows registry and firewall change:

# Paste this line first
Write-Host "What port would you like to set for RDP: " -ForegroundColor Yellow -NoNewline; $RDPPort = [int](Read-Host)

# Paste these two lines next
# Point the RDP-Tcp listener at the new port (PortNumber is a DWORD; the change takes effect after a restart)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP" -Name PortNumber -Value $RDPPort
# Open the new port in Windows Firewall (the built-in Remote Desktop rule only covers 3389)
New-NetFirewallRule -DisplayName "RDP HighPort" -Direction Inbound -LocalPort $RDPPort -Protocol TCP -Action Allow

Write-Host "port number is $RDPPort" -ForegroundColor Magenta
Write-Host "Launch RDP with IP:$RDPPort or cmdline MSTSC /V [ip]:$RDPPort"

Procedure

# Update the VM with the new port

a. Open an elevated (Administrator) PowerShell session on the VM

1a

b. Paste the first line and enter the high-range port you will use (document the port number; if you forget it, RDP = $null)

1b

c. Paste the next two lines

1c

Both the RDP listener and Windows Firewall have been updated with the new port.

You can now restart the VM.

# Update the Network Security Group (NSG) with the new port.

a. VM Properties – Network Interfaces

2a

b. Click on the network interface name

2b

c. Network Security Group

2c

d. Click on the name

2d

e. Click on default-allow-rdp

2e

f. Click on Advanced

2f

g. Update the port range to the port you defined in step 1.

2g

h. Click outside the dialog; the Save button should become active. Click Save.

2h

Wait for the NSG to update. You can confirm the port is reachable with PowerShell's TNC (Test-NetConnection): {TNC IPAddress -Port PORT} should report TcpTestSucceeded as True.

2i

Launch RDP using {IPAddress:Port}.

2j
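The NSG update from step 2 and the TNC check from step 2i, scripted with the Az PowerShell module instead of clicking through the portal, as an added example that is not part of the original post. Resource group, NSG name, public IP, admin source IP and port are assumed placeholders; restricting the rule to the admin source IP applies the ACL option from the intro on top of the port change.

```powershell
# Added example, not the post's own code. Assumes the Az module is installed and
# Connect-AzAccount has been run from an admin workstation (not on the VM itself).
$ResourceGroup = 'rg-example'          # assumption: the VM's resource group
$NsgName       = 'nsg-example'         # assumption: NSG attached to the VM's NIC (step 2c/2d)
$VmPublicIp    = '203.0.113.10'        # assumption: VM public IP (documentation range)
$AdminSourceIp = '198.51.100.25/32'    # assumption: your admin egress IP, the ACL from the intro
$RDPPort       = 53389                 # assumption: the high-range port chosen in step 1b

# Refuse the default port and anything outside the valid range before touching the NSG.
if ($RDPPort -eq 3389 -or $RDPPort -lt 1024 -or $RDPPort -gt 65535) {
    throw "Pick a non-default port between 1024 and 65535, got $RDPPort"
}

# Step 2d-2g: load the NSG and rewrite the existing default-allow-rdp rule in place,
# keeping its priority but changing the destination port and narrowing the source.
$nsg  = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName
$rule = $nsg.SecurityRules | Where-Object { $_.Name -eq 'default-allow-rdp' }
if (-not $rule) { throw "Rule default-allow-rdp not found on $NsgName" }

Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $rule.Name `
    -Description 'RDP on non-default port, admin source only' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority $rule.Priority `
    -SourceAddressPrefix $AdminSourceIp -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange ([string]$RDPPort) | Out-Null

# Step 2h: push the change; the call returns once the NSG update is applied.
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg

# Verify the applied rule, and flag any inbound allow rule that still opens 3389.
$applied = $nsg.SecurityRules | Where-Object { $_.Name -eq 'default-allow-rdp' }
'Rule {0}: {1} port {2} from {3}' -f $applied.Name, $applied.Access,
    ($applied.DestinationPortRange -join ','), ($applied.SourceAddressPrefix -join ',')

$still3389 = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and $_.DestinationPortRange -contains '3389'
}
if ($still3389) { Write-Warning "Inbound allow rules still reference 3389: $($still3389.Name -join ', ')" }

# Step 2i: the same TNC check as the post. After the VM restart the new port should
# answer and 3389 should not (the listener moved, so nothing is bound there).
$new = Test-NetConnection -ComputerName $VmPublicIp -Port $RDPPort -WarningAction SilentlyContinue
$old = Test-NetConnection -ComputerName $VmPublicIp -Port 3389 -WarningAction SilentlyContinue
"Port $RDPPort reachable: $($new.TcpTestSucceeded); port 3389 reachable: $($old.TcpTestSucceeded)"
```

Run this from the workstation whose IP is in $AdminSourceIp, since the narrowed rule drops the TNC check from anywhere else.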