Configuring Windows Server 2003 Remote Desktop Service to Listen on Multiple Ports (3388 and 3389)



By default, Windows Server 2003's Remote Desktop Service listens only on TCP port 3389. A single port is limiting when you need an alternative connection path, or when you want RDP reachable off the well-known port that automated scans target (port obscurity, which complements rather than replaces access controls).

To enable multi-port listening, the Windows Registry must be modified. The registry export below shows the resulting configuration; PortNumber is a REG_DWORD written in hexadecimal (0xD3D = 3389, 0xD3C = 3388):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000D3D

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp2]
"PortNumber"=dword:00000D3C
"Transport"=hex:02,00,00,00
"LanAdapter"=dword:00000000

For a more robust solution, we can create additional listening ports through registry cloning:

  1. Export the original RDP-Tcp registry key
  2. Create a new key (e.g., RDP-Tcp2) with identical parameters
  3. Modify the PortNumber value to your desired alternative port

After registry changes, update Windows Firewall rules (or your third-party firewall):

netsh firewall add portopening TCP 3388 "Remote Desktop Alternative"
netsh firewall add portopening TCP 3389 "Remote Desktop Default"

Confirm the changes with these commands:

netstat -ano | findstr 338
telnet localhost 3388
telnet localhost 3389

For changes to take effect, you must restart the Terminal Services service:

net stop "Terminal Services"
net start "Terminal Services"

When using non-standard ports, keep these points in mind:

  • Document all active RDP ports
  • Implement IP restriction policies
  • Consider Network Level Authentication (NLA)
  • Monitor both ports for unauthorized access attempts

Clients can connect using either port by appending it to the server name:

mstsc /v:yourserver:3388
mstsc /v:yourserver:3389

By default, Windows Server 2003's Remote Desktop Protocol (RDP) listens exclusively on TCP port 3389. The service binds to this port through the Terminal Services component. When you need multiple simultaneous access points or port-based access control, modifying this behavior becomes necessary.

The primary method involves editing the Windows Registry to create additional port bindings:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000D3D  ; 3389 in hexadecimal

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp2]
"PortNumber"=dword:00000D3C  ; 3388 in hexadecimal
"Transport"=hex:02,00,00,00
"LanAdapter"=dword:00000000

Follow these steps carefully:

  1. Open Registry Editor (regedit.exe)
  2. Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations
  3. Right-click the RDP-Tcp key and select Export to backup your configuration
  4. Create a new key named RDP-Tcp2 under WinStations
  5. Copy all values from RDP-Tcp to RDP-Tcp2
  6. Modify PortNumber in RDP-Tcp2 to your desired alternate port (3388)

After registry changes, update Windows Firewall rules:

netsh firewall add portopening TCP 3388 "Remote Desktop Alternate"

Check active listeners with this command:

netstat -ano | findstr "3388 3389"

The expected output shows both ports in the LISTENING state, owned by the same PID (the Terminal Services process, termsrv.exe).
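To make the registry encoding and the netstat check repeatable, here is an added Python helper (my example, not code from the original article or from Microsoft). It generates the PortNumber entry of a .reg file for a cloned listener key, converting the port to the 8-digit hexadecimal REG_DWORD form regedit expects, and it parses netstat -ano output to confirm that every expected RDP port is listening under a single PID and to list any other port that same process listens on (an undocumented third listener, for instance). The netstat text is a constructed sample, not captured from a real host, and the audit functions are hypothetical names of my own; the registry path is the real one the procedure edits.

```python
import re
from typing import Dict, List

# Real registry path edited by the procedure; only PortNumber is generated here.
WINSTATIONS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations"

# Constructed sample of `netstat -ano` output (not captured from a real host):
# two RDP listeners plus a forgotten third one, all owned by the same PID.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       824
  TCP    0.0.0.0:3388           0.0.0.0:0              LISTENING       1292
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1292
  TCP    0.0.0.0:3390           0.0.0.0:0              LISTENING       1292
  TCP    192.0.2.10:3389        198.51.100.7:51022     ESTABLISHED     1292
  UDP    0.0.0.0:445            *:*                                    4
"""


def dword_hex(value: int) -> str:
    """Render an integer the way regedit exports a REG_DWORD: 8 upper-case hex digits."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("REG_DWORD must fit in 32 bits")
    return f"{value:08X}"


def reg_file_for_listener(name: str, port: int) -> str:
    """Build a .reg fragment that sets PortNumber on a WinStations listener key.

    The other values of the listener (Transport, LanAdapter, ...) are assumed to
    have been cloned from RDP-Tcp already, as the procedure describes.
    """
    if not 1 <= port <= 65535:
        raise ValueError("TCP port out of range")
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{WINSTATIONS}\\{name}]\r\n"
        f'"PortNumber"=dword:{dword_hex(port)}\r\n'
    )


# One TCP listener line of `netstat -ano`: local addr:port ... LISTENING pid
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_ports(netstat_output: str) -> Dict[int, int]:
    """Map every TCP port in LISTENING state to its owning PID."""
    ports: Dict[int, int] = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports[int(m.group(2))] = int(m.group(3))
    return ports


def audit_rdp_listeners(netstat_output: str, expected: List[int]) -> dict:
    """Confirm each expected RDP port is listening and that all belong to one process.

    Also lists every other port the same process listens on, so an undocumented
    listener (e.g. a leftover RDP-Tcp3 key) shows up in the audit.
    """
    ports = listening_ports(netstat_output)
    missing = [p for p in expected if p not in ports]
    pids = {ports[p] for p in expected if p in ports}
    extra = sorted(p for p, pid in ports.items() if pid in pids and p not in expected)
    return {
        "missing": missing,       # expected ports with no listener
        "pids": pids,             # should be exactly one PID
        "undocumented": extra,    # same process, ports not in the inventory
        "ok": not missing and len(pids) == 1,
    }


if __name__ == "__main__":
    print(reg_file_for_listener("RDP-Tcp2", 3388))
    print(audit_rdp_listeners(SAMPLE_NETSTAT, [3388, 3389]))
```

On a real host, feed the output of `netstat -ano` to audit_rdp_listeners with the ports you have documented; a non-empty "undocumented" list is exactly the drift the inventory bullet above is meant to catch.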

When connecting from remote clients, specify the port explicitly:

mstsc /v:yourserver:3388
mstsc /v:yourserver:3389

If connections fail on the new port, check the following:

  • Verify registry permissions (SYSTEM needs full control)
  • Check for port conflicts with other services
  • Confirm Terminal Services is running in Application Mode
  • Restart the Terminal Services service after changes

When exposing additional RDP ports, apply the same hardening as for the default port:

  • Implement Network Level Authentication
  • Consider IP restrictions via firewall rules
  • Monitor both ports for brute force attempts
  • Document the non-standard port usage for your team

For environments where registry editing isn't preferred, a port proxy is an alternative:

netsh interface portproxy add v4tov4 listenport=3388 connectport=3389 connectaddress=127.0.0.1

This creates a local port forward: connections arriving on 3388 are relayed to 3389, while the service itself keeps listening only on 3389. Note that the service then sees every relayed connection as coming from 127.0.0.1, so IP-based restrictions must be applied to port 3388 at the firewall, and connection logs will not show the remote client's address.
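To show what the portproxy rule does, here is an added Python relay of my own (not code from the original page, and not how Windows implements netsh portproxy internally): it accepts on one port and copies bytes in both directions to the service port. Because binding 3389 needs the real service, the demo uses a small echo server on an ephemeral port as a stand-in, and the PortProxy class and round_trip helper are constructed for this example. It also illustrates the caveat above: the upstream side connects from 127.0.0.1, so the service never sees the original client address.

```python
import socket
import threading
from typing import Tuple


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until the source closes, then pass the end-of-stream on."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class PortProxy:
    """Listen on `listen` and relay each connection to `connect`, like
    `netsh interface portproxy add v4tov4` (hypothetical stand-in for the demo)."""

    def __init__(self, listen: Tuple[str, int], connect: Tuple[str, int]) -> None:
        self.connect = connect
        self._stop = threading.Event()
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(listen)
        self.listener.listen(16)
        self.listener.settimeout(0.5)  # lets the accept loop notice close()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    @property
    def listen_port(self) -> int:
        return self.listener.getsockname()[1]

    def _accept_loop(self) -> None:
        while not self._stop.is_set():
            try:
                client, _ = self.listener.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            client.settimeout(None)
            try:
                # The service sees this connection from the proxy host, not the client.
                upstream = socket.create_connection(self.connect, timeout=5)
            except OSError:
                client.close()
                continue
            upstream.settimeout(None)
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self) -> None:
        self._stop.set()
        self.listener.close()


def start_echo_server() -> Tuple[socket.socket, int]:
    """Constructed stand-in for the real service on 3389: echoes what it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def round_trip(payload: bytes) -> bytes:
    """Send payload through the proxy to the echo service and return the reply."""
    srv, service_port = start_echo_server()
    proxy = PortProxy(("127.0.0.1", 0), ("127.0.0.1", service_port))
    try:
        with socket.create_connection(("127.0.0.1", proxy.listen_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # signal end of request; reply still flows back
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        proxy.close()
        srv.close()


if __name__ == "__main__":
    print(round_trip(b"hello through the alternate port"))
```

The ephemeral ports are only for the demo; in production the listener would be bound to 3388 and the firewall rule for 3388 (shown above) still applies, since the relay itself performs no authentication or source filtering.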