Binding the RDP listener to 127.0.0.1 only

Question

I'm trying to bind the remote desktop listener to 127.0.0.1 on Windows Server 2003 Enterprise.

I tried tscc.msc but it only lets you choose a certain physical adapter.

Also by quickly glancing over HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp I couldn't find any setting that seemed to do the trick.

Is this impossible after all?

The answer to this question would be really useful when using Bitvise WinSSHD. — djangofan, Jan 20 '12 at 00:20

score 3 · Answer 1 · answered May 17 '11 at 05:09

Binding the RDP listeners to localhost can also be a cheap way to enable multiple concurrent sessions stemming from a single console session.

I'm guessing you want the localhost functionality, not strictly wanting 127.0.0.1. I'm also guessing that you don't want to expose the adapter to the network.

If you're still wanting to do this, I can think of the below method:

Install a local loopback network adapter. (See here.)
Configure the RDP Listener to bind only on the loopback network adapter. In Server2K8 and higher, this will be possible via the tsconfig.msc snap-in. I've never tried in Server2k3 but that should be a similar procedure. (I can go in more details about the configuring the registry if needed.)

From there, you'll be able to RDP to the loopback adapter using its link-local address.

Your link (experts exchange) is permanently down. – jingyu9575 Nov 17 '15 at 14:04 — jingyu9575, Nov 17 '15 at 14:04

score 3 · Answer 2 · answered Jul 02 '09 at 07:44

3

Why would you want to only have it listen on 127.0.0.1? That would make you take over your own session which would then lock the machine.

I'm not sure if you can bind RDP to listen on only IP. I would imagine that you can't. You best option will probably be using Windows firewall to prevent access to port 3389 on all IPs other than 127.0.0.1.

answered Jul 02 '09 at 07:44

mrdenny

27,074
4
40
68

I agree. Why would you access RDP from the machine itself? Makes no sense to me. But maybe there is a hidden agenda. – splattne Jul 02 '09 at 08:09
Yeap does not make sense to remote desktop to one's own machine. Might as well shut down the service altogether. – icelava Jul 09 '09 at 01:27
same reason vnc has the option for "looback only" ... you SSH in and port forward to localhost – CaffeineAddiction Feb 18 '19 at 08:37

score 2 · Answer 3 · edited Jun 11 '20 at 10:02

2

I was able to resolve my issue by doing the following: Start, Run, MMC

MMC: add Terminal Server Configuration

Enable RDP_TCP

Right on The RDP-TCP

Click on Properties

Click on the Network Adapter Tab

Bind the new Vmware Adapter

edited Jun 11 '20 at 10:02

Community

1

answered Sep 14 '12 at 01:50

Jesse Rivera

21
1

score 1 · Answer 4 · answered Jul 02 '09 at 07:48

1

binding to localhost is very common for several services under linux. so you can ssh to the box and forward ports to your ManagementClient.

The reason is simple: security.

I'm not using windows server, so I have no idea to configure this service. But blocking via windows firewall sound good.

EDIT:

Here is a link how this can be done: www-css.fnal.gov/csi/win-firewall/win-firewall.html

answered Jul 02 '09 at 07:48

ThorstenS

3,084
18
21

1

Doing ssh and port forwarding to a windows host is very uncommon. – radius Jul 02 '09 at 07:59
Yet this is what I'm doing. I already have the firewall allowing only connections on 127.0.0.1. I just wanted another layer of security by completely removing the listener from every other IP address. – Jul 02 '09 at 08:03
If you want RDP to listen only on 127.0.0.1, why not simply not allow RDP to run on the server, or change the TCP port that RDP runs on. What's the end result that you are looking for? RDP (especially on Windows 2008) is already encrypted via a certificate and can be configured to only accept connections which support this higher level of protection. – mrdenny Jul 02 '09 at 08:34

Binding the RDP listener to 127.0.0.1 only

4 Answers4

Linked