Why move RDP traffic to a new port?

At the usual ridiculous hour this morning I was greeted with an email informing me that effective immediately (as in this morning) our CTO had decided that all RDP access had to move to another port, and we needed to add a port number to each connection from here on out. The fact that he managed to screw it up and it only works externally is one thing, and we're working on that.

But what I can't get a straight answer on from either him or my Google-fu is WHY you would do this in the first place? Does anyone out there know of a reason to do this?

I don't even work in IT, but my geek knowledge tells me changing the port doesn't make it any more secure.

That was kind of my thought. But he's done it, and he still won't say why, at least to me or any of our other devs.

Given your post history this is probably old news, but that doesn't sound good. I'm sure you're already taking CYA action.

It's the kind of thing that shouldn't surprise me, but it does seem like IT has more than its fair share of decision making that wouldn't fly in other areas, like if computer equipment could cause injury. It's a lack of accountability that seems like a risk to the business, but because it's IT it's somehow okay.

The only legitimate reason I can think of offhand is that something else you need to use also uses 3389 by default and is much harder to change. However, were that the case, he ought to be able to explain it or at least present it as a reason.

I got an answer back from him finally, and it went pretty well. He says it's due to attacks by port listeners being lessened if the default ports are closed. I'm not going to second-guess him, and he got things to work internally this afternoon so we can reach all our servers, so I'm good.

Within the enclave though, what port listeners would you need to worry about? You have IDSes for that, and if they've gotten in to where they're scanning the ports of RDP you're boned anyway.
From outside? Sure, but you usually have something like a VPN or Citrix gateway in the middle to handle the boundary.

At one of my jobs, where every desktop had a public internet address, we did this. RDP was moved up to a 5-digit port, and the reasoning was exactly the same. I still remember the port number.

That's what I thought, Eezy. I mean, if they're camping ports, it's easy to just walk them all. But he did this for our Minneapolis end of things and says it really helped. Squeegee, I can't imagine the nightmare that would be to manage.

This is why I'm a software person. If you can light it on fire it's supposed to be someone else's problem.

Does anyone out there know of a reason to do this?

Basically, there are port scanners running all the time on the Internet, looking for open 'interesting' ports. Typically, they don't scan every port, but rather a limited subset, looking for services of interest to them. Putting a service on a nonstandard port means that it's less visible to the routine mass scanning that's going on.

However, it does absolutely nothing against a targeted scan, where they're actually looking at YOU, as opposed to the Internet in general. And there's nothing stopping them from broadening their general-purpose scans to cover all ports, either.

So it's not completely stupid, in the sense that if a 0-day exploit on RDP comes out, then there won't be as many bad guys/gals out there aware that you have an exposed RDP service. But, overall, it's a very minor benefit.

And, honestly, if you guys are struggling with being able to do this smoothly and easily, then you don't really have enough knowledge on staff to be exposing ANY ports to the general Internet. Your lack of on-staff expertise is a far higher risk than running RDP on 3389.

Kinda pointless, as no company should be exposing ports like RDP directly to the Internet. Invest in a good quality secure VPN or something like Citrix for a portal.

Yeah, security by obscurity is only Part of This Complete Breakfast.

I change default ports on certain services on the servers I run, with the rationale being that I prefer having a larger percentage of unwanted connection attempts getting filtered out at the firewall level rather than the application level.

It is, though, a very small benefit, and only worth doing if the effort in dealing with it is similarly small. (For SSH, for example, it means I add a "Port xxx" line in my ~/.ssh/config, and never think about it again, so that's what I would call a very small amount of effort).

I do read the code of 0-day exploits from time to time, and surprisingly often, they simply blind-fire at default ports and never bother to scan for targets, so, there is indeed a degree of benefit to avoiding the crosshairs of drive-by attacks. But, as Malor said, it is of zero value against a targeted attack, as any kiddie that knows a couple of nmap commands will find your open service ports wherever they may be.
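To make the distinction drawn in Malor's post (routine mass scanning of a few well-known ports versus a targeted scan of one host) and the firewall-level filtering point in the post above concrete, here is an added example that is not from this thread or any of its posters: it sorts blocked inbound connection attempts from a constructed firewall log by source and records whether each source would have found RDP on its default port or on a relocated one. The log format, the RFC 5737 addresses and the moved port 33890 are all assumptions.

```python
from collections import defaultdict

# Constructed sample of blocked inbound SYNs: "<src_ip> <dst_ip> <dport>".
# Not a real firewall format; RFC 5737 documentation addresses throughout.
SAMPLE_LOG = """\
198.51.100.7 203.0.113.10 3389
198.51.100.7 203.0.113.11 3389
198.51.100.7 203.0.113.12 3389
198.51.100.7 203.0.113.13 22
192.0.2.44 203.0.113.10 21
192.0.2.44 203.0.113.10 22
192.0.2.44 203.0.113.10 80
192.0.2.44 203.0.113.10 443
192.0.2.44 203.0.113.10 3389
192.0.2.44 203.0.113.10 33890
192.0.2.44 203.0.113.10 33891
192.0.2.44 203.0.113.10 33892
"""

RDP_DEFAULT = 3389
RDP_MOVED = 33890  # assumed relocated RDP port, a constructed value

def parse(log):
    """Return {src: {dst: set(dports)}} from the constructed log format."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log.splitlines():
        if line.strip():
            src, dst, port = line.split()
            hits[src][dst].add(int(port))
    return hits

def classify(hits, sweep_threshold=6):
    """Label each source by how it probes us:
    mass-scan      - few ports per host, spread over many hosts (drive-by)
    targeted-sweep - many distinct ports on one host (nmap-style)
    and record whether it touched the default and the moved RDP port."""
    report = {}
    for src, per_dst in hits.items():
        ports = set().union(*per_dst.values())
        widest = max(len(p) for p in per_dst.values())
        label = "targeted-sweep" if widest >= sweep_threshold else "mass-scan"
        report[src] = {
            "label": label,
            "hosts": len(per_dst),
            "hit_default_rdp": RDP_DEFAULT in ports,
            "hit_moved_rdp": RDP_MOVED in ports,
        }
    return report
```

On the sample, the drive-by source never touches the moved port while the single-host sweep finds it, which is the whole extent of the benefit the thread describes.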