
I'm trying to bind the remote desktop listener to 127.0.0.1 on Windows Server 2003 Enterprise.

I tried tscc.msc but it only lets you choose a certain physical adapter.

Also by quickly glancing over HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp I couldn't find any setting that seemed to do the trick.

Is this impossible after all?

4 Answers

3

Binding the RDP listeners to localhost can also be a cheap way to enable multiple concurrent sessions stemming from a single console session.

I'm guessing you want the localhost functionality, not strictly wanting 127.0.0.1. I'm also guessing that you don't want to expose the adapter to the network.

If you're still wanting to do this, I can think of the below method:

  1. Install a local loopback network adapter. (See here.)
  2. Configure the RDP Listener to bind only on the loopback network adapter. In Server2K8 and higher, this will be possible via the tsconfig.msc snap-in. I've never tried in Server2k3 but that should be a similar procedure. (I can go into more detail about configuring the registry if needed.)

From there, you'll be able to RDP to the loopback adapter using its link-local address.

MikeJM
3

Why would you want to only have it listen on 127.0.0.1? That would make you take over your own session which would then lock the machine.

I'm not sure if you can bind RDP to listen on only one IP. I would imagine that you can't. Your best option will probably be using Windows firewall to prevent access to port 3389 on all IPs other than 127.0.0.1.

mrdenny
  • I agree. Why would you access RDP from the machine itself? Makes no sense to me. But maybe there is a hidden agenda. – splattne Jul 02 '09 at 08:09
  • Yeap, does not make sense to remote desktop to one's own machine. Might as well shut down the service altogether. – icelava Jul 09 '09 at 01:27
  • Same reason VNC has the option for "loopback only" ... you SSH in and port forward to localhost. – CaffeineAddiction Feb 18 '19 at 08:37
  • This also is the ONLY option you have with WSL, as WSL does not work with listeners on devices other than 127.0.0.1. – Tino Jun 25 '23 at 17:20
2

I was able to resolve my issue by doing the following:

  1. Start, Run, MMC
  2. MMC: add Terminal Server Configuration
  3. Enable RDP_TCP
  4. Right-click on the RDP-TCP
  5. Click on Properties
  6. Click on the Network Adapter tab
  7. Bind the new VMware adapter

1

Binding to localhost is very common for several services under Linux, so you can SSH to the box and forward ports to your management client.

The reason is simple: security.

I'm not using Windows Server, so I have no idea how to configure this service. But blocking via Windows firewall sounds good.

EDIT:

Here is a link to how this can be done: www-css.fnal.gov/csi/win-firewall/win-firewall.html

ThorstenS
  • Doing SSH and port forwarding to a Windows host is very uncommon. – radius Jul 02 '09 at 07:59
  • Yet this is what I'm doing. I already have the firewall allowing only connections on 127.0.0.1. I just wanted another layer of security by completely removing the listener from every other IP address. –  Jul 02 '09 at 08:03
  • If you want RDP to listen only on 127.0.0.1, why not simply not allow RDP to run on the server, or change the TCP port that RDP runs on? What's the end result that you are looking for? RDP (especially on Windows 2008) is already encrypted via a certificate and can be configured to only accept connections which support this higher level of protection. – mrdenny Jul 02 '09 at 08:34
  • Doing SSH and port forwarding to Windows hosts is the most common way I work since I came across Cygwin in 2006 or so. Nowadays replaced by WSL. But WSL only allows access to RDP on 127.0.0.1. If RDP listens on 0.0.0.0, WSL is unable to connect. The Windows firewall does not help there. – Tino Jun 25 '23 at 17:28
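Both mrdenny's and ThorstenS's answers recommend the firewall route (allow TCP 3389 from 127.0.0.1 only) rather than re-binding the listener. The script below is an added example, not code from either answer or from Microsoft: it creates that allow/block pair with the NetSecurity cmdlets and then reports what the RDP listener is bound to and which enabled inbound rules touch the port, so the change can be verified instead of assumed. It assumes Windows Server 2012 / Windows 8 or later (the `New-NetFirewallRule` and `Get-NetTCPConnection` cmdlets do not exist on Server 2003), an elevated session, and RDP on its default port; the rule names and the address ranges are my own choices.

```powershell
# Added example (not from the thread): keep TCP 3389 reachable from loopback only
# using Windows Firewall rules, then report listener bindings and matching rules.
# Assumes Windows Server 2012 / Windows 8 or later, an elevated session, default RDP port.
#Requires -RunAsAdministrator

$RdpPort   = 3389
$AllowName = 'RDP - allow from loopback only'       # hypothetical rule name
$BlockName = 'RDP - block from non-loopback addresses'  # hypothetical rule name

function Set-RdpLoopbackOnly {
    # Remove earlier copies of our two rules so the function can be re-run safely.
    Get-NetFirewallRule -DisplayName $AllowName, $BlockName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Allow rule: only the loopback addresses may reach the RDP port.
    New-NetFirewallRule -DisplayName $AllowName -Direction Inbound -Protocol TCP `
        -LocalPort $RdpPort -RemoteAddress '127.0.0.1', '::1' -Action Allow -Profile Any |
        Out-Null

    # Block rule: Windows Firewall applies block rules ahead of allow rules, so a block
    # on 'Any' would also kill the loopback connections just allowed. List the
    # non-loopback ranges explicitly instead.
    $NonLoopback = @(
        '1.0.0.0-126.255.255.255',    # IPv4 below 127.0.0.0/8
        '128.0.0.0-223.255.255.255',  # IPv4 unicast above 127.0.0.0/8
        '2000::/3',                   # IPv6 global unicast
        'fc00::/7',                   # IPv6 unique local
        'fe80::/10'                   # IPv6 link-local
    )
    New-NetFirewallRule -DisplayName $BlockName -Direction Inbound -Protocol TCP `
        -LocalPort $RdpPort -RemoteAddress $NonLoopback -Action Block -Profile Any |
        Out-Null

    # The built-in "Remote Desktop" allow rules admit any remote address. The block
    # rule above already overrides them; disabling them keeps the rule set honest.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
}

function Get-RdpExposure {
    # Listener bindings. Termsrv normally binds 0.0.0.0 and ::, i.e. every address;
    # the firewall rules, not the binding, are what narrow the exposure here.
    $listeners = Get-NetTCPConnection -LocalPort $RdpPort -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess

    # Every enabled inbound rule whose port filter includes the RDP port, with its
    # action and remote-address scope, so a stray "Any" allow rule stands out.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$RdpPort" } |
        ForEach-Object {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Action        = $_.Action
                RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
            }
        }

    [pscustomobject]@{ Listeners = $listeners; Rules = $rules }
}

Set-RdpLoopbackOnly
$exposure = Get-RdpExposure
$exposure.Listeners | Format-Table -AutoSize
$exposure.Rules     | Format-Table -AutoSize
```

In the report, the expected picture is the listener still on `0.0.0.0`/`::` (the firewall, not the binding, does the work) and exactly two enabled rules for the port: the allow rule scoped to `127.0.0.1, ::1` and the block rule scoped to the explicit ranges; any additional enabled allow rule with `RemoteAddress = Any` means the port is still reachable from the network. With that in place, a remote administrator reaches the server the way CaffeineAddiction and Tino describe, by opening an SSH session to it and forwarding a local port (`ssh -L 3389:127.0.0.1:3389 user@server`) and then pointing the RDP client at the local end of the tunnel. On Windows Server 2003 itself, where these cmdlets are absent, the legacy `netsh firewall add portopening` command with `scope=CUSTOM addresses=127.0.0.1` expresses the same restriction; the link in ThorstenS's edit covers that firewall.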