Windows Server RDP Security Configuration

Introduction to RDP security configuration

The default RDP port 3389 on Windows Server 2012 is a common target for attackers and automated scans. Changing the RDP port and disabling the default Administrator account significantly improves the server's security.

Important warning: before applying this configuration, make sure you have another way to access the server (for example a hosting-provider or hypervisor console), in case a configuration error leaves you unable to connect remotely.


Preparation

1. Create the script file

Open Notepad and paste the complete script below:

# Remote Desktop security configuration script - Windows Server 2012

Write-Host "Starting Windows Server 2012 RDP Security Configuration..." -ForegroundColor Cyan

# 1. Change the RDP port from 3389 to 25701
Write-Host "Step 1: Changing RDP port to 25701..." -ForegroundColor Yellow
try {
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "PortNumber" -Value 25701 -ErrorAction Stop
    Write-Host "RDP port changed to 25701" -ForegroundColor Green
}
catch {
    Write-Host "Failed to change RDP port: $_" -ForegroundColor Red
    exit 1
}

# 2. Configure Windows Firewall (Windows Server 2012 compatible version)
Write-Host "Step 2: Configuring firewall rules..." -ForegroundColor Yellow
try {
    # Disable the built-in rules for the old port 3389. No rule is named exactly "Remote Desktop";
    # the built-in rules (e.g. "Remote Desktop - User Mode (TCP-In)") belong to the
    # "Remote Desktop" group, so the whole group is disabled.
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=no 2>&1 | Out-Null

    # Create the rule for the new port 25701 (netsh is used for Windows Server 2012 compatibility)
    netsh advfirewall firewall add rule name="RDP-25701" dir=in action=allow protocol=TCP localport=25701 2>&1 | Out-Null
    # netsh is a native command: a failure does not raise a PowerShell error, so check its exit code
    if ($LASTEXITCODE -ne 0) { throw "netsh exited with code $LASTEXITCODE while adding rule RDP-25701" }
    Write-Host "Firewall rules configured" -ForegroundColor Green
}
catch {
    Write-Host "Failed to configure firewall rules: $_" -ForegroundColor Red
    # Continue, because the port change may already have succeeded
}

# 3. Create the new administrative user guboysky
Write-Host "Step 3: Creating new admin user guboysky..." -ForegroundColor Yellow
try {
    # Check whether the user already exists
    $userExists = Get-LocalUser -Name "guboysky" -ErrorAction SilentlyContinue
    if ($userExists) {
        Write-Host "User guboysky already exists, removing and recreating..." -ForegroundColor Yellow
        # Remove the existing account; it is recreated below with the configured password
        Remove-LocalUser -Name "guboysky" -ErrorAction Stop
    }

    # Create the new user
    $securePassword = ConvertTo-SecureString "ovh-64(Fr)6479862" -AsPlainText -Force
    New-LocalUser -Name "guboysky" -Password $securePassword -FullName "Guboysky Admin" -Description "Administrative Account" -ErrorAction Stop

    # Add the user to the Administrators group
    Add-LocalGroupMember -Group "Administrators" -Member "guboysky" -ErrorAction Stop

    # Set the password to never expire
    Set-LocalUser -Name "guboysky" -PasswordNeverExpires $true -ErrorAction Stop

    Write-Host "New user guboysky created successfully" -ForegroundColor Green
}
catch {
    Write-Host "Failed to create user: $_" -ForegroundColor Red
    exit 1
}

# 4. Disable the Administrator account
Write-Host "Step 4: Disabling Administrator account..." -ForegroundColor Yellow
try {
    Disable-LocalUser -Name "Administrator" -ErrorAction Stop
    Write-Host "Administrator account disabled" -ForegroundColor Green
}
catch {
    Write-Host "Failed to disable Administrator account: $_" -ForegroundColor Red
}

# 5. Restart the Remote Desktop service
Write-Host "Step 5: Restarting Remote Desktop services..." -ForegroundColor Yellow
try {
    Restart-Service TermService -Force -ErrorAction Stop
    Write-Host "Remote Desktop services restarted" -ForegroundColor Green
}
catch {
    Write-Host "Warning: Could not restart services: $_" -ForegroundColor Yellow
}

# 6. Verify the configuration
Write-Host "Verification Results:" -ForegroundColor Cyan

# Verify the port
$port = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "PortNumber"
Write-Host "RDP Port: $($port.PortNumber)" -ForegroundColor $(if($port.PortNumber -eq 25701){"Green"}else{"Red"})

# Verify the firewall rule. netsh prints "No rules match the specified criteria." when the rule
# is absent; its output is an array of lines, so join it into one string before matching,
# otherwise the -notlike comparison filters the array and is always true.
$firewallCheck = (netsh advfirewall firewall show rule name="RDP-25701" 2>&1) | Out-String
if ($firewallCheck -notlike "*No rules match*") {
    Write-Host "Firewall Rule: Configured" -ForegroundColor Green
} else {
    Write-Host "Firewall Rule: Not found" -ForegroundColor Red
}

# Verify the user accounts
$adminStatus = Get-LocalUser -Name "Administrator"
Write-Host "Administrator Status: $($adminStatus.Enabled)" -ForegroundColor $(if(-not $adminStatus.Enabled){"Green"}else{"Red"})

$newUser = Get-LocalUser -Name "guboysky" -ErrorAction SilentlyContinue
if ($newUser) {
    Write-Host "guboysky User: Created" -ForegroundColor Green
    Write-Host "guboysky Password Never Expires: $($newUser.PasswordNeverExpires)" -ForegroundColor Green
} else {
    Write-Host "guboysky User: Not found" -ForegroundColor Red
}

# Verify Administrators group membership (members are reported as COMPUTERNAME\guboysky;
# @() makes .Count reliable when nothing matches)
$isAdmin = @(Get-LocalGroupMember -Group "Administrators" | Where-Object {$_.Name -like "*\guboysky"}).Count -gt 0
Write-Host "guboysky in Administrators group: $isAdmin" -ForegroundColor $(if($isAdmin){"Green"}else{"Red"})

Write-Host "Configuration Complete!" -ForegroundColor Green
# The repetition must be parenthesised; otherwise Write-Host receives "=", "*" and "50" as three arguments
Write-Host ("=" * 50) -ForegroundColor Cyan
Write-Host "New Remote Desktop Connection Info:" -ForegroundColor Yellow
Write-Host "Server Address: YourServerIP:25701" -ForegroundColor White
Write-Host "Username: guboysky" -ForegroundColor White
Write-Host "Password: ovh-64(Fr)6479862" -ForegroundColor White
Write-Host ("=" * 50) -ForegroundColor Cyan

Write-Host "Important Notes:" -ForegroundColor Red
Write-Host "1. Please test login with new user guboysky immediately" -ForegroundColor Yellow
Write-Host "2. Keep the password secure" -ForegroundColor Yellow
Write-Host "3. If connection fails, check firewall and network settings" -ForegroundColor Yellow

Save the script to the desktop:

  • File name: Configure-RDP.ps1

  • Save as type: select "All Files"

  • Encoding: select "UTF-8"

Note that the script stores the new account's password in plain text and prints it at the end, so delete the file once the new account has been verified.
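Because the script above embeds the password as a literal and echoes it to the console, here is an added example (not part of the original page's script) of a drop-in replacement for its step 3 that prompts for the password at runtime instead. The account name guboysky is taken from the page; the helper function name and the 14-character minimum are this example's own choices.

```powershell
# Replacement for step 3 of Configure-RDP.ps1 (added example, not the original page's code):
# the password is typed at a masked prompt instead of being stored in the .ps1 file,
# and it is never written back to the console.
$UserName = "guboysky"   # same account name as in the original script

# Decode a SecureString only for the equality check, then zero the unmanaged buffer.
function ConvertFrom-SecureStringToText([securestring]$Secure) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Read-Host -AsSecureString masks the input and keeps it out of the command history.
do {
    $securePassword = Read-Host -Prompt "Password for $UserName (at least 14 characters)" -AsSecureString
    $confirm        = Read-Host -Prompt "Confirm password" -AsSecureString
    $plain1 = ConvertFrom-SecureStringToText $securePassword
    $plain2 = ConvertFrom-SecureStringToText $confirm
    $ok = ($plain1.Length -ge 14) -and ($plain1 -ceq $plain2)   # -ceq: case-sensitive compare
    if (-not $ok) { Write-Host "Passwords differ or are too short, try again." -ForegroundColor Yellow }
    $plain1 = $null; $plain2 = $null
} until ($ok)

Write-Host "Step 3: Creating new admin user $UserName..." -ForegroundColor Yellow
try {
    # Recreate the account if it already exists, as the original script does
    if (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue) {
        Remove-LocalUser -Name $UserName -ErrorAction Stop
    }
    New-LocalUser -Name $UserName -Password $securePassword -FullName "Guboysky Admin" -Description "Administrative Account" -ErrorAction Stop
    Add-LocalGroupMember -Group "Administrators" -Member $UserName -ErrorAction Stop
    Write-Host "New user $UserName created successfully" -ForegroundColor Green
}
catch {
    Write-Host "Failed to create user: $_" -ForegroundColor Red
    exit 1
}
# Intentionally no "Password: ..." line at the end of the script: the operator typed it and nothing else needs it.
```

If you use this variant, also remove the line in the original script that prints the password under "New Remote Desktop Connection Info". It deliberately omits the PasswordNeverExpires setting from the original step; add it back only if your password policy requires it.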


Execution steps

1. Run PowerShell as administrator

Right-click the PowerShell icon and choose "Run as administrator", then change to the desktop directory:

cd $env:USERPROFILE\Desktop

2. Set the execution policy

If the script is blocked by the execution policy, run the following command first (the -Scope Process option limits the change to the current PowerShell session):

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

3. Run the configuration script

Run the saved script file:

.\Configure-RDP.ps1

Note: the script restarts the Remote Desktop service during execution, so any existing RDP sessions will be disconnected.
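The steps above assume the host is ready for the script. The following pre-flight check is an added example (not from the original page) that verifies those assumptions before Configure-RDP.ps1 runs: an elevated session, the presence of the local-account cmdlets the script depends on, that port 25701 is not already in use, and that you are not about to disable the very account you are logged on with. The script name and the checks themselves are this example's own.

```powershell
# Preflight-RDP.ps1 (added example): run in an elevated PowerShell on the server BEFORE Configure-RDP.ps1.
# Exits with code 1 if any prerequisite is missing.
$NewPort  = 25701   # must match the port used in Configure-RDP.ps1
$problems = @()

# 1. Elevation: the registry and firewall changes require an administrator token
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $problems += "PowerShell is not running as administrator."
}

# 2. The local-account cmdlets the script relies on (Microsoft.PowerShell.LocalAccounts module)
foreach ($cmd in 'Get-LocalUser', 'New-LocalUser', 'Add-LocalGroupMember', 'Disable-LocalUser') {
    if (-not (Get-Command $cmd -ErrorAction SilentlyContinue)) {
        $problems += "Cmdlet $cmd is not available on this host."
    }
}

# 3. The new port must not already be bound by another service (netstat output, one line per socket)
$listener = netstat -ano -p TCP | Select-String -Pattern ":$NewPort\s+\S+\s+LISTENING"
if ($listener) {
    $lines = ($listener | ForEach-Object { $_.Line.Trim() }) -join '; '
    $problems += "TCP port $NewPort is already in LISTENING state: $lines"
}

# 4. Current RDP listener port (informational; 3389 is the default)
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$current = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Write-Host "Current RDP listener port: $current"

# 5. Lock-out risks: disabling Administrator while logged on as Administrator, or running over RDP
if ($env:USERNAME -eq 'Administrator') {
    $problems += "You are logged on as Administrator, which the script disables. Keep this session open until guboysky has logged in successfully."
}
if ($env:SESSIONNAME -like 'RDP-*') {
    Write-Host "Warning: this is an RDP session; it will drop when TermService restarts." -ForegroundColor Yellow
}

if ($problems.Count -gt 0) {
    Write-Host "Pre-flight check FAILED:" -ForegroundColor Red
    $problems | ForEach-Object { Write-Host " - $_" -ForegroundColor Red }
    exit 1
}
Write-Host "Pre-flight check passed; safe to run .\Configure-RDP.ps1" -ForegroundColor Green
```

Run it from the same elevated prompt as .\Preflight-RDP.ps1 and proceed only when it reports a pass; the informational lines tell you what the listener port was before the change, which is useful if you need to roll back.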


Script step overview

Step  Action                  Description
1     Change RDP port         Change from the default 3389 to 25701
2     Configure firewall      Disable the old-port rules and create a rule for the new port
3     Create new user         Create the administrator user guboysky and set its password
4     Disable Administrator   Disable the default Administrator account
5     Restart service         Restart the Remote Desktop service so the configuration takes effect
6     Verify configuration    Check that all settings were applied correctly

Connection test

After the configuration is complete, connect to the server with the following details:

  • Server address: YourServerIP:25701

  • Username: guboysky

  • Password: ovh-64(Fr)6479862

Connection test tip: as soon as the configuration completes, test the connection with the new account to confirm that everything was applied correctly.
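Before opening the RDP client, it is worth confirming from the client machine that the new port answers and that the old default port no longer does. The following script is an added example (not from the original page) that performs both checks with a raw TCP connect and a timeout, using System.Net.Sockets.TcpClient so it also works on clients without the Test-NetConnection cmdlet. The script and function names are this example's own; 203.0.113.10 in the usage note is a documentation placeholder address.

```powershell
# Test-RdpPorts.ps1 (added example): run on the CLIENT, not on the server.
# Checks that the new RDP port accepts TCP connections and that the old port 3389 is closed.
param(
    [Parameter(Mandatory = $true)][string]$Server,   # server IP or host name
    [int]$NewPort   = 25701,
    [int]$OldPort   = 3389,
    [int]$TimeoutMs = 3000
)

# Returns $true if a TCP connection to ComputerName:Port completes within TimeoutMs.
# A refused connection throws in EndConnect (caught -> $false); a filtered port times out (-> $false).
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # timed out
        $client.EndConnect($async)
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

$newOpen = Test-TcpPort -ComputerName $Server -Port $NewPort -TimeoutMs $TimeoutMs
$oldOpen = Test-TcpPort -ComputerName $Server -Port $OldPort -TimeoutMs $TimeoutMs

if ($newOpen) {
    Write-Host "New port ${NewPort}: open (expected)" -ForegroundColor Green
} else {
    Write-Host "New port ${NewPort}: CLOSED - check the RDP-25701 firewall rule and that TermService restarted" -ForegroundColor Red
}
if ($oldOpen) {
    Write-Host "Old port ${OldPort}: still OPEN - the listener or an old firewall rule is still active" -ForegroundColor Red
} else {
    Write-Host "Old port ${OldPort}: closed (expected)" -ForegroundColor Green
}

# Exit code 0 only when the server is in the intended state
if ($newOpen -and -not $oldOpen) { exit 0 } else { exit 1 }
```

Usage: .\Test-RdpPorts.ps1 -Server 203.0.113.10 (placeholder address). Only once the new port reports open should you connect with the Remote Desktop client using the "YourServerIP:25701" form; if the old port still reports open, the listener port change has not taken effect and a reboot of the server may be needed before the RDP listener picks up the new value.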