Tutorials · Feb 12, 2026 · 9 min read

Secure Windows RDP - Hardening Checklist

Leaving RDP open to the internet is an invitation to brute-force attempts. You can still use RDP safely, but you need a few guardrails.

This is a practical checklist you can run through on any Windows VPS (Windows Server 2019/2022/2025 or Windows 10/11 Pro). Most of it takes 10-20 minutes.

Before changing firewall rules or the RDP port, make sure you have a fallback way to access the server (provider console/VNC), or an existing session you can test with.

TL;DR

  • Put RDP behind a VPN if you can (best option)
  • Enable Network Level Authentication (NLA)
  • Use a non-default admin username and a strong password
  • Turn on account lockout policies
  • Restrict RDP to your IP (or to your VPN subnet)
  • Keep Windows updated and check failed logons occasionally

1. Decide how you want to access the server

You have two sane setups:

  1. VPN-only RDP (recommended): RDP is not reachable from the public internet. You connect to the server over a private VPN IP.
  2. Public RDP, locked down: RDP is reachable, but only from specific IPs and with lockout policies plus NLA.

If you can do VPN-only, do it. It eliminates most of the noise and risk in one move.

2. Enable Network Level Authentication (NLA)

NLA requires authentication before a full RDP session is created. It reduces resource usage and blocks some older attack paths.

GUI:

  1. Right-click This PC and click Properties
  2. Click Remote settings
  3. Under "Remote Desktop" select:
    • "Allow remote connections to this computer"
    • "Allow connections only from computers running Remote Desktop with Network Level Authentication"

PowerShell (optional):

Set-ItemProperty `
  -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
  -Name UserAuthentication `
  -Value 1

If you use very old clients, they might not support NLA. Modern Windows/macOS/iOS/Android clients do.

3. Stop using the default Administrator account as your daily login

Bots try Administrator first.

Do one of these:

  • Create a new admin user for RDP and disable the built-in Administrator, or
  • Rename Administrator and use that new name

Create a new local user and add it to Administrators:

# Pick a strong password.
$password = Read-Host -AsSecureString
New-LocalUser -Name "rdpAdmin" -Password $password -FullName "RDP Admin"
Add-LocalGroupMember -Group "Administrators" -Member "rdpAdmin"

Sign in once as the new user to confirm it works before you change anything else.

4. Turn on account lockout (brute-force throttle)

Account lockout is built-in and effective. It won't stop someone from trying, but it prevents unlimited password guessing.

GUI:

  1. Run secpol.msc
  2. Go to Account Policies and then Account Lockout Policy
  3. Set:
    • Account lockout threshold: 5 invalid logon attempts
    • Account lockout duration: 15 minutes
    • Reset account lockout counter after: 15 minutes

If multiple people RDP into the same server, tune these numbers to match your risk tolerance.

5. Restrict who can reach the RDP port

This is where most servers fail. A strong password is not enough if the login prompt is open to the world.

Option A: Provider firewall or security group (best)

If your VPS provider has a firewall, allow inbound TCP 3389 only from:

  • Your home/office public IP, or
  • Your VPN exit IP, or
  • Your VPN subnet (for Tailscale, 100.64.0.0/10)

Then deny everything else.

Option B: Windows Firewall scope (good fallback)

Open Windows Defender Firewall with Advanced Security and edit the inbound rule:

  • "Remote Desktop - User Mode (TCP-In)"
  • Go to the Scope tab
  • Under "Remote IP address", set only the IPs that should be allowed

If you prefer PowerShell:

# Replace with your public IP (or VPN subnet).
$allowed = "203.0.113.10/32"
Set-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" -Enabled True
Set-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" -RemoteAddress $allowed

If your IP changes, you can lock yourself out. If you don't have a static IP, VPN-only access is usually safer than IP allowlists.

6. Put RDP behind a VPN (Tailscale example)

VPN-only access is simple and usually the best default.

High-level steps:

  1. Install a VPN agent on the server (Tailscale, WireGuard, etc.)
  2. Install the same VPN on your laptop or phone
  3. Allow RDP only from the VPN subnet
  4. Block public inbound RDP entirely

With Tailscale, your server gets a stable private IP in 100.64.0.0/10. You can scope firewall rules to that range and not worry about changing home IPs.

7. (Optional) Change the RDP port

Changing the port won't stop targeted attacks, but it reduces random scanning and log noise.

Pick a high, unused port like 3390 or 53489.

Change the port:

Set-ItemProperty `
  -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
  -Name PortNumber `
  -Value 3390

Then:

  • Update your provider firewall to allow the new port
  • Update Windows Firewall to allow the new port
  • Reboot the server (simplest)
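The three steps above as one script, added here as an example (it is not from the original post). It assumes the new port is 3390, that `203.0.113.10/32` is a placeholder for your allowed IP or VPN subnet, and that you still have a fallback console in case the firewall rule is wrong. The built-in "Remote Desktop" rules only cover 3389, so the new rule is what keeps the server reachable after the port moves.

```powershell
# Added example: move RDP to a new port, open it in Windows Firewall (scoped to
# an allowed source), restart the listener and verify. Run as Administrator.
$newPort = 3390
$allowed = "203.0.113.10/32"   # placeholder: replace with your IP or VPN subnet

# 1. Point the RDP listener at the new port (same registry value as above).
Set-ItemProperty `
  -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
  -Name PortNumber -Value $newPort

# 2. Inbound rule for the new port. Without this the server is unreachable
#    after the listener moves, because the built-in rules only allow 3389.
New-NetFirewallRule -DisplayName "RDP (custom port $newPort)" `
  -Direction Inbound -Protocol TCP -LocalPort $newPort `
  -RemoteAddress $allowed -Action Allow -Profile Any

# 3. Restart the Remote Desktop service so the listener moves. This drops
#    current RDP sessions; a full reboot (as the post suggests) is the simplest.
Restart-Service TermService -Force

# 4. Verify: the listener should be on $newPort and nothing should listen on 3389.
Get-NetTCPConnection -State Listen |
  Where-Object { $_.LocalPort -in @(3389, $newPort) } |
  Select-Object LocalAddress, LocalPort, OwningProcess
```

Once the new port is confirmed from an allowed network, update the provider firewall to match and remove 3389 from it; leaving both open gains nothing.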

To connect from Windows:

mstsc /v:YOUR_SERVER_IP:3390

8. Keep Windows patched and verify logging

Basic hygiene, but worth calling out:

  • Install security updates regularly
  • Keep your browser and any public-facing apps updated
  • Check failed RDP logons in Event Viewer:
    • Windows Logs and then Security
    • Look for repeated failed logon events and where they're coming from

If you see constant brute-force attempts, your server is still publicly exposed.
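A quick way to do the Event Viewer check from PowerShell, added here as an example that is not part of the original post. It summarises failed logons (Security event 4625) from the last 24 hours by source IP and username, then lists lockouts (4740). It assumes an elevated session; the 24-hour window and the top-10 cutoff are arbitrary choices.

```powershell
# Added example: summarise failed logons and lockouts from the Security log.
$since = (Get-Date).AddHours(-24)

# 4625 = "An account failed to log on". -ErrorAction hides the "no events" error.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
            -ErrorAction SilentlyContinue |
  ForEach-Object {
    # Read named fields from the event XML rather than relying on positions.
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
      Time      = $_.TimeCreated
      User      = ($data | Where-Object Name -eq 'TargetUserName').'#text'
      SourceIP  = ($data | Where-Object Name -eq 'IpAddress').'#text'
      LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'  # 10 = RemoteInteractive, 3 = Network (typical with NLA)
    }
  }

"Failed logons since $since : $($failed.Count)"

# Source IPs with the most failures. Dozens from one address is a brute-force run.
$failed | Group-Object SourceIP | Sort-Object Count -Descending |
  Select-Object -First 10 Count, Name

# Usernames being guessed (expect Administrator, admin, test and similar).
$failed | Group-Object User | Sort-Object Count -Descending |
  Select-Object -First 10 Count, Name

# 4740 = "A user account was locked out": the lockout policy doing its job.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
  -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, Message
```

With NLA enabled, failed attempts are usually recorded as LogonType 3 and the 4625 event may show `-` as the source IP. In that case the client address is in the `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational` log (event 140), which you can query with the same `Get-WinEvent -FilterHashtable` pattern by changing `LogName` and `Id`.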

9. Quick sanity check

After you harden the server, test this:

  • From an allowed network: RDP connects normally
  • From a random network (phone hotspot): RDP is blocked
  • A few wrong passwords should trigger lockout
  • If you're VPN-only: a public port scan should not show RDP at all
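Before testing from outside, it helps to read the settings back from the server itself. The script below is an added example (not from the original post) that reports the values this checklist changes: NLA, the RDP port, the remote-address scope of the built-in firewall rule, the local lockout policy and whether the built-in Administrator account (RID 500) is still enabled. It assumes the built-in rule still carries its default name, "Remote Desktop - User Mode (TCP-In)".

```powershell
# Added example: read back the hardening state. Run as Administrator.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp    = Get-ItemProperty -Path $rdpKey

# NLA flag and listening port, straight from the listener's registry key.
$nlaEnabled = ($rdp.UserAuthentication -eq 1)
$rdpPort    = $rdp.PortNumber

# Remote-address scope of the built-in rule. "Any" means open to the world.
$scope = Get-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (TCP-In)' |
  Get-NetFirewallAddressFilter |
  Select-Object -ExpandProperty RemoteAddress

# Built-in Administrator is always RID 500, whatever it has been renamed to.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-*-500' }

[pscustomobject]@{
  NLAEnabled          = $nlaEnabled
  RDPPort             = $rdpPort
  FirewallRemoteScope = ($scope -join ', ')
  BuiltinAdminName    = $builtinAdmin.Name
  BuiltinAdminEnabled = $builtinAdmin.Enabled
} | Format-List

# Effective local lockout policy (threshold, duration, observation window).
(net accounts) -match 'Lockout'

# Flag the two findings that matter most.
if (-not $nlaEnabled)            { Write-Warning "NLA is off (section 2)." }
if ($scope -contains 'Any')      { Write-Warning "RDP rule is open to any remote address (section 5)." }
if ($builtinAdmin.Enabled)       { Write-Warning "Built-in Administrator is still enabled (section 3)." }
```

If `net accounts` prints "Lockout threshold: Never", the lockout policy from section 4 has not been applied. On a domain-joined server the domain policy wins, so check it there instead.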

The safe default

If you only do three things:

  1. VPN-only access
  2. NLA enabled
  3. Account lockout enabled

...you eliminate the most common RDP compromises.