
Windows Server Remote Desktop Setup and Hardening

By Admin · Feb 11, 2026 · Updated Apr 25, 2026

Enabling RDP

# Enable Remote Desktop
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0

# Allow through firewall
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Hardening RDP

Change Default Port

# Change from 3389 to custom port
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "PortNumber" -Value 13389

# Open new port in firewall
New-NetFirewallRule -DisplayName "RDP Custom" -Direction Inbound -Protocol TCP -LocalPort 13389 -Action Allow

# Restart the RDP service so the new port takes effect (-Force also restarts the
# dependent UmRdpService; active RDP sessions are dropped, so run this from console access)
Restart-Service TermService -Force

Network Level Authentication (NLA)

# Require NLA (pre-authentication before session)
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1

Account Lockout Policy

# Lock account after 5 failed attempts for 30 minutes
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

IP Restriction

# Only allow RDP from specific IPs
New-NetFirewallRule -DisplayName "RDP Restricted" -Direction Inbound -Protocol TCP -LocalPort 13389 -RemoteAddress 203.0.113.0/24 -Action Allow

# Disable the built-in allow rule for the default port 3389. The unrestricted
# "RDP Custom" rule created in the port-change step must be disabled the same way,
# otherwise it still admits every source and the IP restriction has no effect.
Set-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" -Enabled False

Session Limits

# Both values are in milliseconds. The policy key does not exist on a fresh install,
# and Set-ItemProperty fails on a missing key, so create it first.
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Force | Out-Null

# Disconnect idle sessions after 30 minutes (30 * 60 * 1000 ms)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name "MaxIdleTime" -Value 1800000

# End disconnected sessions after 1 hour (60 * 60 * 1000 ms)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name "MaxDisconnectionTime" -Value 3600000
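The steps above write settings in three different places (the Terminal Server registry keys, the firewall rule set and the local account policy), and a single missed step silently leaves the server in its default state. The following verification script is an added example and not part of the original article: it reads every setting back and lists the checks that do not match the hardened state. It assumes the custom port 13389 and the lockout threshold of 5 used above, and an elevated Windows PowerShell session on the server being checked.

```powershell
# Added verification script (not from the original article): read back every setting
# the hardening steps change and report which ones still differ from the hardened state.
# Assumptions: custom port 13389 and lockout threshold 5 as used in the steps above.

function Test-RdpHardening {
    [CmdletBinding()]
    param(
        [int]$ExpectedPort = 13389,
        [string]$ExpectedLockoutThreshold = '5'
    )

    $ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # Read one registry value; $null means the key or value is absent (policy never set)
    function Get-RegValue([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    # Registry values written by the enable, port, NLA and session-limit steps
    $expected = @(
        @{ Check = 'RDP connections allowed';     Path = $ts;  Name = 'fDenyTSConnections';   Value = 0 }
        @{ Check = 'Custom listening port';       Path = $tcp; Name = 'PortNumber';           Value = $ExpectedPort }
        @{ Check = 'NLA required';                Path = $tcp; Name = 'UserAuthentication';   Value = 1 }
        @{ Check = 'Idle timeout 30 min';         Path = $pol; Name = 'MaxIdleTime';          Value = 1800000 }
        @{ Check = 'Disconnected timeout 1 hour'; Path = $pol; Name = 'MaxDisconnectionTime'; Value = 3600000 }
    )

    $results = @()
    foreach ($e in $expected) {
        $actual = Get-RegValue $e.Path $e.Name
        $results += [pscustomobject]@{
            Check = $e.Check; Expected = $e.Value; Actual = $actual; Pass = ($actual -eq $e.Value)
        }
    }

    # The built-in allow rule for port 3389 must be disabled
    $defaultRule = Get-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (TCP-In)' -ErrorAction SilentlyContinue
    $defaultEnabled = "$($defaultRule.Enabled)"
    $results += [pscustomobject]@{
        Check = 'Default-port allow rule disabled'; Expected = 'False'
        Actual = $defaultEnabled; Pass = ($defaultEnabled -eq 'False')
    }

    # An enabled inbound allow rule on the custom port that accepts any remote address
    # (for example the "RDP Custom" rule from the port-change step) bypasses the IP restriction
    $openRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            (($_ | Get-NetFirewallPortFilter).LocalPort -contains "$ExpectedPort") -and
            (($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any')
        }
    $openNames = if ($openRules) { $openRules.DisplayName -join ', ' } else { 'none' }
    $results += [pscustomobject]@{
        Check = "No unrestricted allow rule on port $ExpectedPort"; Expected = 'none'
        Actual = $openNames; Pass = (-not $openRules)
    }

    # Lockout threshold as reported by "net accounts" ("Never" means lockout is off)
    $threshold = 'Never'
    foreach ($line in (net accounts)) {
        if ($line -match 'Lockout threshold:\s+(\S+)') { $threshold = $Matches[1] }
    }
    $results += [pscustomobject]@{
        Check = 'Account lockout threshold'; Expected = $ExpectedLockoutThreshold
        Actual = $threshold; Pass = ($threshold -eq $ExpectedLockoutThreshold)
    }

    return $results
}

# Usage: show only the checks that fail
Test-RdpHardening | Where-Object { -not $_.Pass } | Format-Table Check, Expected, Actual -AutoSize
```

The firewall check is the one most worth keeping: the port-change step creates an allow rule open to every source address, and the later IP-restriction step adds a second, narrower rule without removing the first. Windows Firewall evaluates allow rules as a union, so the server stays reachable from anywhere until the broad rule is disabled, and this script flags exactly that condition.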

Monitoring

# View current RDP sessions
qwinsta

# View login history: RDP logons are 4624 events with logon type 10 (RemoteInteractive).
# Match the "Logon Type" field rather than any "10" in the message, and filter before
# trimming to 20 so the output really contains the last 20 RDP logons.
Get-EventLog -LogName Security -InstanceId 4624 -Newest 500 | Where-Object { $_.Message -match 'Logon Type:\s+10' } | Select-Object -First 20 | Format-Table TimeGenerated, Message -Wrap

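The two commands above show who is connected and who recently logged on, but the event a defender most wants to see is the failed attempt, and a list of raw messages does not show how many failures came from one address. The script below is an added example, not part of the original article: it reads 4624 and 4625 events from the Security log, keeps the RDP-related ones, and groups them by source address so a source with many failures (the brute-force pattern the lockout policy above is meant to stop) stands out. It parses the event XML rather than the message text, so it does not depend on the display language, and it assumes it is run with rights to read the Security log.

```powershell
# Added detection example (not from the original article): summarise RDP logon
# successes (4624) and failures (4625) per source address over the last N hours.
# Assumption: run in an elevated Windows PowerShell session on the RDP host.

function Get-RdpLogonSummary {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [int]$FailureThreshold = 5   # flag sources with at least this many failed logons
    )

    $since = (Get-Date).AddHours(-$Hours)

    # Pull one named field out of the event's EventData block
    function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
        $xml = [xml]$Event.ToXml()
        ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
    }

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue

    $rows = foreach ($ev in $events) {
        $logonType = Get-EventField $ev 'LogonType'
        # Type 10 = RemoteInteractive (RDP). With NLA enabled, failures rejected at the
        # CredSSP pre-authentication stage are logged as type 3, so keep both.
        if ($logonType -notin @('10', '3')) { continue }
        [pscustomobject]@{
            Time      = $ev.TimeCreated
            Outcome   = if ($ev.Id -eq 4624) { 'Success' } else { 'Failure' }
            User      = Get-EventField $ev 'TargetUserName'
            Source    = Get-EventField $ev 'IpAddress'
            LogonType = $logonType
        }
    }

    # One line per source address: counts, user names tried, and a brute-force flag
    $summary = $rows | Group-Object Source | ForEach-Object {
        $fails = @($_.Group | Where-Object Outcome -eq 'Failure').Count
        $ok    = @($_.Group | Where-Object Outcome -eq 'Success').Count
        [pscustomobject]@{
            Source     = $_.Name
            Failures   = $fails
            Successes  = $ok
            Users      = (($_.Group.User | Sort-Object -Unique) -join ', ')
            Suspicious = ($fails -ge $FailureThreshold)
        }
    }
    return $summary | Sort-Object Failures -Descending
}

# Usage: last 24 hours, sources with the most failed logons first
Get-RdpLogonSummary | Format-Table -AutoSize
```

A source with a high failure count and no successes is the signature the account lockout policy is designed to blunt; a source with many failures followed by a success is the line to investigate first, since it may mean a guess landed before the lockout threshold was reached.
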

Security measure    Impact
------------------  ---------------------------------------------
Custom port         Reduces automated scanning by 99%
NLA                 Prevents unauthenticated resource consumption
IP restriction      Most effective — limits access entirely
Account lockout     Prevents brute force
Session limits      Prevents abandoned sessions

Warning: Always ensure you have console access (VNC) before making RDP changes. If you lock yourself out of RDP, VNC is your recovery path.
