How to improve the security of Windows RDP

April 10, 2020

Most people use RDP as it is one of the easiest ways to manage Windows servers. It has built-in clients on all Windows desktops and is included in all versions of Windows servers. But because of its popularity, it’s also one of the biggest targets when it comes to brute-force attacks. Hackers often use compromised computers to gain access to your servers via this connection, and even if they fail, the massive surge of attempted connections can cause instability and overall performance issues on your systems. Here are some tricks on how to secure RDP to minimize the risk of these kinds of attacks on your Windows VPS hosting server.

 

Use a VPN

It’s probably one of the best and easiest ways to protect your RDP and system from all kinds of malicious attacks and ensure that any sensitive information stored there remains safe. When using a Virtual Private Network, your connection first has to connect to a secure private network that is encrypted and hosted outside of your server. This means that it doesn’t use any of your resources. Once it’s connected, you are assigned a private IP address through which the RDP connects to your Windows VPS hosting server.

The system is then configured to only allow access from your assigned VPN IP address and will reject any outside attempts from other addresses. It also encrypts any inbound/outbound data, keeping your files extra secure.

 

Scope the RDP Firewall rule

Somewhat similar to a VPN, you can add extra security via the Windows Firewall by limiting access to your RDP port. Restricting access to a single IP address or a group of IP addresses is known as “scoping” the port. After you do this, your Windows VPS hosting system won’t allow connections from IP addresses that are not included in the scope. This also significantly reduces the use of resources as the server doesn’t need to process connection attempts.

To scope your Windows Firewall, you have to:

  1. Log into your server and access the firewall.
  2. Select “Inbound Rules”.
  3. Scroll down until you find the rule labeled “RDP”.
  4. Double click it, then select the “Scope” tab.
  5. In the list of allowed Remote IPs include your current IP address.
  6. Mark the “These IP Addresses” option.
  7. Save the changes.

Now unauthorized users will be denied access at the firewall and won’t even reach your RDP system.

 

Change the RDP Port

Sometimes it’s not possible to scope the RDP port on the Windows VPS hosting server. For example, maybe one of the developers is using a dynamic IP address connection, so limiting access based on an IP address alone isn’t a practical choice. A solution for this is changing the default port.

But before changing it, make sure that the new port is open in the firewall or you will be locked out of your server. Duplicate the current firewall rule for RDP and update the new one with the port number you want to use. To change the port number, you have to:

  1. Log in to your server and enter regedit.exe in the search bar to access the Registry editor.
  2. Go to “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp”.
  3. Scroll down until you find “PortNumber”.
  4. Open it and change the Base from Hexadecimal to Decimal.
  5. Enter your desired port number and click “OK”.
  6. Close the registry and reboot the server.

All that’s left is to reconnect to your Windows VPS hosting server with the new RDP port number. Now that the port is changed, hackers looking for RDP on its default port will have a hard time trying to gain access to your system through RDP.
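
The port change above in script form, with a scoped firewall rule for the new port created and verified before the registry is touched, so a mistake cannot lock you out. This is an added example, not part of the original article: the port 3390, the address 203.0.113.10 and the rule name are assumed placeholder values, and it creates a new rule instead of duplicating the existing one.

```powershell
#Requires -RunAsAdministrator
# Added example. All three values below are assumptions; replace them with your own.
$NewPort   = 3390                     # hypothetical new RDP port
$AllowedIp = @('203.0.113.10')        # constructed admin IP; use 'Any' if scoping is not possible
$RuleName  = 'RDP (custom port)'      # hypothetical display name for the new rule
$RdpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

if ($NewPort -lt 1 -or $NewPort -gt 65535) { throw "Invalid port: $NewPort" }

# Stop if another service is already listening on the chosen port.
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    throw "Port $NewPort is already in use; pick another one."
}

# 1. Open the new port in the firewall FIRST, scoped to the allowed addresses.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $NewPort -RemoteAddress $AllowedIp -Action Allow -Profile Any | Out-Null
}

# 2. Verify the rule is enabled and really covers the new port before going further.
$rule       = Get-NetFirewallRule -DisplayName $RuleName
$portFilter = $rule | Get-NetFirewallPortFilter
$addrFilter = $rule | Get-NetFirewallAddressFilter
if ($rule.Enabled -ne 'True' -or $portFilter.LocalPort -notcontains "$NewPort") {
    throw "Rule '$RuleName' does not allow TCP $NewPort; registry left unchanged."
}

# 3. Only now write the new port (decimal value, stored as a DWORD).
$oldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord
$current = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber

Write-Output "PortNumber: $oldPort -> $current"
Write-Output "Allowed remote addresses: $($addrFilter.RemoteAddress -join ', ')"
Write-Output "Reboot the server, then connect to <server>:$NewPort."
```

Run it from an elevated PowerShell session while you are still connected on the old port; the new port only takes effect after the reboot.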

Just using a VPN and making these simple changes to the Remote Desktop Connection itself greatly improves the security of this software. In turn, it will keep your server, and everything stored there, safe not only from brute force attacks but from potential viruses, malware and so on.