Stop RDP Attacks: Complete Windows VPS Security Guide
Remote access is convenient, but if your RDP is exposed to the internet, attackers will try to break in. Windows VPS RDP security should therefore be the first thing you harden, before you install apps, upload data, or give access to a team.
RDP connections are constantly attacked by bots trying thousands of passwords, so you need more than just a strong password to stay safe.
In this 2026 hardening guide, you will learn to secure your Windows VPS by using strong authentication, enforcing modern encryption, limiting who can access RDP, and turning on the logging you need to detect and respond to suspicious activity quickly.
Understanding Windows VPS RDP Security Risks
RDP connections face several major security risks: brute-force attacks targeting the default port 3389, theft of weak passwords, exploitation of unpatched bugs in Windows such as CVE-2025-58718, and attacks on connections whose encryption isn’t strong enough.
To protect your Windows VPS, you must implement layered security. Follow the steps below to work through the Windows VPS RDP security guide.
Enable Network Level Authentication (NLA)
Network Level Authentication requires users to authenticate before establishing a full RDP session, thereby reducing resource abuse and blocking unauthenticated attempts.
To enable Network Level Authentication on your Windows VPS:
Press Win + R and type sysdm.cpl to open System Properties and navigate to the Remote tab.
Check the box “Allow connections only from computers running Remote Desktop with Network Level Authentication”. Once you are done, click Apply and OK.
To verify NLA is enabled, run the command below from your PowerShell:
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication
In the output, you must see:
UserAuthentication : 1
The value 1 means it is enabled.
Configure TLS Encryption
Modern RDP connections must use TLS 1.2 or higher to protect against attacks on weak encryption. You can enable TLS via Group Policy:
Press Win + R and type gpedit.msc to open Local Group Policy Editor and navigate to:
Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Security
Enable “Require use of specific security layer for remote (RDP) connections”. Set the value to SSL (TLS 1.0). Despite the label, this setting enables TLS 1.2+ on modern Windows versions.
Also, enable “Set client connection encryption level” and set it to High.
To apply the group policy changes, run the command below in PowerShell:
gpupdate /force
Change Default RDP Port
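The default RDP port, 3389, must be changed to reduce exposure to automated scanning and brute-force attacks. A non-default port only hides the service from scanners that check 3389; it does not replace the other controls in this guide.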
To change the default RDP port, press Win + R and type regedit to open Registry Editor and navigate to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Locate the PortNumber value, double-click it, select the Decimal base, and enter your new port number (any unused port between 1024-65535). Click OK and close Registry Editor.
Then, you must configure the firewall for the new RDP port. From your PowerShell, you can run the command below with your new RDP port, for example, 33891:
New-NetFirewallRule -DisplayName "RDP Custom Port" -Direction Inbound -Protocol TCP -LocalPort 33891 -Action Allow
You can optionally remove the old port rule with:
Remove-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)"
This ensures connections are only possible through your custom port.
Restart the Remote Desktop Services to apply the new port configuration:
Restart-Service TermService -Force
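The same port change as a single script, given here as an added example that is not part of the original guide: it opens the firewall for the new port before moving the listener, and rolls back if the service does not come up on the new port. The port 33891 and the rule name follow the guide's example; run it from an elevated PowerShell session.

```powershell
# Added example: change the RDP listener port without locking yourself out.
$NewPort   = 33891   # example port from this guide
$rdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

if ($NewPort -lt 1024 -or $NewPort -gt 65535) {
    throw "Port $NewPort is outside the 1024-65535 range."
}

# Refuse a port that another process is already listening on
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    throw "Port $NewPort is already in use."
}

# Remember the current port so the change can be reverted
$oldPort = (Get-ItemProperty -Path $rdpTcpKey -Name PortNumber).PortNumber

# 1. Open the new port first, so the listener is reachable as soon as it moves
if (-not (Get-NetFirewallRule -DisplayName 'RDP Custom Port' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'RDP Custom Port' -Direction Inbound `
        -Protocol TCP -LocalPort $NewPort -Action Allow | Out-Null
}

# 2. Move the listener (the same value the Registry Editor step edits)
Set-ItemProperty -Path $rdpTcpKey -Name PortNumber -Value $NewPort -Type DWord

# 3. Restart the service; existing RDP connections are dropped at this point
Restart-Service TermService -Force
Start-Sleep -Seconds 5

# 4. Confirm the listener moved, otherwise restore the previous port
if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
    Write-Output "RDP is now listening on port $NewPort (was $oldPort)."
} else {
    Write-Warning "Nothing is listening on $NewPort; restoring port $oldPort."
    Set-ItemProperty -Path $rdpTcpKey -Name PortNumber -Value $oldPort -Type DWord
    Restart-Service TermService -Force
}
```

Remove the old port rule only after you have reconnected successfully on the new port.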
Implement IP Address Whitelisting
Another factor in Windows VPS RDP security is to implement IP address whitelisting. Restricting RDP access to specific trusted IP addresses reduces your attack surface.
Press Win + R and type wf.msc to open Windows Defender Firewall with Advanced Security.
Click Inbound Rules in the left pane, find the rule with Local Port 3389 or your custom port and Protocol TCP, and double-click the rule to open Properties.
Navigate to the Scope tab, under Remote IP address, select “These IP addresses”, click Add, and enter trusted IP addresses. For example, your office IP: 203.0.113.50 or IP range: 203.0.113.0/24.
Click OK and Apply.
Also, you can do this from PowerShell with the command below:
Set-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" -RemoteAddress @("203.0.113.50", "198.51.100.0/24")
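This command modifies the existing RDP firewall rule to only accept connections from the specified IP addresses. If you moved RDP to a custom port and removed the old rule, apply the same -RemoteAddress restriction to your custom-port rule (“RDP Custom Port” in the example above) instead.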
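To read back what the NLA, TLS, port and IP allowlisting steps actually left on the system, the following added example (not part of the original guide) checks the effective values and lists every inbound allow rule covering the RDP port with its remote scope. It assumes the Group Policy settings land under the Terminal Services policy key and fall back to the local RDP-Tcp values; run it elevated.

```powershell
# Added example: audit the RDP hardening settings described in this guide.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$rdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpSetting {
    param([string]$Name)
    # A value set through Group Policy overrides the local RDP-Tcp value
    foreach ($key in $policyKey, $rdpTcpKey) {
        $value = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $value) { return $value }
    }
}

# Expected: NLA on (1), security layer SSL/TLS (2), encryption level High (3)
$expected = [ordered]@{ UserAuthentication = 1; SecurityLayer = 2; MinEncryptionLevel = 3 }
$expected.GetEnumerator() | ForEach-Object {
    $actual = Get-RdpSetting $_.Key
    [pscustomobject]@{
        Setting  = $_.Key
        Actual   = $actual
        Expected = $_.Value
        Pass     = ($actual -eq $_.Value)
    }
} | Format-Table -AutoSize

# Enabled inbound allow rules that name the current RDP port, with their scope.
# Rules defined with a port range or "Any" are not matched by this simple filter.
$port = (Get-ItemProperty -Path $rdpTcpKey -Name PortNumber).PortNumber
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Port          = $port
            Rule          = $_.DisplayName
            RemoteAddress = $remote -join ', '
            Unrestricted  = ($remote -contains 'Any')   # True = reachable from any IP
        }
    } | Format-Table -AutoSize
```

Any row with Pass = False or Unrestricted = True points to a step above that did not take effect.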
Enforce Strong Password Policies
Another important factor in Windows VPS RDP security is to set strong passwords to defend against credential-based attacks.
Press Win + R, type gpedit.msc, and navigate to:
Computer Configuration → Windows Settings → Security Settings → Account Policies → Password Policy
Configure the following settings:
- Minimum password length: 14 characters
- Password must meet complexity requirements: Enabled
- Maximum password age: 90 days
- Enforce password history: 24 passwords remembered
- Minimum password age: 1 day
To verify the settings, run the command below from PowerShell:
net accounts
This command displays the current account policy settings, including password requirements, lockout settings, and minimum and maximum password ages.
Configure Account Lockout Policy
Account lockout policies protect against brute-force password attacks by temporarily disabling accounts after repeated failed login attempts.
To configure the account lockout policy, open the Group Policy Editor (gpedit.msc) and navigate to:
Computer Configuration → Windows Settings → Security Settings → Account Policies → Account Lockout Policy
Configure these three settings:
- Account lockout threshold: 5 invalid logon attempts
- Account lockout duration: 30 minutes
- Reset account lockout counter after: 30 minutes
Alternatively, you can apply it via PowerShell:
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
Note: All three parameters must be configured together.
Implement Automated Brute-Force Protection
Another way to improve Windows VPS RDP security is to use automated brute-force protection. Windows lacks built-in fail2ban functionality, but third-party tools provide similar protection.
For example, you can use the IPBan tool, which is a free and open-source solution that monitors failed login attempts and automatically blocks attacking IPs.
IPBan Installation Steps:
- Download IPBan from GitHub
- Extract to C:\IPBan
- Edit ipban.config to customize settings:
<add key="FailedLoginAttemptsBeforeBan" value="3" />
<add key="BanTime" value="02:00:00" />
<add key="Whitelist" value="203.0.113.50,198.51.100.0/24" />
The FailedLoginAttemptsBeforeBan value sets how many failed attempts trigger a ban, BanTime sets the ban duration in HH:MM:SS format, and Whitelist specifies IP addresses that should never be banned.
- Install as Windows Service:
New-Service -Name "IPBan" -BinaryPathName "C:\IPBan\IPBan.exe" -StartupType Automatic
Start-Service IPBan
These commands create a new Windows service named IPBan that starts automatically with Windows, then immediately starts the service.
Alternative tool: EvlWatcher is another free alternative that monitors the Event Viewer for failed RDP login attempts and blocks attacking IPs for 2 hours by default.
Enable RDP Connection Logging
Detailed logging enables detection and analysis of Windows VPS RDP security issues.
To enable RDP connection logging, press Win + R and type eventvwr.msc to open Event Viewer and navigate to:
Applications and Services Logs → Microsoft → Windows → TerminalServices-RemoteConnectionManager → Operational
Right-click Operational and select Properties. From there, increase the Maximum log size to at least 100 MB and select “Overwrite events as needed” or “Archive the log when full”.
From PowerShell, monitor failed login attempts:
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4625]]" | Select-Object -First 50 | Format-Table TimeCreated, Message -AutoSize
This queries the Security event log for Event ID 4625 (failed logon attempts), selects the 50 most recent events, and displays them in a table format showing when each failed attempt occurred and details about the attempt.
To monitor successful RDP connections, you can run:
Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' -FilterXPath '*[System[EventID=1149]]' | Select-Object -First 20 | Format-List
Disable RDP When Not Needed
You can eliminate the attack vector by disabling RDP entirely on systems that don’t require remote access. To disable RDP, you can use the following PowerShell commands:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 1
Disable-NetFirewallRule -DisplayGroup "Remote Desktop"
If you plan to re-enable RDP, you can use the following commands:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Implement Multi-Factor Authentication
Another factor in Windows VPS RDP security is to use Multi-Factor Authentication (MFA). Here are the most common MFA solutions:
Azure AD MFA (Enterprise Option): For domain-joined systems, Azure AD Conditional Access can enforce MFA for RDP connections. This requires Azure AD Premium licenses and proper Azure AD Connect configuration.
Third-Party MFA Solutions:
- Duo Security: Provides RDP MFA via Authentication Proxy
- AuthAnvil: Two-factor authentication specifically for RDP
- TSplus Advanced Security: Commercial solution with built-in MFA
Note: MFA implementation varies by solution and requires following vendor-specific documentation.
Deploy Remote Desktop Gateway
An RD Gateway centralizes RDP access, enforces SSL encryption, and provides access policies. To configure the RD gateway for Windows VPS RDP security, follow the steps below.
Install Remote Desktop Gateway:
- Open Server Manager
- Click Add roles and features
- Select the Remote Desktop Services installation
- Choose Quick Start → Remote Desktop Gateway
- Complete the wizard
Configure Connection Authorization Policies:
- Open RD Gateway Manager
- Navigate to Policies → Connection Authorization Policies
- Create a new policy with specific user groups and allowed device redirections
- Navigate to Policies → Resource Authorization Policies
- Define which servers users can access through the gateway
Configuration Note: RD Gateway requires SSL certificates for secure operation. Use certificates from a trusted CA rather than self-signed certificates.
Keep Your Windows VPS Updated
It is always recommended to keep your system updated to protect against known vulnerabilities like CVE-2025-58718, a critical RDP client flaw with a CVSS score of 8.8.
Make sure the Windows Update service (wuauserv) is set to start automatically and is currently running, so that automatic updates can work:
Set-Service wuauserv -StartupType Automatic
Start-Service wuauserv
Also, you can install the PSWindowsUpdate module and use it to check for all available updates, install them automatically, accept license agreements, and reboot if necessary:
Install-Module PSWindowsUpdate -Force
Get-WindowsUpdate -Install -AcceptAll -AutoReboot
Additional Settings To Secure RDP on a Windows VPS
In this step, we want to explore some extra settings that you can use to stop attackers from guessing valid usernames and ensure that old and idle sessions don’t remain open for misuse.
1. Disable RDP User Enumeration: Prevent attackers from discovering valid usernames with the following PowerShell command:
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name EnumerateLocalUsers -Value 0 -PropertyType DWORD -Force
This registry setting disables the display of local user accounts on the RDP login screen, which prevents attackers from identifying valid usernames to target.
2. Configure Session Timeouts:
- Open Group Policy Editor (gpedit.msc) and navigate to:
Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Session Time Limits
- Configure these settings:
- Set time limit for disconnected sessions: 15 minutes
- Set time limit for active but idle RDP sessions: 30 minutes
These settings automatically disconnect or log off idle RDP sessions, reducing the window of opportunity for session hijacking attacks.
3. Limit Remote Desktop Users: Only give RDP access to accounts that absolutely require it. To do this, run the commands below:
Get-LocalGroupMember -Group "Remote Desktop Users"
Remove-LocalGroupMember -Group "Remote Desktop Users" -Member "Username"
That’s it, you are done with the Windows VPS RDP security guide.
FAQs
Do I really need to secure RDP on a Windows VPS?
Yes. Hackers use automated bots to constantly attack open RDP connections. Relying on default settings is dangerous and leaves you vulnerable to break-ins.
What is NLA, and should it be enabled on Windows VPS?
NLA (Network Level Authentication) requires users to sign in before the connection even starts. This blocks many attacks, so keep it enabled unless you use very old software.
How can I audit who connected via RDP?
Enable the relevant RDP and Windows security logs and review successful logons, source IPs, and session events regularly.
Conclusion
Windows VPS RDP security requires implementing multiple defensive layers. By enabling NLA, enforcing TLS encryption, changing default ports, restricting IP access, implementing strong authentication policies, and maintaining logging, you can reduce your exposure to RDP-based attacks.