How to Secure Your RDP Server: 2026 Hardening Checklist
RDP is one of the most-attacked protocols on the public internet. Shadowserver and Censys regularly publish data showing that millions of Windows servers expose RDP on port 3389 with weak passwords, and ransomware crews scan for exactly that. The good news: a properly hardened RDP server is a hard target. None of the techniques in this checklist are exotic — they are settings that ship with Windows but are rarely all enabled at once. Walk through this 2026 RDP security checklist in order and you will block the vast majority of automated attacks. Each step is non-disruptive and reversible. By the end, your RDP server will be in better shape than 95% of the publicly-exposed Windows machines on the internet today. BearHost RDP servers at /rdp-server ship with several of these hardenings already applied — but you should still walk through the rest yourself.
RDP hardening checklist: (1) strong admin password 16+ chars, (2) change RDP port from 3389, (3) enforce NLA, (4) tight Windows Firewall rules, (5) brute-force defence (Cyberarms, IPBan, EvlWatcher), (6) account lockout policy, (7) 2FA for RDP via Duo or built-in Windows Hello, (8) RDS Gateway for medium teams, (9) VPN-only access for the highest sensitivity, (10) keep Windows Updates current. Apply them in order; the whole list takes about 1–2 hours. BearHost RDP plans at /rdp-server ship with NLA, modern TLS, and a strong default password applied.
Step 1: Strong Administrator Password
The single most important RDP security control is a strong administrator password. Most compromised RDP servers were running easy-to-guess passwords like "Admin123!", "Password1", or "Welcome2024".
Use a 16+ character random password generated by a password manager (1Password, Bitwarden, Dashlane). Never reuse it from another service. Never write it on a sticky note. Store it in your password manager and copy-paste it into RDP via clipboard sharing.
If you are using the default 'Administrator' account, consider creating a new admin user with a different name and disabling the built-in Administrator account. Every brute-force attempt in the world targets 'Administrator' — using a custom username instantly removes you from automated attack lists.
Enforce it at the policy level: open Local Security Policy → Account Policies → Password Policy. Set the minimum password length to 14, enable complexity requirements, and set password history to 24.
Step 2: Change the Default RDP Port
RDP listens on TCP port 3389 by default. Every RDP scanner on the internet targets 3389. Changing it to a random high port (e.g., 49382) instantly drops 90% of brute-force attempts.
Open Registry Editor and navigate to HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. Find the PortNumber DWORD, change its base to Decimal, and enter your new port number. Click OK.
Open Windows Defender Firewall with Advanced Security and create a new inbound rule allowing TCP traffic on the new port. Disable or delete the default RDP rule on port 3389.
Reboot the server. From your client, connect using IP:NEWPORT format (e.g., 203.0.113.5:49382 in Remote Desktop Connection).
Note: this is security through obscurity — it doesn't make RDP unbreakable, but it removes you from the bottom 90% of automated attacks. Combine it with the other steps in this checklist.
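The same port change and firewall rules as a PowerShell script, run from an elevated prompt. This is an added example, not part of the original post; 49382 is the sample port from the text, and the rule name is my own choice.

```powershell
# Step 2 as PowerShell (added example). Run as Administrator.
# 49382 is the sample port from the article; pick your own random high port.
$NewPort = 49382
$RdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Move the listener. PortNumber is a DWORD; -Value takes the decimal number directly.
Set-ItemProperty -Path $RdpTcp -Name PortNumber -Value $NewPort -Type DWord

# 2. Open the new port BEFORE rebooting, or the reboot locks you out.
New-NetFirewallRule -DisplayName "RDP custom port $NewPort" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -Action Allow -Profile Any | Out-Null

# 3. Disable the built-in 'Remote Desktop' rule group that still allows 3389.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# 4. Read both settings back before you reboot.
$configured = (Get-ItemProperty -Path $RdpTcp -Name PortNumber).PortNumber
if ($configured -ne $NewPort) { throw "PortNumber is $configured, expected $NewPort" }
$rule = Get-NetFirewallRule -DisplayName "RDP custom port $NewPort"
$port = ($rule | Get-NetFirewallPortFilter).LocalPort
if ($rule.Enabled -ne 'True' -or $port -ne "$NewPort") { throw "Firewall rule for TCP/$NewPort missing or disabled" }
Write-Output "PortNumber=$configured, firewall rule enabled on TCP/$port. Reboot to apply."
```

After the reboot, `Get-NetTCPConnection -State Listen -LocalPort 49382` should show the listener and nothing should be listening on 3389 any more.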
Step 3: Enforce Network Level Authentication (NLA)
Network Level Authentication requires the user to authenticate before a full RDP session is established. Without NLA, every connection attempt opens a graphical login screen on the server, which can be exploited by RDP-protocol vulnerabilities (BlueKeep, DejaBlue, etc.).
Open System Properties → Remote tab. In the Remote Desktop section, select 'Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)' instead of 'Allow connections from computers running any version of Remote Desktop'. Click OK.
Verify via Group Policy: Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Security. Set 'Require user authentication for remote connections by using Network Level Authentication' to Enabled.
BearHost RDP plans ship with NLA enabled by default — but it's worth verifying.
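To set and verify NLA from PowerShell, including the policy value that the Group Policy setting above writes, here is an added example (not from the original post). It assumes the default listener name RDP-Tcp.

```powershell
# Step 3 as PowerShell (added example). Run as Administrator.
$Listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$Policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'   # where the GPO from the text lands

# Require NLA on the RDP-Tcp listener: same effect as the System Properties radio button.
$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
$r = Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 }
if ($r.ReturnValue -ne 0) { throw "SetUserAuthenticationRequired failed with code $($r.ReturnValue)" }

# Verify both the live listener setting and the policy value (the policy wins when it is set).
$live = (Get-ItemProperty -Path $Listener -Name UserAuthentication).UserAuthentication
$pol  = (Get-ItemProperty -Path $Policy -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
[pscustomobject]@{
    ListenerRequiresNLA = ($live -eq 1)
    PolicyEnforcesNLA   = ($pol -eq 1)     # False until the GPO setting from the text is Enabled
}
if ($live -ne 1) { throw 'NLA is still not required on RDP-Tcp' }
```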
Step 4: Tight Windows Firewall Rules
Windows Defender Firewall should allow inbound RDP only from specific IP addresses or ranges, not from the entire internet. If you connect from a fixed home or office IP, lock the firewall down to that IP.
Open Windows Defender Firewall with Advanced Security. Find your custom-port RDP inbound rule. On the Scope tab, under 'Remote IP address', select 'These IP addresses' and add your home or office IP (find it via whatismyip.com).
If you have a dynamic IP at home, use a /16 or /24 range covering your ISP's typical pool, or use a Dynamic DNS service combined with a script that updates the firewall rule.
For mobile workers, this is impractical — that's where you graduate to RDS Gateway or VPN-only access (see steps 8 and 9).
Test: try to connect from a coffee shop or mobile hotspot — you should be blocked. Then connect from your trusted IP — you should succeed.
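Scoping the rule from PowerShell, plus the 'script that updates the firewall rule' for the dynamic-IP case, as an added example that is not part of the original post. It assumes the rule name from the Step 2 example; 198.51.100.10 is a documentation address and home.example.net a placeholder DDNS hostname, so replace all three.

```powershell
# Step 4 as PowerShell (added example). Run as Administrator, or as a scheduled task.
$RuleName    = 'RDP custom port 49382'
$StaticAllow = @('198.51.100.10')    # fixed office IP (placeholder)
$DdnsName    = 'home.example.net'    # DDNS hostname that tracks your home IP (placeholder)

function Update-RdpScope {
    param([string]$Rule, [string[]]$Static, [string]$Dns)
    $allowed = @($Static)
    if ($Dns) {
        # Fail closed: if the lookup fails, keep the current scope rather than opening the rule.
        try   { $allowed += (Resolve-DnsName -Name $Dns -Type A -ErrorAction Stop |
                             Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress }
        catch { Write-Warning "Lookup of $Dns failed; leaving '$Rule' unchanged"; return }
    }
    $allowed = @($allowed | Where-Object { $_ } | Select-Object -Unique)
    $current = @((Get-NetFirewallRule -DisplayName $Rule | Get-NetFirewallAddressFilter).RemoteAddress)
    if (-not (Compare-Object $current $allowed)) { return }   # scope already correct
    Set-NetFirewallRule -DisplayName $Rule -RemoteAddress $allowed
    Write-Output "'$Rule' now accepts only: $($allowed -join ', ')"
}

Update-RdpScope -Rule $RuleName -Static $StaticAllow -Dns $DdnsName
```

Run it every few minutes from Task Scheduler; the WireGuard subnet from Step 9 goes into the same -RemoteAddress list.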
Step 5: Brute-Force Defence (Fail2Ban for Windows)
Linux has fail2ban. Windows has several equivalents that watch the Security event log for failed RDP logins and automatically block offending IP addresses at the firewall level.
Cyberarms IDDS (free for personal use) is a popular Windows brute-force defence tool. Install it, configure it to monitor failed RDP logins, and set a threshold such as 5 failures in 10 minutes triggering a 24-hour IP block.
IPBan (open source, GitHub) is a lighter-weight alternative that does the same thing without a GUI. Install via PowerShell, configure thresholds in an XML file, and let it run as a Windows service.
EvlWatcher is another open-source option specifically for failed RDP logins.
Whichever tool you pick, verify it's working: try to connect with a wrong password 6 times from a test IP. After the threshold, your IP should be auto-blocked. Check the firewall to confirm the block rule was added.
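To show what these tools do under the hood, here is a minimal fail2ban-style blocker in PowerShell. It is an added example, not code from Cyberarms, IPBan or EvlWatcher; the thresholds mirror the text (5 failures in 10 minutes, 24-hour block), and 198.51.100.10 is a placeholder for your own trusted IP.

```powershell
# Step 5 (added example): fail2ban-style blocker. Run as Administrator, e.g. every 5 min from Task Scheduler.
$Threshold = 5; $WindowMin = 10; $BlockHours = 24
$RulePrefix = 'RDP brute-force block'
$Allowlist  = @('198.51.100.10')     # never block your own source (placeholder, replace)

function Get-FailedLogonSources {
    param([int]$Minutes)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $x = [xml]$e.ToXml(); $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        # LogonType 10 = RemoteInteractive; failures at the NLA stage are logged as type 3.
        if ($d.LogonType -in '3', '10' -and $d.IpAddress -match '^\d{1,3}(\.\d{1,3}){3}$') { $d.IpAddress }
    }
}

function Block-Offenders {
    $hits = Get-FailedLogonSources -Minutes $WindowMin | Group-Object | Where-Object Count -ge $Threshold
    foreach ($g in $hits) {
        $ip = $g.Name; $name = "$RulePrefix $ip"
        if ($ip -in $Allowlist -or (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) { continue }
        # Block rules beat allow rules in Windows Firewall, so this overrides the RDP allow rule.
        # The expiry time is stored in the rule description so Unblock-Expired can lift it later.
        New-NetFirewallRule -DisplayName $name -Description (Get-Date).AddHours($BlockHours).ToString('o') `
            -Direction Inbound -RemoteAddress $ip -Action Block -Profile Any | Out-Null
        Write-Output "Blocked $ip after $($g.Count) failed logons in $WindowMin min"
    }
}

function Unblock-Expired {
    foreach ($r in Get-NetFirewallRule -DisplayName "$RulePrefix *" -ErrorAction SilentlyContinue) {
        if ([datetime]$r.Description -lt (Get-Date)) {
            Remove-NetFirewallRule -Name $r.Name; Write-Output "Unblocked: $($r.DisplayName)"
        }
    }
}

Unblock-Expired
Block-Offenders
```

The verification in the text applies unchanged: after the sixth wrong password from a test IP, `Get-NetFirewallRule -DisplayName 'RDP brute-force block *'` should list that address.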
Step 6: Account Lockout Policy
Independent of any third-party brute-force tool, Windows itself can lock accounts after N failed login attempts. This stops a determined attacker from grinding through password attempts even from a different IP.
Open Local Security Policy → Account Policies → Account Lockout Policy. Set 'Account lockout threshold' to 5 invalid logon attempts. Set 'Account lockout duration' to 30 minutes. Set 'Reset account lockout counter after' to 30 minutes.
After 5 wrong passwords, the account locks for 30 minutes. An attacker would need to maintain a sustained, multi-day campaign to make any progress, which most automated attacks won't bother with.
Caveat: lockout policies can be turned into a denial-of-service against you if an attacker knows your username and simply keeps failing logins on purpose. Mitigate this by combining the lockout with a custom username (Step 1) and IP-based brute-force defence (Step 5).
Step 7: Two-Factor Authentication for RDP
Two-factor authentication (2FA) on RDP is the single biggest jump in security after a strong password. Even if your password leaks, an attacker needs the second factor.
Duo Security (Cisco) offers free 2FA for up to 10 users with a Windows agent that integrates directly with RDP. Install Duo Authentication for Windows Logon, configure it to require 2FA for RDP sessions, and enroll your phone.
When you connect via RDP, you authenticate with username + password as normal, then your phone gets a Duo push notification you must approve before the session opens.
Microsoft also offers Windows Hello for Business and Azure MFA, but these are heavier setups that make sense for organisations on Microsoft 365 / Entra ID.
For a single user with a free Duo account, the whole 2FA setup takes about 20 minutes and is the highest-impact security upgrade you can make.
Step 8: Remote Desktop Gateway (for Teams)
If your RDP server is used by 3+ people, putting Remote Desktop Gateway in front of it is a major security upgrade. RDS Gateway terminates RDP connections at a hardened front door, encrypts everything inside HTTPS on port 443, and only forwards authenticated traffic to the internal RDP host.
Benefits: you don't expose port 3389 (or any custom RDP port) to the internet. Outside attackers see only an HTTPS endpoint, which is far less attractive than a raw RDP port. Connection policies let you control who connects to what at a fine-grained level.
Install on Windows Server via Server Manager → Add Roles → Remote Desktop Services → Remote Desktop Gateway. Configure a connection authorisation policy and a resource authorisation policy.
On the client side, configure Remote Desktop Connection Settings → Advanced → Connect from Anywhere and enter your RDS Gateway URL.
RDS Gateway requires Remote Desktop Services CALs, which add cost but are worth it for any team-shared RDP setup.
Step 9: VPN-Only Access (Highest Sensitivity)
For workloads with regulatory or financial sensitivity (healthcare data, large brokerage accounts, sensitive corporate data), the strongest configuration is to take RDP off the public internet entirely. Run a VPN server (WireGuard, OpenVPN, or commercial like Tailscale or Twingate), and only allow RDP from the VPN private IP range.
Setup: install WireGuard on the RDP server, generate a peer config for your laptop and phone, set the Windows Firewall to allow RDP only from the WireGuard subnet (e.g., 10.10.10.0/24), and disable RDP from the public internet.
Now to connect, you first establish the VPN tunnel, then RDP to the server's private IP. Outside attackers cannot probe RDP at all — they hit the VPN, which (when properly configured) gives them no information about what's behind it.
Tailscale and Twingate offer 'zero-trust' wrappers that make this even simpler, with mobile clients and per-user access controls. Free tiers are sufficient for individual or small-team use.
Step 10: Keep Windows Updates Current
Microsoft regularly patches RDP-related CVEs. BlueKeep (CVE-2019-0708), DejaBlue (CVE-2019-1181/1182), and several Spectre/Meltdown-class issues over the years all required prompt patching to remain safe.
Configure Windows Update to apply security updates automatically. Open Settings → Update & Security → Windows Update → Advanced Options. Set 'Restart this device as soon as possible when a restart is required' (with active hours configured around your trading or business hours so you're not interrupted).
For trading workloads where reboots are disruptive, set updates to download but not auto-install, and reboot the server during the weekend market close. Just don't skip updates entirely — running an unpatched RDP server in 2026 is asking for trouble.
Check the patch level monthly. Microsoft's monthly Patch Tuesday usually contains an RDP-related fix.
Bonus: Audit and Monitoring
Enable RDP logon auditing in Group Policy: Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy → Logon/Logoff. Enable success and failure auditing for logon events.
Review the Security event log weekly. Filter to Event ID 4624 (successful logon) and 4625 (failed logon). Look for unusual source IPs, off-hours logins, or repeated failures from the same address.
For automated alerting, integrate Windows Event Forwarding with a SIEM tool (Wazuh free tier, Graylog, or Elastic Security). At minimum, configure email alerts on multiple consecutive failed logon events.
Monitor your VPS provider's security dashboard if available. BearHost provides DDoS protection, network-level firewall capabilities, and abuse alerting on every /rdp-server plan.
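The weekly review of 4624/4625 described above as a PowerShell report, an added example that is not part of the original post. The working hours, the seven-day window and the known-IP list (198.51.100.10 is a documentation address) are assumptions to adjust to your own pattern.

```powershell
# Weekly RDP logon review (added example). Run as Administrator; reads the last 7 days.
$Since     = (Get-Date).AddDays(-7)
$WorkHours = 7..19                   # successful logons outside these hours are flagged
$KnownIPs  = @('198.51.100.10')      # your trusted sources (placeholder, replace)

function Read-LogonEvent {
    param($Event)
    $x = [xml]$Event.ToXml(); $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    [pscustomobject]@{ Time = $Event.TimeCreated; Id = $Event.Id; User = $d.TargetUserName
                       IP = $d.IpAddress; LogonType = $d.LogonType }
}

function Get-RdpLogonReport {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
              ForEach-Object { Read-LogonEvent $_ } |
              Where-Object { $_.LogonType -in '3', '10' -and $_.IP -match '^\d' }   # RDP and NLA-stage events only

    # 1. Successful RDP logons (4624, type 10) from unknown addresses, off-hours or at weekends.
    $success    = $events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq '10' }
    $suspicious = $success | Where-Object {
        ($_.IP -notin $KnownIPs) -or ($_.Time.Hour -notin $WorkHours) -or ($_.Time.DayOfWeek -in 'Saturday', 'Sunday')
    }
    # 2. Repeated failures (4625) per source address, worst first, with the usernames tried.
    $failures = $events | Where-Object Id -eq 4625 | Group-Object IP | Sort-Object Count -Descending |
                Select-Object @{ n = 'IP'; e = { $_.Name } }, Count,
                              @{ n = 'Users'; e = { ($_.Group.User | Select-Object -Unique) -join ',' } }

    [pscustomobject]@{ SuspiciousLogons = @($suspicious); FailuresBySource = @($failures) }
}

$report = Get-RdpLogonReport
'--- Successful RDP logons worth a second look ---'; $report.SuspiciousLogons | Format-Table Time, User, IP -AutoSize
'--- Failed logons by source (top 20) ---';          $report.FailuresBySource | Select-Object -First 20 | Format-Table -AutoSize
```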
Final Checklist Recap
- Strong 16+ character admin password, custom username (not 'Administrator')
- RDP port changed from 3389 to a random high port
- Network Level Authentication (NLA) enforced
- Windows Firewall locked to specific source IPs
- Brute-force defence tool installed (Cyberarms / IPBan / EvlWatcher)
- Account lockout policy: 5 failures, 30-minute lock
- Two-factor authentication enabled (Duo or equivalent)
- RDS Gateway in front for team-shared servers
- VPN-only access for highest-sensitivity workloads
- Windows Updates applying automatically (or scheduled weekend reboots)
- Logon auditing enabled and reviewed weekly
Conclusion
A hardened RDP server is dramatically harder to break into than a default-configured one — yet the entire checklist takes a couple of hours of one-time work. Strong password, custom port, NLA, firewall whitelist, brute-force defence, account lockout, 2FA, and (for higher-stakes workloads) RDS Gateway or VPN-only access. Apply them in order and your Windows RDP server moves from "low-hanging fruit" to "not worth the attacker time," which is the realistic security goal for any internet-exposed service. BearHost RDP servers at /rdp-server come with several of these mitigations applied by default — modern TLS, NLA, strong randomly-generated initial passwords, and DDoS protection — but the rest are your job. For wider context, our /blogs/what-is-rdp-hosting-beginners-guide-2026 covers what RDP hosting is, /blogs/cheap-windows-vps-with-rdp-2026 compares cheap RDP plans, and /blogs/remote-desktop-hosting-vs-vps-difference explains when a generic VPS is a better fit.