Windows Admin

Set up Remote Desktop securely

Practical Windows guide: set up Remote Desktop securely without the usual guesswork.

14 min read Intermediate Updated 9 Jun 2026
Windows library Start the guide

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

Warning

Exposing Remote Desktop to the internet without a VPN or zero-trust gateway invites brute-force attacks. Enable NLA, use strong passwords, and prefer VPN-first access.

What you will achieve

Enable Remote Desktop on Windows Pro/Enterprise with Network Level Authentication, restricted users, and firewall rules scoped to your network.

1) Enable RDP in Settings

  1. Settings → System → Remote Desktop → toggle On.
  2. Confirm Require devices to use Network Level Authentication stays enabled.
  3. Note the PC name shown — clients need this or the IP to connect.

2) Allow users who may connect

  1. Click Remote Desktop users or run sysdm.cpl → Remote tab → Select Users.
  2. Add named accounts — do not give Everyone access. Standard users in this list can RDP; they still need a password.

3) Firewall verification

  1. wf.msc → confirm Remote Desktop - User Mode (TCP-In) is enabled for Domain/Private, disabled on Public if possible.
  2. RDP uses TCP 3389 by default — change port only with registry + firewall rule together if you must non-default.

4) Connect from another PC

  1. On the client, run mstsc.exe, enter PC-name or IP, connect with authorised credentials.
  2. For access outside the LAN, use VPN first (Settings → Network & internet → VPN) — do not port-forward 3389 to the internet bare.

5) Change default RDP port (optional obscurity)

  1. Registry: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TcpPortNumber DWORD.
  2. Add matching firewall inbound rule — obscurity is not security; still use VPN and NLA.

6) Audit RDP logons

  1. Event Viewer → Windows Logs → Security, Event ID 4624 Logon Type 10 = RemoteInteractive (RDP).

7) Require NLA via Group Policy

  1. Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Security → Require user authentication for remote connections by using Network Level Authentication → Enabled.

8) RD Gateway pattern

  1. Instead of exposing 3389, publish RD Gateway on 443 with TLS — clients set gateway in RDP file Advanced tab.
  2. Home users without server infra should use VPN then RDP on Private network only.

Verification checklist

RDP from authorised client on LAN succeeds with NLA. From unauthorised account, connection rejected. RDP from internet without VPN should fail if router forwards nothing.

  1. Reboot once after changes that affect services, drivers, or firmware.
  2. Confirm the original problem is resolved under normal daily use, not only immediately after the fix.
  3. Note date, Windows version (Settings → System → About), and what changed in your personal runbook for next time.

Related guides

desktop remote secure setup windows

Related guides

Continue with these next if you are building a fuller setup or troubleshooting path.

Admin
Group Policy basics (Pro/Enterprise)
Practical Windows guide: group Policy basics (Pro/Enterprise) without the usual guesswork.
Read guide
Admin
Manage local users and groups
Practical Windows guide: manage local users and groups without the usual guesswork.
Read guide