Remote Desktop Protocol (RDP) is the industry standard for managing Windows servers. Because it’s so popular, it's also a primary target for automated botnets, brute-force attackers, and ransomware gangs.
Deploying a Windows VPS is just the first step. Securing it ensures your data remains yours. Here are 5 essential best practices every administrator must implement immediately after provisioning the server.
1. Change the Default RDP Port (3389)
Out of the box, RDP listens on port 3389. Attackers scan the entire internet for port 3389 to find vulnerable servers. By changing the port, you evade 95% of automated attacks.
How to change it:
- Open the Registry Editor (regedit).
- Navigate to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
- Look for the PortNumber key, double-click it, select Decimal, and enter a new port number (between 1025 and 65535, e.g., 13389).
- Crucial: Before restarting the server, allow your new port through the Windows Firewall.
- Restart the server. Now you must connect using IP_Address:13389.
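The same change scripted in PowerShell, as an added example that is not part of the original post. It follows the post's order (firewall rule first, registry second, reboot last) and adds a read-back check before the reboot; 13389 is the post's sample port, and the rule name is my own choice.

```powershell
# Added example, not from the FlashRDP post: move the RDP listener off 3389 from an elevated PowerShell session.
# 13389 is the post's sample port; any value in the range the post gives will do.
$NewPort = 13389
$RegPath = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Firewall first. The built-in "Remote Desktop" rules are tied to port 3389, so the new port needs its own
#    rule, and creating it before the reboot is what keeps you from locking yourself out.
New-NetFirewallRule -DisplayName "RDP (custom port $NewPort)" -Direction Inbound -Protocol TCP `
    -LocalPort $NewPort -Action Allow -Profile Any | Out-Null

# 2. Write the port. The GUI stores it as a decimal REG_DWORD, so -Type DWord matches what regedit would do.
Set-ItemProperty -Path $RegPath -Name PortNumber -Value $NewPort -Type DWord

# 3. Read it back before rebooting, so a typo cannot strand the server on a port nothing allows through.
$written = (Get-ItemProperty -Path $RegPath -Name PortNumber).PortNumber
if ($written -ne $NewPort) { throw "PortNumber is $written, expected $NewPort; not restarting." }

# 4. Apply with a reboot, as the post says. Reconnect to IP_Address:$NewPort afterwards.
Restart-Computer -Force

# After reconnecting, confirm the listener really moved (run this in the new session):
# Get-NetTCPConnection -State Listen -LocalPort $NewPort
```

Keep the session you ran this from open until a fresh connection on the new port has succeeded; if the reboot comes back and nothing is listening on 13389, the out-of-band console from your hosting panel is the fallback.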
2. Implement Account Lockout Policies
If a bot finds your RDP port, it will attempt to guess your Administrator password thousands of times per minute. Stop them by enforcing a lockout policy.
- Open Local Security Policy (secpol.msc).
- Go to Account Policies -> Account Lockout Policy.
- Set Account lockout threshold to 5 invalid logon attempts.
- Set Account lockout duration to 30 minutes.
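An added example, not from the original post, that applies the same policy from the command line and then reads the Security log for the brute-force pattern the policy exists to stop. The post sets only the threshold (5) and duration (30); the 30-minute reset window is my own choice, and the one-hour lookback is arbitrary.

```powershell
# Added example, not from the FlashRDP post: set the lockout policy from an elevated prompt, then count
# failed logons per source address so you can see whether a bot has already found the port.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
net accounts   # prints the effective policy for confirmation

# Failed logons (Event ID 4625) in the last hour. This needs failure auditing on the Logon subcategory;
# check it with:  auditpol /get /subcategory:Logon
$since = (Get-Date).AddHours(-1)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named fields from the event XML rather than parsing the message text
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $data['TargetUserName']
            SourceIp  = $data['IpAddress']
            LogonType = $data['LogonType']   # 10 = RemoteInteractive (RDP session), 3 = network (NLA pre-auth)
        }
    }

# Top offending source addresses
$failed | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'SourceIp'; e = { $_.Name } } -First 10

# Accounts the policy actually locked (Event ID 4740); the first data field is the account name
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Account'; e = { $_.Properties[0].Value } }
```

With NLA enabled (section 5), password guesses fail before a session exists and show up as logon type 3 rather than 10, so do not filter on type 10 alone when looking for RDP brute force.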
3. Rename the Administrator Account
Half the battle in a brute-force attack is knowing the username. Administrator is the default. If you change it, the attacker has to guess both the username and the password.
- Open Computer Management (compmgmt.msc).
- Navigate to Local Users and Groups -> Users.
- Right-click the Administrator account -> Rename.
- Give it an inconspicuous name (e.g., SysAdminRohan or TechSupport).
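The rename from PowerShell, as an added example that is not part of the original post, using the post's sample name SysAdminRohan. It also shows the one caveat worth knowing: the built-in account keeps its well-known SID (relative ID 500) whatever it is called, so the rename hides the name, not the account.

```powershell
# Added example, not from the FlashRDP post: rename the built-in Administrator account and confirm the result.
# Run elevated; 'SysAdminRohan' is the post's sample name, pick your own.
Rename-LocalUser -Name 'Administrator' -NewName 'SysAdminRohan'

# The built-in account is identified by its SID, which always ends in -500 regardless of name.
# This lists it under whatever name it now carries, so you can verify the rename took effect.
Get-LocalUser |
    Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
    Select-Object Name, Enabled, SID

# Any scheduled task or service that logs on as 'Administrator' by name will now fail; list candidates
# so they can be updated to the new name before you log off.
Get-CimInstance Win32_Service | Where-Object { $_.StartName -like '*Administrator' } | Select-Object Name, StartName
```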
4. IP Allowlisting via Advanced Windows Firewall
If you only connect to your VPS from your office or home, you shouldn't allow the entire world to see your RDP port.
- Open Windows Defender Firewall with Advanced Security.
- Go to Inbound Rules and find the Remote Desktop/RDP rule.
- Right-click -> Properties -> Scope tab.
- Under "Remote IP address", select "These IP addresses" and add your local IP. (Note: Only do this if you have a static IP from your ISP, otherwise you will lock yourself out when your IP changes).
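The same scope restriction applied to the built-in rule group from PowerShell, as an added example that is not part of the original post. The two addresses are RFC 5737 documentation placeholders standing in for your static IP; the custom-port rule name is an assumption and only matters if you created such a rule in section 1.

```powershell
# Added example, not from the FlashRDP post: restrict the Remote Desktop firewall rules to trusted addresses.
# Placeholders from the documentation ranges; replace with the static IP(s) you connect from.
$Trusted = @('203.0.113.10', '198.51.100.0/24')

# Lockout guard, per the post's note: show where your current RDP sessions come from, and refuse to apply the
# allowlist if none of those peers is covered by a single-address entry in $Trusted.
$peers = Get-NetTCPConnection -State Established -OwningProcess (Get-Process -Name svchost -ErrorAction SilentlyContinue).Id -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 3389, 13389 } | Select-Object -ExpandProperty RemoteAddress -Unique
"Current RDP peers: $($peers -join ', ')"
if (-not ($peers | Where-Object { $_ -in $Trusted })) {
    throw "Your own source address is not in the allowlist; add it first or you will lock yourself out."
}

# Current scope of the built-in rules (default is 'Any')
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# Apply the allowlist to every rule in the group (TCP, UDP and Shadow rules)
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Set-NetFirewallRule -RemoteAddress $Trusted

# If you created a separate rule for a custom port in section 1, scope that one too (assumed rule name)
$CustomRuleName = 'RDP (custom port 13389)'
Set-NetFirewallRule -DisplayName $CustomRuleName -RemoteAddress $Trusted -ErrorAction SilentlyContinue

# Verify
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter | Format-Table RemoteAddress
```

The guard only checks single addresses, not CIDR membership, so if your trusted entry is a subnet it will throw even when you are covered; in that case confirm the subnet by eye and remove the check. If your ISP address does change later, the hosting panel's console is the way back in.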
5. Enable Network Level Authentication (NLA)
Network Level Authentication requires the connecting user to authenticate themselves before a session is created on the server. This prevents denial-of-service (DoS) attacks that attempt to consume server memory by initiating thousands of unauthenticated RDP sessions.
NLA is enabled by default on modern Windows Server versions, but it's worth verifying:
- Open System Properties (sysdm.cpl).
- Go to the Remote tab.
- Ensure "Allow connections only from computers running Remote Desktop with Network Level Authentication" is checked.
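The same verification without the GUI, as an added example that is not part of the original post. It reads the RDP-Tcp listener settings through the TerminalServices WMI provider, enforces NLA if it is off, and cross-checks the registry value the Remote tab writes.

```powershell
# Added example, not from the FlashRDP post: verify, and if needed enforce, NLA on the RDP-Tcp listener.
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"

"NLA required  : $($ts.UserAuthenticationRequired)   (1 = yes, the checkbox on the Remote tab)"
"Security layer: $($ts.SecurityLayer)   (2 = TLS, which NLA relies on; 0 = legacy RDP security)"

if ($ts.UserAuthenticationRequired -ne 1) {
    # Equivalent to ticking the checkbox; takes effect for new connections without a reboot
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    "NLA was off; it has been enabled."
}

# Cross-check against the registry values the GUI writes (UserAuthentication=1, SecurityLayer=2)
Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication, SecurityLayer | Select-Object UserAuthentication, SecurityLayer
```

Because NLA authenticates before a session is built, clients that cannot do CredSSP (very old mstsc versions and some third-party clients) will be refused once this is on; test your own client before enforcing it on a server you cannot otherwise reach.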
Secure High-Performance Hosting
At FlashRDP, our network is protected by enterprise-grade, always-on DDoS mitigation, filtering volumetric attacks before they reach your network port. But application-layer security starts with you. Practice good hygiene, use complex passwords, and your Windows VPS will remain an impenetrable fortress.
FlashRDP Team
Editorial Team & Engineers
The official editorial team behind FlashRDP, bringing you the latest updates on Windows RDP, Linux VPS hosting, and server optimization practices.
