Secure Remote Desktop

Change the RDP port, enable NLA, limit accounts, and harden the Windows firewall.

Remote Desktop (RDP) is the main entry point to a Windows VPS. Without hardening, it is targeted by automated scans. This guide applies effective measures on a HolyCloud Windows VPS.

Prerequisites

  • Windows Server VPS with administrator access
  • Active RDP session (keep an IPMI/KVM console or second channel before changing the port)
  • Note current values (port, accounts)

Enable Network Level Authentication (NLA)

NLA requires authentication before a full session opens.

GUI: sysdm.cpl → Remote tab → check Allow connections only from computers running Remote Desktop with Network Level Authentication.

PowerShell:

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1

Verify:

(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication

Change the RDP port (example: 3390)

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name PortNumber -Value 3390

Firewall: remove the generic 3389 rule and add the new port:

Remove-NetFirewallRule -DisplayName 'Remote Desktop*' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'RDP Custom 3390' -Direction Inbound -Protocol TCP -LocalPort 3390 -Action Allow -Profile Any

Restart the service:

Restart-Service TermService -Force

Client connection:

mstsc /v:PUBLIC_IP:3390

Open the same port in the HolyCloud firewall (client area) if network filtering is active.

Accounts and passwords

  • Rename or disable the Administrator account after creating a dedicated admin:

$Password = Read-Host -AsSecureString 'Mot de passe fort'
New-LocalUser -Name 'adm-votreorg' -Password $Password -FullName 'Admin VPS'
Add-LocalGroupMember -Group 'Administrators' -Member 'adm-votreorg'

  • Password policy: length 16+, complexity via secpol.msc → Account Policies.
  • Never share the same password across clients.

Limit users allowed for RDP

net localgroup "Remote Desktop Users" "adm-votreorg" /add

Remove unnecessary accounts. Verify:

net localgroup "Remote Desktop Users"

If your admin IP is fixed, scope the allow rule to that address instead of leaving the port open to Any:

New-NetFirewallRule -DisplayName 'RDP depuis bureau' -Direction Inbound -Protocol TCP -LocalPort 3390 -RemoteAddress VOTRE.IP.PUBLIQUE -Action Allow
Remove-NetFirewallRule -DisplayName 'RDP Custom 3390'

Rule precedence: Windows Firewall with Advanced Security applies explicit Block rules before Allow rules, whatever their creation order, so an additional Block rule on port 3390 would refuse your own IP as well. Rely on the default inbound block instead: once the unscoped 'RDP Custom 3390' rule is removed, only VOTRE.IP.PUBLIQUE can reach the port.

Lockout after failed attempts

secpol.msc → Account Lockout Policy:

  • Account lockout threshold: 5 attempts
  • Account lockout duration: 30 minutes

Logging

Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational' -MaxEvents 20

Watch for repeated connection failures coming from the same source address.
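The following audit script is an added example and not part of the HolyCloud guide. It checks the hardening state described in the sections above (NLA, custom port, firewall scoping, built-in Administrator, lockout policy) and summarises failed logons from the Security log by source address. It assumes port 3390 as in the guide and English-language output from net accounts.

```powershell
# Added audit script, not part of the HolyCloud guide: checks the hardening state
# described above and summarises failed logons. Run in an elevated PowerShell.
# Assumptions: custom port 3390 (as in the guide), English 'net accounts' output.
$ExpectedPort = 3390
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp = Get-ItemProperty -Path $rdpKey
$checks = [ordered]@{}
$checks['NLA enabled (UserAuthentication = 1)'] = ($rdp.UserAuthentication -eq 1)
$checks["RDP listens on port $ExpectedPort"] = ($rdp.PortNumber -eq $ExpectedPort)

# An enabled inbound Allow rule for the RDP port whose remote address is 'Any'
# exposes the port to every scanner; the allow rule should be scoped to the admin IP.
$openRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$ExpectedPort" -and
        ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
    }
$checks['No RDP allow rule open to Any'] = (@($openRules).Count -eq 0)

# The built-in Administrator (RID 500) should be renamed or disabled.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-*-500' }
$checks['Built-in Administrator renamed or disabled'] = ($builtin.Name -ne 'Administrator' -or -not $builtin.Enabled)

# Lockout threshold from 'net accounts': a number means configured, 'Never' means disabled.
$threshold = (net accounts | Select-String 'Lockout threshold').Line -replace '.*:\s*', ''
$checks['Account lockout threshold configured'] = ($threshold -match '^\d+$')

foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'OK  ' } else { 'FAIL' }
    Write-Output "[$state] $name"
}

# Failed logons (Security log, event ID 4625) over the last 24 hours, grouped by
# source IP; many failures from one address indicate a password-guessing scan.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        ($data | Where-Object Name -eq 'IpAddress').'#text'
    } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 10 |
    ForEach-Object { Write-Output ('{0,5} failed logons from {1}' -f $_.Count, $_.Name) }
```

A source address of '-' in the failed-logon list means the failure was recorded without a network address (for example when NLA rejected the attempt before a session existed).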

Troubleshooting

| Problem | Solution |
|---------|----------|
| RDP unreachable after port change | IPMI/KVM console, revert to 3389 in the registry |
| "CredSSP" / NLA error | Update the Windows RDP client |
| Account lockout | Wait for the lockout duration or unlock via an admin |

Need help?

HolyCloud support can help with network blocks; by default, passwords are never reset over unsecured chat.