How to Secure Remote Desktop in Windows

Protect your Windows PC by configuring Remote Desktop securely. Follow these steps to enable NLA, change port settings, and restrict access.

1. Enforce Network Level Authentication. Open Settings, navigate to System, and select Remote Desktop. Click the arrow next to Remote Desktop to expand options and toggle on 'Require devices to use Network Level Authentication to connect'. This forces the client to authenticate before a full session is established, mitigating exposure to pre-authentication exploits.
2. Limit User Access Permissions. Within the same Remote Desktop settings menu, click 'Remote users' to open the Remote Desktop Users window. Remove any unnecessary accounts and ensure only the specific, standard user account required for remote access is present. Avoid using the primary Administrator account for remote connections.
3. Change the Default RDP Port. Press Win + R, type 'regedit', and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. Locate 'PortNumber', double-click it, select 'Decimal', and change the value from 3389 to a non-standard port between 50000 and 60000. Restart the machine to apply the changes.
4. Update Windows Firewall Rules. Open Windows Defender Firewall with Advanced Security. Select 'Inbound Rules', find 'Remote Desktop - User Mode (TCP-In)', and modify the port to match the new value set in the registry. Restrict the rule scope by setting the Remote IP address to specific known IP addresses instead of 'Any IP address'.
5. Review Account Lockout Policies. Run 'secpol.msc' and navigate to Account Policies > Account Lockout Policy. Set 'Account lockout threshold' to 5 invalid logon attempts. This prevents brute-force attacks from successfully guessing your password over time.