This is a comprehensive guide on how to secure remote desktop access in SMB (small and medium-sized business) environments. Remote Desktop Protocol (RDP) is one of the most powerful tools for IT professionals and MSPs, offering seamless access to remote systems for support, maintenance, and troubleshooting. However, its security remains a subject of debate among IT experts. According to a 2025 GO-Global article, “RDP was used to leverage compromised credentials for internet access and lateral movement.”
A recent Sophos report confirms this, indicating that RDP remains a top attack vector for brute-force intrusions and ransomware delivery. For small to medium-sized enterprises, which often lack enterprise-grade firewalls and identity systems, securing RDP is not just smart; it’s mission-critical.
📌 Recommended deployment strategies:
| Choose a Method | 💻 Best for Individual Users | 💻💻💻 Best for Enterprises |
| --- | --- | --- |
| Method 1: Disable RDP if not required | ✓ | |
| Method 2: Use network-level authentication | ✓ | |
| Method 3: Restrict RDP access via firewalls and groups | ✓ | ✓ |
| Method 4: Enforce strong RDP session encryption | ✓ | |
| Method 5: Configure smart lockouts and account policies | ✓ | |
| Method 6: Custom RDP port + auto-disable after hours | ✓ | ✓ |
How to secure remote desktop access?
Method 1: Disable RDP if not required
📌 Use Cases: Great for local-only admin stations or shared public-access computers that don’t require remote access
📌 Prerequisites:
- Local or domain admin access
- PowerShell or Registry Editor
- Group Policy Editor (for GPO method)
- It is highly recommended that you back up your Windows Registry before proceeding.
Steps:
For PowerShell
- Open PowerShell as an administrator (writing under HKLM requires elevation).
- Execute the following command:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
For Command Prompt
- Open Command Prompt as an administrator.
- Execute the following command:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
For Group Policy
- Press Win + R, type gpedit.msc, and press Enter.
- Navigate to the following path: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections
- Set “Allow users to connect remotely using Remote Desktop Services” to Disabled.
Method 2: Use network-level authentication
Network Level Authentication (NLA) requires the remote user to authenticate before a full session is created on the host, so unauthenticated clients never reach the logon screen.
📌 Use Cases: Recommended for systems that need remote access but should authenticate users before session load.
📌 Prerequisites:
- Windows 10/11 Pro, Enterprise, or Server 2016+
- Registry or Group Policy Editor.
- You must have admin access.
- It is highly recommended that you back up your Windows Registry before proceeding.
Steps:
For PowerShell
- Open PowerShell as an administrator.
- Execute the following command:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1
For Command Prompt
- Open Command Prompt as an administrator.
- Execute the following command:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
For Group Policy
- Press Win + R, type gpedit.msc, and press Enter.
- Navigate to the following path: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
- Enable “Require user authentication for remote connections by using NLA”.
Method 3: Restrict RDP access via firewall and local groups
📌 Use Cases: This method reduces exposure by allowing RDP access only from trusted IPs and user groups.
📌 Prerequisites:
- You must have admin access.
- You need to have PowerShell and firewall management rights.
- Access to the Remote Desktop Users group.
Steps:
- Open PowerShell as an administrator.
- Execute the following commands, as needed.
Restrict firewall scope
This restricts the scope of the RDP rule to specific IPs/subnets.
An example:
Set-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" -RemoteAddress "192.168.1.0/24"
💡Change the remote address as needed.
Control group access
This removes unneeded users or generic groups from the Remote Desktop Users group and adds only the accounts that need access.
Remove-LocalGroupMember -Group "Remote Desktop Users" -Member "JohnDoe"
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "ITAdmin"
💡Make sure to change “JohnDoe” to the account you want to remove and “ITAdmin” to your desired user or IT admin.
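The two commands above act on one firewall rule and one user at a time. The following script is an added example, not code from the original article or from NinjaOne, that applies the same two controls across the whole "Remote Desktop" rule group and reconciles the Remote Desktop Users group against an explicit allowlist. The subnet list and account names are assumed placeholders; run it in an elevated PowerShell session.

```powershell
# Added example (not from the original article): scope every inbound rule in the built-in
# "Remote Desktop" firewall group to trusted subnets, then make the Remote Desktop Users
# group match an allowlist. $TrustedSubnets and $AllowedMembers are assumed values.
$TrustedSubnets = @('192.168.1.0/24', '10.10.5.0/24')
$AllowedMembers = @('CONTOSO\RDP-Admins', 'WORKSTATION01\ITAdmin')

# 1. Narrow the remote-address scope of all inbound Remote Desktop rules (TCP, UDP and
#    Shadow rules), not only the single "User Mode (TCP-In)" rule.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $TrustedSubnets

# Confirm the resulting scope; "Any" here means the rule still accepts the whole internet.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress -Unique

# 2. Remove any member of "Remote Desktop Users" that is not on the allowlist.
#    Names are compared as "DOMAIN\Name"; nested group membership is not expanded.
$current = Get-LocalGroupMember -Group 'Remote Desktop Users'
foreach ($member in $current) {
    if ($AllowedMembers -notcontains $member.Name) {
        Write-Host "Removing unexpected member: $($member.Name)"
        # -WhatIf only reports; drop it once the list has been reviewed.
        Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $member.Name -WhatIf
    }
}

# 3. Ensure every allowlisted principal is present.
foreach ($name in $AllowedMembers) {
    if ($current.Name -notcontains $name) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $name
    }
}
```

Keeping the allowlist in the script (or in a NinjaOne custom script field) gives you a single place to review who holds RDP rights, and the `-WhatIf` run shows what would change before anything is removed.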
Method 4: Enforce strong RDP session encryption
📌 Use Cases: Ideal for systems accessed over VPN or semi-trusted networks that require encrypted sessions.
📌 Prerequisites:
- You must have admin rights.
- You need to have Registry or GPO access.
- It is highly recommended that you back up your Windows Registry before proceeding.
Steps:
For Group Policy
- Press Win + R, type gpedit.msc, and press Enter.
- Go to: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
- Set “Set client connection encryption level” to Enabled and choose High Level.
For Registry Editor or PowerShell
- Press Win + R, type regedit, and press Enter.
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp and set the MinEncryptionLevel DWORD value to 3 (High).
- Alternatively, execute this command in an elevated PowerShell session:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name MinEncryptionLevel -Value 3
Method 5: Configure smart lockouts and account lock policies
📌 Use Cases: Prevents brute-force login attempts by locking out accounts after repeated failures.
📌 Prerequisites:
- You must have Group Policy or Local Security Policy access.
- You must have admin privileges.
Steps:
- Go to the following GPO path: Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
- Recommended settings:
- Account lockout threshold: 5
- Lockout duration: 15 minutes
- Reset counter after: 15 minutes
PowerShell example:
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15
💡 Note: These are recommended values only. The threshold is a number of failed attempts; the duration and window are in minutes (e.g., 15). Adjust them to suit your environment.
Method 6: Custom RDP port + auto-disable after hours
📌 Use Cases: This method is useful for reducing attacks from automated scanners and prevents access during off-hours.
📌 Prerequisites:
- You must have Registry and PowerShell access.
- Have access to Task Scheduler (optional)
- You need administrator privileges.
Steps:
To change the RDP port
- Press Win + R, type regedit, and press Enter.
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp and open the PortNumber value.
- Set it (in Decimal) to an unused port like 3395.
- Reboot the machine.
💡 The built-in Remote Desktop firewall rules only cover the default port 3389, so allow the new port in the firewall before you reboot.
Monitor the new port
- Open Command Prompt.
- Execute the command: netstat -an | find "3395"
Disable RDP after hours (manually or via automation)
- Open PowerShell as an administrator.
- Execute the command (-Force is required because dependent services such as UmRdpService must be stopped as well):
Stop-Service -Name TermService -Force
💡 Tip: You can automate this with Task Scheduler to stop the Remote Desktop Services (TermService) after business hours and re-enable it in the morning if needed.
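The steps above are done by hand in Registry Editor and Task Scheduler. The script below is an added example, not code from the original article or from NinjaOne, that performs the whole of Method 6 in one elevated PowerShell session: it moves the listener to a custom port, adds a firewall rule for that port scoped to a trusted subnet, and registers two scheduled tasks that stop TermService after hours and start it again in the morning. The port, subnet and times are assumed values.

```powershell
# Added example (not from the original article): custom RDP port, matching firewall rule,
# and after-hours stop/start of Remote Desktop Services via Task Scheduler.
# $NewPort, $TrustedSubnet and the task times are assumed values; adjust to your environment.
$NewPort       = 3395
$TrustedSubnet = '192.168.1.0/24'
$RdpTcpKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Move the listener. Takes effect after a reboot (or a restart of TermService).
Set-ItemProperty -Path $RdpTcpKey -Name PortNumber -Value $NewPort -Type DWord

# 2. Allow the new port, but only from the trusted subnet. The built-in "Remote Desktop"
#    rules are fixed to 3389 and will no longer match, so without this rule you lock yourself out.
$ruleName = "RDP custom port $NewPort"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $NewPort -RemoteAddress $TrustedSubnet -Action Allow -Profile Domain, Private
}

# 3. After-hours schedule: stop TermService at 19:00 and start it at 07:00, every day.
#    -Force is needed because UmRdpService depends on TermService.
$stopAction  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -ExecutionPolicy Bypass -Command "Stop-Service -Name TermService -Force"'
$startAction = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -ExecutionPolicy Bypass -Command "Start-Service -Name TermService"'
$stopTrigger  = New-ScheduledTaskTrigger -Daily -At '19:00'
$startTrigger = New-ScheduledTaskTrigger -Daily -At '07:00'
# Run as SYSTEM so the tasks work with nobody logged on.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName 'RDP - Stop after hours' -Action $stopAction `
    -Trigger $stopTrigger -Principal $principal -Force | Out-Null
Register-ScheduledTask -TaskName 'RDP - Start business hours' -Action $startAction `
    -Trigger $startTrigger -Principal $principal -Force | Out-Null

# 4. Verify after the reboot: the listener should appear on the new port and not on 3389.
Get-NetTCPConnection -State Listen -LocalPort $NewPort, 3389 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Create the firewall rule before the reboot, not after; once the listener moves, the only way back onto a host with no matching rule is local or out-of-band access. Overnight maintenance jobs that depend on RDP need an exception window, as the risk table below notes.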
⚠️ Things to look out for
| Risks | Potential Consequences | Reversals |
| --- | --- | --- |
| Disabling RDP on critical systems | May prevent remote access for support or patching | Use tools like NinjaOne or local access to re-enable RDP or adjust policy. |
| Misconfigured firewall rules | Legitimate users could be locked out | Use IP scope testing, document changes, and allow temporary broader access if troubleshooting. |
| Over-aggressive lockout thresholds | Could result in user lockouts, increasing Help Desk volume | Monitor audit logs; increase thresholds slightly if too many false positives occur. |
| Changing the RDP port | May break scripts, monitoring tools, or integrations | Inform relevant stakeholders; update all documentation and tools with the new port. |
| Disabling RDP after hours | Could interrupt overnight maintenance or automated tasks | Create exceptions for maintenance windows; schedule reactivation if necessary. |
| Inconsistent NLA configuration | Clients are unable to connect if they don’t support NLA | Ensure endpoints are updated or temporarily switch encryption level to “Client Compatible”. |
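Most of the reversals in the table start with knowing what a host's settings currently are. The following read-only script is an added example, not code from the original article or from NinjaOne, that reports every value Methods 1 to 6 touch next to the value this guide recommends, so you can confirm a change landed or see what to roll back. It modifies nothing; run it in an elevated PowerShell session.

```powershell
# Added example (not from the original article): read-only posture check for the settings
# Methods 1 to 6 change. Nothing here modifies the system. Expected values are the ones
# recommended in this guide.
$TsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RegValue($Path, $Name) {
    # Returns $null instead of throwing when the value has never been set.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$checks = @(
    [pscustomobject]@{ Setting  = 'fDenyTSConnections (Method 1)'
                       Actual   = Get-RegValue $TsKey 'fDenyTSConnections'
                       Expected = '1 if RDP is not needed, otherwise 0' }
    [pscustomobject]@{ Setting  = 'UserAuthentication (Method 2, NLA)'
                       Actual   = Get-RegValue $RdpTcpKey 'UserAuthentication'
                       Expected = '1' }
    [pscustomobject]@{ Setting  = 'MinEncryptionLevel (Method 4)'
                       Actual   = Get-RegValue $RdpTcpKey 'MinEncryptionLevel'
                       Expected = '3 (High)' }
    [pscustomobject]@{ Setting  = 'PortNumber (Method 6)'
                       Actual   = Get-RegValue $RdpTcpKey 'PortNumber'
                       Expected = 'not 3389, and covered by a firewall rule' }
)

# Method 5: lockout policy as reported by "net accounts" (threshold = attempts, others in minutes).
$netAccounts = net accounts
foreach ($label in 'Lockout threshold', 'Lockout duration (minutes)', 'Lockout observation window (minutes)') {
    $line     = $netAccounts | Select-String -SimpleMatch $label | Select-Object -First 1
    $value    = if ($line) { ($line.Line -split ':\s+', 2)[1].Trim() } else { 'not found' }
    $expected = if ($label -eq 'Lockout threshold') { '5' } else { '15' }
    $checks  += [pscustomobject]@{ Setting = "$label (Method 5)"; Actual = $value; Expected = $expected }
}

# Method 3: remote addresses accepted by the enabled inbound Remote Desktop firewall rules.
$scope = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
    Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress -Unique
$checks += [pscustomobject]@{ Setting  = 'Firewall remote scope (Method 3)'
                              Actual   = ($scope -join ', ')
                              Expected = 'trusted subnets only, never Any' }

$checks | Format-Table -Property Setting, Actual, Expected -AutoSize -Wrap
```

Because the output is a list of objects rather than text, the same script can feed a NinjaOne custom field or be exported with `Export-Csv` to build the RDP exposure inventory mentioned later in this guide.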
Additional considerations when securing remote desktop access
Use an RDP gateway
Implementing a Remote Desktop Gateway allows you to centralize RDP access management. It adds a secure HTTPS tunnel, supports multi-factor authentication (MFA), and gives you better control over logging, auditing, and session restrictions.
💡 Tip: Read How to set up Remote Desktop Gateway.
Combine RDP with VPN access
It is highly recommended that you require all remote connections to go through a VPN first. Keep in mind that this will not eliminate the risk of ransomware, but it can definitely reduce it.
Limit device redirection
Prevent data leakage by disabling the clipboard and any printer and drive redirection during RDP sessions. Use Group Policy:
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
Audit RDP logins and failures
We suggest using PowerShell to monitor for successful (Event ID 4624) and failed (Event ID 4625) login attempts. A filter hashtable lets the event log do the filtering instead of pulling every Security event into PowerShell first:
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 }
Set up alerts for abnormal activity like brute-force patterns or unusual login times.
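Listing raw 4624/4625 events is only the starting point; the alert conditions above (brute-force patterns, unusual login times) need the events grouped. The script below is an added example, not code from the original article or from NinjaOne. It parses the last 24 hours of logon events, summarises failures per source address to surface brute-force and password-spraying patterns, and lists successful Remote Desktop logons outside a business-hours window. The window, threshold and lookback period are assumed values; it must run elevated to read the Security log.

```powershell
# Added example (not from the original article): brute-force and off-hours detection from
# Security events 4624/4625. With NLA enabled, failed RDP attempts are usually recorded
# as logon type 3 (network) rather than 10 (RemoteInteractive), so both types are counted.
# $Hours, $Threshold and the business-hours window are assumed values.
$Hours         = 24
$Threshold     = 10
$BusinessStart = 7    # 07:00
$BusinessEnd   = 19   # 19:00

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

# Read named fields from the event XML; positional indexes into .Properties differ between IDs.
$records = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.LogonType -in '3', '10') {
        [pscustomobject]@{
            Id        = $e.Id
            Time      = $e.TimeCreated
            User      = $data.TargetUserName
            Source    = $data.IpAddress
            LogonType = $data.LogonType
            SubStatus = $data.SubStatus   # 4625 only: 0xC000006A bad password, 0xC0000064 unknown user
        }
    }
}

# (a) Failed logons per source address, worst first.
$failed = $records | Where-Object Id -eq 4625 | Group-Object Source | ForEach-Object {
    $times = @($_.Group.Time | Sort-Object)
    [pscustomobject]@{
        Source        = $_.Name
        Failures      = $_.Count
        DistinctUsers = @($_.Group.User | Sort-Object -Unique).Count
        FirstSeen     = $times[0]
        LastSeen      = $times[-1]
    }
} | Sort-Object Failures -Descending
$failed | Format-Table -AutoSize

# Many failures from one source, or one source trying many accounts, is worth an alert.
$failed | Where-Object { $_.Failures -ge $Threshold -or $_.DistinctUsers -ge 5 } | ForEach-Object {
    Write-Warning "Possible brute force from $($_.Source): $($_.Failures) failures across $($_.DistinctUsers) accounts"
}

# (b) Successful interactive RDP logons (type 10) outside the business-hours window.
$records | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq '10' -and
    ($_.Time.Hour -lt $BusinessStart -or $_.Time.Hour -ge $BusinessEnd) } |
    Select-Object Time, User, Source | Format-Table -AutoSize
```

Run it on a schedule and forward the `Write-Warning` lines to your RMM or ticketing system; the per-source counts also tell you whether a lockout threshold of 5 (Method 5) would have fired on real traffic or only on typos.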
Restrict RDP access by time
Use Task Scheduler or PowerShell scripts to disable RDP during non-business hours. Alternatively, use firewall rules with scheduled activation windows to block RDP traffic after hours.
Troubleshooting common issues
| What may happen | Why it happens | How to resolve it |
| --- | --- | --- |
| Users can’t connect | NLA mismatch or blocked port | Verify NLA setting, check port (default or custom) in the firewall |
| High failed logins | Brute-force attack underway | Enforce account lockout policy; limit IP ranges |
| RDP encryption mismatch | Legacy RDP client or outdated OS | Lower encryption temporarily to “Client Compatible” |
| RDP service won’t start | Port conflict or TermService error | Restart the TermService; inspect event logs or port conflicts |
| Port change not working | Firewall or NAT device not updated | Update firewall rules, NAT port forwarding, and client configs |
How NinjaOne helps you secure RDP
NinjaOne, the automated endpoint management software trusted by 30,000+ customers worldwide, helps you secure RDP by:
- Remotely enabling/disabling RDP based on device group, user role, or policy
- Rotating RDP ports or blocking default ports across entire environments.
- Scheduling RDP service shutdowns after hours or on unused endpoints.
- Receiving alerts on failed login spikes or unusual remote access attempts.
- Auditing RDP exposure (both internal and external) with real-time inventory reports.
- Automating firewall rule deployments and session restrictions with custom scripts.
In addition, NinjaOne implements a zero-trust remote access model across your entire fleet, without user disruption or increased admin overhead, so you can focus on your core competencies without worry.
Remotely manage and control Windows, Mac, and Linux endpoints with NinjaOne.
Learn more about NinjaOne Remote Access.
Experience better RDP security
RDP can be an essential tool for your organization, but without strong security, it can be a hacker’s playground. By following the secure remote desktop access strategies in this guide, you can significantly reduce your attack surface, especially in SMB environments where layered security isn’t always in place.
Related topics:
- What Is Remote Desktop Protocol (RDP)?
- How To Set Up Remote Desktop Gateway
- Enable or Disable Remote Desktop Protocol (RDP) on Workstations Using PowerShell
- Understanding Remote Access Protocols
- Remote Access Best Practices for MSPs and IT Pros
- IT Guide: How to Delete Saved RDP Credentials in Windows
- Automating Remote Desktop Shortcut Creation Using PowerShell
