Best Practices for Securing Remote Desktop Access in SMB Environments

by Raine Grey, Technical Writer

Key Points

  • Securing Remote Desktop Protocol (RDP) in SMB environments requires layered controls such as access restriction, authentication hardening, encryption, and monitoring to reduce exposure to brute-force attacks and ransomware.
  • Disable RDP on systems that do not require remote access to eliminate unnecessary attack surfaces.
  • Enforce Network Level Authentication (NLA), strong encryption, and account lockout policies to prevent unauthorized access and brute-force attempts.
  • Restrict RDP access using firewalls, trusted IP ranges, and controlled user groups to minimize exposure.
  • Use additional safeguards like VPNs, RDP gateways, port changes, session scheduling, and activity monitoring to strengthen the overall security posture.
  • Continuously audit and respond to RDP activity: monitor login attempts, detect unusual access patterns, and set up alerts for anomalies so you can respond quickly to potential threats and prevent lateral movement.

Remote Desktop Protocol (RDP) is a critical tool for IT professionals and MSPs. It provides direct access to remote systems for support, maintenance, and troubleshooting.

Security concerns remain. A 2025 GO-Global article states that attackers used compromised credentials over RDP to gain access and move laterally.

A recent Sophos report confirms that RDP remains a primary attack vector. Attackers use it for brute-force intrusions and ransomware delivery.

Small and medium-sized enterprises often lack enterprise-grade firewalls and identity systems. Securing RDP is essential for these organizations.

📌 Recommended deployment strategies:

Method 1: Disable RDP if not required
Method 2: Use network-level authentication
Method 3: Restrict RDP access via firewalls and groups
Method 4: Enforce strong RDP session encryption
Method 5: Configure smart lockouts and account policies 
Method 6: Custom RDP port + auto-disable after hours

🎥 The video for Best Practices for Securing Remote Desktop Access in SMB Environments covers all six methods.

How to secure remote desktop access?

Method 1: Disable RDP if not required

📌 Use Cases: Great for local-only admin stations or shared public-access computers that don’t require remote access

📌 Prerequisites:

Steps:

  1. For PowerShell
    1. Open PowerShell as an administrator.
    2. Execute the following command:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1

  2. For Command Prompt
    1. Open Command Prompt as an administrator.
    2. Execute the following command:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

  3. For Group Policy
    1. Press Win + R, type gpedit.msc, and press Enter.
    2. Navigate to the following path: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections
    3. Set “Allow users to connect remotely using Remote Desktop Services” to Disabled.

Method 2: Use network-level authentication

NLA requires the client to authenticate (through CredSSP) before a desktop session is created, so unauthenticated clients never reach the logon screen and consume no session resources.

📌 Use Cases: Recommended for systems that need remote access but should authenticate users before session load.

📌 Prerequisites: 

  • Windows 10/11 Pro, Enterprise, or Server 2016+
  • Registry or Group Policy Editor.
  • You must have admin access.
  • It is highly recommended that you back up your Windows Registry before proceeding.

Steps:

  1. For PowerShell
    1. Open PowerShell as an administrator.
    2. Execute the following command:

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1

  2. For Command Prompt
    1. Open Command Prompt as an administrator.
    2. Execute the following command:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f

  3. For Group Policy
    1. Press Win + R, type gpedit.msc, and press Enter.
    2. Navigate to the following path: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
    3. Enable “Require user authentication for remote connections by using Network Level Authentication”.

Method 3: Restrict RDP access via firewall and local groups

📌 Use Cases: This method reduces exposure by allowing RDP access only from trusted IPs and user groups.

📌 Prerequisites:

  • You must have admin access.
  • You need to have PowerShell and firewall management rights.
  • Access to the Remote Desktop Users group.

Steps:

  1. Open PowerShell as an administrator.
  2. Execute the following commands, as needed.
    1. Restrict the firewall scope

This restricts the scope of the built-in RDP firewall rule to specific IPs/subnets.

An example:

Set-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" -RemoteAddress "192.168.1.0/24"

💡 Change the remote address as needed. Apply the same scope to the “Remote Desktop - User Mode (UDP-In)” rule, since modern clients also use UDP.

    2. Control group access

This removes generic groups like “Everyone” or unneeded users from the Remote Desktop Users group. An example that removes a single user:

Remove-LocalGroupMember -Group "Remote Desktop Users" -Member "JohnDoe"

💡 Make sure to change “JohnDoe” to the user or group you want removed; leave only the IT admins who need access.

Method 4: Enforce strong RDP session encryption

📌 Use Cases: Ideal for systems accessed over VPN or semi-trusted networks that require encrypted sessions.

📌 Prerequisites:

  • You must have admin rights.
  • You need to have Registry or GPO access.
  • It is highly recommended that you back up your Windows Registry before proceeding.

Steps:

  1. For Group Policy
    1. Press Win + R, type gpedit.msc, and press Enter.
    2. Go to: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
    3. Set “Set client connection encryption level” to Enabled and choose High Level.
  2. For PowerShell (writes the registry value that the policy controls; 3 = High)
    1. Open PowerShell as an administrator.
    2. Execute this command:

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name MinEncryptionLevel -Value 3

Method 5: Configure smart lockouts and account lock policies

📌 Use Cases: Prevents brute-force login attempts by locking out accounts after repeated failures.

📌 Prerequisites:

  • You must have Group Policy or Local Security Policy access.
  • You must have admin privileges.

Steps:

  1. Go to the following GPO path: Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy
  2. Recommended settings:
    • Account lockout threshold: 5
    • Lockout duration: 15 minutes
    • Reset counter after: 15 minutes

PowerShell example:

net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15

💡 Note: These values are only recommendations. Feel free to adjust the durations (e.g., 15), which net accounts takes in minutes, to what you prefer; Windows requires the reset window (/lockoutwindow) to be no longer than the lockout duration.

Method 6: Custom RDP port + auto-disable after hours

📌 Use Cases: This method is useful for reducing attacks from automated scanners and preventing access during off-hours.

📌 Prerequisites:

  • You must have Registry and PowerShell access.
  • Have access to Task Scheduler (optional)
  • You need administrator privileges.

Steps:

  1. To change the RDP port
    1. Press Win + R, type regedit, and press Enter.
    2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp and open the PortNumber value.
    3. Set it to an unused port like 3395 (select the Decimal base before typing the number).
    4. Reboot the machine.

💡 The built-in Remote Desktop firewall rules allow only port 3389, so add an inbound rule for the new port before rebooting; otherwise connections to it will be blocked.

  2. Monitor the new port
    1. Open Command Prompt.
    2. Execute the command: netstat -an | find "3395"

  3. Disable RDP after hours (manually or via automation)
    1. Open PowerShell as an administrator.
    2. Execute the command (-Force also stops the dependent UmRdpService, which otherwise prevents the stop while sessions are active):

Stop-Service -Name TermService -Force

💡 Tip: You can automate this with Task Scheduler to stop the Remote Desktop Services (TermService) after business hours and re-enable it in the morning if needed.
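Before moving on, it helps to read every setting the six methods touch back from the machine. The script below is an added example, not code from the article or from NinjaOne; it assumes English net accounts output and the built-in rule name “Remote Desktop - User Mode (TCP-In)”.

```powershell
# Added example, not code from the NinjaOne article: reads back the settings that
# Methods 1-6 change and marks each as OK or REVIEW. Run from an elevated PowerShell.
# Assumptions: English "net accounts" output and the built-in RDP firewall rule name.
# Row 1 reads REVIEW on every host that still needs RDP; that is expected.
function New-CheckRow($Method, $Value, $Ok) {
    $status = if ($Ok) { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{ Method = $Method; Value = "$Value"; Status = $status }
}

function Get-RdpHardeningReport {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $srv = Get-ItemProperty -Path $ts
    $lst = Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp"

    # Remote scope of the built-in inbound rule; 'Any' means reachable from every source.
    $rule  = Get-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (TCP-In)' -ErrorAction SilentlyContinue
    $scope = if ($rule) { @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) -join ', ' } else { 'rule missing' }

    # Broad groups inside "Remote Desktop Users" defeat Method 3.
    $members = @((Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue).Name)
    $broad   = $members | Where-Object { $_ -match 'Everyone|Authenticated Users|Domain Users|\\Users$' }

    # "net accounts" prints "Lockout threshold:  Never" or a number (Method 5).
    $thr = "$((net accounts | Select-String 'Lockout threshold') -replace '.*:\s*', '')".Trim()

    New-CheckRow '1 RDP disabled (fDenyTSConnections=1)' $srv.fDenyTSConnections ($srv.fDenyTSConnections -eq 1)
    New-CheckRow '2 NLA required (UserAuthentication=1)'  $lst.UserAuthentication  ($lst.UserAuthentication -eq 1)
    New-CheckRow '3 Firewall rule remote scope'           $scope                   ($scope -notin 'Any', 'rule missing')
    New-CheckRow '3 Remote Desktop Users members'         ($members -join ', ')    (-not $broad)
    New-CheckRow '4 Encryption level (3 = High)'          $lst.MinEncryptionLevel  ($lst.MinEncryptionLevel -ge 3)
    New-CheckRow '5 Account lockout threshold'            $thr                     ($thr -match '^\d+$' -and [int]$thr -le 10)
    New-CheckRow '6 Listener port (default 3389)'         $lst.PortNumber          ($lst.PortNumber -ne 3389)
}

Get-RdpHardeningReport | Format-Table -AutoSize
```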

⚠️ Things to look out for

Risk | Potential consequence | Reversal
--- | --- | ---
Disabling RDP on critical systems | May prevent remote access for support or patching | Use tools like NinjaOne or local access to re-enable RDP or adjust policy.
Misconfigured firewall rules | Legitimate users could be locked out | Use IP scope testing, document changes, and allow temporary broader access if troubleshooting.
Over-aggressive lockout thresholds | Could result in user lockouts, increasing Help Desk volume | Monitor audit logs; increase thresholds slightly if too many false positives occur.
Changing the RDP port | May break scripts, monitoring tools, or integrations | Inform relevant stakeholders; update all documentation and tools with the new port.
Disabling RDP after hours | Could interrupt overnight maintenance or automated tasks | Create exceptions for maintenance windows; schedule reactivation if necessary.
Inconsistent NLA configuration | Clients are unable to connect if they don’t support NLA | Ensure endpoints are updated or temporarily switch the encryption level to “Client Compatible”.

Additional considerations when securing remote desktop access

Use an RDP gateway

Implementing a Remote Desktop Gateway allows you to centralize RDP access management. It adds a secure HTTPS tunnel, supports multi-factor authentication (MFA), and gives you better control over logging, auditing, and session restrictions.

💡 Tip: Read How to set up Remote Desktop Gateway.

Combine RDP with VPN access

It is highly recommended that you require all remote connections to go through a VPN first. Keep in mind that this will not eliminate the risk of ransomware, but it can definitely reduce it.

Limit device redirection

Prevent data leakage by disabling the clipboard and any printer and drive redirection during RDP sessions. Use Group Policy:

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection

Audit RDP logins and failures

We suggest using PowerShell to monitor for successful (Event ID 4624) and failed (Event ID 4625) login attempts:

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 }

Set up alerts for abnormal activity like brute-force patterns or unusual login times.
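One way to turn that query into a brute-force check, as an added example that is not part of the article: real records are flattened with a hypothetical ConvertFrom-RdpEvent helper, and the sample events at the bottom are constructed so the logic runs offline.

```powershell
# Added example, not code from the NinjaOne article: flags sources that produce
# many 4625 failures in a short window, and whether an RDP logon from them
# succeeded afterwards. ConvertFrom-RdpEvent and Find-RdpBruteForce are assumed names.
function ConvertFrom-RdpEvent {
    # Live usage (elevated):
    #   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625} | ConvertFrom-RdpEvent
    param([Parameter(ValueFromPipeline = $true)] $Event)
    process {
        $f = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Time = $Event.TimeCreated; Id = $Event.Id; User = $f['TargetUserName']
                           LogonType = [int]$f['LogonType']; IpAddress = $f['IpAddress'] }
    }
}

function Find-RdpBruteForce {
    # Report a source when $Threshold failures fall inside $WindowMinutes. Failures are
    # counted for every LogonType: with NLA, bad RDP passwords are logged as 4625
    # LogonType 3, while a completed RDP logon is 4624 LogonType 10.
    param($Events, [int]$Threshold = 5, [int]$WindowMinutes = 15)
    foreach ($src in ($Events | Where-Object Id -eq 4625 | Group-Object IpAddress)) {
        $times = @($src.Group | Sort-Object Time | ForEach-Object Time)
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            if (($times[$i + $Threshold - 1] - $times[$i]).TotalMinutes -gt $WindowMinutes) { continue }
            $hit = $Events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 -and
                                            $_.IpAddress -eq $src.Name -and $_.Time -gt $times[$i] }
            [pscustomobject]@{ Source = $src.Name; Failures = $src.Count; FirstFailure = $times[$i]
                               Users = ($src.Group.User | Sort-Object -Unique) -join ','
                               SucceededAfter = [bool]$hit }
            break
        }
    }
}

# Constructed sample: six failures in six minutes from one source, then a success.
$t0 = Get-Date '2025-01-06 02:00'
$sample = @(
    1..6 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddMinutes($_); Id = 4625; User = 'admin'; LogonType = 3; IpAddress = '203.0.113.7' } }
    [pscustomobject]@{ Time = $t0.AddMinutes(8); Id = 4624; User = 'admin'; LogonType = 10; IpAddress = '203.0.113.7' }
    [pscustomobject]@{ Time = $t0.AddMinutes(9); Id = 4625; User = 'jdoe'; LogonType = 3; IpAddress = '192.168.1.20' }
)
Find-RdpBruteForce -Events $sample | Format-Table -AutoSize
```

On the sample data the report lists 203.0.113.7 with six failures and SucceededAfter set to True, which is the pattern worth an immediate alert; 192.168.1.20 stays below the threshold.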

Restrict RDP access by time

Use Task Scheduler or PowerShell scripts to disable RDP during non-business hours. Alternatively, use firewall rules with scheduled activation windows to block RDP traffic after hours.
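The after-hours tip in Method 6 and the time restriction described above can be implemented with two scheduled tasks. This is an added example, not the article's or NinjaOne's code; it assumes business hours of 07:00 to 19:00 and the task names RDP-StopAfterHours and RDP-StartMorning.

```powershell
# Added example, not code from the NinjaOne article: registers two scheduled tasks
# that stop Remote Desktop Services at 19:00 and start it again at 07:00 every day.
# Assumed schedule and task names; run from an elevated PowerShell prompt.
function Register-RdpAfterHoursTasks {
    param([string]$StopAt = '19:00', [string]$StartAt = '07:00')
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    # -Force is needed because UmRdpService depends on TermService. For the firewall
    # variant mentioned above, replace the two commands with
    # Disable-NetFirewallRule / Enable-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (TCP-In)'.
    $stop  = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument '-NoProfile -NonInteractive -Command "Stop-Service -Name TermService -Force"'
    $start = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument '-NoProfile -NonInteractive -Command "Start-Service -Name TermService"'
    Register-ScheduledTask -TaskName 'RDP-StopAfterHours' -Action $stop -Principal $principal `
        -Trigger (New-ScheduledTaskTrigger -Daily -At $StopAt) -Force | Out-Null
    Register-ScheduledTask -TaskName 'RDP-StartMorning' -Action $start -Principal $principal `
        -Trigger (New-ScheduledTaskTrigger -Daily -At $StartAt) -Force | Out-Null
    # Return both tasks so the caller can confirm they registered.
    Get-ScheduledTask -TaskName 'RDP-*' | Select-Object TaskName, State
}

Register-RdpAfterHoursTasks
```

Add a maintenance-window exception (or a third trigger) before deploying this to hosts that run overnight patching, as the risk table above notes.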

Troubleshooting common issues

What may happen | Why it happens | How to resolve it
--- | --- | ---
Users can’t connect | NLA mismatch or blocked port | Verify the NLA setting; check the port (default or custom) in the firewall
High failed logins | Brute-force attack underway | Enforce the account lockout policy; limit IP ranges
RDP encryption mismatch | Legacy RDP client or outdated OS | Lower the encryption level temporarily to “Client Compatible”
RDP service won’t start | Port conflict or TermService error | Restart TermService; inspect event logs or port conflicts
Port change not working | Firewall or NAT device not updated | Update firewall rules, NAT port forwarding, and client configs

How NinjaOne helps you secure RDP

NinjaOne, the automated endpoint management software trusted by 30,000+ customers worldwide, helps you secure RDP by:

  • Remotely enabling/disabling RDP based on device group, user role, or policy
  • Rotating RDP ports or blocking default ports across entire environments.
  • Scheduling RDP service shutdowns after hours or on unused endpoints.
  • Receiving alerts on failed login spikes or unusual remote access attempts.
  • Auditing RDP exposure (both internal and external) with real-time inventory reports.
  • Automating firewall rule deployments and session restrictions with custom scripts.

NinjaOne uses a zero-trust remote access model across all endpoints. This approach does not disrupt users or increase administrative workload. It allows teams to focus on core operations without added risk.

Remotely manage and control Windows, Mac, and Linux endpoints with NinjaOne.

Learn more about NinjaOne Remote Access.

Experience better RDP security

RDP is a critical tool for organizations. Weak security turns it into a direct entry point for attackers.

Apply the secure remote desktop access strategies in this guide. These measures reduce your attack surface. They are especially important for SMB environments without layered security.

FAQs

Attackers commonly exploit RDP through brute-force attacks and compromised credentials, using it to gain access and move laterally within networks.

NLA requires users to authenticate before establishing an RDP session, reducing resource usage and blocking unauthenticated connection attempts.

SMBs can restrict access by limiting RDP to specific IP addresses, enforcing firewall rules, using VPNs, and controlling user group permissions.

An RDP gateway or VPN adds a secure access layer with encryption, centralized control, and optional MFA, significantly reducing direct exposure to the internet.
