Accessing Your Windows Server with Remote Desktop (RDP): A Complete Technical Guide
Remote Desktop Protocol (RDP) is Microsoft's proprietary network protocol that enables encrypted graphical remote access to Windows servers and desktops over TCP port 3389. It transmits display output from the remote machine to the client and input (keyboard, mouse, audio) in the reverse direction, allowing full interactive control of a Windows environment from any network-connected device.
For system administrators managing a VPS Hosting environment or a Dedicated Server, RDP is the primary management interface, the Windows equivalent of SSH. Understanding it at a deeper level than "type the IP and click Connect" is what separates a competent administrator from one who gets locked out at 2 AM.
Prerequisites Before You Connect
Before initiating an RDP session, confirm the following conditions are met on both the client and the server side:
On the Windows Server:
- RDP is explicitly enabled in System Properties
- The Windows Firewall (and any external firewall or security group) permits inbound TCP traffic on port `3389`
- The target user account has been granted "Allow log on through Remote Desktop Services" rights
- Network Level Authentication (NLA) status is known, since it affects which clients can connect
- The server has a reachable public IPv4 (or IPv6) address
On the Client Machine:
- The Remote Desktop Connection client (`mstsc.exe`) is available (built into all Windows editions except Home, by default)
- You have the server's public IP address, a valid username, and the corresponding password
- Your local network does not block outbound TCP `3389` (some corporate firewalls do)
Step-by-Step: Connecting via Remote Desktop Connection (mstsc)
Step 1: Open the RDP Client
Press Win + R to open the Run dialog, type mstsc, and press Enter. This launches the Remote Desktop Connection window. Alternatively, search for "Remote Desktop Connection" in the Start menu.
For a direct one-liner connection from the command line or a script:
mstsc /v:YOUR_SERVER_IP
To specify a non-standard port (e.g., 3390):
mstsc /v:YOUR_SERVER_IP:3390
Step 2: Enter the Server's IP Address
In the Computer field, enter the public IP address of your Windows server. If your hosting provider assigned a hostname (e.g., server1.example.com), that works equally well as long as DNS resolves correctly.
Click Show Options before connecting. This exposes critical settings most guides skip entirely:
- General tab: Save connection credentials to an `.rdp` file for reuse
- Display tab: Set resolution and color depth (lower both to improve performance on slow links)
- Local Resources tab: Control clipboard sharing, printer redirection, and local drive mapping
- Experience tab: Choose a connection speed profile to disable visual effects that consume bandwidth
- Advanced tab: Configure server authentication behavior and RDP gateway settings
Step 3: Authenticate with Username and Password
Click Connect. A credential prompt will appear. Enter:
- Username: Typically `Administrator` for a fresh Windows Server instance, or a domain account in the format `DOMAIN\username`
- Password: The password set by your hosting provider or configured during server provisioning
If you want to pre-specify the username to avoid the prompt:
mstsc /v:YOUR_SERVER_IP /u:Administrator
Step 4: Handle the Certificate Warning
On first connection, you will almost certainly see a certificate trust warning. This occurs because the server's TLS certificate is self-signed rather than issued by a trusted Certificate Authority. The warning reads: *"The identity of the remote computer cannot be verified."*
What this means technically: RDP uses TLS to encrypt the session. The server presents a certificate to prove its identity. A self-signed certificate is not inherently insecure for a known server you control, but you should verify the certificate's thumbprint against what your provider issued before clicking Yes.
For production environments where security posture matters, consider binding a trusted certificate to the RDP listener. This eliminates the warning and provides verifiable identity. Pairing this with a proper SSL Certificate strategy for your infrastructure is a sound practice.
Step 5: You Are Connected
After authentication, the remote desktop session opens in a window (or full screen, depending on your display settings). You now have full interactive access to the Windows Server desktop environment, identical to sitting in front of the physical machine.
Enabling RDP on the Windows Server (If Not Already Active)
If RDP is disabled (common on freshly provisioned servers or after OS hardening), enable it through one of these methods:
Method 1: GUI (System Properties)
- Open Control Panel > System and Security > System
- Click Remote settings in the left pane
- Under the Remote Desktop section, select Allow remote connections to this computer
- Optionally uncheck Allow connections only from computers running Remote Desktop with Network Level Authentication if you need to support legacy clients (not recommended for internet-facing servers)
- Click Apply, then OK
Method 2: PowerShell (Preferred for Remote or Scripted Enablement)
# Enable RDP by clearing the deny flag
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
# Allow RDP through Windows Firewall
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# Confirm the service is running
Get-Service -Name TermService | Start-Service
Method 3: Registry (When PowerShell Is Unavailable)
The controlling registry key is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
Set fDenyTSConnections to 0 (DWORD) to enable RDP, or 1 to disable it.
Firewall Configuration for RDP Access
Windows Firewall
The PowerShell command above handles the built-in Windows Firewall. To verify the rule is active:
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Select-Object DisplayName, Enabled, Direction
External Firewall / Cloud Security Groups
If your server sits behind an external firewall (common with VPS Hosting and Dedicated Servers), you must also open inbound TCP 3389 at the network perimeter. The exact interface varies by provider, but the rule parameters are always:
- Protocol: TCP
- Port: `3389` (or your custom port)
- Source: Restrict to your management IP range, not `0.0.0.0/0`
Exposing RDP to the entire internet on the default port is one of the most exploited attack surfaces in existence. Brute-force campaigns targeting port 3389 are continuous and automated.
RDP Security Hardening: What Most Guides Omit
A basic connection guide that stops at "click Yes and you're in" leaves your server dangerously exposed. The following hardening steps are non-negotiable for any internet-facing Windows server.
Change the Default RDP Port
Changing from 3389 to a non-standard port (e.g., 33890 or 52100) dramatically reduces automated scan noise. This is security through obscurity, not a substitute for authentication hardening, but it eliminates the lowest-effort attacks.
# Change RDP port to 52100 (example)
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name PortNumber -Value 52100
# Update the firewall rule
New-NetFirewallRule -DisplayName "RDP Custom Port" -Direction Inbound -Protocol TCP -LocalPort 52100 -Action Allow
Remove-NetFirewallRule -DisplayGroup "Remote Desktop"
# Restart Terminal Services so the listener picks up the new port (drops active RDP sessions)
Restart-Service -Name TermService -Force
After this change, connect using mstsc /v:YOUR_SERVER_IP:52100.
Enforce Network Level Authentication (NLA)
NLA requires the client to authenticate before a full RDP session is established, which prevents unauthenticated users from reaching the Windows login screen. Enable it via PowerShell:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1
Restrict RDP Access by IP Address
Use Windows Firewall to whitelist only known management IPs:
Set-NetFirewallRule -DisplayGroup "Remote Desktop" -RemoteAddress "203.0.113.10","198.51.100.5"
Enable Account Lockout Policies
Configure lockout thresholds via Group Policy (gpedit.msc) or the Local Security Policy:
- Account lockout threshold: 5 invalid attempts
- Lockout duration: 30 minutes
- Reset counter after: 15 minutes
Use an RDP Gateway or VPN
For the highest security posture, do not expose RDP directly to the internet at all. Place it behind:
- Remote Desktop Gateway (RD Gateway): Tunnels RDP over HTTPS (port `443`), providing certificate-based authentication and centralized logging
- VPN: Require VPN connectivity before RDP access is possible, restricting the attack surface to authenticated VPN users only
RDP Client Options Beyond mstsc
mstsc.exe is the default Windows client, but it is not the only option. Understanding alternatives matters when connecting from non-Windows systems or when you need advanced features.
| Client | Platform | Key Strengths | Limitations |
|---|---|---|---|
| `mstsc.exe` (built-in) | Windows | Native, no install needed, `.rdp` file support | Windows only |
| Microsoft Remote Desktop | macOS, iOS, Android | Official Microsoft app, NLA support | Fewer advanced options than mstsc |
| FreeRDP | Linux, macOS, Windows | Open-source, highly configurable, scriptable | CLI-heavy, steeper learning curve |
| Remmina | Linux | Multi-protocol (RDP, VNC, SSH), GUI-based | Linux only |
| Royal TSX | macOS | Enterprise credential management, tabbed sessions | Paid for full features |
| MobaXterm | Windows | Combines RDP, SSH, X11 in one tool | Primarily SSH-focused |
For Linux administrators managing a Windows server alongside Linux workloads, FreeRDP or Remmina are the standard choices. A FreeRDP connection from a Linux terminal looks like:
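xfreerdp /v:YOUR_SERVER_IP /u:Administrator /p:'YourPassword' /cert:ignore /dynamic-resolution
Note that /cert:ignore skips server certificate validation, and a password passed with /p: ends up in shell history and the process list; leave /p: off to be prompted for it instead.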
Performance Optimization for RDP Sessions
RDP performance degrades noticeably on high-latency or low-bandwidth connections. These settings make a measurable difference:
Reduce color depth and resolution:
In the mstsc Display tab, set color depth to 16-bit and resolution to the minimum needed for your work.
Disable visual effects via Experience tab:
Select "Modem (56 Kbps)" or manually uncheck: Desktop background, Font smoothing, Desktop composition, Show window contents while dragging, Menu and window animation.
Enable RemoteFX or H.264/AVC compression:
On Windows Server 2016 and later, RDP supports H.264/AVC 444 mode for significantly better visual quality at lower bandwidth. Enable via Group Policy:
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment
Set Use hardware graphics adapters for all Remote Desktop Services sessions and Prioritize H.264/AVC 444 graphics mode to Enabled.
For GPU-accelerated workloads where RDP performance is critical, consider a GPU Hosting environment with RemoteFX or NVIDIA GRID/vGPU support.
Saving and Reusing RDP Connection Profiles
Rather than re-entering settings every session, save them to an .rdp file:
- In the mstsc window, click Show Options > Save As
- Name the file (e.g., `prod-server.rdp`) and save it to a secure location
- Double-click the file to launch the session with all saved parameters
An .rdp file is a plain-text configuration file. A minimal example:
full address:s:203.0.113.50:3389
username:s:Administrator
screen mode id:i:2
desktopwidth:i:1920
desktopheight:i:1080
session bpp:i:32
authentication level:i:2
enablecredsspsupport:i:1
Security note: Never save passwords inside .rdp files on shared or unencrypted systems. The password field is obfuscated, not encrypted, and is trivially reversible.
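To act on the security note, saved profiles can be checked before they are shared or committed. The following is an added example, not part of the original guide: `Test-RdpProfile` is a hypothetical function name, the sample profile is constructed, and the fields checked (`password 51`, `authentication level`, `enablecredsspsupport`, `drivestoredirect`) are standard .rdp settings.

```powershell
# Added example: flag risky settings in an .rdp profile.
# Each line of an .rdp file has the form  name:type:value
function Test-RdpProfile {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Lines)

    $settings = @{}
    foreach ($line in $Lines) {
        # Split into at most 3 parts so values containing ':' (host:port) stay intact
        $parts = $line.Trim() -split ':', 3
        if ($parts.Count -eq 3) { $settings[$parts[0].ToLower()] = $parts[2] }
    }

    $issues = @()
    if ($settings.ContainsKey('password 51')) {
        $issues += 'Saved password present (password 51:b:); delete the line'
    }
    if ($settings['authentication level'] -eq '0') {
        $issues += 'authentication level 0: connects even when server authentication fails'
    }
    if ($settings['enablecredsspsupport'] -eq '0') {
        $issues += 'enablecredsspsupport 0: CredSSP, which NLA depends on, is turned off'
    }
    if ($settings['drivestoredirect']) {
        $issues += "Local drives are mapped into the session: $($settings['drivestoredirect'])"
    }
    return $issues
}

# Constructed sample: the guide's minimal profile with three weak settings added
$sample = @'
full address:s:203.0.113.50:3389
username:s:Administrator
authentication level:i:0
enablecredsspsupport:i:1
drivestoredirect:s:*
password 51:b:CONSTRUCTED-PLACEHOLDER
'@ -split "`r?`n"

Test-RdpProfile -Lines $sample

# To check real profiles in the current folder:
# Get-ChildItem -Filter *.rdp | ForEach-Object { Test-RdpProfile -Lines (Get-Content $_.FullName) }
```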
Common RDP Connection Errors and How to Fix Them
| Error | Root Cause | Resolution |
|---|---|---|
| "Remote Desktop can't connect to the remote computer" | RDP disabled, firewall blocking `3389`, wrong IP | Verify RDP is enabled; check firewall rules; confirm IP address |
| "The connection was denied because the user account is not authorized" | User not in Remote Desktop Users group | Add user via `lusrmgr.msc` or `net localgroup "Remote Desktop Users" username /add` |
| "An authentication error has occurred (CredSSP)" | CredSSP encryption oracle remediation mismatch | Update both client and server, or adjust Group Policy setting `Encryption Oracle Remediation` to **Vulnerable** temporarily |
| "Remote Desktop Services is currently busy" | Session limit reached (2 concurrent sessions on standard Server licenses) | Disconnect idle sessions; consider RDS CALs for more sessions |
| Connection drops repeatedly | MTU mismatch, unstable network, or aggressive idle timeout | Adjust MTU; set `Keep-Alive` in RDP-Tcp registry settings |
| Certificate warning on every connection | Self-signed cert not trusted by client | Import server cert to client's Trusted Root store, or deploy a CA-signed cert |
Managing RDP Through a Control Panel
If you prefer a graphical management layer over raw PowerShell and registry edits, a server control panel simplifies RDP configuration, user management, and firewall rules significantly. Explore VPS Control Panels for options that integrate with Windows Server environments, or consider a VPS with cPanel if your workload includes web hosting alongside remote administration.
Technical Decision Matrix: Key Choices When Configuring RDP
Use this checklist when setting up or auditing RDP access on any Windows server:
- Port: Changed from default `3389` to a non-standard port? If not, document the reason.
- NLA: Enabled? If disabled, justify why (legacy client requirement) and compensate with other controls.
- Firewall scope: Is inbound RDP restricted to specific source IPs? `0.0.0.0/0` is unacceptable for production.
- Account lockout: Configured and tested? Verify with a deliberate failed-login sequence.
- Certificate: Self-signed or CA-issued? Self-signed is acceptable for internal use; CA-issued is required for compliance environments.
- Session limits: Are idle sessions timing out? Configure via Group Policy under `Session Time Limits`.
- Logging: Is RDP logon/logoff auditing enabled? Check under `Security Policy > Audit logon events`.
- Gateway or VPN: Is direct internet exposure necessary? If not, route through RD Gateway or VPN.
- Backup access method: If RDP fails (misconfigured firewall, service crash), do you have an out-of-band console (KVM, IPMI, provider's VNC console)?
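The port, NLA, firewall-scope and certificate items in this checklist can be read straight from the server. The script below is an added example, not part of the original guide; it only reads settings, assumes an elevated PowerShell session on the server, and only sees firewall rules that name the listener port explicitly.

```powershell
# Added example: read-only audit of the RDP settings this guide configures.
# Run from an elevated PowerShell session on the server being audited.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Join-Path $ts 'WinStations\RDP-Tcp'

$deny = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections
$port = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber
$nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication

$findings = [System.Collections.Generic.List[string]]::new()
if ($deny -ne 0)    { $findings.Add('INFO  RDP is disabled (fDenyTSConnections = 1)') }
if ($port -eq 3389) { $findings.Add('WARN  Listener uses default port 3389; document the reason') }
if ($nla -ne 1)     { $findings.Add('FAIL  NLA is not enforced (UserAuthentication is not 1)') }

# Enabled inbound allow rules that name the listener's TCP port
$rules = @(Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })

if ($rules.Count -eq 0) {
    $findings.Add("WARN  No enabled inbound allow rule matches TCP $port")
}
foreach ($rule in $rules) {
    # RemoteAddress is 'Any' when the rule accepts every source (the 0.0.0.0/0 case)
    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($remote -contains 'Any') {
        $findings.Add("FAIL  Rule '$($rule.DisplayName)' accepts any source address")
    } else {
        $findings.Add("OK    Rule '$($rule.DisplayName)' limited to $($remote -join ', ')")
    }
}

# Thumbprint of the certificate bound to the listener, for comparison with
# the value shown in the client's certificate warning
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$findings.Add("INFO  Listener certificate SHA-1: $($listener.SSLCertificateSHA1Hash)")

$findings
```

Rules on an external firewall or cloud security group are not visible from the server and still need to be checked at the provider.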
FAQ
What is the default port for RDP, and should I change it?
The default RDP port is TCP 3389. You should change it on any internet-facing server. Automated scanners continuously probe port 3389 for brute-force opportunities. Changing to a high-numbered, non-standard port does not replace strong authentication but eliminates the majority of automated noise.
Why does RDP show a certificate warning every time I connect?
The server is presenting a self-signed TLS certificate that your client does not recognize as trusted. To permanently suppress the warning, export the server's self-signed certificate and import it into your client machine's Trusted Root Certification Authorities store, or replace the self-signed cert with one issued by a trusted CA.
How many simultaneous RDP sessions does Windows Server support?
Standard Windows Server (without Remote Desktop Services licensing) supports exactly two concurrent administrative RDP sessions. Adding a Remote Desktop Services role with appropriate Client Access Licenses (CALs) removes this limit for multi-user scenarios.
Can I use RDP on a non-Windows client to connect to a Windows server?
Yes. Microsoft publishes official Remote Desktop clients for macOS, iOS, and Android. On Linux, FreeRDP and Remmina are the most capable open-source options. All support NLA and standard RDP encryption.
What should I do if I accidentally lock myself out of RDP?
First, check whether your hosting provider offers an out-of-band console (VNC or KVM access through their control panel). From there, you can correct the firewall rule, re-enable the RDP service, or fix a misconfigured registry key without needing an active RDP session. This is why out-of-band access is a mandatory part of any server management strategy: configure it before you need it.
