Overview
Remote Desktop Protocol (RDP) is how most people manage a Windows Server without being physically in front of it. Whether you’re spinning up a new Dedicated Server or troubleshooting an existing VPS, you’ll need RDP configured correctly before you can do anything else through a GUI.
Out of the box, Windows Server ships with Remote Desktop disabled. Microsoft made this decision intentionally — RDP has historically been a major attack vector, so they don’t enable it until you explicitly say so. That means after provisioning a new server, you’ll need to turn it on, open the right firewall port, and optionally restrict who can connect.
This guide covers Windows Server 2019 and 2022. Most steps are identical between the two. Where there’s a difference, I’ll call it out.
Prerequisites
- Administrator access to the Windows Server (local console or out-of-band access like IPMI/iDRAC)
- The server’s public IP address — available in your Host & Tech client portal
- An RDP client: built-in on Windows (mstsc.exe), Microsoft Remote Desktop on macOS/iOS, or Remmina on Linux
- Windows Server 2019 or 2022 (steps are largely the same for 2016)
- If connecting through a corporate network, confirm port 3389 isn’t blocked outbound by your local firewall or ISP
Step-by-Step: Enable and Configure RDP
Step 1 — Enable Remote Desktop via Server Manager
- Open Server Manager (it launches automatically on login, or press Win + R and type servermanager).
- In the left panel, click Local Server.
- Find the Remote Desktop property — it’ll read Disabled by default. Click it.
- In the System Properties dialog that opens, select Allow remote connections to this computer.
- Keep Allow connections only from computers running Remote Desktop with Network Level Authentication (NLA) checked. Don’t uncheck this unless you have a specific reason. With NLA the client has to authenticate (over CredSSP) before the server builds a session, so unauthenticated clients never reach the logon screen or the session-hosting code behind it; that shrinks the pre-authentication attack surface and stops attackers from tying up sessions. It does not prevent password guessing on its own, so pair it with account lockout and source IP restrictions (see the FAQ).
- Click Apply, then OK. Windows will warn you that it’s going to add a firewall rule automatically. Let it.
📝 Note: You can also enable RDP from the command line, which is useful if you’re scripting server provisioning or working headlessly via WinRM.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
The first command clears the flag that tells Remote Desktop Services to refuse connections. The second enables the built-in Remote Desktop firewall rule group (the inbound TCP 3389 and UDP 3389 rules).
Step 2 — Verify the Firewall Rule
When you enable Remote Desktop through Server Manager, Windows should auto-create an inbound rule for TCP 3389. Verify it actually exists:
- Open Windows Defender Firewall with Advanced Security (search for it in the Start menu or run wf.msc).
- Click Inbound Rules in the left panel.
- Look for a rule named Remote Desktop – User Mode (TCP-In). It should have a green tick and show Enabled: Yes.
If it’s missing or disabled, create it manually:
netsh advfirewall firewall add rule name="RDP TCP 3389" protocol=TCP dir=in localport=3389 action=allow
⚠ Warning: If your server is hosted at Host & Tech (or any cloud/dedicated provider), there’s also a network-level firewall sitting in front of your server — separate from Windows Firewall. Log into your client portal and confirm port 3389 is open in your server’s firewall ruleset there too. This catches a lot of people. Windows says RDP is enabled, they can’t connect, and it turns out the port is blocked upstream.
Step 3 — Add a User to the Remote Desktop Users Group
Members of the local Administrators group can connect via RDP by default. Any other account has to be added to the Remote Desktop Users group, which is what grants it the “Allow log on through Remote Desktop Services” right:
- Right-click This PC on the desktop, choose Properties, then click Remote settings. If that link isn’t where you expect (the Properties view differs between builds), run SystemPropertiesRemote.exe, which opens the same Remote tab directly.
- In the Remote Desktop section, click Select Users…
- Click Add, type the username, click Check Names, then OK.
Or from PowerShell, which is faster if you’re managing multiple accounts:
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "yourusername"
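Steps 1 to 3 as one idempotent provisioning script, added here as an example (it is not code from the original guide). It sets the same registry flag and firewall group as the commands above, additionally pins NLA on in the registry, adds a user, and then verifies that the listener and firewall rules actually exist. The account name rdpoperator is a placeholder; run it from an elevated PowerShell session on the server (console, IPMI/iDRAC, or WinRM).

```powershell
# Added example: enable RDP, enforce NLA, open the built-in firewall rule
# group, grant a user RDP access and verify the result.
# 'rdpoperator' is a placeholder account name; substitute your own.
#Requires -RunAsAdministrator

$RdpUser = 'rdpoperator'   # assumption: the local account you want to allow

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# 1. Accept RDP connections (fDenyTSConnections = 0 means "do not deny").
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0 -Type DWord

# 2. Require Network Level Authentication (UserAuthentication = 1).
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord

# 3. Make sure Remote Desktop Services is running and starts with the box.
Set-Service -Name TermService -StartupType Automatic
Start-Service -Name TermService

# 4. Enable the built-in "Remote Desktop" firewall rule group (TCP and UDP 3389).
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 5. Grant the account RDP access, skipping if it is already a member.
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
if ($members.Name -notcontains "$env:COMPUTERNAME\$RdpUser") {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $RdpUser
}

# 6. Verify: registry flags, listener and enabled firewall rules.
$deny = (Get-ItemProperty -Path $tsKey).fDenyTSConnections
$nla  = (Get-ItemProperty -Path $rdpTcp).UserAuthentication
$port = (Get-ItemProperty -Path $rdpTcp).PortNumber
$listening = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object { $_.Enabled -eq 'True' }

[pscustomobject]@{
    RdpEnabled      = ($deny -eq 0)
    NlaRequired     = ($nla -eq 1)
    ListeningOnPort = $port
    ListenerPresent = [bool]$listening
    FirewallRules   = ($rules.DisplayName -join '; ')
}
```

If ListenerPresent comes back False a few seconds after the script runs, TermService has not picked up the change yet; re-check before assuming the provider firewall is at fault. Remember that the provider-side firewall from Step 2 is not touched by anything in this script.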
Step 4 — (Optional) Change the Default RDP Port
Port 3389 is scanned constantly by bots. Changing it won’t stop a targeted attacker (port scanners find a non-standard RDP listener quickly), but it removes most of the opportunistic noise from your logs. Treat it as a convenience rather than a security control; source IP restriction or a VPN (see the FAQ) is what actually limits exposure. That said, I’d still do it on any public-facing server.
⚠ Warning: Do this step carefully. If you change the port and don’t update the firewall rule before disconnecting, you’ll lock yourself out. Make sure you have out-of-band console access (IPMI/iDRAC or your hosting panel’s VNC console) as a fallback.
- Open Registry Editor (regedit).
- Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
- Double-click PortNumber, switch to Decimal, and enter your new port (e.g. 33890). Avoid well-known ports below 1024, and check nothing else already listens on the port you pick.
- Click OK.
- Add a firewall rule for the new port, then close 3389: delete the manual rule if you created one in Step 2, and disable the built-in Remote Desktop rule group (its rules are fixed to 3389; use the same netsh group command from Step 1 with enable=No, or wf.msc). Update the provider-side firewall in your hosting portal as well:
netsh advfirewall firewall add rule name="RDP Custom Port" protocol=TCP dir=in localport=33890 action=allow
netsh advfirewall firewall delete rule name="RDP TCP 3389"
- Restart the Remote Desktop Services service for the port change to take effect. This drops every active RDP session, so run it from the console or out-of-band session, or be ready to reconnect on the new port:
net stop TermService && net start TermService
When connecting with a custom port, append it to the hostname in your RDP client: 203.0.113.45:33890.
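The port change done in an order that cannot lock you out, added here as an example (not the original guide’s commands): the new port is opened in Windows Firewall before the listener moves, the script waits for the listener to appear on the new port and rolls back if it doesn’t, and only then closes 3389. 33890 is the example port from the text; the provider-side firewall still has to be changed in your hosting portal.

```powershell
# Added example: move the RDP listener to a custom port without losing access.
# Run on the server from the console/IPMI session; an RDP session running this
# will be dropped when TermService restarts.
#Requires -RunAsAdministrator

$NewPort = 33890   # assumption: free, above 1024, not used by another service
$rdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Refuse to proceed if something already listens on the chosen port.
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "TCP $NewPort is already in use; pick another port."
}

# 1. Open the new port FIRST, while 3389 still works.
New-NetFirewallRule -DisplayName "RDP Custom Port $NewPort" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -Action Allow -Profile Any | Out-Null

# 2. Point the listener at the new port, remembering the old one for rollback.
$OldPort = (Get-ItemProperty -Path $rdpTcp).PortNumber
Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $NewPort -Type DWord

# 3. Restart Remote Desktop Services (drops active RDP sessions).
Restart-Service -Name TermService -Force

# 4. Confirm the listener moved before closing the old port.
Start-Sleep -Seconds 5
$ok = Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue
if (-not $ok) {
    # Roll back so the old port keeps working and you stay reachable.
    Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $OldPort -Type DWord
    Restart-Service -Name TermService -Force
    throw "Listener did not come up on TCP $NewPort; reverted to $OldPort."
}

# 5. Only now close 3389: disable the built-in group (fixed to 3389) and drop
#    the manual rule from Step 2 if it exists.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Get-NetFirewallRule -DisplayName 'RDP TCP 3389' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

"RDP now listens on TCP $NewPort; connect with mstsc /v:<server-ip>:$NewPort"
```

Test the new port from your own machine before you close the out-of-band session; the rollback only protects you while the script is running, not against a provider firewall that still only allows 3389.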
Step 5 — Test the Connection
From your local machine, open your RDP client and connect to the server’s IP (and port if changed). On Windows:
mstsc /v:203.0.113.45:3389
Log in with your Administrator credentials. If the connection succeeds and you see the Windows desktop, you’re done.
Common Issues & Troubleshooting
“Remote Desktop can’t connect to the remote computer”
This generic error covers a lot of ground. Work through these in order:
- Confirm RDP is actually enabled (Step 1 above).
- Check both Windows Firewall and your hosting provider’s network firewall — both need port 3389 (or your custom port) open inbound.
- Ping the server IP to confirm basic network reachability. A successful ping rules out a routing problem, but a failed one doesn’t prove much on its own: many providers drop ICMP while passing TCP. If ping fails, test the TCP port directly (for example with Test-NetConnection on a Windows client) before concluding the host is unreachable.
- Run netstat -an | findstr 3389 on the server (substitute your custom port if you changed it). If no line shows LISTENING, Remote Desktop Services isn’t listening on that port: check the PortNumber registry value and that the TermService service is running.
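A client-side check that separates the three failure modes above (routing, firewall, service not listening), added here as an example rather than taken from the original guide. It wraps Test-NetConnection and interprets the ping and TCP results together, because a ping failure alone is not conclusive. 203.0.113.45 is the documentation address used elsewhere on this page; substitute your server IP and custom port.

```powershell
# Added example: run this from your OWN machine, not the server, to tell a
# network/firewall problem apart from an RDP problem.
function Test-RdpReachability {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 3389
    )
    # Test-NetConnection does an ICMP echo and a TCP connect in one call.
    $r = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue

    $verdict = if ($r.TcpTestSucceeded) {
        "TCP $Port is open: the network path and both firewalls pass traffic. " +
        "If mstsc still fails, look at authentication (Step 3) or the CredSSP error below."
    } elseif ($r.PingSucceeded) {
        "Host answers ping but TCP $Port is closed or filtered: check Windows Firewall, " +
        "the provider firewall, and that TermService is listening on $Port."
    } else {
        "No ping and no TCP $Port. Many providers drop ICMP, so this alone does not prove " +
        "the host is down; treat it as a firewall/routing problem first."
    }

    [pscustomobject]@{
        Server        = $Server
        Port          = $Port
        RemoteAddress = $r.RemoteAddress
        PingOk        = $r.PingSucceeded
        TcpOk         = $r.TcpTestSucceeded
        Verdict       = $verdict
    }
}

# Placeholder address from the guide; replace with your server IP and port.
Test-RdpReachability -Server 203.0.113.45 -Port 3389 | Format-List
```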
“The connection was denied because the user account is not authorized for remote login”
The account you’re using hasn’t been added to the Remote Desktop Users group (and isn’t a member of the local Administrators group). Follow Step 3 above. This is separate from whether the account exists or has a valid password: the password was accepted, and Windows is specifically rejecting the account for lack of the remote logon right.
RDP connects but disconnects immediately after login
This is usually caused by a corrupt or misconfigured user profile, or a Group Policy that’s terminating sessions. Check the Event Viewer under Windows Logs > Application for errors with source User Profile Service. If you see Event ID 1500 or 1521, the user profile is the culprit. Creating a new test account and connecting with that will confirm it.
“An authentication error has occurred. The function requested is not supported” (CredSSP error)
This one is common after Windows Updates. It is the CredSSP Encryption Oracle Remediation mismatch (CVE-2018-0886): once a machine has the 2018 CredSSP update it refuses, by default, to negotiate with an unpatched peer. In practice you see it when your patched client connects to a server that hasn’t had updates applied since it was provisioned.
The proper fix is to install the latest Windows Updates on both machines, above all the server. The quick workaround (not recommended for production) is to relax the policy on the patched side, which is usually your client rather than the server. Note that this is a CredSSP negotiation setting; it is not the same thing as disabling NLA.
- Run gpedit.msc on the patched machine.
- Navigate to: Computer Configuration > Administrative Templates > System > Credentials Delegation
- Open Encryption Oracle Remediation, set it to Enabled, and set Protection Level to Vulnerable.
- Run gpupdate /force and retry the connection.
⚠ Warning: Revert this policy setting once both machines are patched. Leaving it on Vulnerable permanently re-exposes the machine to the credential-theft weakness the update fixed.
RDP is slow or laggy
By default, RDP tries to render at full colour depth with visual effects enabled. On a server with limited bandwidth or a high-latency connection, drop the display settings: in mstsc.exe, click Show Options > Experience tab and select Low-speed broadband or Modem. Also reduce the colour depth to 16-bit. For dedicated servers with consistent low-latency connections this is usually a non-issue, but it makes a real difference on transatlantic connections.
Frequently Asked Questions
How do I enable Remote Desktop on Windows Server without a GUI?
Use the registry and netsh commands from an admin command prompt or PowerShell session. Run reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f to enable RDP, then netsh advfirewall firewall set rule group="remote desktop" new enable=Yes to open the firewall. This works over WinRM or any remote shell session.
What port does RDP use by default?
RDP listens on TCP port 3389 by default. You can change this in the registry under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp — just update the PortNumber value and restart the TermService. Remember to update both your Windows Firewall rule and any network-level firewall rules at your hosting provider.
Can multiple users connect via RDP at the same time?
Standard Windows Server licensing allows two concurrent RDP sessions by default (one of which can be the console session). If you need more simultaneous connections, you’ll need to install the Remote Desktop Session Host (RDSH) role and purchase Remote Desktop Services (RDS) Client Access Licences (CALs) from Microsoft. This is separate from your hosting costs.
How do I secure RDP against brute-force attacks?
Changing the port from 3389 only cuts down on noise; the controls that actually limit exposure are: keep Network Level Authentication (NLA) enabled, restrict inbound RDP to known source IPs using Windows Firewall or your hosting provider’s network firewall, enable account lockout so guessing is rate-limited, and use long unique passwords or smart-card (certificate-based) authentication. For production servers, putting RDP behind a VPN so it’s not publicly exposed at all is the strongest option. If you’re on a Host & Tech dedicated server, you can configure IP allowlisting directly in the portal. Whatever you do, watch the Security log for failed logons so you notice a guessing campaign rather than finding out after the fact.
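The firewall scoping, lockout and monitoring parts of that answer as one script, added here as an example (not code from the original guide). It restricts every enabled inbound RDP rule to an allowlist, turns on account lockout, and builds a report of failed logons (Security event 4625) grouped by source IP. The allowlist entries 203.0.113.0/24 and 198.51.100.7 are placeholders; the function and its name are mine, not a Windows cmdlet.

```powershell
# Added example: limit who can reach RDP, rate-limit guessing, and report on
# who has been trying. Replace the placeholder allowlist before running.
#Requires -RunAsAdministrator

$AllowedSources = @('203.0.113.0/24', '198.51.100.7')   # assumption: your admin/VPN IPs

# 1. Restrict every enabled inbound RDP rule to the allowlist. Covers the
#    built-in "Remote Desktop" group and any custom-port rule named "RDP...".
$rdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayGroup -eq 'Remote Desktop' -or $_.DisplayName -like 'RDP*' }
$rdpRules | Set-NetFirewallRule -RemoteAddress $AllowedSources

# 2. Lock accounts after repeated failures: 10 attempts, 15-minute lockout,
#    failure counter resets after 15 minutes. Adjust to your own policy.
net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15 | Out-Null

# 3. Failed logons (event 4625) in the last N hours, grouped by source IP.
#    With NLA, failed RDP logons are recorded as LogonType 3 (network), not 10,
#    so do not filter on type 10 alone.
function Get-RdpFailedLogonReport {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue

    # Parse the event XML so fields are addressed by name, not by position.
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']
            SourceIp  = $d['IpAddress']
        }
    }

    $rows | Group-Object SourceIp | Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceIp'; e = { $_.Name } },
                      Count,
                      @{ n = 'Accounts'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } },
                      @{ n = 'LastSeen'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } }
}

Get-RdpFailedLogonReport -Hours 24 | Format-Table -AutoSize
```

Two caveats: the built-in Administrator account (RID 500) is exempt from lockout by default, so rename it or use a separate admin account; and if your own IP is not in the allowlist when step 1 runs, you will be cut off, so run this from the console or out-of-band session the first time.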
Why does my RDP session keep timing out and disconnecting?
Windows Server has idle session timeouts set via Group Policy. To adjust them, open gpedit.msc and navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits. Set “Set time limit for disconnected sessions” and “Set time limit for idle Remote Desktop Services sessions” to your preferred values or Never. Changes take effect after running gpupdate /force.