Step-by-Step Guide to Configuring Admin RDP on Windows Servers

Remote Desktop Protocol (RDP) is one of the most widely used methods for administrators to manage and troubleshoot Windows Servers remotely. By enabling Admin RDP on Windows Servers, you can remotely access the server’s desktop environment, making it easier to perform system administration tasks.

In this step-by-step guide, we’ll walk you through the process of configuring Admin RDP on Windows Servers, ensuring secure access and optimal settings for your environment.

What You’ll Need

  • A Windows Server (2012, 2016, 2019, or 2022) and an account that is a local administrator on it.
  • A client machine capable of using RDP (Windows, macOS, or Linux with an RDP client).
  • Network access to the server (ensure firewall settings are configured appropriately).
  • Licensing: a server without the Remote Desktop Session Host role allows two concurrent administrative sessions with no RDS client access licenses (CALs); anything beyond that (more sessions, or non-admin users working on the server) needs the RD Session Host role and RDS CALs.

Step 1: Check System Requirements

Before proceeding with RDP configuration, ensure that your system meets the following requirements:

  1. Windows Server Edition: RDP is supported in all Windows Server editions (Standard, Datacenter, etc.).
  2. Network Configuration: Ensure the server is reachable from the network your administrators use, and that TCP 3389 (plus UDP 3389, which current clients use for the faster UDP transport) is allowed through the firewall from that network only.
  3. Administrator Access: You must be logged in as an administrator on the server.

Step 2: Enable Remote Desktop on the Server

  1. Open Server Manager:
    • Press Windows + R, type servermanager, and press Enter.
  2. Navigate to System Properties:
    • In the Server Manager window, click on Local Server in the left pane.
    • Look for the Remote Desktop setting under the “Properties” section. By default, it may be disabled.
    • Click on the Disabled link next to Remote Desktop.
  3. Enable Remote Desktop:
    • In the System Properties window that opens, select the option Allow remote connections to this computer.
    • Ensure the option Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended) is checked. With NLA, the client must authenticate through CredSSP before the server allocates a session or shows a login screen, so unauthenticated clients never reach the code that has historically carried RDP’s pre-authentication bugs, and a flood of anonymous connections cannot tie up sessions.
    • Click Apply and then OK.

Step 3: Configure Firewall Settings

Turning Remote Desktop on in System Properties also enables the built-in “Remote Desktop” rule group in Windows Defender Firewall (TCP 3389 and UDP 3389, from any source address). Confirm that it is on, and then tighten it so that only your management network can reach the port:

  1. Open Windows Firewall:
    • Open the Control Panel and navigate to System and Security > Windows Defender Firewall.
  2. Allow an App or Feature through the Firewall:
    • Click Allow an app or feature through Windows Defender Firewall on the left.
    • Ensure that Remote Desktop is listed and allowed for the Domain and Private profiles. Leave Public unchecked unless the server genuinely must accept RDP from an untrusted network, and in that case put it behind a VPN or RD Gateway (Step 7) instead of exposing 3389 directly.
  3. Restrict the Rule to Known Source Addresses (recommended):
    • Open Advanced Settings on the left side of the Firewall window.
    • In Inbound Rules, click New Rule on the right-hand side.
    • Choose Port as the rule type, select TCP, and enter 3389 as the specific local port (create a second rule for UDP 3389 if you want the UDP transport).
    • Allow the connection and apply it to the Domain and Private profiles only.
    • Name the rule (e.g., “Allow RDP from management subnet”) and click Finish.
    • Open the new rule’s Properties, and on the Scope tab set Remote IP addresses to the subnet or jump hosts your administrators connect from. Then disable the built-in, unscoped Remote Desktop rules so that the scoped rule is the only way in.

Step 4: Configure User Access for RDP

Members of the local Administrators group can connect over RDP as soon as it is enabled. Any other account must be a member of the Remote Desktop Users group, which carries the “Allow log on through Remote Desktop Services” user right. Keep that group small and prefer dedicated administrative accounts over day-to-day user accounts:

  1. Add User to Remote Desktop Users Group:
    • Open Control Panel and go to Administrative Tools > Computer Management.
    • In the left pane, navigate to Local Users and Groups > Groups.
    • Double-click on Remote Desktop Users to open the group properties.
    • Click Add, then type the username of the account you wish to grant RDP access to. Click Check Names and OK.
  2. Configure User Rights (Optional):
    • The group memberships map to two user rights in Local Security Policy (secpol.msc) under Local Policies > User Rights Assignment: “Allow log on through Remote Desktop Services” and “Deny log on through Remote Desktop Services”. Deny wins over Allow, so it is the place to block specific accounts or groups (service accounts, for example) from ever logging on over RDP even if someone later adds them to an allowed group.
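Steps 2 to 4 as one script, added here as an example and not part of the original guide. It enables Remote Desktop with NLA, replaces the broad built-in firewall rules with ones scoped to a management subnet, and grants one account access. Run it in an elevated PowerShell session on the server; the subnet and account name are placeholder assumptions, and Add-LocalGroupMember needs Windows Server 2016 or later (on older releases use net localgroup "Remote Desktop Users" CONTOSO\jdoe /add instead).

```powershell
# Added example (not from the original guide): enable Remote Desktop with NLA, allow
# TCP/UDP 3389 only from a management subnet, and grant one account RDP access.
# Run elevated on the server. The subnet and account below are assumptions; replace them.
# Caution: run this from the console or from an address inside the management subnet,
# because the built-in (any-source) firewall rules are disabled at the end.

$ManagementSubnet = '10.20.30.0/24'     # assumed admin / jump-host network
$RdpUser          = 'CONTOSO\jdoe'      # assumed account to grant access

# 1. Enable Remote Desktop (fDenyTSConnections = 0) and require NLA on the listener.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"
Set-ItemProperty -Path $tsKey  -Name 'fDenyTSConnections' -Value 0 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord

# 2. Firewall: add rules scoped to the management subnet on Domain/Private only ...
$common = @{ Direction = 'Inbound'; LocalPort = 3389; RemoteAddress = $ManagementSubnet
             Action = 'Allow'; Profile = 'Domain,Private' }
New-NetFirewallRule -DisplayName 'RDP from management subnet (TCP)' -Protocol TCP @common | Out-Null
New-NetFirewallRule -DisplayName 'RDP from management subnet (UDP)' -Protocol UDP @common | Out-Null
#    ... and only then disable the built-in group, which allows any source address.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# 3. Grant the account RDP access. Local Administrators already have it.
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $RdpUser -ErrorAction SilentlyContinue

# 4. Verify what was actually applied.
Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections | Select-Object fDenyTSConnections
Get-ItemProperty -Path $rdpTcp -Name UserAuthentication | Select-Object UserAuthentication
Get-NetFirewallRule -DisplayName 'RDP from management subnet*' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object Name, PrincipalSource
```

The verification lines at the end are the part worth keeping in a change ticket: fDenyTSConnections must read 0, UserAuthentication 1, and the address filter must show your subnet rather than Any.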

Step 5: Configure RDP Session Settings (Optional)

You can customize several settings for RDP sessions, such as session timeouts, resolution, and user experience settings. Here’s how:

  1. Open Local Group Policy Editor:
    • Press Windows + R, type gpedit.msc, and press Enter.
    • In the Group Policy Editor, navigate to:
      • Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits.
  2. Configure Time Limits and Session Settings:
    • You can configure options such as:
      • Set time limit for active but idle Remote Desktop Services sessions.
      • Set time limit for disconnected sessions.
      • End session when time limits are reached.
  3. Allow Multiple RDP Sessions (if necessary):
    • A server without the Remote Desktop Session Host role runs in “administration” mode and already permits two simultaneous sessions. Whether one account may hold both is controlled by the policy Restrict Remote Desktop Services users to a single Remote Desktop Services session, under the Connections folder of the same Group Policy path. Allowing more than two sessions requires installing the RD Session Host role and purchasing RDS client access licenses (CALs).
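The session limits from this step, applied without the Group Policy editor. This is an added example, not from the original guide: it writes the same registry values under the Policies hive that the Group Policy settings above would write, with the default (no limits) state described beside the hardened one. The specific limits are assumptions; pick values that fit your own change windows.

```powershell
# Added example (not from the original guide): set Remote Desktop session time limits by
# writing the policy registry values behind the Group Policy settings in Step 5.
# Run elevated. Times are in milliseconds. The chosen limits are assumptions.

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }

# Default (weak) state: no idle limit and disconnected sessions live until reboot, so an
# administrator who closes the laptop leaves an authenticated desktop parked on the server
# for anyone who later reconnects to that session. Hardened state:
$settings = @{
    MaxIdleTime           = 15 * 60 * 1000   # "Set time limit for active but idle sessions": 15 min
    MaxDisconnectionTime  = 60 * 60 * 1000   # "Set time limit for disconnected sessions": 1 hour
    fResetBroken          = 1                # "End session when time limits are reached": log off, not disconnect
    fSingleSessionPerUser = 1                # "Restrict users to a single session"
}
foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $policy -Name $name -Value $settings[$name] -Type DWord
}

# Review the result, then list the sessions currently on the server (state and idle time).
Get-ItemProperty -Path $policy |
    Select-Object MaxIdleTime, MaxDisconnectionTime, fResetBroken, fSingleSessionPerUser
query session
```

New sessions pick the values up immediately; existing sessions keep the limits they were created with until they are logged off. Because these live under the Policies hive, a domain GPO that sets the same items will overwrite them at the next refresh, which is the behaviour you want on domain-joined servers.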

Step 6: Test Remote Desktop Access

Once you’ve enabled Remote Desktop and configured necessary settings, it’s time to test access:

  1. From a Remote Machine:
    • Open the Remote Desktop Connection application (type mstsc in the Run dialog or search bar).
    • Enter the IP address or hostname of the server and click Connect.
  2. Login:
    • When prompted, enter the credentials of a user that has RDP access (an account in the Administrators or Remote Desktop Users group).
    • On the first connection the client warns that the server’s certificate is not trusted, because Windows generates a self-signed one. Before accepting, compare the thumbprint shown with the certificate in the server’s Remote Desktop store (certlm.msc > Remote Desktop > Certificates); clicking through without checking is how a man-in-the-middle relay collects credentials. For production servers, issue the listener a certificate from your internal CA so the warning never appears.
    • If everything is configured correctly, you should be logged in to the server’s desktop.

Step 7: Secure RDP Access

An RDP endpoint reachable from the internet starts receiving password-guessing traffic within hours of going live, so treat the measures below as the baseline, not as extras:

  1. Use Strong Passwords and Account Lockout: Ensure that accounts with RDP access have long, unique passwords, and set an account lockout threshold so that password spraying stalls instead of running unattended.
  2. Change the Default RDP Port (limited value): The default port (TCP 3389) is the first thing scanners probe, so a non-standard port trims log noise, but it is not a security boundary: scanners fingerprint the RDP handshake on any port, and the exposure is otherwise identical. If you do change it, add the firewall rule for the new port before touching the registry, or you will lock yourself out:
    • Create an inbound firewall rule allowing the new port (as in Step 3), scoped the same way as the 3389 rule.
    • Open Registry Editor (regedit).
    • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.
    • Find the DWORD value PortNumber and change it (in decimal) to the new port (e.g., 33890).
    • Restart the Remote Desktop Services service (or the server), reconnect with server:33890, and only then remove the old 3389 rule.
  3. Keep Network Level Authentication (NLA) On: NLA (the checkbox from Step 2) is on by default on current server releases; confirm it is still checked, and on a fleet enforce it with the Group Policy setting Require user authentication for remote connections by using Network Level Authentication. It is the single most effective of these settings, because it removes the unauthenticated attack surface entirely.
  4. Use VPN or IP Allow-listing: Require a VPN connection before RDP access, or restrict the firewall rule’s Remote IP addresses to a management subnet or jump host (Step 3). Do not publish 3389 directly to the internet.
  5. Use Multi-Factor Authentication (MFA): RDP has no built-in second factor. MFA is added either at the RD Gateway (through Network Policy Server and an MFA extension) or with a credential provider installed on the server; choose one and require it for every interactive administrative logon.
  6. Remote Desktop Gateway: For organizations with more than a handful of servers, a Remote Desktop Gateway (RD Gateway) tunnels RDP inside HTTPS on TCP 443, authenticates the user against a proper TLS certificate before any RDP traffic reaches an internal host, centralizes authorization (which users may reach which servers), and is the natural place to attach MFA. Internal servers then accept RDP from the gateway only.
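The host-side parts of Step 7 (lockout, listener hardening, and the port change in an order that does not lock you out), as an added example that is not part of the original guide. The new port, the management subnet, and the lockout numbers are assumptions; the registry names and values are the documented ones for the RDP-Tcp listener.

```powershell
# Added example (not from the original guide): apply the Step 7 host hardening from an
# elevated prompt. Port, subnet and lockout values are assumptions; change them.
# Run from the console or a management-subnet address: restarting TermService drops
# every current RDP session, including the one running this script.

$NewPort          = 33890
$ManagementSubnet = '10.20.30.0/24'
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Account lockout: 10 failures within 15 minutes locks the account for 15 minutes,
#    which turns an unattended password spray into a trickle.
net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15 | Out-Null

# 2. Listener hardening:
#    UserAuthentication 1 = require NLA (CredSSP before a session exists)
#    SecurityLayer      2 = TLS only; no fallback to the legacy RDP security layer
#    MinEncryptionLevel 3 = "High" (128-bit); 4 would additionally force FIPS mode
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel -Value 3 -Type DWord

# 3. Port change. Firewall rules for the NEW port go in first, scoped like the 3389 rule ...
$common = @{ Direction = 'Inbound'; LocalPort = $NewPort; RemoteAddress = $ManagementSubnet
             Action = 'Allow'; Profile = 'Domain,Private' }
New-NetFirewallRule -DisplayName "RDP $NewPort from management subnet (TCP)" -Protocol TCP @common | Out-Null
New-NetFirewallRule -DisplayName "RDP $NewPort from management subnet (UDP)" -Protocol UDP @common | Out-Null
#    ... and only then is the listener moved (UDP follows the same PortNumber).
Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $NewPort -Type DWord
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 5

# 4. Verify the listener actually moved before the old 3389 rules are removed;
#    if it did not, roll the port back rather than leaving the server unreachable.
$listening = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if ($listening) {
    Write-Host "RDP is listening on TCP $NewPort. After reconnecting on that port, run:"
    Write-Host "  Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule"
} else {
    Write-Warning "No listener on TCP $NewPort; reverting PortNumber to 3389."
    Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value 3389 -Type DWord
    Restart-Service -Name TermService -Force
}
```

The order matters more than the values: rule first, registry second, verify third, and remove the old rule only from a session established on the new port. Everything in step 2 survives a port change and is worth applying even if you keep 3389.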

Step 8: Monitor and Audit RDP Sessions

Brute forcing and logons with stolen credentials appear in the event logs long before anything else gives them away, so forward these events to your log collector and alert on them:

  1. Enable RDP Logging:
    • Use Event Viewer (eventvwr.msc) to review RDP login attempts and session activity.
    • Under Windows Logs > Security, event 4624 with Logon Type 10 (RemoteInteractive) is a successful RDP logon and 4625 is a failed one; both record the account name and the client’s source IP address.
    • Under Applications and Services Logs > Microsoft > Windows > TerminalServices-RemoteConnectionManager > Operational, event 1149 records each connection that passed NLA; under TerminalServices-LocalSessionManager > Operational, events 21, 24, and 25 record session logon, disconnect, and reconnect.
  2. Audit Failed Logins:
    • Confirm that Advanced Audit Policy > Logon/Logoff > Audit Logon records failures (auditpol /get /subcategory:"Logon"), otherwise 4625 is never written.
    • Watch for bursts of 4625 from one source address or against one account across many servers, successful logons from addresses outside your management subnet, and logons at hours when no administrator should be working.
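The review described in this step as a script, added here as an example and not part of the original guide. It enables failure auditing, pulls the last day of RDP-related Security events, and summarizes failed logons by source address so that a password spray stands out. The event IDs and field names are the standard Windows ones; the 24-hour window and the alert threshold are assumptions.

```powershell
# Added example (not from the original guide): collect the Step 8 events for the last
# 24 hours and summarise failed logons by source to catch brute forcing. Run elevated.
# The event IDs and XML field names are Windows built-ins; window and threshold are assumed.

$Since     = (Get-Date).AddHours(-24)
$Threshold = 20   # failures from one source in the window worth alerting on

# Without failure auditing on the Logon subcategory, 4625 is never written.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null

# Flatten a Security event's EventData into a hashtable keyed by field name.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml    = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# Successful interactive RDP logons: 4624 with LogonType 10 (RemoteInteractive).
$rdpLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f.LogonType -eq '10') {
            [pscustomobject]@{ Time = $_.TimeCreated; Account = "$($f.TargetDomainName)\$($f.TargetUserName)"; Source = $f.IpAddress }
        }
    }

# Failed logons: 4625. With NLA on, a bad password never reaches the login screen and
# is logged here as LogonType 3 with the client's address in IpAddress.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $f.TargetUserName; Source = $f.IpAddress; Status = $f.Status }
    }

"Successful RDP logons since $($Since):"
$rdpLogons | Sort-Object Time | Format-Table Time, Account, Source -AutoSize

"Sources with $Threshold or more failed logons (candidate brute force):"
$failures | Group-Object Source | Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Source        = $_.Name
            Failures      = $_.Count
            AccountsTried = ($_.Group.Account | Sort-Object -Unique) -join ', '
        }
    } | Format-Table -AutoSize

# Connections that passed NLA (1149), whether or not the session logon then succeeded.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; Id = 1149; StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message -First 20 | Format-Table -Wrap
```

A single source cycling through many accounts (long AccountsTried, low Failures per account) is password spraying that an account lockout threshold will not stop; a single account with many failures is a plain brute force that lockout does stop. Both belong in a SIEM rule rather than a script run by hand, but the field extraction above is the same logic the rule needs.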

Conclusion

Enabling and configuring Remote Desktop Protocol (RDP) on Windows Servers is an essential skill for system administrators. By following this guide, you can set up reliable RDP access that is reachable from your management network or through a gateway rather than from the open internet, with NLA, scoped firewall rules, and logon auditing in place, so that you can manage and troubleshoot your systems effectively without turning the management path itself into the weakest point of the server.