How to Set Up Remote Desktop (RDP) Access on a Windows VPS

Search for how to secure RDP and half the results will tell you to change the port from 3389 to something else. It is the first advice everyone gives.

It is also close to worthless, and believing in it is how Windows servers end up encrypted by ransomware. We’ll get to why. First, let’s get you logged in.

Getting to the Desktop

A Linux VPS you drive from a terminal. A Windows Server VPS you drive from its desktop, and the road there is Remote Desktop Protocol. Most providers ship it already enabled, so the fastest path is simply to try connecting.

On Windows, press Win + R, type mstsc, hit Enter. Type your server’s IP. Connect. Enter the administrator username and password your host gave you. Accept the certificate warning, which is expected on a fresh server using a self-signed certificate.

Not on Windows?

  • macOS: install Microsoft Remote Desktop from the App Store, add a PC, enter the IP
  • Linux: sudo apt install remmina remmina-plugin-rdp, create an RDP profile, enter the server details

If that connected, skip ahead to the security section, because that is the part that will actually cost you something if you get it wrong.

If It Didn’t Connect

RDP has to be enabled on the server, and port 3389 has to be open in two separate firewalls. The second one is what people miss.

To enable RDP, get to the desktop through your provider’s console or VNC access, then:

  1. Open Server Manager and click Local Server
  2. Find Remote Desktop, which will read “Disabled”. Click it
  3. Choose Allow remote connections to this computer
  4. Tick Allow connections only from computers running Remote Desktop with Network Level Authentication. Leave this on. It is the single most valuable checkbox on the page
  5. Apply, OK

Windows Firewall usually opens 3389 for you when you do this. Your hosting provider’s firewall will not. That is a separate layer sitting in front of the VPS, configured in your provider’s control panel, and until you allow inbound TCP 3389 there, nothing you change inside Windows makes any difference.

Only One of You Can Be Logged In

A standard Windows Server VPS permits exactly one interactive administrator session. Your colleague connects, and you get thrown out. That is not a bug and no setting will fix it.

Multiple simultaneous users requires the Remote Desktop Services role plus Client Access Licenses from Microsoft, both of which cost money. People coming from Linux expect RDP to behave like SSH, where twenty people can be logged in at once without anyone noticing. It does not, and the licensing is where that difference bites.

Now the Part That Matters

RDP is one of the most attacked services on the internet. Not because it is badly built, but because it hands an attacker a full desktop with administrator rights the moment they guess a password. Every major ransomware family in the last decade has had “exposed RDP with a weak password” as a favoured way in.

So, back to the port advice.

Moving RDP off 3389 buys you almost nothing. The bots scanning the internet do not check one port, they sweep all of them. Moving to port 33890 means they find you a few minutes later instead of immediately. You have not locked the door, you have moved it slightly to the left, and now you have to remember where you put it.

What actually works, in order of how much it helps:

  • Restrict source IP in your provider’s firewall. Allow port 3389 only from your office or home IP. Everyone else is refused before they reach Windows at all. This single change eliminates the entire brute-force threat, because attackers cannot knock on a door they cannot see
  • Put RDP behind a VPN or an RD Gateway so it is never exposed to the open internet. This is the professional answer, and if you have any way to do it, do it
  • Use a long, unique administrator password. Bots try thousands of common passwords an hour. Length beats complexity here
  • Leave Network Level Authentication on. It forces authentication before a session is even established, which shuts down a whole class of attack
  • Change the port, last and least, and only to reduce log noise. It is a tidiness measure, not a security control

Whether you run Windows or Linux, the principle is identical: never expose an administrative service to the whole internet when you can expose it to one IP address. If you are still choosing between the two platforms, our comparison of Linux vs Windows servers and the deeper look at Linux vs Windows security both go further.

Four Errors and What They Really Mean

  • “This computer can’t connect to the remote computer”: a firewall. Nearly always the provider’s, not Windows’
  • Correct password, login refused: the account may be locked out from too many failed attempts, which is itself a signal that bots have been trying. Check Caps Lock too, before assuming the worst
  • Connection keeps dropping: usually the network between you and the server, not the server itself. Try from a different connection before you start changing settings
  • “No Remote Desktop License Servers available”: the grace period for multi-user sessions has expired. You need a licensed RDS deployment, not a configuration tweak

Before You Walk Away From This Server

Open your provider’s firewall right now and restrict port 3389 to your own IP address. It takes two minutes and it is worth more than every other hardening step on this page combined.

If you cannot do that because you connect from changing locations, then a VPN is not optional for you. It is the job.