How to Restrict RDP Access to Specific IP or Subnet for Enhanced Security


Restricting Remote Desktop Protocol (RDP) access to specific IP addresses or subnets is a fundamental security practice. When you expose RDP to the internet without restrictions, you're essentially painting a target on your servers for brute force attacks and unauthorized access attempts.

The most straightforward method is Windows Firewall with Advanced Security on the host itself. One thing to understand before adding rules: inbound Allow rules are additive. Creating a new, scoped Allow rule changes nothing while the built-in "Remote Desktop" rules (enabled automatically when you turn Remote Desktop on) still allow 3389 from any address. Either scope those built-in rules to the same subnet, as shown further down, or disable them and rely solely on the rule you create here. Note also that since Windows 8 / Server 2012 the RDP client uses UDP 3389 alongside TCP, so a TCP-only rule leaves the UDP transport to the built-in rule's scope:

# PowerShell command to allow RDP from a specific subnet only
# (backticks are PowerShell line continuations; the command must be one statement)
New-NetFirewallRule -DisplayName "Allow RDP from Home Network" `
    -Direction Inbound `
    -LocalPort 3389 `
    -Protocol TCP `
    -Action Allow `
    -RemoteAddress 192.168.1.0/24

For additional security, implement restrictions at your network perimeter:

  1. Configure your firewall to drop all RDP traffic except from your home subnet
  2. Set up VPN access instead of direct RDP exposure
  3. Consider port knocking for additional security

If your servers are in Azure, apply the same restriction in the NSG attached to the subnet or NIC. Two caveats apply. First, the source prefix must be the address the traffic actually arrives from: for access over the internet that is your public IP or CIDR, not a private range such as 192.168.1.0/24, because an RFC 1918 prefix only matches traffic that originates inside the VNet, a peered VNet, or a VPN/ExpressRoute connection. Second, NSG rules are evaluated in priority order and the default DenyAllInBound rule (priority 65500) is last, so any existing rule that allows 3389 from Any or Internet at a lower number than 65500 overrides your restriction and must be removed:

# Azure CLI command to create NSG rule
az network nsg rule create \
    --resource-group MyResourceGroup \
    --nsg-name MyNSG \
    --name AllowRDPFromHome \
    --access Allow \
    --protocol Tcp \
    --direction Inbound \
    --priority 100 \
    --source-address-prefix 192.168.1.0/24 \
    --source-port-range "*" \
    --destination-address-prefix "*" \
    --destination-port-range 3389

For maximum protection, consider implementing:

  • Two-factor authentication for RDP
  • Changing the default RDP port, which reduces automated scanner noise but is not an access control: scanners fingerprint the service on whatever port it listens on, so this never replaces IP scoping
  • Account lockout policies, with a threshold that stops brute force without letting an attacker lock every account by design
  • Regularly updating your systems

When managing remote servers, exposing RDP to the entire internet is a significant security risk, and a perimeter control on its own is not enough: the host should enforce the same restriction so that a mistaken perimeter rule or a move to a different network does not silently re-expose it. Windows Firewall with Advanced Security provides that granular control over RDP access through network-level restrictions.

Here's how to scope the built-in rule so it only allows RDP connections from your home subnet (e.g., 192.168.1.0/24). This modifies the existing rule rather than adding a new one, which is what actually closes the port to everyone else:

# PowerShell command to modify the built-in RDP firewall rule
Set-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" -RemoteAddress 192.168.1.0/24

The matching "Remote Desktop - User Mode (UDP-In)" rule needs the same scope, since modern RDP clients use UDP 3389 as well; passing -DisplayGroup "Remote Desktop" instead of -DisplayName applies the change to every rule in the group at once.

For domain-joined servers, you can enforce these restrictions through Group Policy, which also prevents a local administrator from quietly widening the scope later:

  1. Open Group Policy Management Console and edit (or create) a GPO linked to the servers' OU
  2. Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules
  3. The predefined rules are not present in a GPO by default, so create a new inbound rule of type Predefined: Remote Desktop, then on its Scope tab set the remote IP addresses to your allowed subnets

Because the GPO applies to every computer in the linked OU, make sure the allow-list covers your own management hosts before you link it.

After implementation, test the restriction from both allowed and blocked IP addresses. Windows Firewall drops disallowed connections silently, so the test from a blocked address should time out rather than be refused; a fast "connection refused" usually means the rule did not apply. Use this PowerShell command to verify the rule:

Get-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" | 
Get-NetFirewallAddressFilter | Format-List RemoteAddress

For environments requiring access from multiple networks, pass an array of subnets (keep it as tight as the real client ranges; allowing all of 10.0.0.0/8 is an allow-list in name only):

Set-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" `
    -RemoteAddress "192.168.1.0/24","10.0.0.0/8","172.16.0.0/12"
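The commands above adjust one rule at a time, but what actually decides whether RDP is exposed is the union of every enabled inbound Allow rule that covers port 3389. The following PowerShell is an added example, not code from the original article: it scopes the whole built-in Remote Desktop rule group to an allow-list, enumerates any other rule that still admits 3389 (including port ranges and Any-port rules), checks that the profiles are on with a Block default, and shows the client-side test. The allow-list, the server name and the GPO name are constructed placeholders; the -DisplayGroup and -PolicyStore usage is standard NetSecurity module behaviour rather than something the article states.

```powershell
# Added example, not code from the original article. Scopes every rule that
# admits RDP, audits for any other rule that still exposes 3389, and shows the
# client-side test. Assumptions: Windows Server 2012+ / Windows 8+ (NetSecurity
# module), run from an elevated PowerShell session; the allow-list, server name
# and GPO name below are constructed placeholders.

$AllowedSources = @("192.168.1.0/24", "10.0.0.0/8")   # constructed sample allow-list

# 1. Scope the whole built-in "Remote Desktop" group (the TCP-In, UDP-In and
#    Shadow rules). Editing only "Remote Desktop - User Mode (TCP-In)" leaves
#    UDP 3389 open to any address.
Set-NetFirewallRule -DisplayGroup "Remote Desktop" -RemoteAddress $AllowedSources

# 2. Allow rules are additive, so any other enabled inbound Allow rule whose
#    port filter covers 3389 (a single port, a range, or "Any") re-opens RDP.
#    Enumerate them and flag the ones still scoped to Any.
function Test-PortCovered {
    param([string[]]$PortSpec, [int]$Port)
    foreach ($p in $PortSpec) {
        if ($p -eq "Any") { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($p -match '^\d+$' -and [int]$p -eq $Port) {
            return $true
        }
        # Named services such as RPC or RPC-EPMap fall through as not matching.
    }
    return $false
}

function Get-RdpExposure {
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        if (-not (Test-PortCovered -PortSpec $portFilter.LocalPort -Port 3389)) { continue }
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            Protocol      = $portFilter.Protocol
            RemoteAddress = ($remote -join ",")
            OpenToAny     = ($remote -contains "Any")
        }
    }
}

$exposure = Get-RdpExposure
$exposure | Format-Table -AutoSize
$exposure | Where-Object { $_.OpenToAny } | ForEach-Object {
    Write-Warning "Rule '$($_.Rule)' still admits RDP from any address; scope or disable it."
}

# 3. A scoped allow-list only restricts anything if the firewall is enabled on
#    every profile and the inbound default is Block.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 4. Optional: push the same scope through Group Policy. Predefined rules are not
#    present in a GPO store, so create the rule there instead of editing the local
#    one. "contoso.example\RDP Scope" is a placeholder GPO name; uncomment to use.
# New-NetFirewallRule -PolicyStore "contoso.example\RDP Scope" -DisplayName "Remote Desktop (scoped)" `
#     -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow -RemoteAddress $AllowedSources

# 5. Run this from a client on an allowed subnet (expect TcpTestSucceeded : True)
#    and from one outside it (expect False after a timeout: the firewall drops
#    silently rather than refusing, so a slow False is the success signal).
#    "server01" is a placeholder host name.
Test-NetConnection -ComputerName server01 -Port 3389 -InformationLevel Detailed
```

The audit in step 2 is the part worth keeping around: rerun it after any software install or role change, since installers and management agents routinely add their own "Any" rules, and a rule that allows all ports from all addresses is as much an RDP exposure as one that names 3389.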
Whatever method you use:

  • Always maintain a local console or out-of-band access path (hypervisor or cloud serial console) as a backup, so a mistaken rule cannot lock you out
  • Consider implementing VPN as an additional security layer
  • Regularly audit your firewall rules for anything that re-opens 3389 to any address
  • Document all changes for future reference