A Windows VPS with RDP exposed to the internet is one of the most common attack targets in the world. The moment your server goes live with Remote Desktop Protocol on the default port, automated scanners find it — often within minutes. An unsecured Windows VPS with default RDP on port 3389 sees thousands of brute-force login attempts within the first few hours.

This is not theoretical. Botnets continuously scan the entire IPv4 address space for open RDP ports, then launch credential-stuffing attacks using databases of leaked passwords. If your server has a weak password and default settings, it is not a question of whether it will be compromised — it is a question of when.

The good news is that securing a Windows VPS is straightforward if you follow a systematic approach. This guide walks through every step, from basic RDP hardening to infrastructure-level protection that stops attacks before they reach your server.

Step 1: Change the Default RDP Port

The quickest change you can make is to move RDP off port 3389. It strips out the bulk of the background noise, because most mass scanners and brute-force bots only probe the default port.

This does not make your server invisible. Full-range port scanners (and the search engines that index their results) find and fingerprint RDP on any port, so treat the change as noise reduction rather than access control. The real access controls are the IP restrictions, lockout policy and VPN covered in the steps below.

How to Change the RDP Port

  1. Connect to your Windows VPS via RDP using the current default settings.
  2. Open Registry Editor by pressing Win + R, typing regedit, and pressing Enter.
  3. Navigate to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  4. Find the entry named PortNumber in the right pane. Double-click it.
  5. Select Decimal as the base, then enter your new port number (the value is a REG_DWORD). Pick something between 10000 and 49151, for example 41592. Stay below 49152 because Windows hands out ports 49152 to 65535 dynamically to outbound connections, and a listener inside that range can collide with them. Avoid well-known alternatives like 3390 or 8080, which scanners also try; pick something genuinely random.
  6. Click OK and close Registry Editor.

Important: Before restarting the RDP service, you must add a Windows Firewall rule for the new port. The built-in "Remote Desktop" rules are tied to 3389 and do not follow the registry change. If you skip this step, you will lock yourself out of the server. Note that a VPS network adapter is usually classified as a Public network, so a rule limited to the Domain or Private profile will not apply; keep the provider's console access handy as a fallback.

Update the Firewall Rule for the New Port

  1. Open Windows Firewall with Advanced Security (search for "Windows Defender Firewall with Advanced Security" in the Start menu).
  2. Click Inbound Rules in the left panel.
  3. Click New Rule in the right panel.
  4. Select Port, click Next.
  5. Select TCP, enter your new port number (e.g., 41592), click Next.
  6. Select Allow the connection, click Next.
  7. Check all profiles (Domain, Private, Public), click Next.
  8. Name the rule something descriptive like "RDP Custom Port 41592", click Finish.

Now restart the Remote Desktop Services service (TermService), or restart the entire server. When reconnecting, use your server IP followed by a colon and the new port number in your RDP client, for example 203.0.113.50:41592. Once the new port is confirmed working, disable the predefined "Remote Desktop" rules so that 3389 is no longer open.
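The whole of Step 1 as one elevated PowerShell session, added here as an example and not part of the original article. It creates the firewall rule first, refuses to proceed if the rule is missing, and only then changes the listener port and restarts the service. The port 41592 and the rule names are this example's assumptions.

```powershell
# Added example: change the RDP listener port safely. Run in an elevated PowerShell
# session on the VPS. 41592 is the article's sample port; pick your own.
$NewPort = 41592
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Record the current port so you can roll back.
$OldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Write-Host "Current RDP port: $OldPort"

# Refuse low ports and anything inside the Windows dynamic (ephemeral) range 49152-65535.
if ($NewPort -lt 10000 -or $NewPort -gt 49151) { throw "Pick a port between 10000 and 49151" }

# 2. Allow the new port BEFORE changing the listener, so a restart cannot lock you out.
#    All three profiles, because a VPS adapter is usually classified as Public.
New-NetFirewallRule -DisplayName "RDP Custom Port $NewPort" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -Action Allow -Profile Domain,Private,Public | Out-Null
# RDP also uses UDP on the same port for its faster transport and falls back to TCP
# if UDP is blocked, so this second rule is optional but improves session performance.
New-NetFirewallRule -DisplayName "RDP Custom Port $NewPort (UDP)" -Direction Inbound `
    -Protocol UDP -LocalPort $NewPort -Action Allow -Profile Domain,Private,Public | Out-Null

# 3. Confirm the TCP rule exists and is enabled before touching the registry.
$rule = Get-NetFirewallRule -DisplayName "RDP Custom Port $NewPort" -ErrorAction SilentlyContinue
if (-not $rule -or $rule.Enabled -ne 'True') { throw "Firewall rule missing; aborting before the port change" }

# 4. Change the listener port (REG_DWORD).
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

# 5. Restart Remote Desktop Services. Your current session will drop; reconnect on the new port.
Restart-Service -Name TermService -Force

# 6. From a fresh session on the new port, verify the listener is bound where you expect.
Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 7. Once the new port is confirmed working, close the stock 3389 allowances.
# Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
```

Step 7 is left commented out on purpose: run it only from a session that is already connected on the new port, so a mistake in the earlier steps cannot leave you with no way in.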

Step 2: Enable Network Level Authentication (NLA)

Network Level Authentication requires the connecting user to authenticate (over CredSSP, with the same credentials they would type at the logon screen) before the RDP session is created. Without NLA, the server builds a full session and presents a logon screen to anyone who connects; this costs CPU and memory per connection and lets unauthenticated clients exercise the listener's pre-authentication code paths, which is where RDP's most serious historical vulnerabilities have lived.

With NLA enabled, credentials are verified before any graphical session exists. A client that cannot authenticate never gets past the handshake, which removes a whole class of pre-authentication attacks and stops junk connection attempts from consuming server resources.

How to Enable NLA

  1. Open System Properties by pressing Win + R, typing sysdm.cpl, and pressing Enter.
  2. Go to the Remote tab.
  3. Under "Remote Desktop", ensure "Allow connections only from computers running Remote Desktop with Network Level Authentication" is checked.
  4. Click OK.

NLA should be enabled on every Windows VPS. The only reason to disable it is if you are connecting from very old RDP clients that do not support NLA — which in 2026 should not be the case for any modern device.
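The same setting applied from PowerShell, together with two related listener values and a read-back through the Terminal Services WMI class, added here as an example and not part of the original article. The SecurityLayer and MinEncryptionLevel values are this example's additions to what Step 2 describes.

```powershell
# Added example: enforce NLA and the TLS security layer on the RDP-Tcp listener.
# Run elevated. UserAuthentication 1 = NLA required; SecurityLayer 2 = TLS only
# (0 = legacy RDP security layer, 1 = negotiate); MinEncryptionLevel 3 = High.
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$Desired = @{
    UserAuthentication = 1
    SecurityLayer      = 2
    MinEncryptionLevel = 3
}

foreach ($name in $Desired.Keys) {
    $current = (Get-ItemProperty -Path $RdpKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $Desired[$name]) {
        Write-Host "Setting $name from '$current' to $($Desired[$name])"
        Set-ItemProperty -Path $RdpKey -Name $name -Value $Desired[$name] -Type DWord
    }
}

# Read back what the listener reports. New connections pick these values up; if the
# query still shows the old values, restart TermService (your session will drop).
Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'" |
    Select-Object TerminalName, UserAuthenticationRequired, SecurityLayer, MinEncryptionLevel
```

SecurityLayer 2 makes the server refuse clients that cannot do TLS, which is the same population of obsolete clients that cannot do NLA, so it costs nothing extra to enforce both.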

Step 3: Configure Windows Firewall Properly

Windows Firewall is capable when configured deliberately. Its default inbound action already drops traffic that matches no rule, but a freshly provisioned image usually ships with dozens of enabled predefined allow rules (file and printer sharing, network discovery, remote management) that you may not need. Lock it down to only what your server actually needs.

Block Everything, Then Whitelist

The safest approach is to start from a deny-all posture and only allow specific traffic:

  1. Open Windows Defender Firewall with Advanced Security.
  2. Click on Windows Defender Firewall Properties at the top.
  3. For each profile (Domain, Private, Public), set Inbound connections to Block.
  4. Leave Outbound connections set to Allow (unless you have specific reason to restrict outbound traffic).
  5. Click OK.

Now create inbound allow rules for only the ports your server needs:

Restrict RDP to Known IP Addresses

If you or your team connect from a consistent set of IP addresses, you can restrict RDP access to only those IPs. This is the strongest network-level defense against brute-force attacks.

  1. In the Inbound Rules, find your custom RDP port rule.
  2. Double-click it and go to the Scope tab.
  3. Under "Remote IP address", select "These IP addresses" and add the IPs you want to allow.
  4. Click OK.

If your IP address changes frequently (common with residential internet), you may need to use a VPN with a static IP instead. See Step 8 for details.
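Step 3 from start to finish in PowerShell, added here as an example and not part of the original article: the scoped RDP rule is created before the profile defaults are tightened, dropped packets are logged, and every remaining enabled inbound allow rule is listed for review. The port, rule name and source addresses are this example's assumptions; the 10.8.0.0/24 entry shows where a VPN client subnet (Step 8) goes, using the same RemoteAddress scope.

```powershell
# Added example: baseline the firewall and restrict RDP to known sources. Run elevated.
$RdpPort  = 41592
$RuleName = "RDP Custom Port $RdpPort"
# Placeholder sources: an office egress IP, a small static block, and a VPN client subnet.
$AllowedSources = @('198.51.100.10', '203.0.113.0/29', '10.8.0.0/24')

# Make sure the scoped RDP allow rule exists BEFORE tightening anything else.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $RdpPort -Action Allow -Profile Any | Out-Null
}
Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $AllowedSources

# Default posture for all profiles: block unmatched inbound, allow outbound, log drops.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# Audit: every enabled inbound allow rule that remains is attack surface. Disable what
# the server does not need (for example Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
# once the custom port works).
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Protocol      = $pf.Protocol
            LocalPort     = ($pf.LocalPort -join ',')
            RemoteAddress = ($af.RemoteAddress -join ',')
        }
    } | Sort-Object Rule | Format-Table -AutoSize
```

Keep the session you ran this from open and test a new connection from one of the allowed addresses before closing it; the ordering in the script prevents the common lockout where the default is flipped to Block before the RDP rule exists.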

Step 4: Set Up Account Lockout Policies

Account lockout policies automatically disable an account after a specified number of failed logon attempts. They are the backstop for brute-force attempts that reach the RDP service despite the steps above. Note the trade-off: anyone who knows a valid username can lock that account on purpose, which is one more reason to keep RDP off the public internet and the admin username non-obvious.

How to Configure Account Lockout

  1. Open Local Security Policy by pressing Win + R, typing secpol.msc, and pressing Enter.
  2. Navigate to Account Policies > Account Lockout Policy.
  3. Set the following values:
    • Account lockout threshold: 5 invalid login attempts
    • Account lockout duration: 30 minutes
    • Reset account lockout counter after: 30 minutes
  4. Click OK on each setting.

With these settings, after 5 failed logon attempts the account is locked for 30 minutes, so an attacker gets at most 5 guesses per account every 30 minutes, which makes guessing a strong password impractical. Lockout counts per account, so attackers respond with password spraying (one common password tried across many usernames); a non-obvious admin username (Step 5) and an IP restriction (Step 3) close that gap. Also note that the built-in Administrator account is exempt from lockout unless the "Allow Administrator account lockout" policy, added in a 2022 update, is enabled; Step 5 disables that account anyway.

Important: Make sure your own password is strong and that you remember it. If you lock yourself out, you will need to wait 30 minutes or use an alternative path (such as the VPS provider's console access) to unlock the account.
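The lockout policy applied and verified from the command line, followed by a summary of recent failed logons (Security event 4625) grouped by source address and target account, added here as an example and not part of the original article. The event summary shows the brute-force traffic the policy is meant to absorb and, after the policy is in place, which accounts are being sprayed. Nothing here is specific to any vendor; the 24-hour window is this example's choice.

```powershell
# Added example: set and verify the lockout policy, then summarise failed logons. Run elevated
# (the Security log is not readable otherwise).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
net accounts   # prints the effective policy; confirm the three values above

# Failed logons in the last 24 hours, grouped by source IP and target account.
# Logon type 10 = RemoteInteractive (RDP). With NLA on, failures often appear as
# type 3 (Network) and the IpAddress field may be '-', because CredSSP rejects the
# client before a session exists; the account names still show who is being sprayed.
$since = (Get-Date).AddHours(-24)
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Source    = $d.IpAddress
            Account   = $d.TargetUserName
            LogonType = $d.LogonType
            Status    = $d.SubStatus   # 0xC000006A bad password, 0xC0000064 unknown user, 0xC0000234 locked out
        }
    }

"Failed logons since ${since}: $($failures.Count)"
$failures | Group-Object Source, Account |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name |
    Format-Table -AutoSize

# Accounts currently locked out (a spike here after deployment means spraying is hitting real names).
Get-LocalUser | Where-Object { $_.Enabled -and $_.LockoutEnabled -eq $null } | Out-Null
```

Windows Server audits logon failures by default, so 4625 events are already there; if the query returns nothing on a server that is demonstrably being scanned, check Audit Logon under Advanced Audit Policy Configuration.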

Step 5: Disable the Default Administrator Account

The built-in "Administrator" account is the first target for every brute-force attack. Attackers know the username, so they only need to guess the password. Disabling it and using a custom-named administrator account forces automated attacks to guess both the username and the password. One caveat: the built-in account always carries relative identifier (RID) 500 in its SID, so an attacker who already has some authenticated access can map the SID back to whatever the account is now called. The point of this step is to defeat blind guessing from the internet, not to hide the account from someone already inside.

How to Create a New Admin and Disable the Default

  1. First, create a new administrator account with a non-obvious name. Open Computer Management (right-click Start > Computer Management).
  2. Navigate to Local Users and Groups > Users.
  3. Right-click in the right panel and select New User.
  4. Enter a username that is not "admin", "administrator", "root", or anything similarly obvious. Use something like your name or a custom identifier.
  5. Set a strong password (at least 16 characters, mix of uppercase, lowercase, numbers, and special characters).
  6. Uncheck "User must change password at next logon" and check "Password never expires" (for server accounts). The first one matters with NLA enabled: a forced password change can only be completed on the pre-NLA logon screen, so an account with that flag set cannot log on over RDP at all.
  7. Click Create.
  8. Now add this user to the Administrators group. Double-click the new user, go to the Member Of tab, click Add, type "Administrators", click OK.
  9. Log out and log back in with the new account to verify it works and has admin privileges.
  10. Once confirmed, go back to Local Users and Groups, right-click the built-in Administrator account, select Properties, and check "Account is disabled".

MassiveGRID provides two concurrent RDP sessions on every Windows VPS, which means you can keep your existing session open while testing the new account in a second session — reducing the risk of locking yourself out during this process.
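Step 5 in PowerShell, added here as an example and not part of the original article. It creates the replacement admin, prints the Administrators membership, locates the built-in account by its RID 500 suffix rather than by name, and gates the disable behind a flag you flip only after the second-session test described above. The username 'ops-jdoe' is a placeholder.

```powershell
# Added example: replace the built-in Administrator with a custom-named admin. Run elevated.
$NewAdmin = 'ops-jdoe'   # placeholder; choose your own non-obvious name
$Password = Read-Host -AsSecureString "Password for $NewAdmin (16+ characters)"

if (-not (Get-LocalUser -Name $NewAdmin -ErrorAction SilentlyContinue)) {
    # No "must change password at next logon" flag: with NLA that account could not log on over RDP.
    New-LocalUser -Name $NewAdmin -Password $Password -PasswordNeverExpires -AccountNeverExpires `
        -Description 'Primary admin; replaces built-in Administrator' | Out-Null
}
# Administrators may use RDP by default, so Remote Desktop Users membership is not needed.
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $NewAdmin -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $NewAdmin
}
Get-LocalGroupMember -Group 'Administrators'

# Find the built-in account by SID suffix: renaming it does not change the RID.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
"Built-in Administrator is currently named '$($builtin.Name)' (Enabled=$($builtin.Enabled))"

# Do not disable it until you have opened a SECOND RDP session as $NewAdmin and
# confirmed it is elevated (run 'whoami /groups' there and look for S-1-5-32-544).
$VerifiedNewAdminInSecondSession = $false   # set to $true after that check
if ($VerifiedNewAdminInSecondSession) {
    Disable-LocalUser -Name $builtin.Name
}

Get-LocalUser | Select-Object Name, Enabled, PasswordLastSet,
    @{ n = 'RID'; e = { $_.SID.Value.Split('-')[-1] } }
```

The final listing is the check worth keeping: one enabled account with a non-obvious name in Administrators, and the RID 500 row showing Enabled = False.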

Step 6: Enable Automatic Windows Updates

Unpatched Windows servers are a leading cause of security breaches. Microsoft releases security patches regularly, and exploits for known vulnerabilities often appear within days of disclosure. Keeping your server updated is non-negotiable.

How to Configure Automatic Updates

  1. Open Settings > Update & Security > Windows Update.
  2. Click Advanced options.
  3. Ensure updates are set to install automatically.
  4. Configure Active hours to define when you typically use the server — Windows will avoid restarting during these hours.
  5. Consider enabling "Receive updates for other Microsoft products when you update Windows" to also patch Microsoft SQL Server, .NET Framework, and other Microsoft components.

For production servers, some administrators prefer to delay updates by a few days to ensure a patch does not cause compatibility issues. This is a reasonable approach for non-critical systems, but security updates should always be applied promptly — within a week at most.
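A patch-state check to go with Step 6, added here as an example and not part of the original article. It lists recent hotfixes, asks the Windows Update Agent for applicable-but-missing updates, and warns about security updates that have been pending longer than the one-week limit above. It uses the Windows Update Agent COM API, so it needs outbound access to Windows Update or your WSUS server; the seven-day threshold is the article's own guidance.

```powershell
# Added example: report installed and pending updates. Run elevated.
$MaxAgeDays = 7   # "within a week at most"

# Last few installed hotfixes, newest first.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn | Format-Table -AutoSize

# Updates that apply to this server but are not installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$pending = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Title     = $u.Title
        Severity  = $u.MsrcSeverity            # Critical/Important/Moderate/Low; empty for non-security updates
        Published = $u.LastDeploymentChangeTime
        AgeDays   = [int]((Get-Date) - $u.LastDeploymentChangeTime).TotalDays
    }
}
"Pending updates: $(@($pending).Count)"
$pending | Sort-Object AgeDays -Descending | Format-Table -AutoSize

$overdue = @($pending | Where-Object { $_.Severity -in 'Critical','Important' -and $_.AgeDays -gt $MaxAgeDays })
if ($overdue.Count -gt 0) {
    Write-Warning "$($overdue.Count) security update(s) have been pending longer than $MaxAgeDays days"
}

# Windows Update sets this key when an installed update still needs a reboot to take effect.
$rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
"Reboot pending: $rebootPending"
```

Run it after every maintenance window; an installed-but-not-rebooted security update gives no protection, which is the state the last line catches.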

Step 7: Configure Windows Defender and Antivirus

Windows Server includes Windows Defender, which provides baseline antivirus and anti-malware protection. For most VPS use cases, Defender is sufficient when properly configured.

Verify Defender Is Active and Configured

  1. Open Windows Security from the Start menu.
  2. Click Virus & threat protection.
  3. Ensure Real-time protection is turned on.
  4. Ensure Cloud-delivered protection is turned on for the latest threat intelligence.
  5. Under Virus & threat protection settings, click Manage settings and verify Automatic sample submission is enabled.
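The Defender checks above from PowerShell, added here as an example and not part of the original article: read the current state with Get-MpComputerStatus, correct the settings the checklist asks for with Set-MpPreference, refresh signatures, and read the preferences back. The cloud block level and extended timeout are this example's additions beyond what the steps list.

```powershell
# Added example: verify and correct Microsoft Defender settings. Run elevated.
$s = Get-MpComputerStatus
$s | Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AntivirusEnabled,
    BehaviorMonitorEnabled, AntivirusSignatureAge, AntivirusSignatureLastUpdated, QuickScanAge

# Real-time protection on (the parameter name is inverted: $false means "do not disable").
if (-not $s.RealTimeProtectionEnabled) { Set-MpPreference -DisableRealtimeMonitoring $false }

# Cloud-delivered protection (MAPS) and automatic sample submission, as in the GUI steps.
# SubmitSamplesConsent options: AlwaysPrompt, SendSafeSamples, NeverSend, SendAllSamples.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples

# Hold suspicious files for up to 50 extra seconds while the cloud returns a verdict,
# and block at a higher confidence threshold than the default.
Set-MpPreference -CloudBlockLevel High -CloudExtendedTimeout 50

# Pull the latest definitions now, and flag stale ones.
Update-MpSignature
if ($s.AntivirusSignatureAge -gt 2) { Write-Warning "Signatures were $($s.AntivirusSignatureAge) days old before this update" }

# Read back the effective preferences.
Get-MpPreference | Select-Object MAPSReporting, SubmitSamplesConsent, CloudBlockLevel,
    CloudExtendedTimeout, DisableRealtimeMonitoring, DisableBehaviorMonitoring
```

Tamper protection is not exposed through Set-MpPreference; confirm it is on in the Windows Security app, because with it off an attacker who gains admin can switch all of the above back off with the same cmdlet.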

For servers running sensitive workloads (financial data, customer records, healthcare information), consider enterprise-grade antivirus solutions like CrowdStrike, SentinelOne, or Bitdefender GravityZone. These provide advanced threat detection, behavioral analysis, and centralized management that go beyond what Defender offers.

Step 8: Use RDP over VPN for Maximum Security

The most secure approach to RDP access is to not expose the RDP port to the public internet at all. Instead, connect to a VPN running on your server first, then access RDP through the VPN tunnel. This means the RDP port is only accessible to authenticated VPN users.

VPN Options for Windows VPS

Once the VPN is configured, update your Windows Firewall rule so RDP only accepts connections from the VPN's client subnet (a private RFC 1918 range such as 10.8.0.0/24 or 172.16.0.0/24, whichever your VPN hands out). Remove the rule that allows RDP from any IP. The RDP port then stops responding to the public internet entirely, and the VPN's own authentication becomes the first gate an attacker has to pass.

Step 9: Use MassiveGRID's Cluster Firewall as Your First Defense Line

Everything described in Steps 1-8 happens on your server. By the time Windows Firewall processes a connection attempt, the traffic has already reached your VPS. This means your server is still consuming resources handling (and rejecting) malicious traffic.

MassiveGRID's Cluster Firewall operates at the network edge — at the infrastructure level before traffic reaches your VPS. This is a fundamentally different layer of protection that you cannot replicate with any amount of Windows configuration.

What the Cluster Firewall Does

This is layered security in practice. The Cluster Firewall stops the bulk of malicious traffic, your custom RDP port eliminates most automated scanners, NLA blocks unauthenticated connections, account lockout stops brute-force attempts, and your strong password with a custom username handles the rest. Each layer reduces the attack surface further.

On top of the Cluster Firewall, every MassiveGRID VPS is protected by 12 Tbps DDoS protection via XDP technology. DDoS attacks against RDP servers are common — attackers sometimes flood the RDP port to deny service to legitimate users. This protection ensures your server remains accessible even during volumetric attacks.

Step 10: Set Up Automated Backups for Disaster Recovery

Security is not just about preventing attacks — it is about recovering when something goes wrong. Even with all the hardening above, you should have automated backups as your last line of defense.

What to Back Up

MassiveGRID offers backup services that integrate directly with the infrastructure. Your VPS data already lives on Ceph distributed storage with 3x replication, but replication only protects against hardware failure: ransomware encryption or an accidental deletion is replicated to all three copies immediately. Scheduled backups give you the point-in-time recovery that replication cannot.

If the worst happens — a ransomware infection, an accidental misconfiguration, or a failed update — you can restore from a clean backup rather than starting from zero. Think of backups as security insurance.

Infrastructure-Level Security: What MassiveGRID Provides by Default

Beyond the steps you configure yourself, MassiveGRID's infrastructure provides several security layers that are always active:

This means that even a misconfigured Windows Firewall cannot expose you to the same level of risk as a server hosted on consumer-grade infrastructure. The infrastructure-level protections act as a safety net beneath your server-level security configuration.

Why Security Is Especially Critical for Specific Windows VPS Workloads

The security steps above apply to every Windows VPS, but certain workloads carry additional risk that makes thorough hardening non-negotiable:

For all of these workloads, the High Availability architecture at MassiveGRID adds another dimension of security: resilience. If something goes wrong — ransomware, a failed update, accidental misconfiguration — the 3x replicated Ceph storage and HA failover mean your data survives hardware failures. Combined with regular backups, you can recover from even severe incidents without permanent data loss.

MassiveGRID's independent resource scaling also plays a role in security. Running antivirus scans, monitoring tools, and security services consumes CPU and RAM. With independent scaling, you can add the resources these security tools need without over-provisioning your entire server. Add 1-2 GB of RAM for Windows Defender and monitoring agents without changing your CPU allocation.

MassiveGRID Windows VPS Security Includes

  • Windows Server license included in every plan
  • 2x concurrent RDP sessions
  • High Availability with automatic failover
  • 12 Tbps DDoS protection and Cluster Firewall
  • Independent resource scaling (CPU, RAM, storage)
  • 4 global datacenter locations
  • 24/7 human support rated 9.5/10

Don't Want to Handle Security Yourself?

If this guide feels overwhelming, or if you simply don't want the responsibility of maintaining server security, MassiveGRID offers fully managed options where the security team handles everything for you.

With a Managed Cloud Server, MassiveGRID's team handles OS updates, security patching, firewall configuration, monitoring, and incident response. You get a secure Windows server without needing to follow any of the steps above — the security team configures and maintains it to enterprise standards.

Choosing the Right MassiveGRID Product for Your Security Needs

Security Checklist Summary

Here is the complete checklist. Work through it in order for a properly hardened Windows VPS:

  1. Change the default RDP port from 3389 to a custom high-numbered port
  2. Enable Network Level Authentication (NLA)
  3. Configure Windows Firewall to block all unused inbound ports
  4. Restrict RDP access to known IP addresses where possible
  5. Set account lockout policy (5 attempts, 30-minute lockout)
  6. Disable the default Administrator account; use a custom-named admin
  7. Enable automatic Windows Updates
  8. Verify Windows Defender is active and properly configured
  9. Consider RDP over VPN for maximum security
  10. Configure MassiveGRID Cluster Firewall rules
  11. Set up automated backups
  12. Use a strong, unique password (16+ characters)

Further Reading

Ready to get started? Configure your Windows VPS with enterprise-grade security built into the infrastructure from day one.