Why RDP Servers Are Targeted
Remote Desktop Protocol on port 3389 is the most commonly scanned and attacked service on internet-facing Windows servers. Automated tools continuously scan the entire IPv4 address space — billions of addresses — looking for open port 3389. When found, they attempt credential attacks: cycling through millions of common username/password combinations. A Windows Server with RDP exposed to all IPs and a weak administrator password can be compromised within hours of going online.
The good news: the five controls described below reduce this risk to near-zero. They are configuration changes, not additional software purchases. All are implemented by M A Global Network on every hosted server.
Control 1 — IP-Whitelisting: Eliminate the Attack Surface
The most effective single control. Configure the server's firewall to accept RDP connections only from specific IP addresses: your office connection, authorised staff home IPs, and any branch office IPs. Every other source IP — including all automated scanning bots — is blocked at the network level before the connection reaches Windows.
Without IP whitelisting: your RDP server receives 3,000–15,000 connection attempts per day from automated scanners. With IP whitelisting: it receives exactly the connections from your authorised IP addresses, and zero from everything else. The attack surface shrinks from "the entire internet" to "your specific authorised IPs."
Important detail: IP whitelisting should be implemented at the network firewall level, at the router or cloud firewall, before traffic reaches the Windows Firewall. Windows Firewall runs on the server itself, so it can filter a connection only after the packets have already reached the host; a network-level block drops them before they get that far, which is cleaner and more effective.
Dynamic IP management: Many Indian ISPs assign dynamic IP addresses that change periodically. M A Global Network's support team updates the IP whitelist whenever your office or home IP changes — a quick support request, typically actioned within 30 minutes.
Control 2 — Network Level Authentication
Network Level Authentication (NLA) requires the connecting user to authenticate before a full Remote Desktop session is established. Without NLA, the server presents the Windows login screen to any connecting client — exposing the OS interface before any authentication check. With NLA enabled, the server demands credentials before displaying anything — unauthenticated connections are rejected at the protocol level.
NLA is enabled on all M A Global Network hosted servers. It provides an additional barrier against certain attack categories that bypass credential prompts.
Control 3 — Account Lockout Policy
Account lockout prevents brute-force password attacks by locking an account after a specified number of failed login attempts.
| Setting | Recommended Value | Effect |
|---|---|---|
| Lockout threshold | 5 failed attempts | Account locked after 5 wrong passwords |
| Lockout duration | 30 minutes | Locked account unlocks automatically after 30 min |
| Reset counter after | 30 minutes | Failed attempt counter resets after 30 min of no attempts |
With this policy active, an automated attack attempting 1,000 passwords per minute can test only 5 credentials before triggering a 30-minute lockout — effectively making brute-force infeasible against any reasonable password.
Control 4 — Rename Default Administrator Account
Automated credential attacks target "Administrator" as the default Windows administrator username. Renaming this account to a non-obvious username means attacks using "Administrator" as the username fail at the account lookup stage, before even attempting the password. Combined with IP whitelisting, this makes automated account attacks effectively impossible.
The renamed account still has full administrator privileges — the change is purely in the account name, which eliminates the assumption that attackers make about the account's existence.
Control 5 — Strong, Unique Credentials per User
Each staff member should have a unique Windows account with a strong password. Guidelines:
- Minimum 12 characters — each additional character exponentially increases brute-force resistance
- Mix of uppercase, lowercase, numbers, and symbols
- Unique per user — no shared accounts where multiple people know the same credentials
- Not reused from other services
- Changed when there is any possibility of compromise
Two-factor authentication (2FA) can be added to Windows login for environments requiring enhanced security. With 2FA, even correct credentials are insufficient without the second factor — credential theft becomes meaningless. M A Global Network can configure 2FA on request.
Additional Hardening: Non-Standard RDP Port
Changing RDP from the default port 3389 to a non-standard port (e.g., 52891) reduces automated scanning hits because most scanners specifically target port 3389. This is a "security through obscurity" measure — it does not make the server more secure if discovered, but it eliminates exposure to scanners that only target the default port. M A Global Network can configure a non-standard RDP port on request.
Note: a non-standard port requires the RDP client to specify the port when connecting (e.g., server.ip.address:52891). Most RDP clients support this with simple configuration.
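As an added example (not part of the original page or M A Global Network's own tooling), this read-only PowerShell audit reports the state of Controls 1 to 4 and the RDP port on the server itself. It assumes an elevated Windows PowerShell 5.1 session and English-language `net accounts` output; the function name Get-RdpHardeningReport is illustrative.

```powershell
# Added example (not from the original page): read-only audit of the controls above.
# Run in an elevated Windows PowerShell session on the RDP server itself.
function Get-RdpHardeningReport {
    $rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $tcp    = Get-ItemProperty -Path $rdpTcp
    $port   = [string]$tcp.PortNumber
    $report = [ordered]@{
        'NLA required (Control 2)' = ($tcp.UserAuthentication -eq 1)
        'RDP listening port'       = $tcp.PortNumber
    }

    # Control 1, host layer: enabled inbound allow rules that cover the RDP port,
    # with the remote addresses each rule accepts. 'Any' means no whitelist.
    # Limitation: port ranges such as 3000-4000 are not expanded.
    $rules = foreach ($rule in (Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow)) {
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -notin 'TCP', 'Any') { continue }
        if (($pf.LocalPort -notcontains $port) -and ($pf.LocalPort -notcontains 'Any')) { continue }
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            RemoteAddress = $remote -join ', '
            OpenToAll     = ($remote -contains 'Any')
        }
    }
    $report['RDP rules open to any source (Control 1)'] = @($rules | Where-Object OpenToAll).Count

    # Control 3: lockout threshold, duration and observation window.
    # Assumes English-language 'net accounts' output.
    foreach ($line in (net accounts)) {
        if ($line -match '^(Lockout [^:]+):\s*(.+)$') { $report[$Matches[1]] = $Matches[2].Trim() }
    }

    # Control 4: the built-in administrator keeps RID 500 whatever it is called.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $report['Built-in admin name (Control 4)'] = $admin.Name
    $report['Built-in admin renamed']          = ($admin.Name -ne 'Administrator')

    [pscustomobject]@{ Summary = [pscustomobject]$report; RdpRules = $rules }
}

$result = Get-RdpHardeningReport
$result.Summary  | Format-List
$result.RdpRules | Format-Table -AutoSize
```

The firewall check covers only Windows Firewall on the host; the network-level whitelist described under Control 1 has to be verified on the router or cloud firewall itself.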
Frequently Asked Questions
The staff member contacts M A Global Network's support team with their new IP address (easily found at whatismyip.com). Our team updates the firewall whitelist — typically within 30 minutes. As a temporary measure while waiting, the staff member can connect from another authorised location (office, another whitelisted IP). For users with frequently changing IPs, we can whitelist an IP range rather than a specific address, providing flexibility without compromising security.
Yes. All five controls described in this guide — IP whitelisting, NLA enforcement, account lockout policy, renamed administrator account, and strong credential requirements — are configured on every M A Global Network hosted server as part of the standard managed service. These are not optional extras or add-on security packages. They are the baseline configuration for every server we provision.