
How to Set Up a Windows Remote Desktop Server from Scratch

It seems simple to set up your own Windows Remote Desktop server, until you’re three hours into firewall configurations and certificate errors. This guide takes you through the entire process so you know exactly what is involved, what can go wrong, and when it makes more sense to simply buy RDP server access from a managed provider instead.

What You’ll Need Before You Begin

You need the following before you start adjusting settings:
● A version of Windows Server (2016, 2019, or 2022). Windows 10/11 Pro supports RDP but only 1 connection at a time.
● Static IP address or dynamic DNS service for remote access
● Administrator access to the machine
● A router with port forwarding for residential use
● General knowledge of Windows Server administration
If you are running this on a cloud VPS then your provider will handle the static IP. If you want to access your home/office setup, ask your ISP for a static IP, or use a dynamic DNS service like No-IP or DuckDNS.

Step 1: Enable Remote Desktop in Windows Settings

On Windows Server 2019/2022:

  1. Launch Server Manager and click Add Roles and Features
  2. Choose Role-based or feature-based installation
  3. Select your server from the server pool
  4. Select Remote Desktop Services under Server Roles
  5. Add sub-roles where necessary: Remote Desktop Session Host (mandatory), Remote Desktop Licensing, and Remote Desktop Gateway for secure access from outside
  6. Finish the wizard and restart when prompted

On Windows 10/11 Pro for single-user RDP only:

  1. Go to Settings > System > Remote Desktop
  2. Set Enable Remote Desktop to On
  3. Note the PC name shown. You’ll need this to connect.

Step 2: Configure Windows Firewall

Remote Desktop by default uses TCP port 3389. You have to open this through the firewall:

  1. Open the Windows Defender Firewall with Advanced Security
  2. Click Inbound Rules, and then New Rule
  3. Choose Port and select TCP and type in 3389
  4. Allow connection
  5. Apply to all profiles (Domain, Private, Public) or limit to Private/Domain for improved security
    Note on security: Exposing port 3389 to the public internet is a huge security risk. Thousands of automated bots scour for open RDP ports every day. Always pair this with a strong password, Network Level Authentication, and preferably IP whitelisting or a VPN gateway.

Step 3: Set Up Network Level Authentication

NLA adds an extra authentication layer before the remote desktop session loads. It is a meaningful security improvement and should always be enabled.

  1. Right-click This PC, then Properties, then Remote Settings
  2. Under Remote Desktop, check “Allow connections only from computers running Remote Desktop with Network Level Authentication”
  3. Click Apply

NLA requires that connecting clients use a compatible Remote Desktop client. The built-in Windows client works fine, though older versions sometimes require updates.
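Steps 1 to 3 can also be applied from an elevated PowerShell session. The script below is an added example, not part of the original article: it enables Remote Desktop, turns on NLA for the RDP-Tcp listener, and creates an inbound rule for TCP 3389 that is limited to the Domain and Private profiles and to one management subnet. The subnet in $ManagementSubnet and the rule name are assumptions; replace them with your own values.

```powershell
# Added example (not from the original article): enable Remote Desktop, require NLA,
# and open TCP 3389 only on the Domain/Private profiles from one management subnet.
# Run in an elevated PowerShell session on the server.
$ManagementSubnet = '10.0.0.0/24'     # ASSUMPTION: replace with your own admin network
$RuleName         = 'RDP (restricted)' # ASSUMPTION: any descriptive rule name works

# Step 1: allow incoming Remote Desktop connections (0 = connections allowed)
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name 'fDenyTSConnections' -Value 0

# Step 3: require Network Level Authentication on the RDP-Tcp listener (1 = required)
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1

# Step 2: inbound rule for TCP 3389, scoped to Domain/Private profiles and the management subnet
# (leaving -RemoteAddress out would accept connections from any source on those profiles)
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -Action Allow -Profile Domain,Private -RemoteAddress $ManagementSubnet

# Read the settings back so the change can be confirmed rather than assumed
$ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
[pscustomobject]@{
    RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)
    NlaRequired          = ($nla.UserAuthentication -eq 1)
    FirewallRuleEnabled  = (Get-NetFirewallRule -DisplayName $RuleName).Enabled
    AllowedFrom          = $ManagementSubnet
}
```

If the server is a cloud VPS reached only over the public internet, the Public profile is the one that matters; in that case keep -RemoteAddress set to the addresses you actually connect from rather than dropping the restriction.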

Step 4: Configure Router Port Forwarding for Home or Office Setup

If your server is behind a home or office router, you need to forward external traffic to the server’s local IP:

  1. Log into your router’s admin panel, typically at 192.168.1.1 or 192.168.0.1
  2. Locate the Port Forwarding section
  3. Create a rule: External port 3389 to the internal IP of your server, internal port 3389
  4. Save and restart the router if necessary
    Open a command prompt and run ipconfig to find your server’s local IP. Get the IPv4 address from the active network adapter.
    Consider changing the outside port from 3389 to something less common like 52389 and then forwarding that to internal port 3389. This greatly reduces noise from automated scanning.

Step 5: Set Up Remote Desktop Licensing for Multi-User Access

Windows Server allows two concurrent administrative RDP sessions by default. If you need more users, you need Remote Desktop Services Client Access Licenses (RDS CALs):

  1. Open Remote Desktop Licensing Manager.
  2. Right-click your server and select Activate Server.
  3. Follow the activation wizard. You will need a Microsoft account and need to purchase the appropriate CALs.
  4. After activation, install the CALs through the same wizard.

RDS CALs are purchased per-user or per-device and are a recurring Microsoft licensing cost. This is one of the hidden expenses that makes self-managed RDP significantly more expensive than it initially appears.

Step 6: Create and Manage User Accounts

For each person who needs RDP access:

  1. Open Computer Management, then Local Users and Groups, then Users
  2. Right-click Users and select New User
  3. Set a strong password and configure settings as needed
  4. Add the user to the Remote Desktop Users group

To add to the group, right-click the user, go to Properties, then Member Of, then Add, type Remote Desktop Users and click Check Names, then OK.

Limit who has RDP access. Every additional user account is a potential attack vector.
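The same provisioning can be scripted so that every RDP user is created the same way and the group membership can be reviewed afterwards. This is an added example, not from the original article; the account name rdp.alice and the description text are assumptions.

```powershell
# Added example (not from the original article): create one local RDP user, grant only
# Remote Desktop Users membership, then list who currently has RDP access.
# Run in an elevated PowerShell session on the server.
$UserName = 'rdp.alice'   # ASSUMPTION: example account name

# Prompt for the password instead of embedding it in the script
$Password = Read-Host -AsSecureString -Prompt "Password for $UserName"

# Step 6, items 2-3: create the account with a strong password
New-LocalUser -Name $UserName -Password $Password `
    -FullName 'Alice (RDP only)' -Description 'Remote Desktop access only'

# Step 6, item 4: Remote Desktop Users is what grants RDP logon; do not add to Administrators
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $UserName

# Review: everyone listed here can open an RDP session, so keep this list short
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object Name, ObjectClass, PrincipalSource

# Local administrators can connect over RDP regardless of the group above, so review them too
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource
```

Running the two Get-LocalGroupMember calls on a schedule gives you a simple audit trail of who can reach the desktop, which is the practical form of "limit who has RDP access".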

Step 7: Test Your Connection

From a different machine:

  1. Open Remote Desktop Connection by searching for mstsc in the Start menu
  2. Enter the public IP address and port of your server. If non-standard, format as ip:port
  3. Type your Username and Password
  4. Accept the certificate warning or install a proper SSL certificate to get rid of it
    If you cannot connect, check the firewall rules, port forwarding settings and NLA compatibility, and confirm in Server Manager that the Remote Desktop Services role is running.
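The troubleshooting checks in this step can be collected into one script. The example below is added here and is not from the original article: Test-RdpReachable runs on the client and checks that the port answers, and Test-RdpServerReadiness runs on the server and reports the settings the text tells you to verify. The hostname rdp.example.com and port 3389 in the usage call are assumptions.

```powershell
# Added example (not from the original article): checks for a failed RDP connection.

# Client side: does the server answer on the RDP port at all?
function Test-RdpReachable {
    param([string]$ComputerName, [int]$Port = 3389)   # ASSUMPTION: adjust for a non-standard port
    $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target       = "$ComputerName`:$Port"
        ResolvedTo   = $r.RemoteAddress
        PortOpen     = $r.TcpTestSucceeded
        PingReplied  = $r.PingSucceeded   # ping may be blocked even when RDP works
    }
}

# Server side: is RDP enabled, is NLA on, is the service running, is something listening,
# and which inbound rules currently allow TCP 3389?
function Test-RdpServerReadiness {
    $ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $svc = Get-Service -Name TermService
    $listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq 3389 } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
    [pscustomobject]@{
        RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)
        NlaRequired          = ($nla.UserAuthentication -eq 1)
        TermServiceRunning   = ($svc.Status -eq 'Running')
        ListeningOn3389      = [bool]$listening
        InboundAllowRules    = (($rules | Select-Object -ExpandProperty DisplayName) -join ', ')
        RuleProfiles         = (($rules | Select-Object -ExpandProperty Profile) -join ', ')
    }
}

# Usage (assumed hostname): run the first line on the client, the second on the server
Test-RdpReachable -ComputerName 'rdp.example.com' -Port 3389
Test-RdpServerReadiness
```

When PortOpen is false but every server-side field is true, the problem is between the two machines: the router rule from Step 4 or an upstream firewall, not the server itself. When NlaRequired is true and the client is an old Remote Desktop client, update the client before changing anything on the server.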

What Can Go Wrong (And Often Does)

There are a few ongoing responsibilities that come with self-managing an RDP server:
Windows Updates: The consequences of leaving RDP flaws unfixed can be disastrous. Install updates promptly and test after each patch cycle.
Brute force attacks: Public RDP endpoints are continuously targeted by automated credential stuffing attacks even with NLA. You need account lockout policies and ideally fail2ban-equivalent tools.
Performance tuning: Windows Server is not tuned by default for remote desktop performance. You spend time adjusting visual settings, disabling unneeded services and tuning network parameters.
Licensing costs: RDS CALs, Windows Server licenses and SSL certificates represent significant ongoing costs beyond the base server fee.
Uptime responsibility: When the server crashes you are the one fixing it, at whatever hour it happens.
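For the brute-force point, the two controls you can put in place on the server itself are an account lockout policy and a regular look at failed logons. The script below is an added example, not from the original article: it summarises event ID 4625 (failed logon) from the Security log by source address, which is the raw material a fail2ban-style tool would act on, and then sets a lockout policy with the built-in net accounts command. The 24-hour window, the 20-failure reporting threshold and the 5/15/15 lockout values are assumptions.

```powershell
# Added example (not from the original article): summarise failed logons by source
# address and apply an account lockout policy. Run elevated on the server.

function Get-FailedLogonSummary {
    param(
        [int]$Hours     = 24,   # ASSUMPTION: look-back window
        [int]$Threshold = 20    # ASSUMPTION: report sources with at least this many failures
    )
    # 4625 = an account failed to log on; with NLA the failures arrive as LogonType 3 (network),
    # without NLA they appear as LogonType 10 (RemoteInteractive)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        # Pull the named fields out of the event's XML payload
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            IpAddress = $data['IpAddress']
            Account   = $data['TargetUserName']
            LogonType = $data['LogonType']
        }
    } |
    Group-Object -Property IpAddress |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object -Property Count -Descending |
    Select-Object @{ n = 'IpAddress'; e = { $_.Name } },
                  Count,
                  @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ',' } }
}

# Sources that have failed 20 or more times in the last day (candidates for a block rule)
Get-FailedLogonSummary -Hours 24 -Threshold 20

# Lockout policy: 5 failures within a 15-minute window lock the account for 15 minutes
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15
```

A long Accounts list from one address that tries many different usernames is the signature of a credential-stuffing run, as opposed to one user mistyping a password. Note that a lockout policy alone turns a brute-force attempt into a denial of service for the targeted account, which is why the text also recommends IP whitelisting or a VPN gateway in front of the port.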

When to Skip the DIY Route

If all you want is a reliable Windows remote desktop that is available 24/7, the self-managed route has a high overhead-to-benefit ratio. For most users running trading bots, SEO tools or automation scripts, it makes far more sense to buy managed RDP server access directly.
With a managed RDP service, you get full admin access and instant activation, while the provider takes care of security and uptime with no configuration steps required. Providers such as SpeedRDP handle everything from Windows licensing to firewall configuration so you spend your time actually using the desktop instead of maintaining it.

Conclusion

If you have the skills and time to manage it properly, self-hosted RDP is a great option for IT professionals and system administrators, and this guide will give you a working setup. But before you go the DIY route, think about the ongoing maintenance, licensing fees, security responsibilities and troubleshooting time. For everyone else, managed RDP is the quicker, more affordable, and arguably safer way to a dependable Windows remote desktop environment.
