How to Enable RDP in Windows Firewall (the Safe Way)

Remote Desktop is one of the most useful tools Windows gives you. It lets you sign in to a server or PC from anywhere, as if you were sitting right in front of it. But before you can connect, you need to do two things: turn Remote Desktop on, and enable RDP in Windows Firewall so the connection is actually allowed through.

The good news is that this is genuinely easy. The part that matters most, and the part I want to walk you through carefully, is doing it *safely*. RDP is powerful, which is exactly why attackers love it. So let’s enable it the right way, with protection built in from the start. You can absolutely use Remote Desktop with confidence, as long as you set it up thoughtfully.

Key Takeaways
• Enabling RDP takes two steps: turn on Remote Desktop in Settings, then allow it through the Windows Firewall (Windows usually creates this rule for you automatically).
• RDP uses TCP port 3389 by default, and an open 3389 facing the internet is one of the most attacked surfaces online.
• Never expose RDP to the entire internet. Scope the firewall rule to trusted IPs, or far better, reach RDP only through a VPN or RD Gateway.
• Pair the firewall rule with Network Level Authentication (NLA), strong passwords, and account lockout for layered protection.

What does “enable RDP in Windows Firewall” actually mean?

There are two separate switches at play here, and people often confuse them.

The first is Remote Desktop itself, the Windows feature that listens for incoming connections. The second is the Windows Firewall, the gatekeeper that decides whether traffic is allowed in or out of your machine. Even if Remote Desktop is turned on, the firewall can still block the connection. So to connect successfully, both must agree: Remote Desktop is on, and the firewall allows Remote Desktop traffic.

When this connection arrives, it travels over TCP port 3389, the default port that Remote Desktop Protocol uses. Keep that number in mind, because it shows up everywhere in firewall rules, and it’s the number attackers scan for constantly.

How do you turn on Remote Desktop first?

Before touching the firewall, enable Remote Desktop on the machine you want to connect *to*.

On modern Windows, go to Settings > System > Remote Desktop, and switch Remote Desktop to On. Confirm the prompt. That’s it.

If you prefer the classic route, open System Properties (you can search for “Allow remote access”), go to the Remote tab, and select Allow remote connections to this computer. While you’re there, make sure Network Level Authentication is required. I’ll come back to why that matters, but tick it now.

Here’s the reassuring part: when you flip Remote Desktop on through Settings, Windows usually creates the firewall rule for you automatically. So in many cases, you’re already done. But it’s worth verifying, and worth understanding the manual path too, especially on servers where defaults vary.

How do you allow RDP through the Windows Firewall?

If you want to confirm or create the firewall rule yourself, here are the three reliable ways to do it.

The easy way: allow the app through the firewall

  1. Open Windows Defender Firewall (search for it in the Start menu).
  2. Click Allow an app or feature through Windows Defender Firewall.
  3. Click Change settings, then scroll to Remote Desktop.
  4. Check the box for Remote Desktop, choosing Private networks and leaving Public unchecked where possible.
  5. Click OK.

This uses the built-in rule Windows already ships with, so you’re not inventing anything new.

The manual rule: allow inbound TCP 3389

If you need precise control, create the inbound rule yourself:

  1. Open Windows Defender Firewall with Advanced Security.
  2. Select Inbound Rules > New Rule.
  3. Choose Port, then TCP, and enter port 3389.
  4. Select Allow the connection.
  5. Apply it to the appropriate profile (Domain, Private, ideally not Public).
  6. Name it clearly, like “RDP – Trusted Access,” and finish.

The command line: quick and scriptable

You can also enable the built-in rule group with a single elevated PowerShell command:

```powershell
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
```

Here’s a quick comparison of the three approaches so you can pick what fits.

| Method | Best for | Control level | Effort |
|---|---|---|---|
| Allow app through firewall | Most desktops, beginners | Uses built-in rule | Very low |
| Manual inbound TCP 3389 rule | Servers, custom scoping | Full control | Medium |
| PowerShell command | Scripting, multiple machines | Built-in rule group | Low |

Why is an open RDP port so dangerous?

This is the part I never let anyone skip.

RDP is one of the most exploited entry points on the internet. The moment port 3389 is reachable from the open web, automated bots begin probing it, hammering it with brute-force login attempts around the clock. Successful break-ins through exposed RDP have been a leading way that ransomware gets onto servers. This isn’t fear for its own sake; it’s simply the reality of what an exposed port invites.

So the rule I want you to hold onto is simple: enabling RDP is easy, but enabling it *safely* is what actually matters.

The safest pattern is to keep RDP off the open internet entirely. Don’t think of the goal as “open port 3389 carefully.” Think of it as “never let the public internet reach 3389 at all.” Connect through a VPN or SSH tunnel so RDP only becomes reachable *after* you’re already on the trusted network, or at minimum scope the firewall rule to your specific trusted IP addresses. That’s the whole philosophy: convenience without exposure. You get all the usefulness of Remote Desktop, and attackers get a closed door they can’t even see.

How do you enable RDP through the firewall *securely*?

Let’s turn that philosophy into concrete settings. Here’s how to keep RDP usable but protected.

Scope the firewall rule to trusted IPs

If RDP must traverse a network boundary, don’t allow it from “any” address. In the inbound rule’s Scope tab, restrict the Remote IP address to only the specific IPs or ranges you trust, such as your office network or your own static IP. Everything else gets blocked by default. This single change takes you out of the view of the internet’s automated scanners: to every address outside your list, the port simply does not respond.
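As an added example (not code from the original article), here is the scriptable form of both steps together: the one-line enablement from the command-line section above, followed by the scoping this section describes. The two addresses are placeholders from the RFC 5737 documentation ranges; replace them with your own office or VPN ranges.

```powershell
# Added example: enable the built-in Remote Desktop rule group, then scope it to
# trusted addresses and non-Public profiles. Run from an elevated PowerShell prompt.
# The two addresses below are placeholders (RFC 5737 documentation ranges); replace
# them with your own office or VPN ranges.
$TrustedAddresses = @('203.0.113.10', '198.51.100.0/24')

# 1. Enable the rule group Windows already ships with (the article's one-liner).
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 2. Tighten every inbound rule in that group: Domain and Private profiles only,
#    and only the trusted remote addresses instead of the default "Any".
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -Profile Domain,Private -RemoteAddress $TrustedAddresses

# 3. Show what is now in effect so the scope can be checked at a glance.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        Profile       = $_.Profile
        RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize
```

If the machine is only ever reached over a VPN, the address list can be the VPN subnet alone, which is the pattern the next section recommends.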

Better still: use a VPN, SSH tunnel, or RD Gateway

The strongest setup keeps port 3389 invisible to the public. Connect to a VPN first, then reach the server’s RDP over that private tunnel. An SSH tunnel achieves a similar result. In Windows Server environments, RD Gateway lets RDP travel inside HTTPS so it’s never directly exposed. With any of these, your firewall only needs to allow RDP from the internal or VPN network, never from the wider internet.

Require Network Level Authentication

Network Level Authentication (NLA) forces a user to authenticate *before* a full session is established. That means an attacker can’t even reach the login screen without valid credentials first, which blocks a whole class of attacks. Keep it required.

Use strong passwords and account lockout

Brute-force attacks rely on weak credentials and unlimited guesses. Defeat both: enforce strong, unique passwords, and configure an account lockout policy so repeated failed logins temporarily lock the account. Slowing attackers down dramatically reduces their odds.

Consider changing the default port

Moving RDP off 3389 to another port won’t stop a determined attacker, but it quietly sidesteps the flood of bots scanning for the default. Treat it as a small bonus layer, never as your only defense.

Putting it together: a safe enablement checklist

  1. Turn on Remote Desktop (Settings > System > Remote Desktop).
  2. Confirm Windows created the firewall rule, or create it yourself.
  3. Scope the rule to trusted IPs, never “any.”
  4. Require NLA and enforce strong passwords.
  5. Set up an account lockout policy.
  6. Where possible, place RDP behind a VPN or RD Gateway so 3389 is never internet-facing.
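To check the list rather than trust it, here is an added read-only audit script (not part of the original article) that reports PASS or WARN for each item on the local machine. It reads the registry values Windows uses for Remote Desktop and NLA, inspects the built-in firewall rule group, and assumes English-locale output from `net accounts` for the lockout check.

```powershell
# Added example: read-only audit of the safe-enablement checklist. Prints PASS/WARN
# per item and changes nothing. Run elevated so the firewall and registry reads succeed.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Join-Path $ts 'WinStations\RDP-Tcp'
$results = [ordered]@{}

# 1. Remote Desktop on? fDenyTSConnections = 0 means connections are allowed.
$results['Remote Desktop enabled'] = ((Get-ItemProperty $ts).fDenyTSConnections -eq 0)

# 2. Built-in rule group present and enabled.
$rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
           Where-Object { $_.Enabled -eq 'True' })
$results['Firewall rule enabled'] = ($rules.Count -gt 0)

# 3. Scope: no enabled rule may allow "Any" remote address or apply to the Public profile.
$unscoped = @($rules | Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' })
$results['Rule scoped to trusted IPs (not Any)'] = ($rules.Count -gt 0 -and $unscoped.Count -eq 0)
$public = @($rules | Where-Object { "$($_.Profile)" -match 'Public|Any' })
$results['Rule excludes Public profile'] = ($rules.Count -gt 0 -and $public.Count -eq 0)

# 4. NLA required? UserAuthentication = 1 on the RDP-Tcp listener.
$results['NLA required'] = ((Get-ItemProperty $tcp).UserAuthentication -eq 1)

# 5. Account lockout: 'net accounts' prints "Lockout threshold: Never" when it is off
#    (assumes an English locale).
$lockoutLine = (net accounts) | Where-Object { $_ -like 'Lockout threshold*' }
$results['Account lockout configured'] = [bool]($lockoutLine -and $lockoutLine -notmatch 'Never')

$results.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'WARN' })
}

# 6. Listener port, reported for information only; moving it is just a bonus layer.
"RDP listener port: $((Get-ItemProperty $tcp).PortNumber) (default 3389)"
```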

Work down that list and you’ve gone from “RDP is on” to “RDP is on and genuinely defended.”


Securing remote access on your own server?

If you run a Windows or Linux server, DarazHost VPS and dedicated plans give you the full control needed to set up remote access the safe way: define precise firewall rules, restrict access to trusted IPs, and stand up a VPN so RDP or SSH is never directly exposed. You also get server-level firewall protection layered on top. And if you ever want a second set of eyes while locking things down, our team is available 24/7 to help you secure your remote access properly. Convenience without exposure, with support behind you.


Frequently asked questions

Does enabling Remote Desktop automatically open the firewall?

Usually, yes. When you turn on Remote Desktop through Settings > System > Remote Desktop, Windows typically creates the matching firewall rule for you. It’s still worth verifying in Windows Defender Firewall, especially on servers, since defaults can vary.

What port does RDP use in the Windows Firewall?

RDP uses TCP port 3389 by default. Firewall rules for Remote Desktop allow inbound traffic on that port. You can change the port for a small amount of extra obscurity, but that alone is not real security.

Is it safe to open port 3389 to the internet?

No. An open 3389 facing the open internet is one of the most attacked surfaces online and a common path for brute-force attacks and ransomware. Instead, scope the rule to trusted IPs or, better, reach RDP only through a VPN or RD Gateway.

What is Network Level Authentication and should I use it?

Network Level Authentication (NLA) requires the user to authenticate before a full Remote Desktop session is created. It blocks attackers from even reaching the login screen without valid credentials. Yes, you should keep it required.

Can I use RDP safely without a VPN?

You can, but it takes care. Scope the firewall rule to your specific trusted IP addresses, require NLA, enforce strong passwords, and enable account lockout. That said, a VPN or RD Gateway is the safer default whenever it’s an option.
