Symptom & Impact
The RDP listener on TCP 3389 accepts connections from source ranges that were never meant to reach it, so the server's management plane is exposed to password guessing and to any flaw in the RDP stack from far more hosts than intended.
Environment & Reproduction
Windows Server 2022 build 20348 with overlapping local and domain firewall rules.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop'
Test-NetConnection server01 -Port 3389
Get-NetFirewallAddressFilter -AssociatedNetFirewallRule (Get-NetFirewallRule -DisplayGroup 'Remote Desktop')
Root Cause Analysis
Windows Defender Firewall does not rank allow rules against each other: a connection is permitted when any enabled allow rule matches it and no block rule does. The built-in 'Remote Desktop - User Mode (TCP-In)' rule (here present both locally and through the domain GPO) allows TCP 3389 from RemoteAddress Any, so the narrower management-VLAN rule restricts nothing. The broad rule is not "higher precedence"; it is simply an additional match that is never cancelled.
Quick Triage
List every enabled inbound rule that admits TCP 3389 together with the remote addresses each one accepts; the rule with RemoteAddress Any is the exposure.
Get-NetFirewallPortFilter -Protocol TCP | Where-Object LocalPort -eq 3389 | Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
Get-NetFirewallRule -Direction Inbound -Enabled True | Where-Object DisplayName -match 'RDP|Remote Desktop' | ForEach-Object { [pscustomobject]@{ Rule = $_.DisplayName; Action = $_.Action; RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',' } }
Step-by-Step Diagnosis
Map each active rule to the store it came from (local or a named GPO); a rule delivered by Group Policy cannot be disabled locally, so the fix has to be made in that GPO. Then confirm which source addresses are actually establishing RDP sessions (logon type 10; with NLA enabled the CredSSP pre-authentication first appears as a type 3 network logon from the same address):
Get-NetFirewallRule -PolicyStore ActiveStore -TracePolicyStore | Where-Object DisplayName -match 'Remote Desktop' | Select DisplayName,Enabled,Profile,Action,PolicyStoreSourceType,PolicyStoreSource
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 500 | Where-Object { $_.Properties[8].Value -eq 10 } | Select TimeCreated, @{n='User';e={$_.Properties[5].Value}}, @{n='SourceIP';e={$_.Properties[18].Value}}
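The diagnosis above as one script, added here as an example and not code from the original article; the same script is the acceptance check after the fix, when nothing should be flagged as Broad. Get-RdpExposure, Test-RdpNlaEnabled and the default 10.10.50.0/24 range are this example's assumptions, chosen to match the management VLAN used in the fix.

```powershell
# Added example, not code from the original article: enumerate every enabled
# inbound rule that admits TCP 3389, show where it comes from (local store or
# a named GPO) and flag any Allow rule whose remote scope is wider than the
# approved management ranges. Run in an elevated PowerShell on the server.
# Function names and the default 10.10.50.0/24 range are this example's own.

function Get-RdpExposure {
    [CmdletBinding()]
    param(
        # Remote scopes allowed to reach RDP, written as firewall address strings.
        # Compared literally: a sub-range or a differently written subnet is
        # flagged for manual review rather than silently accepted.
        [string[]]$AllowedRemote = @('10.10.50.0/24')
    )

    # ActiveStore merges local and GPO rules; -TracePolicyStore fills in
    # PolicyStoreSource with the GPO name for GPO-delivered rules.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -TracePolicyStore |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }

    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        # Keep rules that can match 3389: protocol TCP or Any, port 3389 or Any.
        # (Port ranges such as 3000-4000 are not expanded here.)
        if ($port.Protocol -notin 'TCP', 'Any') { continue }
        if (-not ('3389' -in $port.LocalPort -or 'Any' -in $port.LocalPort)) { continue }

        $remote  = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        $outside = @($remote | Where-Object { $_ -notin $AllowedRemote })

        if ($rule.PolicyStoreSourceType -eq 'GroupPolicy') {
            $source = "GPO: $($rule.PolicyStoreSource)"
        } else {
            $source = "$($rule.PolicyStoreSourceType)"
        }

        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Action        = $rule.Action
            Profile       = $rule.Profile
            RemoteAddress = $remote -join ','
            Source        = $source
            # Broad = an Allow rule that admits something outside the approved scopes.
            Broad         = ($rule.Action -eq 'Allow' -and $outside.Count -gt 0)
        }
    }
}

function Test-RdpNlaEnabled {
    # UserAuthentication = 1 means Network Level Authentication is required.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    [bool](Get-ItemProperty -Path $key -Name UserAuthentication).UserAuthentication
}

# Usage: run before the fix to find the offending rule(s), and again afterwards
# to confirm that no rule is flagged as Broad.
$exposure = Get-RdpExposure
$exposure | Format-Table -AutoSize
if ($exposure | Where-Object Broad) {
    Write-Warning 'TCP 3389 is reachable from outside the approved management ranges.'
}
if (-not (Test-RdpNlaEnabled)) { Write-Warning 'NLA is not enforced on RDP-Tcp.' }
```

A rule whose Source column names a GPO is the one to fix in Group Policy; disabling its local copy changes nothing in the ActiveStore.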

Solution: Primary Fix
Disable the built-in any-source Remote Desktop rules and replace them with an allow rule scoped to the management range. Run this from an out-of-band console (hypervisor or BMC console), not over the RDP session you are about to restrict. If the diagnosis showed the broad rule coming from Group Policy, make the same change in that GPO; a local edit does not override a GPO-delivered rule. Note that the new rule applies only when the connection is in the Domain profile; a server whose network is classified Private or Public will accept no RDP at all.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
New-NetFirewallRule -DisplayName 'RDP from Mgmt VLAN' -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress 10.10.50.0/24 -Action Allow -Profile Domain
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block

Solution: Alternative Approaches
Route all RDP through an RD Gateway, where MFA and central logging can be enforced, and allow direct TCP 3389 only from the gateway's address. Do not add a Block rule with RemoteAddress Any alongside it: block rules are evaluated before allow rules, so it would also cut off the gateway. Disable the built-in any-source rules and let the profile default (Block) drop everything else; if an explicit block is wanted, scope it to the specific untrusted ranges rather than Any.
New-NetFirewallRule -DisplayName 'Allow RDP from RDG' -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress 10.10.60.10 -Action Allow -Profile Domain
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
Verification & Acceptance Criteria
Only the authorized management range should reach TCP 3389. Test from a host inside 10.10.50.0/24 (expect TcpTestSucceeded True) and from a host outside it (expect False), then confirm that no enabled inbound allow rule still admits 3389 from Any (the second command should return nothing):
Test-NetConnection -ComputerName server01 -Port 3389 | Select ComputerName,RemoteAddress,TcpTestSucceeded
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Where-Object DisplayName -match 'RDP|Remote Desktop' | Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } | Select DisplayName,Profile
Rollback Plan
If management access is lost, restore the previous rule set from the out-of-band console, since the restricted RDP path itself may be what failed. Block is the Windows default inbound action, so the Set-NetFirewallProfile change needs no rollback unless the profile had been altered before.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Remove-NetFirewallRule -DisplayName 'RDP from Mgmt VLAN'
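The primary fix and its rollback as one pair of functions, added here as an example and not code from the original article. It assumes an elevated session opened from an out-of-band console; Set-RdpScopedAccess, Restore-RdpDefaultAccess, the snapshot file under $env:ProgramData, and the rule name and range taken from the fix are this example's assumptions.

```powershell
# Added example, not code from the original article: apply the primary fix
# idempotently and keep a JSON snapshot of the rules it changes so the rollback
# restores exactly what was enabled before. Assumes an elevated PowerShell
# session on the server, opened from an out-of-band console; the rule name,
# management range and snapshot path are this example's own assumptions.

$ScopedRuleName = 'RDP from Mgmt VLAN'
$MgmtRange      = '10.10.50.0/24'
$SnapshotPath   = Join-Path $env:ProgramData 'rdp-firewall-snapshot.json'

function Set-RdpScopedAccess {
    $builtin = Get-NetFirewallRule -PolicyStore ActiveStore -TracePolicyStore -DisplayGroup 'Remote Desktop'

    # A GPO-delivered rule cannot be disabled locally; disabling only the local
    # copy would leave the GPO copy active and the fix would silently not apply.
    $fromGpo = @($builtin | Where-Object PolicyStoreSourceType -eq 'GroupPolicy')
    if ($fromGpo.Count -gt 0) {
        throw "Remote Desktop rules are delivered by GPO '$($fromGpo[0].PolicyStoreSource)'. Change them there (Set-NetFirewallRule -PolicyStore '<domain>\<GPO name>')."
    }

    # Record what was enabled before touching anything (written on first run only).
    if (-not (Test-Path $SnapshotPath)) {
        $builtin | Select-Object Name, DisplayName, Enabled |
            ConvertTo-Json | Set-Content -Path $SnapshotPath -Encoding UTF8
    }

    # The built-in group (TCP, UDP and Shadow rules) all allow RemoteAddress Any.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

    # Create the scoped allow rule once; on re-runs just re-assert its scope.
    $scoped = Get-NetFirewallRule -DisplayName $ScopedRuleName -ErrorAction SilentlyContinue
    if ($null -eq $scoped) {
        New-NetFirewallRule -DisplayName $ScopedRuleName -Direction Inbound -Protocol TCP `
            -LocalPort 3389 -RemoteAddress $MgmtRange -Action Allow -Profile Domain | Out-Null
    } else {
        $scoped | Set-NetFirewallRule -RemoteAddress $MgmtRange -Enabled True
    }

    # Block is already the Windows default; stating it guards against drift.
    Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block
}

function Restore-RdpDefaultAccess {
    if (-not (Test-Path $SnapshotPath)) { throw "No snapshot at $SnapshotPath; nothing to restore." }
    foreach ($entry in @(Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json)) {
        # ConvertTo-Json stores the Enabled enum as 1 (True) / 2 (False) or as
        # text depending on the PowerShell version; accept both forms.
        if ("$($entry.Enabled)" -in 'True', '1') { Enable-NetFirewallRule -Name $entry.Name }
    }
    Remove-NetFirewallRule -DisplayName $ScopedRuleName -ErrorAction SilentlyContinue
    Remove-Item -Path $SnapshotPath
}

# Usage: Set-RdpScopedAccess to apply the fix; Restore-RdpDefaultAccess if
# management access is lost and the previous rule set must come back.
```

The GPO check is deliberate: on a server whose Remote Desktop rules arrive by Group Policy, the local Disable-NetFirewallRule either errors or changes nothing in the ActiveStore, and a script that pressed on would report success while TCP 3389 stayed open to Any.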
Prevention & Hardening
Pair the firewall scope with Network Level Authentication (credentials are checked before a session is created), MFA on the management path (RD Gateway or a jump host), and an account lockout policy, and audit logon events so that guessing attempts against 3389 are visible:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1 -Type DWord
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
Related Errors & Cross-Refs
Related problems: RDP brute-force attempts against exposed listeners, and other management-plane services reachable from untrusted ranges.
References & Further Reading
Microsoft Learn hardening guidance for RDP and Windows Defender Firewall.