How to Configure Windows Server 2016 Remote Desktop

Remote Desktop Protocol (RDP) allows administrators to connect to a Windows Server 2016 machine remotely using a graphical interface. By default, RDP is disabled on a fresh installation of Windows Server 2016. This guide explains how to enable Remote Desktop, configure firewall rules, restrict access to specific users and groups, set the RDP port, and apply security best practices.

Step 1: Enable Remote Desktop via PowerShell

The quickest way to enable RDP is through PowerShell. Open PowerShell as Administrator and run:

# Enable Remote Desktop: fDenyTSConnections = 0 means "do not deny" connections
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" `
    -Name "fDenyTSConnections" -Value 0

# Verify the setting
(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server").fDenyTSConnections
# Should return: 0

Step 2: Allow RDP Through Windows Firewall

Enabling RDP in the registry alone is not sufficient; Windows Firewall must also allow the RDP traffic. The built-in "Remote Desktop" rule group opens TCP and UDP 3389 from any remote address, so treat this as the starting point and scope it to management addresses (see Step 6 and the closing notes) before the host is reachable from untrusted networks. Enable the built-in rules:

# Enable the Remote Desktop firewall rules for all profiles
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

# Verify the rules are enabled
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Select-Object DisplayName, Enabled, Direction

Step 3: Enable Remote Desktop via Server Manager (GUI)

Alternatively, enable RDP through the graphical interface. Open Server Manager, click “Local Server” in the left pane, then click “Remote Desktop: Disabled”. In the System Properties window that opens, select “Allow remote connections to this computer” and click OK. The firewall rules are automatically updated when you do this through the GUI.

Step 4: Configure Network Level Authentication

Network Level Authentication (NLA) requires the client to authenticate (over CredSSP) before the server creates a session and loads the logon screen. Unauthenticated clients therefore never reach the session host's logon code, which removes both the resource cost of anonymous connection attempts and most of the listener's pre-authentication attack surface. NLA is recommended for all RDP deployments. Note that the registry route in Step 1 does not turn it on, whereas the GUI in Step 3 ticks the NLA checkbox by default:

# Enable NLA via registry (UserAuthentication = 1 requires NLA)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" `
    -Name "UserAuthentication" -Value 1

# Verify
(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp").UserAuthentication
# Should return: 1

Step 5: Add Users to the Remote Desktop Users Group

By default, members of the local Administrators group can connect via RDP, and the “Remote Desktop Users” local group, which also holds the “Allow log on through Remote Desktop Services” user right, is empty. To let non-administrator users connect, add them to “Remote Desktop Users”, preferably through a domain security group so that membership is reviewed in one place rather than per server:

# Add a local user to Remote Desktop Users group
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "JohnDoe"

# Add a domain user to Remote Desktop Users group
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "CORP\JohnDoe"

# Add a domain security group (preferred: manage RDP access in one place)
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "CORP\RDP_Allowed_Users"

# List members of the Remote Desktop Users group
Get-LocalGroupMember -Group "Remote Desktop Users"

Step 6: Change the Default RDP Port

The default RDP port is TCP 3389 (the UDP transport used by newer clients takes the same number). Moving the listener to a non-standard port cuts the noise from bots that only probe 3389, but it is not a security control: a port scan finds the listener in seconds, so NLA, a firewall scoped to management addresses and strong credentials still do the real work. After changing the port, update the firewall rule accordingly:

# Change RDP port to 33890 (example)
$NewPort = 33890
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" `
    -Name "PortNumber" -Value $NewPort

# Add a new firewall rule for the custom port (Domain and Private profiles only;
# add -RemoteAddress to limit it to your management subnets)
New-NetFirewallRule -DisplayName "Custom RDP Port $NewPort" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort $NewPort `
    -Action Allow `
    -Profile Domain,Private

# Disable the built-in RDP rules (TCP and UDP 3389) so the old port is closed
Disable-NetFirewallRule -DisplayGroup "Remote Desktop"

# Restart the Remote Desktop service to apply the port change. This drops every
# RDP session, including the one you may be running this from, so do it from the
# console (or be ready to reconnect as host:33890) and only after the new rule exists.
Restart-Service -Name "TermService" -Force
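Both Step 2 and Step 6 leave a rule that admits RDP from any remote address. The following is an added example, not code from the original article, that replaces those rules with ones scoped to explicit management subnets. It reads the port the listener is actually configured for, so it works whether or not Step 6 was applied; $ManagementSubnets is an assumed placeholder, and the "Custom RDP Port *" name it disables is the one used in Step 6. Run it from the console or another out-of-band path, because a typo in the subnet list locks you out of RDP.

```powershell
# Added example (not from the original article). Replace the assumed
# $ManagementSubnets with the CIDR ranges your administrators connect from.
$ManagementSubnets = @('10.10.0.0/24', '10.20.5.0/24')
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Set-RdpFirewallScope {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$RemoteAddress)

    # Use whatever port the listener really has: 3389 by default, or the
    # PortNumber written in Step 6.
    $port = (Get-ItemProperty -Path $RdpTcpKey -Name PortNumber).PortNumber

    # Newer clients also use the RDP UDP transport on the same port number,
    # so both protocols get the same scope.
    foreach ($proto in 'TCP', 'UDP') {
        $name = "RDP $proto $port (management subnets only)"
        $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if ($existing) {
            $existing | Set-NetFirewallRule -LocalPort $port -RemoteAddress $RemoteAddress -Enabled True
        } else {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto `
                -LocalPort $port -RemoteAddress $RemoteAddress -Action Allow `
                -Profile Domain, Private | Out-Null
        }
    }

    # The built-in "Remote Desktop" group and the Step 6 rule allow any remote
    # address; the scoped rules above replace them.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Get-NetFirewallRule -DisplayName 'Custom RDP Port *' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
}

function Get-RdpFirewallScope {
    # Lists every enabled inbound rule that touches the RDP port and the
    # remote addresses it accepts; anything showing "Any" is still wide open.
    $port = (Get-ItemProperty -Path $RdpTcpKey -Name PortNumber).PortNumber
    Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -contains "$port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Action        = $_.Action
                Profile       = $_.Profile
                RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
            }
        }
}

# Dry run first, then apply, then confirm no enabled rule still admits "Any".
Set-RdpFirewallScope -RemoteAddress $ManagementSubnets -WhatIf
Set-RdpFirewallScope -RemoteAddress $ManagementSubnets
Get-RdpFirewallScope | Format-Table -AutoSize
```

Because the function declares SupportsShouldProcess, -WhatIf flows down to the New-, Set- and Disable-NetFirewallRule calls inside it, so the dry run prints exactly which rules would change. Port ranges in third-party rules (for example "3000-4000") are not matched by the -contains check, so review the Get-RdpFirewallScope output alongside the full rule list if such rules exist.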

Step 7: Configure RDP Session Limits

To prevent stale sessions from consuming server resources, set RDP session time limits. These are the same settings Group Policy exposes under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits; a GPO writes them to the policy key used below, and that key takes precedence over any per-listener value:

# Policy key for Remote Desktop Session Host settings (created if missing)
$TSPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
New-Item -Path $TSPath -Force | Out-Null

# Disconnect idle sessions after 30 minutes (30 * 60 * 1000 = 1800000 ms)
Set-ItemProperty -Path $TSPath -Name "MaxIdleTime" -Value 1800000

# Disconnect active sessions after 8 hours (480 * 60 * 1000 = 28800000 ms)
Set-ItemProperty -Path $TSPath -Name "MaxConnectionTime" -Value 28800000

# Log off disconnected sessions after 2 hours (120 * 60 * 1000 = 7200000 ms);
# unlike the two limits above, this ends the session instead of disconnecting it
Set-ItemProperty -Path $TSPath -Name "MaxDisconnectionTime" -Value 7200000

Step 8: Limit Concurrent RDP Connections

Windows Server 2016 without Remote Desktop Services (RDS) licensing allows two concurrent RDP administrative sessions in addition to the physical console; a third connection is prompted to disconnect one of the existing ones. To allow more, the Remote Desktop Session Host role and RDS licensing must be configured. To see which sessions are active or disconnected:

# List Remote Desktop sessions (Active, Disc = disconnected, Listen = the listener itself)
query session /server:localhost

# Or using WMI: logon type 10 is RemoteInteractive, i.e. an RDP logon
Get-WmiObject -Class Win32_LogonSession | Where-Object { $_.LogonType -eq 10 }

# Log off a specific disconnected session by the ID shown in the query output (session ID 2 as example)
logoff 2
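Logging off disconnected sessions one ID at a time does not scale, and the Step 7 policy only takes effect for sessions created after it is set. The following is an added example, not code from the original article, that parses quser.exe output (which Windows Server 2016 ships) into objects and logs off disconnected sessions whose idle time exceeds a threshold. The two-hour default mirrors the MaxDisconnectionTime value used in Step 7 and is an assumption, not a Windows default.

```powershell
# Added example (not from the original article). Wraps quser.exe and logoff.exe.
function ConvertFrom-QuserIdle {
    param([string]$Idle)
    # quser prints idle time as "none" or "." (no idle time), "45" (minutes),
    # "1:05" (hours:minutes) or "2+03:10" (days+hours:minutes).
    if ($Idle -in 'none', '.') { return [TimeSpan]::Zero }
    if ($Idle -match '^(?:(?<d>\d+)\+)?(?:(?<h>\d+):)?(?<m>\d+)$') {
        return New-TimeSpan -Days ([int]$Matches.d) -Hours ([int]$Matches.h) -Minutes ([int]$Matches.m)
    }
    throw "Unrecognised idle time '$Idle'"
}

function Get-RdpSession {
    # Parses quser output into objects. The optional SESSIONNAME group copes with
    # the blank column quser prints for disconnected sessions; usernames with
    # spaces (rare) would not match and are skipped.
    $pattern = '^\s*(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+(?<State>Active|Disc)\s+(?<Idle>\S+)\s+(?<Logon>.+)$'
    (quser 2>$null) -replace '^>', ' ' | Select-Object -Skip 1 | ForEach-Object {
        if ($_ -match $pattern) {
            [pscustomobject]@{
                User    = $Matches.User
                Session = $Matches.Session
                Id      = [int]$Matches.Id
                State   = $Matches.State
                Idle    = ConvertFrom-QuserIdle $Matches.Idle
                Logon   = $Matches.Logon.Trim()
            }
        }
    }
}

function Remove-StaleRdpSession {
    [CmdletBinding(SupportsShouldProcess)]
    param([TimeSpan]$MaxDisconnectedIdle = (New-TimeSpan -Hours 2))
    # Only disconnected sessions are touched; an Active session that is merely
    # idle is left to the MaxIdleTime policy from Step 7.
    foreach ($s in Get-RdpSession) {
        if ($s.State -eq 'Disc' -and $s.Idle -gt $MaxDisconnectedIdle) {
            if ($PSCmdlet.ShouldProcess("session $($s.Id) ($($s.User), idle $($s.Idle))", 'logoff')) {
                logoff $s.Id
            }
        }
    }
}

# Show what is there, then preview what would be logged off before doing it.
Get-RdpSession | Format-Table -AutoSize
Remove-StaleRdpSession -MaxDisconnectedIdle (New-TimeSpan -Hours 2) -WhatIf
```

Drop -WhatIf to actually log the sessions off. Note that logging off a disconnected session discards any unsaved work in it, which is why the preview step matters before scheduling this as a task.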

Step 9: Test Remote Desktop Connection

After enabling RDP, test connectivity from a remote machine. On a Windows client, open the Run dialog (Win+R) and type mstsc to launch the Remote Desktop Connection client. Enter the server’s IP address or hostname and click Connect.

From PowerShell on the client, you can test whether the RDP port is open before attempting to connect:

# Test RDP port connectivity from a remote machine
Test-NetConnection -ComputerName 192.168.1.10 -Port 3389

# If using a custom port
Test-NetConnection -ComputerName 192.168.1.10 -Port 33890

Step 10: Enable Remote Desktop Encryption

RDP traffic is always encrypted, but with the default SecurityLayer of 1 (negotiate) the server will still accept the legacy RDP security layer from a client that asks for it. Require the TLS security layer and High encryption via the registry; the same settings exist in Group Policy under Remote Desktop Session Host > Security:

# Security layer: 0 = legacy RDP security, 1 = negotiate (default), 2 = TLS required
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" `
    -Name "SecurityLayer" -Value 2

# Encryption level: 1 = Low, 2 = Client Compatible, 3 = High (128-bit), 4 = FIPS 140 compliant
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" `
    -Name "MinEncryptionLevel" -Value 3

With the TLS layer in force the session is protected by TLS rather than by RDP's own cipher, so MinEncryptionLevel matters mainly if you need FIPS mode (4). The server presents a self-signed certificate by default, which is why clients warn about the remote computer's identity; issue the listener a certificate from an internal CA so that clients can actually validate the server they are sending credentials to.
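Each of the registry values set in Steps 1, 4, 7 and 10 has a Group Policy twin under the policy key, and the policy copy wins, so a host can look hardened in the WinStations key while a GPO quietly sets something else. The following is an added audit script, not code from the original article: it reports the effective value and its source for each setting, and flags broad principals in the two groups that grant RDP. The registry paths are those used in the steps above; the list of principals treated as "broad" is an assumption you may want to extend.

```powershell
# Added audit script (not from the original article).
$TermServer = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$WinStation = "$TermServer\WinStations\RDP-Tcp"
$Policy     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-EffectiveRdpValue {
    param([string]$Name, [string]$LocalPath)
    # Group Policy writes its copy of each setting under $Policy and that copy
    # overrides the local one, so a script that hardens only the local key can
    # be silently undone by a GPO. Report where the effective value comes from.
    $sources = @(
        @{ Path = $Policy;    Source = 'GPO' }
        @{ Path = $LocalPath; Source = 'Local' }
    )
    foreach ($src in $sources) {
        $item = Get-ItemProperty -Path $src.Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = $item.$Name; Source = $src.Source }
        }
    }
    [pscustomobject]@{ Value = $null; Source = 'Missing' }
}

function Test-RdpHardening {
    $checks = @(
        @{ Name = 'fDenyTSConnections';   Path = $TermServer; Want = '0 (RDP enabled)';       Ok = { param($v) $v -eq 0 } }
        @{ Name = 'UserAuthentication';   Path = $WinStation; Want = '1 (NLA required)';      Ok = { param($v) $v -eq 1 } }
        @{ Name = 'SecurityLayer';        Path = $WinStation; Want = '2 (TLS required)';      Ok = { param($v) $v -eq 2 } }
        @{ Name = 'MinEncryptionLevel';   Path = $WinStation; Want = '3 or 4 (High or FIPS)'; Ok = { param($v) $v -ge 3 } }
        @{ Name = 'MaxDisconnectionTime'; Path = $WinStation; Want = 'non-zero (ms)';         Ok = { param($v) $v -gt 0 } }
    )
    foreach ($c in $checks) {
        $e  = Get-EffectiveRdpValue -Name $c.Name -LocalPath $c.Path
        $ok = $c.Ok
        [pscustomobject]@{
            Check  = $c.Name
            Value  = $e.Value
            Source = $e.Source
            Wanted = $c.Want
            Pass   = ($null -ne $e.Value) -and [bool](& $ok $e.Value)
        }
    }

    # Broad principals in either group hand out RDP far more widely than intended.
    foreach ($g in 'Remote Desktop Users', 'Administrators') {
        $members = @((Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue).Name)
        $broad   = @($members | Where-Object { $_ -match '(^|\\)(Everyone|Authenticated Users|Domain Users|Users)$' })
        [pscustomobject]@{
            Check  = "Group: $g"
            Value  = ($members -join ', ')
            Source = 'Local group'
            Wanted = 'no Everyone / Authenticated Users / Domain Users / Users'
            Pass   = ($broad.Count -eq 0)
        }
    }
}

# Print the report and warn on drift; suitable for a scheduled task or a build check.
$results = @(Test-RdpHardening)
$results | Format-Table Check, Value, Source, Wanted, Pass -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) RDP hardening check(s) failed" }
```

A Source of "GPO" on a failing row means the fix belongs in Group Policy, not in the local registry; editing the WinStations key on that host would be overwritten at the next policy refresh.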

With Remote Desktop configured this way, administrators can manage Windows Server 2016 from anywhere on the management network. Always use strong, unique passwords and an account lockout policy, keep NLA on, restrict RDP access to known IP ranges through the firewall, and put a VPN or Remote Desktop Gateway in front of RDP rather than exposing port 3389 (or any other port) directly to the internet.