{"id":427,"date":"2025-10-28T15:00:51","date_gmt":"2025-10-28T06:00:51","guid":{"rendered":"https:\/\/www.winserver.net\/blog\/?p=427"},"modified":"2026-03-17T10:59:00","modified_gmt":"2026-03-17T01:59:00","slug":"secure-rdp-2025","status":"publish","type":"post","link":"https:\/\/www.winserver.net\/blog\/secure-rdp-2025\/","title":{"rendered":"Secure RDP in 2025: Surviving Today\u2019s Scanning Spikes"},"content":{"rendered":"

TL;DR:<\/strong> Treat public RDP as an exception. Put RDP behind a VPN or RD Gateway, enforce phishing-resistant MFA, allowlist source IPs, and monitor aggressively.<\/p>\n

The 2025 reality<\/h2>\n

Always-on internet scanning means any exposed 3389\/TCP gets hit\u2014often within minutes. Less exposure, more layers, and better identity controls are your best risk reducers.<\/p>\n

Do this first (30 minutes)<\/h2>\n
    \n
  1. Close public 3389<\/strong><\/span> at the edge. If you must keep it, set strict source IP allowlists.<\/li>\n
  2. Front RDP with RD Gateway + MFA.<\/strong><\/span> Use NPS\/Entra ID (or equivalent) and avoid SMS factors.<\/li>\n
  3. Force Network Level Authentication (NLA)<\/strong><\/span> and modern encryption. Disable weak ciphers.<\/li>\n<\/ol>\n

    If you\u2019re planning to hide RDP behind a VPN, but you\u2019re not yet familiar with how to set up a client VPN on Windows, the step-by-step SoftEther guide below is a good starting point.<\/p>\n

    Reference architecture that works<\/h2>\n

    User \u2192 VPN (or ZTNA) \u2192 RD Gateway (with MFA) \u2192 Target host via RDP<\/em>. This removes direct internet exposure and centralizes auditing and policy.<\/p>\n

    If you need to connect an entire branch office network to your Japan-based Windows VPS \u2014 not just individual admin PCs \u2014 the site-to-site SoftEther bridge pattern below is a practical option.<\/p>\n\t\t\t

    \n\t\t\t\t
    \n\t\t\t\t\t\u3042\u308f\u305b\u3066\u8aad\u307f\u305f\u3044<\/span>\n\t\t\t\t\t
    \"\"<\/figure><\/div>\t\t\t\t\t
    \n\t\t\t\t\t\tSoftEther VPN on Windows: Site-to-Site Bridge from Overseas to Japan<\/a>\n\t\t\t\t\t\tFor global businesses, connecting an overseas branch office to a Japan VPS securely is essential. Applications such as ERP, VoIP, file sharing, and remote de...<\/span>\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t\n

    This removes direct internet exposure and centralizes auditing and policy.<\/p>\n

    If you still need a basic walkthrough of how to connect to your Windows VPS over Remote Desktop once your secure access path is in place, the guide below covers the fundamentals.<\/p>\n\t\t\t

    \n\t\t\t\t
    \n\t\t\t\t\t\u3042\u308f\u305b\u3066\u8aad\u307f\u305f\u3044<\/span>\n\t\t\t\t\t
    \"\"<\/figure><\/div>\t\t\t\t\t
    \n\t\t\t\t\t\tRemote Desktop Setup Guide for Your Windows VPS<\/a>\n\t\t\t\t\t\tOne of the key advantages of using a Windows VPS is the ability to access your server remotely via Remote Desktop Protocol (RDP). Whether you're managing bus...<\/span>\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t\n

    Hardening checklist<\/h2>\n