
How to firewall the RDP (remote desktop protocol) service on a Windows 2016 Server

This article will show you how to firewall the remote desktop protocol (RDP) service on a Windows 2016 server. 
 

Step 1.  Log in to the server as an administrator using your RDP server name, username, and password.
 
 
 
Step 2.  Click Start.
 
 
Step 3.  The start menu items are sorted by frequency of use and in alphabetical order.  Scroll down and click Windows Administrative Tools.

 
 
Step 4.  The drop-down menu will expand.  Scroll down and click on Windows Firewall with Advanced Security.
 

 
Step 5.  Click Inbound Rules.
 
 
Step 6.  By default, the Windows firewall rules are listed in alphabetical order by group.  Scroll down until you see the 4 Remote Desktop firewall rules:
  • A.  Remote Desktop – (TCP-In) [public profile]
  • B.  Remote Desktop – (TCP-In) [domain profile & private profile]
  • C.  Remote Desktop – (UDP-In) [public profile]
  • D.  Remote Desktop – (UDP-In) [domain profile & private profile]
 
 
Step 7.  Double-click on the 1st firewall rule marked in Step 6A above: Remote Desktop – User Mode (TCP-In) [public profile].  A dialog box window will appear.  Click Scope.
 
 
Step 8.  Under the Remote IP address heading, click These IP addresses:.
 
 
Step 9.  Click Add.
 
 
Step 10.  A dialog box will appear.  Enter the IP address you want to allow RDP access from and click OK.
 
 
 
Step 11.  You should see the IP address you just added in the list. 
 
 
Step 12.  Repeat Steps 9 to 11 for each additional IP address or IP address range you wish to add to the server.  You will want to add (whitelist) all IPs that you regularly connect to the server from.  To determine your IPs, visit http://whatsyourip.net from each computer, laptop, and workstation where you want to be able to RDP to your server (for example, work, a home office, home, etc.).
 
(The screenshot below is only an example.  Your actual IP address will be different than the one displayed below).
 
Step 13.  In addition to the IPs you added in Steps 9 through 11, you will also need to whitelist these IP addresses which are the office IPs of Applied Innovations support staff:
 
174.136.79.138
174.136.95.1
216.167.201.0/255.255.255.0
216.167.202.0/255.255.255.0
66.252.232.0/255.255.255.0
174.136.72.0/255.255.255.0
174.136.73.0/255.255.255.0
174.136.75.0/255.255.255.0
174.136.74.154/255.255.255.255
 
We highly recommend adding the IP addresses above, as they are necessary in order for Support to connect to your server in the event that support assistance is needed at some point in the future.  If you opt not to add these addresses, please be informed that this will prolong the amount of time it takes to troubleshoot any potential issues on the server if assistance is requested, as we will need to use alternative means to connect to the server.  We will only connect to the server if you request support help.  Removal of these IP addresses from the firewall and/or intentionally not adding the IP addresses listed above constitutes acknowledgement and consent that support engineers would not be able to RDP to the server in the future if support assistance is requested.

 
Step 14.  Next, you’ll want to whitelist the local subnet.  Click Add.
 
 
Step 15.  A dialog box will appear.  Click Predefined set of computers:.
 
 
Step 16.  Click the drop-down menu to the right of the Default gateway, and click Local subnet.
 
 
Step 17.  Click OK.
 
 
 
Step 18.  You should see the Local subnet you just added in the list.
 
 
Step 19.  Click Apply for the new IPs you just added to the firewall rule to take effect, and then click OK to save changes.
 
 
Step 20.  You will be returned to the main screen of Inbound Firewall Rules.  Double-click on the 2nd firewall rule marked as 20B below: Remote Desktop – (TCP-In) [domain profile & private profile]
  • A.  Remote Desktop – (TCP-In) [public profile]
  • B.  Remote Desktop – (TCP-In) [domain profile & private profile]
  • C.  Remote Desktop – (UDP-In) [public profile]
  • D.  Remote Desktop – (UDP-In) [domain profile & private profile]
 
 
Step 21.  A dialog box window will appear.  Click Scope.
 
 
Step 22.  Under the Remote IP address heading, click These IP addresses:.
 
 
Step 23.  Click Add.
 
 
Step 24.  A dialog box will appear.  Enter the IP address you want to allow RDP access from and click OK.
 
 
 
Step 25.  You should see the IP address you just added in the list. 
 
 
Step 26.  Repeat Steps 23 to 25 for each additional IP address or IP address range you wish to add to the server.  You will want to add (whitelist) all IPs that you regularly connect to the server from.  To determine your IPs, visit http://whatsyourip.net from each computer, laptop, and workstation where you want to be able to RDP to your server (for example, work, a home office, home, etc.).
 
(The screenshot below is only an example.  Your actual IP address will be different than the one displayed below).
 
Step 27.  In addition to the IPs you added in Steps 23 through 26, you will also need to whitelist the office IPs of Applied Innovations support staff listed in Step 13.  The recommendation given in Step 13 about keeping these addresses in the rule applies to this rule as well.

 
Step 28.  Next, you’ll want to whitelist the local subnet.  Click Add.
 
 
Step 29.  A dialog box will appear.  Click Predefined set of computers:.
 
 
Step 30.  Click the drop-down menu to the right of the Default gateway, and click Local subnet.
 
 
Step 31.  Click OK.
 
 
 
Step 32.  You should see the Local subnet you just added in the list.
 
 
Step 33.  Click Apply for the new IPs you just added to the firewall rule to take effect, and then click OK to save changes.
 
 

Step 34.  You will be returned to the main screen of Inbound Firewall Rules.  Double-click on the 3rd firewall rule marked as 34C below: Remote Desktop – (UDP-In) [public profile]
  • A.  Remote Desktop – (TCP-In) [public profile]
  • B.  Remote Desktop – (TCP-In) [domain profile & private profile]
  • C.  Remote Desktop – (UDP-In) [public profile]
  • D.  Remote Desktop – (UDP-In) [domain profile & private profile]
 
 
Step 35.  A dialog box window will appear.  Click Scope.
 
 
Step 36.  Under the Remote IP address heading, click These IP addresses:.
 
 
Step 37.  Click Add.
 
 
Step 38.  A dialog box will appear.  Enter the IP address you want to allow RDP access from and click OK.
 
 
 
Step 39.  You should see the IP address you just added in the list. 
 
 
Step 40.  Repeat Steps 37 to 39 for each additional IP address or IP address range you wish to add to the server.  You will want to add (whitelist) all IPs that you regularly connect to the server from.  To determine your IPs, visit http://whatsyourip.net from each computer, laptop, and workstation where you want to be able to RDP to your server (for example, work, a home office, home, etc.).
 
(The screenshot below is only an example.  Your actual IP address will be different than the one displayed below).
 
Step 41.  In addition to the IPs you added in Steps 37 through 40, you will also need to whitelist the office IPs of Applied Innovations support staff listed in Step 13.  The recommendation given in Step 13 about keeping these addresses in the rule applies to this rule as well.

 
Step 42.  Next, you’ll want to whitelist the local subnet.  Click Add.
 
 
Step 43.  A dialog box will appear.  Click Predefined set of computers:.
 
 
Step 44.  Click the drop-down menu to the right of the Default gateway, and click Local subnet.
 
 
Step 45.  Click OK.
 
 
 
Step 46.  You should see the Local subnet you just added in the list.
 
 
Step 47.  Click Apply for the new IPs you just added to the firewall rule to take effect, and then click OK to save changes.
 

 
 
Step 48.  You will be returned to the main screen of Inbound Firewall Rules.  Double-click on the 4th firewall rule marked as 48D below: Remote Desktop – (UDP-In) [domain profile & private profile]
  • A.  Remote Desktop – (TCP-In) [public profile]
  • B.  Remote Desktop – (TCP-In) [domain profile & private profile]
  • C.  Remote Desktop – (UDP-In) [public profile]
  • D.  Remote Desktop – (UDP-In) [domain profile & private profile]
 
 
Step 49.  A dialog box window will appear.  Click Scope.
 
 
Step 50.  Under the Remote IP address heading, click These IP addresses:.
 
 
Step 51.  Click Add.
 
 
Step 52.  A dialog box will appear.  Enter the IP address you want to allow RDP access from and click OK.
 
 
 
Step 53.  You should see the IP address you just added in the list. 
 
 
Step 54.  Repeat Steps 51 to 53 for each additional IP address or IP address range you wish to add to the server.  You will want to add (whitelist) all IPs that you regularly connect to the server from.  To determine your IPs, visit http://whatsyourip.net from each computer, laptop, and workstation where you want to be able to RDP to your server (for example, work, a home office, home, etc.).
 
(The screenshot below is only an example.  Your actual IP address will be different than the one displayed below).
 
Step 55.  In addition to the IPs you added in Steps 51 through 54, you will also need to whitelist the office IPs of Applied Innovations support staff listed in Step 13.  The recommendation given in Step 13 about keeping these addresses in the rule applies to this rule as well.

 
Step 56.  Next, you’ll want to whitelist the local subnet.  Click Add.
 
 
Step 57.  A dialog box will appear.  Click Predefined set of computers:.
 
 
Step 58.  Click the drop-down menu to the right of the Default gateway, and click Local subnet.
 
 
Step 59.  Click OK.
 
 
 
Step 60.  You should see the Local subnet you just added in the list.
 
 
Step 61.  Click Apply for the new IPs you just added to the firewall rule to take effect, and then click OK to save changes.
 

 
 
Step 62.  Congratulations, you are all set!
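
The same scoping as Steps 7 through 61, applied to every Remote Desktop rule in one pass. This is an added PowerShell example, not part of the original article. It assumes the rules belong to the built-in "Remote Desktop" display group; `$AdminIPs` holds a constructed placeholder address that you replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added example: scope all inbound "Remote Desktop" rules as in Steps 7-61.

# Constructed placeholder (documentation range). Replace with the IPs you
# connect from, as described in Step 12.
$AdminIPs = @('203.0.113.10')

# Support staff office IPs, copied from Step 13 of this article.
$SupportIPs = @(
    '174.136.79.138', '174.136.95.1', '174.136.74.154/255.255.255.255',
    '216.167.201.0/255.255.255.0', '216.167.202.0/255.255.255.0',
    '66.252.232.0/255.255.255.0', '174.136.72.0/255.255.255.0',
    '174.136.73.0/255.255.255.0', '174.136.75.0/255.255.255.0'
)

# 'LocalSubnet' is the keyword behind "Predefined set of computers: Local subnet".
$Allowed = $AdminIPs + $SupportIPs + 'LocalSubnet'

# Lock-out check: show established RDP sessions whose source address is not
# an exact entry in the list, so you can confirm it falls inside an allowed
# range before the new scope takes effect.
$live = Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty RemoteAddress -Unique
$unlisted = $live | Where-Object { $_ -notin $Allowed }
if ($unlisted) {
    Write-Warning "Active RDP clients not listed as single IPs: $($unlisted -join ', ')"
}

# -DisplayGroup cannot be combined with -Direction, so filter afterwards.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Direction -eq 'Inbound' }

# -RemoteAddress replaces the rule's existing scope; it does not append to it.
foreach ($rule in $rules) {
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $Allowed
}

# Verify: every rule should list the same remote addresses.
$rules | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Profile       = $_.Profile
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    }
} | Format-Table -AutoSize -Wrap
```

Any rule in the output whose RemoteAddress column still reads `Any` remains reachable from every source address.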

Content retrieved from: https://support.appliedi.net/kb/a1372/how-to-firewall-the-rdp-remote-desktop-protocol-service-on-a-windows-2016-server.aspx.

Updated on November 11, 2019
