How to Secure a Windows VPS: 10 Essential Security Settings
A freshly provisioned Windows VPS comes with default settings that are convenient for setup but insecure for production use. Attackers actively scan the internet for exposed Windows servers with weak configurations. This guide provides ten essential security settings you should apply immediately after deploying your Windows VPS.
1. Rename the Default Administrator Account
The built-in Administrator account is a known target for brute-force attacks. Create a new local admin account with a different name, add it to the Administrators group, then disable the original Administrator account.
PowerShell command:
# Create a new admin account
New-LocalUser -Name "ops-admin" -Password (Read-Host -AsSecureString)
Add-LocalGroupMember -Group "Administrators" -Member "ops-admin"
# Disable the default Administrator account
Disable-LocalUser -Name "Administrator"
2. Enforce Strong Password Policies
Weak passwords are the most common entry point for server compromises. Configure password policies that require complexity, minimum length, and regular rotation.
Navigate to Local Security Policy → Account Policies → Password Policy and set:
- Minimum password length: 14 characters
- Password must meet complexity requirements: Enabled
- Maximum password age: 60 days
- Minimum password age: 1 day
- Enforce password history: 5 passwords remembered
3. Change the Default RDP Port
RDP runs on port 3389 by default, making it a prime target for automated scanners. Changing the port reduces attack surface significantly. This requires a registry modification:
# Add the firewall rule for the new port first, so the change cannot lock you out
New-NetFirewallRule -DisplayName "RDP-3390" -Direction Inbound -LocalPort 3390 -Protocol TCP -Action Allow
# Change RDP port (e.g., to 3390)
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "PortNumber" -Value 3390
# Restart the service (this drops every active RDP session, including your own)
Restart-Service TermService -Force
Remember to update your RDP client to connect to the new port (ServerIP:3390).
4. Enable Network Level Authentication (NLA)
NLA requires users to authenticate before a full RDP session is established, reducing the risk of denial-of-service attacks and credential harvesting. Enable it via:
System Properties → Remote → Remote Desktop → Advanced — check “Require computers to use Network Level Authentication to connect.”
Or via PowerShell:
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 1
5. Configure Windows Firewall Properly
Windows Firewall with Advanced Security provides host-based filtering. Configure it to block all inbound traffic except the minimum required services:
- Allow RDP only from your office IP range or VPN subnet
- Block all ICMP (ping) requests from the public internet
- If running IIS, allow ports 80/443 from any source (they have to be public), but enable application-layer filtering such as IIS Request Filtering or a web application firewall
- Log blocked connections for monitoring (enable firewall logging via Group Policy)
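The four bullets above as an added, scriptable example (this is not code from the original guide): 203.0.113.0/24 stands in for your office or VPN range and is an assumption to replace, RDP is assumed to still be on 3389, and the log goes to the firewall's default file. Run it elevated, with the RDP allow rule created first so the change cannot lock you out.

```powershell
# Added example, not from the original guide. 203.0.113.0/24 is an assumed
# placeholder for your management range; replace it before running.
$mgmtRange = '203.0.113.0/24'

# 1. RDP only from the management range (create this BEFORE tightening anything).
New-NetFirewallRule -DisplayName 'RDP from management range' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $mgmtRange -Action Allow
# Disable the stock Remote Desktop rules so 3389 is not also open to the world.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 2. Block ICMPv4 echo requests (ping) from everywhere.
New-NetFirewallRule -DisplayName 'Block inbound ICMPv4 echo' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -Action Block

# 3. If IIS (W3SVC) is present, 80/443 must stay public; do the filtering in IIS.
if (Get-Service -Name W3SVC -ErrorAction SilentlyContinue) {
    New-NetFirewallRule -DisplayName 'HTTP/HTTPS public' -Direction Inbound `
        -Protocol TCP -LocalPort 80, 443 -Action Allow
}

# 4. Default-deny inbound on every profile and log dropped packets to the
#    default log location, which the firewall service already has rights to.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# Check: every enabled inbound allow rule with its ports and permitted sources.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Proto = $port.Protocol
                       LocalPort = $port.LocalPort; RemoteAddress = $addr.RemoteAddress }
}
```

The final listing is the check to read before disconnecting: any allow rule whose RemoteAddress is "Any" on a port you did not intend to expose needs attention.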
6. Install and Configure Windows Defender Antivirus
Windows Server comes with Windows Defender built in, but it may not be fully enabled by default. Verify it is active:
# Check Defender status
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AMServiceEnabled
# Ensure real-time protection is on
Set-MpPreference -DisableRealtimeMonitoring $false
Schedule weekly quick scans and monthly full scans using Task Scheduler. Keep virus definitions updated automatically via Windows Update.
7. Enable Windows Update and Configure Automatic Patching
Unpatched vulnerabilities are the leading cause of server compromises. Configure Windows Update to install security patches automatically:
- Open Settings → Update & Security → Windows Update.
- Set active hours for business continuity.
- Configure automatic download and install of updates.
- Enable “Receive updates for other Microsoft products” to patch .NET, SQL Server, and IIS.
- Consider using WSUS (Windows Server Update Services) if managing multiple servers.
8. Remove Unnecessary Windows Roles and Features
Every installed Windows component is a potential attack vector. Remove roles and features you do not need:
# List installed roles and features
Get-WindowsFeature | Where-Object Installed
# Remove features (example: remove Print and Document Services)
Remove-WindowsFeature -Name Print-Services
Common roles to remove if unused: Print Server, Windows Media Services, Telnet Client, TFTP Client, Internet Storage Name Service, and XPS Viewer.
9. Configure Account Lockout Policies
Brute-force attacks rely on unlimited login attempts. Configure account lockout to stop them:
Local Security Policy → Account Policies → Account Lockout Policy:
- Account lockout threshold: 5 invalid logon attempts
- Account lockout duration: 30 minutes
- Reset account lockout counter after: 30 minutes
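The password policy from section 2 and the lockout policy above applied as a security template with secedit, as an added example that is not from the original guide; this makes the settings scriptable and repeatable instead of clicking through Local Security Policy. The temp paths are assumptions, and it must run from an elevated PowerShell session.

```powershell
# Added example, not from the original guide. Working directory is an assumption.
$work = Join-Path $env:TEMP 'secpol'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'policy.inf'
$db  = Join-Path $work 'policy.sdb'

# Values are the ones the guide recommends. Complexity and password history have
# no "net accounts" switch, so the whole set is expressed as a security template.
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
MaximumPasswordAge = 60
MinimumPasswordAge = 1
PasswordHistorySize = 5
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
"@ | Set-Content -Path $inf -Encoding Unicode   # secedit expects a UTF-16 template

# Import the template into a local policy database and apply the policy area.
secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet

# Verify: "net accounts" prints the effective values (everything except complexity).
net accounts
```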
10. Enable Auditing and Monitoring
You cannot secure what you do not monitor. Enable auditing for critical security events:
# Enable advanced audit policies (run from an elevated prompt)
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
# "Account Logon" is a category, not a subcategory; set all of its subcategories at once
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Registry" /failure:enable
auditpol /set /subcategory:"File System" /failure:enable
Monitor Event Viewer logs daily — pay attention to Event ID 4625 (failed logins), Event ID 4648 (explicit credential use), and Event ID 1102 (security log cleared). Set up email alerts for these events using Task Scheduler triggers.
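A daily review script for the three event IDs above, plus the Task Scheduler event trigger for Event ID 1102, as an added example that is not from the original guide. C:\Scripts\alert-1102.ps1 is an assumed path for your own alert action (for instance a Send-MailMessage call); this block registers the trigger but sends no mail itself.

```powershell
# Added example, not from the original guide. C:\Scripts\alert-1102.ps1 is assumed.

# Summarise the last N hours of failed logons (4625) by source IP and target
# account, reading named fields from the event XML instead of positional indexes.
function Get-FailedLogonSummary {
    param([int]$Hours = 24, [int]$Threshold = 10)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            SourceIp   = ($data | Where-Object Name -eq 'IpAddress').'#text'
            TargetUser = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            LogonType  = ($data | Where-Object Name -eq 'LogonType').'#text'
        }
    } | Group-Object SourceIp, TargetUser |
        Where-Object Count -ge $Threshold |      # only sources above the noise floor
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Explicit-credential use (4648) and log clears (1102) are rare enough to list in full.
function Get-SensitiveEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4648, 1102; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Fire an alert task the moment the security log is cleared (Event ID 1102).
# New-ScheduledTaskTrigger has no event trigger, so build one through CIM.
$class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = @"
<QueryList><Query Id="0" Path="Security">
  <Select Path="Security">*[System[(EventID=1102)]]</Select>
</Query></QueryList>
"@
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -File C:\Scripts\alert-1102.ps1'
Register-ScheduledTask -TaskName 'Alert-SecurityLogCleared' -Trigger $trigger `
    -Action $action -User 'SYSTEM' -RunLevel Highest -Force

Get-FailedLogonSummary
Get-SensitiveEvents
```

Schedule the two review functions as a daily task the same way; the 1102 trigger fires on its own, which matters because a cleared log is usually the last event you will see before evidence is gone.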
Additional Recommendations
Beyond these ten settings, consider these advanced measures:
- Set up a VPN — Use a VPN as a gateway before allowing RDP access. This keeps RDP off the public internet entirely.
- Use RDP Gateway — Microsoft RD Gateway provides SSL-encrypted RDP access with centralized authentication and connection logging.
- Enable BitLocker — Encrypt your Windows VPS drives to protect data at rest, especially if your provider handles physical disk decommissioning.
- Configure backup and disaster recovery — Regular automated backups (image-level, not just file-level) ensure you can recover from ransomware or configuration errors.
- Restrict PowerShell execution policy — Run Set-ExecutionPolicy -ExecutionPolicy RemoteSigned so that scripts downloaded from the internet must be signed before they can run.
Apply these ten security settings to every Windows VPS you deploy. They take under an hour to configure and eliminate the vast majority of common attack vectors. For a reliable Windows VPS to practice these security measures, choose a provider that offers full Administrator access and snapshots so you can revert if a configuration change causes issues.