Chapter 2 — Windows RDP
Remote Desktop Protocol is built into every modern version of Windows —
but it's disabled by default and locked to specific editions. This chapter
covers enabling it, configuring it securely with Network Level Authentication,
connecting with the mstsc client, and the most useful options:
display scaling, local drive access, clipboard sharing, and saved connection
files.
Which Windows Editions Support RDP
RDP has two sides: the client (connecting to another machine)
and the host (being connected to). The client is available on
all editions. The host — actually accepting incoming connections — is restricted
to Pro and Server editions.
| Edition | RDP support |
| --- | --- |
| Windows 11 Pro | Host + Client ✓ |
| Windows 10 Pro | Host + Client ✓ |
| Windows Server | Host + Client ✓ |
| Windows 11 Home | Client only ✗ |
| Windows 10 Home | Client only ✗ |
Home edition workaround: If your target machine runs
Windows Home, you can still get RDP-like access using
RDP Wrapper (a third-party tool that unlocks the hidden
RDP service on Home editions) or switch to VNC instead. Chapter 6 covers VNC.
Enabling Remote Desktop on the Host Machine
1. Open System Properties — Remote tab
   Settings → System → Remote Desktop (Windows 11), or: right-click This PC → Properties → Remote Settings
   Toggle Enable Remote Desktop to On. Windows will warn you that the PC must be discoverable on the network — confirm.
2. Keep Network Level Authentication enabled
   Same panel — "Require devices to use Network Level Authentication to connect"
   Leave this checked. NLA requires credentials before the remote session even starts — it significantly reduces the attack surface. Only disable it if you're connecting from a very old client that doesn't support it.
3. Add authorised users (if not connecting as admin)
   Remote Desktop settings → "Select users that can remotely access this PC"
   Administrators can always connect. For other accounts, click Add and type the username. On a domain machine, use DOMAIN\username.
4. Check Windows Firewall allows RDP
   Windows Defender Firewall → Allow an app → Remote Desktop
   Enabling Remote Desktop in Settings usually does this automatically. Verify the Remote Desktop rule is ticked for the appropriate network profile (Private for home, Domain for work). Leave Public off unless you have a specific reason.
5. Note the machine name or IP address
   Settings → System → About → Device name (or run ipconfig)
   You'll need either the machine's hostname (e.g. PHILIPS-PC) or its IP address (192.168.0.50) to connect. On a local network, the hostname usually works. Over the internet, use the IP or a dynamic DNS name.
The machine must stay awake to accept connections. Go to
Power Settings and set Sleep → Never (or at least a long
timeout) on the host machine. A sleeping PC drops all RDP connections and
can't be woken remotely unless Wake-on-LAN is configured.
Enabling via PowerShell (Headless / Scripted)
```powershell
# Enable Remote Desktop
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
    -Name "fDenyTSConnections" -Value 0

# Enable NLA (recommended)
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name "UserAuthentication" -Value 1

# Allow RDP through Windows Firewall
# (enables every rule in the group, on whichever network profiles each rule covers)
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

# Verify RDP is enabled
Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
    -Name "fDenyTSConnections"
# fDenyTSConnections = 0 means RDP is enabled
```
Connecting with mstsc
mstsc.exe — Microsoft Terminal Services Client — is the
built-in RDP client on all Windows versions. Press
Win + R → type mstsc → Enter.
Remote Desktop Connection — General tab (the other tabs are Display, Local Resources, Experience and Advanced)
Logon settings
- Computer: 192.168.0.50. Enter an IP address, hostname, or hostname:port (e.g. mypc:3390 for a non-standard port).
- Save credentials: Allow me to save credentials
Connection settings
- Save As: home-server.rdp. Saves all settings to a .rdp file you can double-click to connect instantly.
Display tab — resolution and colour
Display configuration
- Remote desktop size: 1920 × 1080. Drag to Full Screen for full-screen mode. "Use all my monitors" appears when multiple displays are connected.
Colour depth
- Highest Quality (32 bit). Drop to 16-bit on slow connections — cuts bandwidth significantly with minimal visual difference.
- ✓ Display the connection bar when I use the full screen (allows you to minimise/disconnect)
Local Resources tab — clipboard, drives, audio
Remote audio
- Play on this computer: audio from the remote machine plays through your local speakers
Keyboard
- Only when using the full screen: when to apply Windows key combinations (Win+D, Alt+Tab) to the remote session vs local machine
Local devices and resources
- ✓ Clipboard — copy/paste between local and remote machine
- ✓ Printers — local printers appear in the remote session
- More → Drives: ✓ C: (Local Disk) — your local C: drive appears as a network drive in the remote session. Mapped as \\tsclient\C in the remote session — drag files between local and remote without needing SFTP
Saving Connections as .rdp Files
Every setting in mstsc can be saved to a .rdp
file. Double-click the file to launch the connection with all settings
pre-loaded — no re-entering hostnames or tweaking options each time.
```
# A .rdp file is plain text — you can edit it directly
# home-server.rdp
full address:s:192.168.0.50
username:s:philip
desktopwidth:i:1920
desktopheight:i:1080
session bpp:i:32
audiomode:i:0            # 0=play locally, 1=play on server, 2=no audio
redirectclipboard:i:1    # 1=enable clipboard sharing
redirectdrives:i:1       # 1=share local drives
drivestoredirect:s:C:\;  # which drives to share
use multimon:i:1         # 1=use all monitors
screen mode id:i:2       # 1=windowed, 2=full screen
networkautodetect:i:1    # auto-tune for network speed
```
Keep a .rdp file per machine. Put them in a folder
(~/RDP Connections/), pin the folder to Quick Access, and
connecting to any machine becomes a single double-click. Name them clearly:
home-server.rdp, work-laptop.rdp,
pi-desktop.rdp.
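Because a .rdp file decides which local resources the remote host can reach (clipboard, printers, drives mapped as \\tsclient\C), it is worth reading those settings back before double-clicking a saved file. The following is an added example, not part of the original chapter: Get-RdpFileExposure is a hypothetical helper name, the redirectprinters setting is not shown in the chapter's listing, and the sample lines are constructed from the home-server.rdp listing above.

```powershell
# Added example: summarise what a .rdp file would share with the remote host.
# Get-RdpFileExposure is a hypothetical helper name, not a built-in cmdlet.
function Get-RdpFileExposure {
    param([string[]]$Lines)

    $settings = @{}
    foreach ($line in $Lines) {
        # Each setting is name:type:value. Split on the first two colons only,
        # because values such as "C:\;" or "mypc:3390" contain colons themselves.
        $parts = $line -split ':', 3
        if ($parts.Count -ne 3) { continue }    # skip blank, comment or malformed lines
        $name  = $parts[0].Trim().ToLower()
        # Drop trailing "# ..." annotations like the ones in the chapter's listing
        $value = ($parts[2] -replace '\s+#.*$').Trim()
        # Type "i" is an integer, "s" is a string
        $settings[$name] = if ($parts[1] -eq 'i') { [int]$value } else { $value }
    }

    # Collect every local resource the file asks to redirect into the session
    $shared = @()
    if ($settings['drivestoredirect'])        { $shared += "Drives: $($settings['drivestoredirect'])" }
    if ($settings['redirectclipboard'] -eq 1) { $shared += 'Clipboard' }
    if ($settings['redirectprinters'] -eq 1)  { $shared += 'Printers' }

    [pscustomobject]@{
        Address  = $settings['full address']
        Username = $settings['username']
        Shared   = $shared
    }
}

# Constructed sample, based on the home-server.rdp listing in this chapter
$sample = @(
    'full address:s:192.168.0.50'
    'username:s:philip'
    'redirectclipboard:i:1 # 1=enable clipboard sharing'
    'drivestoredirect:s:C:\; # which drives to share'
)
Get-RdpFileExposure -Lines $sample

# For a saved file: Get-RdpFileExposure -Lines (Get-Content .\home-server.rdp)
```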
mstsc Command-Line Options
| Command | What it does |
| --- | --- |
| mstsc | Open the connection dialog |
| mstsc /v:hostname | Connect directly to a host |
| mstsc /v:host:3390 | Connect on a non-standard port |
| mstsc /f | Full screen mode |
| mstsc /w:1280 /h:720 | Set window width and height |
| mstsc /multimon | Use all local monitors |
| mstsc home-server.rdp | Open a saved .rdp file |
| mstsc /edit home-server.rdp | Open .rdp file in the settings dialog rather than connecting |
| mstsc /admin | Connect to admin session (bypasses session limits on Server editions) |
| mstsc /restrictedAdmin | Restricted admin mode — credentials not sent to remote host (pass-the-hash protection) |
Useful Keyboard Shortcuts Inside an RDP Session
| Shortcut | What it does (inside RDP session) |
| --- | --- |
| Ctrl + Alt + Break | Toggle between full screen and windowed mode |
| Ctrl + Alt + Home | Activate the connection bar (when in full screen) |
| Alt + Page Up / Down | Switch between apps on the remote machine (replaces Alt+Tab) |
| Alt + Delete | Open the remote machine's window menu (replaces Alt+F4) |
| Ctrl + Alt + End | Send Ctrl+Alt+Del to the remote machine |
| Ctrl + Alt + Minus (numpad) | Take a screenshot of the active remote window |
| Ctrl + Alt + Plus (numpad) | Take a screenshot of the entire remote desktop |
Security — Tightening Up Before You Connect
- Keep NLA enabled. Network Level Authentication requires credentials before the session opens — attackers can't even get to the login screen without valid credentials.
- Use a strong password on the account being used for RDP. Brute-force is the most common attack vector.
- Don't use port 3389 publicly. On a home network this is fine. Over the internet, use a VPN or SSH tunnel instead of opening port 3389 on your router. Chapter 8 covers this.
- Limit which users can connect. Don't leave "All users" — explicitly add only the accounts that need remote access.
- Check Windows Update before enabling RDP. RDP has a history of critical vulnerabilities; being fully patched is non-negotiable.
Never forward port 3389 on your home router to a Windows machine.
Bots scan for open RDP ports constantly. Within hours of going live, an
exposed RDP machine will be under sustained brute-force attack. If you need
RDP over the internet, always put it behind a VPN or an SSH tunnel first.
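The checklist above (NLA required, limited users, firewall profile) can be read back from the host after the setup steps or the PowerShell script earlier in the chapter. The following is an added example, not part of the original chapter: Test-RdpHostConfig is a hypothetical helper name, the PortNumber registry value and the group SIDs do not appear in the chapter, and the firewall group name assumes an English-language Windows install.

```powershell
# Added example: read-only audit of the RDP host settings from this chapter.
# Test-RdpHostConfig is a hypothetical helper name; run it elevated on the host.
function Test-RdpHostConfig {
    $ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $findings = @()

    # fDenyTSConnections = 0 means RDP is enabled
    $deny = (Get-ItemProperty -Path $ts -Name 'fDenyTSConnections').fDenyTSConnections
    # UserAuthentication = 1 means NLA is required
    $nla  = (Get-ItemProperty -Path $tcp -Name 'UserAuthentication').UserAuthentication
    # Listening port; 3389 unless it has been changed
    $port = (Get-ItemProperty -Path $tcp -Name 'PortNumber').PortNumber
    if ($deny -eq 0 -and $nla -ne 1) {
        $findings += 'RDP is enabled but NLA is not required'
    }

    # Enabled inbound rules in the "Remote Desktop" group and the profiles they cover
    # (the display group name is localised; English-language Windows is assumed)
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
    foreach ($r in $rules) {
        # Profile is a flags value such as "Private", "Domain, Private" or "Any"
        if ("$($r.Profile)" -match 'Public|Any') {
            $findings += "Firewall rule '$($r.DisplayName)' applies to the Public profile"
        }
    }

    # Members of BUILTIN\Remote Desktop Users (well-known SID S-1-5-32-555)
    $members = @(Get-LocalGroupMember -SID 'S-1-5-32-555' -ErrorAction SilentlyContinue)
    # Everyone, Authenticated Users, BUILTIN\Users; *-513 is a domain's Domain Users group
    $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    foreach ($m in $members) {
        if ($m.SID.Value -in $broad -or $m.SID.Value -like '*-513') {
            $findings += "Broad group '$($m.Name)' may log on over RDP"
        }
    }

    [pscustomobject]@{
        RdpEnabled       = ($deny -eq 0)
        NlaRequired      = ($nla -eq 1)
        Port             = $port
        FirewallProfiles = ($rules | ForEach-Object { "$($_.Profile)" } | Sort-Object -Unique) -join '; '
        RdpUsers         = $members.Name -join ', '
        Findings         = $findings
    }
}

Test-RdpHostConfig | Format-List
```

An empty Findings list means the host matches the checklist; the function only reads settings and changes nothing.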
Next — Chapter 3: Connecting to Windows from Linux.
The mstsc client only runs on Windows. From a Linux machine
(or your Debian server), you connect to Windows RDP using
Remmina — a full-featured GUI client — or
xfreerdp on the command line. Chapter 3 covers both,
including audio redirection, drive sharing, and connecting through
non-standard ports.