Restrict RDP Access by IP Address with Windows Firewall

You can restrict Remote Desktop access to your server by a single IP address or by a range of IP addresses using Windows Firewall, following the instructions below.

Create Firewall Rule

To maintain your existing Remote Desktop connection to the server, an Allow rule needs to be created first and the IP restriction rules added to it. Once these have been created, the rule is switched to Block so that it blocks all IPs specified in your restriction rules.

  1. Connect to your server via RDP.
  2. Open Windows Firewall with Advanced Security.
  3. Click on Inbound Rules in the left pane.
  4. In the Actions menu click on New Rule.
  5. Select the Port radio button and click Next.
  6. Select the Specific local ports radio button and enter 3389 into the box.
  7. Click Next.
  8. Leave the Allow the connection radio button on the Action screen selected and click Next.
  9. On the Profile screen leave Domain, Private and Public checked and click Next.
  10. On the Name screen give your new rule a name such as “CUSTOM RDP BLOCK”.
  11. Click Finish.

The new firewall rule has now been created and the IP restrictions need to be added.

Creating Your IP Restrictions

  1. Right click on the new firewall rule you just created above and click Properties.
  2. Click on the Scope tab.
  3. Under the Remote IP address section select the These IP addresses option.
  4. Click the Add... button.
  5. Select either This IP address or you can use a range.
  6. If a range is selected, enter your range into the From and To boxes.
  7. Add further IP ranges as needed so that all the IPs required remain allowed.
  8. When all your IP addresses/ranges are entered click the OK button.

Your IP restriction rules are now in place to allow all IP addresses outside of the addresses/ranges that were added. The firewall rule now needs to be switched from Allow to Block.

Switch Firewall Rule From Allow to Block

  1. Right click on your firewall rule and select Properties.
  2. On the General tab, under Action, switch the radio button from Allow the connection to Block the connection.
  3. Click OK.

If you are still connected to the server via Remote Desktop after switching the firewall rule to Block the connection, your rule is working correctly.
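The scope list built in the steps above is the set of addresses to block, that is, everything except the addresses that need RDP. The PowerShell below is an added example, not part of the original article: it derives those ranges from a short allow list and previews the equivalent block rule. The addresses in `$Allowed` are constructed samples, the two helper functions are hypothetical names, and the NetSecurity module (Windows Server 2012 or later) is assumed.

```powershell
# Added example, not from the original article. Assumes the NetSecurity module
# (Windows Server 2012 / Windows 8 or later) and an elevated session. IPv4 only.

# Constructed sample allow list: single addresses or from-to ranges.
$Allowed = @('203.0.113.10', '198.51.100.20-198.51.100.30')

function ConvertTo-Number([string]$Ip) {          # hypothetical helper
    $bytes = [System.Net.IPAddress]::Parse($Ip.Trim()).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 only: $Ip" }
    [Array]::Reverse($bytes)                      # network order -> little-endian
    [long][BitConverter]::ToUInt32($bytes, 0)
}

function ConvertTo-Address([long]$Value) {        # hypothetical helper
    $bytes = [BitConverter]::GetBytes([uint32]$Value)
    [Array]::Reverse($bytes)
    (New-Object System.Net.IPAddress (,$bytes)).ToString()
}

# Turn each entry into a numeric Lo/Hi pair and sort by start address.
$ranges = $Allowed | ForEach-Object {
    $parts = $_ -split '-'
    [pscustomobject]@{
        Lo = (ConvertTo-Number $parts[0])
        Hi = (ConvertTo-Number $parts[-1])
    }
} | Sort-Object Lo

# Walk the address space and emit every gap between the allowed ranges.
# The sweep starts at 1.0.0.0 because 0.0.0.0/8 is reserved and is not a
# routable source (a choice made for this example).
$block = @()
$next = ConvertTo-Number '1.0.0.0'
foreach ($r in $ranges) {
    if ($r.Lo -gt $next) {
        $block += '{0}-{1}' -f (ConvertTo-Address $next), (ConvertTo-Address ($r.Lo - 1))
    }
    if (($r.Hi + 1) -gt $next) { $next = $r.Hi + 1 }   # also merges overlapping entries
}
if ($next -le 4294967295) {
    $block += '{0}-255.255.255.255' -f (ConvertTo-Address $next)
}

$block    # review the ranges before applying them

# A single Block rule on TCP 3389 scoped to those ranges; -WhatIf only previews it.
New-NetFirewallRule -DisplayName 'CUSTOM RDP BLOCK' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -Profile Any -Action Block `
    -RemoteAddress $block -WhatIf
```

Keeping the allow list in a script also leaves a copy to rebuild the scope from. Remove `-WhatIf` only after checking that the printed ranges leave out the address you are connecting from.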


22 thoughts on “Restrict RDP Access by IP Address with Windows Firewall”

  1. Accidentally deleted the remote IP addresses added. When applied for “Any IP address” option and switched back to the manual entries all went deleted. Is there any scope to retrieve the whole list???

        1. One thing I do is stick the IPs in a Notepad document, then you have a reference to fall back to just in case something like this happens again.

  2. Works like a charm. It worked for both Windows 2008 and 2016 servers. Thank you very much for your great help.

    1. Thanks for the comment, glad I could help… This works on anything that has the advanced Windows Firewall feature, which is Windows 2008 R2 and above.


  3. Hemp, I’m guessing the same thing will work for the Windows FTP Server – but would I need to specify any ports other than 21?

    Thanks… Bruce

  4. Hi,
    I’m hosting a local SQL server and I want to allow certain local IP range
    starting from to
    and random remote IP range for example:,,
    on port 1433 (SQL)

    How can I achieve this?


    1. Hi Saud

      This should work for any port.

      For the local IP range when you get to point 7. do the same for the local IP addresses as stated above for the remote IP address. Adding the ranges that you want to block something like then the next range would be same goes for the remote addresses but you might want to consider just using the firewall on your router.

      hope this helps


  5. Dear

    I want to achieve adding my ISP IP address to the scope, so the server can only be accessed from my house. To stop also the failed logins each second showing in Event Viewer.
    But, my IP address is a dynamic IP address, I do have and implemented a dynamic name that is linked to my ISP modem/router.

    Is it possible to add my dynamic name in the scope field This IP address?
    Or is there another workaround? Just to make sure I don’t block myself once the ISP IP address changes….

    1. Hi Momo Thanks for your comment,

      There is no way to add a domain name to these settings in Windows Firewall but you probably could do this from the firewall on your router.

      Or even better would be to close off the open RDP port and use a secure VPN to connect to your remote server.


    1. Hi MVDK thanks for your comment.

      You still need to have a rule blocking all other IP addresses, otherwise you are just allowing all and might as well not bother with any rules.

      In reality it's not a good idea to expose RDP to the internet, a better option would be to connect via a VPN first.

      Hemp 🙂

  6. So this is like the reverse of what you would normally do? (normally, you block ALL ip addresses, then add authorized ip addresses) – MS needs to rethink this – it’s overly complicated. On most firewalls, you have a list for blocked ips (usually * ), and you have a list for allowed ips. That would be a lot simpler than having to specify a range, then a gap, then another range.

    1. Hi Dave

      Thanks for your comment.

      I agree, but in reality you probably should be using your router's firewall rules to block any open ports exposed to the internet. However, this is more of a backup solution if for whatever reason you do not have any access to the router and you still want to lock down the ports.


