How to restrict server RDP to all users and only accept RDP from a single source (IP, host)

brichardi 361 Reputation points
2025-10-03T18:48:14.2033333+00:00

Hello,

We’re in the process of implementing a Privileged Access Management (PAM) solution and would like to restrict direct Windows RDP access for users. Specifically, we want to ensure that users can only initiate RDP sessions through the PAM server and not connect directly to any other servers.

Is there a way to enforce this restriction using Group Policy (GPO)? Ideally, we’d like to block all direct RDP access to servers and allow RDP connections only when they originate from the PAM server.

Note: We’re aware that firewall rules could achieve this, but in our environment, firewalls are currently disabled on all servers.

Any guidance on how GPO can help enforce this kind of access control would be greatly appreciated.

Thank you!


1 answer

  1. Joseph Tran 3,965 Reputation points Independent Advisor
    2025-10-03T19:22:22.92+00:00

    Hi there,

    You can enforce this with GPO, but without firewalls it’s limited. Here’s a simple approach for you to try out:

    1. Restrict RDP logins

    • In GPO > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Remote Desktop Services
    • Remove general users and only allow the PAM service account or a PAM group.
    • This blocks direct logins for regular users.

    2. Restrict RDP by source IP (needs firewall)

    • Enable Windows Defender Firewall via GPO.
    • Create an inbound rule allowing RDP (port 3389) only from the PAM server’s IP.
    • This ensures RDP only works via PAM.

    Note: Without enabling the firewall, you can only block via accounts, not IP. For full control, combine both.
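Added example (not code from the original answer): the two steps above as a PowerShell script you can run in an elevated session on a single server to see who currently holds the RDP logon right and to apply the equivalent local settings before building the GPO. The PAM server address 10.10.20.5, the group CONTOSO\PAM-RDP-Operators and the rule names are placeholders.

```powershell
# Added example, not part of the original answer. Assumed values:
#   $PamServerIp  - address of the PAM jump host          (assumption)
#   $AllowedGroup - AD group the PAM server logs on with   (assumption)
# Run elevated on one server, ideally from the PAM host itself so the
# firewall change cannot cut off the session you are working in.
$PamServerIp  = '10.10.20.5'
$AllowedGroup = 'CONTOSO\PAM-RDP-Operators'

# --- Step 1 check: who holds "Allow/Deny log on through Remote Desktop Services"? ---
# User Rights Assignment has no native cmdlet; export the effective policy with
# secedit and read both privileges from the [Privilege Rights] section.
function Get-RdpLogonRights {
    $cfg = Join-Path $env:TEMP 'secpol.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg
    Remove-Item $cfg -Force
    $result = @{}
    foreach ($right in 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $line = $lines | Where-Object { $_ -like "$right*" } | Select-Object -First 1
        $entries = @()
        if ($line) {
            # Exported format: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
            $entries = ($line -split '=', 2)[1].Trim() -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
        }
        $result[$right] = foreach ($entry in $entries) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry)
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }   # already a name, or an orphaned SID
        }
    }
    return $result
}

$rights = Get-RdpLogonRights
'Allow log on through RDS: {0}' -f ($rights['SeRemoteInteractiveLogonRight'] -join ', ')
'Deny  log on through RDS: {0}' -f ($rights['SeDenyRemoteInteractiveLogonRight'] -join ', ')
# Caveats: Deny overrides Allow, and the default Allow list contains the local
# "Remote Desktop Users" group, so the GPO must replace that entry with $AllowedGroup
# rather than add to it. Also review who is in the local group today:
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource

# --- Step 2: accept 3389 only from the PAM server (requires the firewall to be on) ---
# Enable all three profiles; inbound traffic without a matching allow rule is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# The built-in "Remote Desktop" group rules accept 3389 from any address; disable
# them (rather than delete) so they can be re-enabled if a rollback is needed.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule

# RDP uses TCP 3389 and, on Windows 8/2012 and later, UDP 3389 as well; scope both.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "RDP from PAM ($proto)" -Direction Inbound `
        -Protocol $proto -LocalPort 3389 -RemoteAddress $PamServerIp -Action Allow -Profile Any | Out-Null
}

# Verify the scope that ended up on the new rules: only the PAM address should appear.
Get-NetFirewallRule -DisplayName 'RDP from PAM*' | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

In the GPO both pieces live under Computer Configuration > Policies > Windows Settings > Security Settings: the logon right under Local Policies > User Rights Assignment, the firewall state and rules under Windows Defender Firewall with Advanced Security. Before pushing the firewall part by GPO, confirm that the other inbound rules your servers depend on (WinRM, SMB, monitoring agents) exist, because enabling the firewall with a block default affects that traffic too, and test from a non-PAM host (for example with Test-NetConnection on port 3389) that the connection is now refused.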

