How to restrict server RDP to all users and only accept RDP from a single source (IP, host)

Question

Hello,

We’re in the process of implementing a Privileged Access Management (PAM) solution and would like to restrict direct Windows RDP access for users. Specifically, we want to ensure that users can only initiate RDP sessions through the PAM server and not connect directly to any other servers.

Is there a way to enforce this restriction using Group Policy (GPO)? Ideally, we’d like to block all direct RDP access to servers and allow RDP connections only when they originate from the PAM server.

Note: We’re aware that firewall rules could achieve this, but in our environment, firewalls are currently disabled on all servers.

Any guidance on how GPO can help enforce this kind of access control would be greatly appreciated.

Thank you!

Answer 1

Hi, There

You can enforce this with GPO, but without firewalls it’s limited. There’s a simple approach for you to try it out:

1. Restrict RDP logins

• In GPO > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Remote Desktop Services
• Remove general users and only allow the PAM service account or a PAM group.
• This blocks direct logins for regular users.

2. Restrict RDP by source IP (needs firewall)

• Enable Windows Defender Firewall via GPO.
• Create an inbound rule allowing RDP (port 3389) only from the PAM server’s IP.
• This ensures RDP only works via PAM.

Note: Without enabling firewall, you can only block via accounts, not IP. For full control, combine both.