Since the release of Windows Server 2025, many customers have reported being locked out of their VPS when using Remote Desktop (RDP). This issue usually presents as the following error:
“As a security precaution, the user has been locked because there were too many login attempts. Wait a while before trying again.”
While this can be frustrating, this is part of Microsoft’s efforts to harden security against brute-force attacks. This article explains what changed between Windows Server 2022 and 2025, why you can still access your VPS via the mPanel console, and what you can do to prevent repeat lockouts.
TABLE OF CONTENTS
What Changed Between Windows Server 2022 and 2025?
Administrator Account Lockouts Enabled
In October 2022, Microsoft released a cumulative update for Windows Server 2022 introducing support for locking out the built-in Administrator account when repeated failed login attempts occur over the network. Previously, this account could not be locked out via RDP or SMB network logons - meaning it was vulnerable to brute-force attacks.
From Windows Server 2025 onwards, this behaviour is enabled by default and integrated into the security baseline.
More Aggressive Lockout Policy
Windows Server 2025 ships with a stricter security baseline that reduces the number of failed attempts allowed before the account is locked.
| Setting | Windows Server 2022 (Typical) | Windows Server 2025 (Default) |
|---|---|---|
| Lockout Threshold | ~10 attempts | 3 attempts |
| Lockout Duration | 15 minutes | 15 minutes |
| Counter Reset After | 15 minutes | 15 minutes |
| Console Logon Allowed? | Yes | Yes |
This means even a small number of failed login attempts from bots scanning the internet can trigger a lockout, which is why customers may experience repeated interruptions when RDP is exposed on the default port (3389).
Why does console access still work?
When the Administrator account is locked due to failed network logons, it is only blocked for network authentication. Direct console logons such as those available via the BinaryLane mPanel web console are still allowed. This makes it possible to log in and resolve the issue even if RDP access is blocked.
Recommended Steps
1. Unlock the Administrator Account
Log in to your server using the mPanel console.
Open lusrmgr.msc (Local Users and Groups).
Navigate to Users, right-click on Administrator, and select Properties.
Untick Account is locked out and apply the changes.
This will immediately restore the ability to log in via RDP, however, the brute force attempts may resume after making this change.
2. Change the RDP Listening Port
Changing the default RDP port can dramatically reduce automated brute-force attempts. Follow Microsoft’s official guide here: Change the listening port for Remote Desktop
Important: Ensure you update your Windows Defender Firewall to allow inbound connections over the newly specified Remote Desktop Port. You can quickly enable this connection by using the following PowerShell command (ensure to replace PORT_NUMBER with the actual port number you specified to use for the Remote Desktop Connection):New-NetFirewallRule -DisplayName "RDP Custom Port" -Direction Inbound -Protocol TCP -LocalPort PORT_NUMBER -Action Allow
3. Restrict RDP Access with mPanel Firewall Rules
To block unwanted login attempts entirely, restrict RDP access to trusted IP addresses using BinaryLane’s External Firewall feature, e.g., create a new firewall rule allowing TCP traffic to port 3389 (or your custom RDP port) only from the IP ranges you specify - such as your office or home IP: External Firewall
This is the most effective way to prevent brute-force attempts from the internet and avoid repeated lockouts.
If you require assistance, feel free to submit a support ticket at our helpdesk here: Submit a ticket | BinaryLane