Is RDP in a local network a risk?


greif
Member
Oct 30, 2020
I use Remote Desktop (yes, the highly vulnerable Windows RDP) to access other machines around the house, but I am wondering whether, if my router ends up being breached, I have now made it easy to get into my computers. My router has the newest firmware available.

What say you all, big risk or small?
 
If your router gets breached, then you have way bigger problems than your use of RDP. The safest configuration is with a proper firewall configured to not allow any outside source to pass packets into your network for services you don't want coming in (such as for RDP, SMB, etc.) If your router has a stateful packet inspection (SPI) firewall, then it's supplying you some protection with the default rules. If you're simply relying on NAT, that is some protection, but it's not foolproof, especially if UPnP is enabled.

The problem with a real firewall is that it can be real work to set up and maintain. It is normally configured to block everything unless told otherwise. That can get to be a significant hassle, especially if you have devices in your network like a PlayStation/Xbox or media devices (Chromecast or Roku) or IoT devices. The proposal by Steve is to use multiple routers. Put your PCs behind a router and then your other devices behind a different router, and put both routers into yet a third router. (He called this the Three Dumb Routers configuration... you can probably Google for it.) While this configuration will be fairly simple to set up and maintain, it will be potentially slower than just one router because there is more buffer bloat and there are slowish (for cheap routers) CPUs between your gear and your network.

The Ubiquiti EdgeRouter X is pretty cheap ($60US or so) for this purpose, and is well regarded by Steve. (I have concerns about their most recent behaviour when they suffered a breach and tried to cover it up; coverage of that elsewhere on the site.) One thing to note about these devices is they can really slow down network packets unless hardware assist is enabled, and it doesn't arrive enabled out of the box. Again, Google is your friend if you go that route. (Lots of YouTube videos about the ERX.)
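To make the NAT/SPI point above concrete, here is an added toy model of a router's inbound policy: connection tracking plus a port-forwarding table. It is example code written for this thread, not code from the forum or from GRC. Addresses, ports and the packet sequence are constructed, and NAT address rewriting is left out so the flow keys stay readable. It shows the three cases Paul describes: a reply to an outbound connection is let in, an unsolicited probe to 3389 is dropped, and a UPnP port mapping requested from inside the LAN opens that same port.

```python
"""Toy model of a home router's inbound policy: stateful tracking plus port forwards.

Added example, not code from the forum thread or from GRC. Addresses, ports and
the packet sequence are constructed. NAT address rewriting is omitted so that
the flow keys stay readable; the allow/drop logic is the same.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True for a packet that opens a new connection


@dataclass
class Router:
    lan_prefix: str = "192.168.1."
    # Flows opened from the LAN, keyed as (remote_ip, remote_port, lan_ip, lan_port)
    # so that the remote side's reply matches directly.
    established: set = field(default_factory=set)
    # Explicit holes in the inbound policy: external port -> (lan_ip, lan_port).
    # Entries get here via admin port-forwarding rules or via UPnP requests.
    forwards: dict = field(default_factory=dict)

    def is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def handle(self, pkt: Packet) -> tuple:
        """Return ('forward' | 'drop', reason) for one packet."""
        if self.is_lan(pkt.src_ip):
            # Outbound: remember the flow so the reply is allowed back in.
            self.established.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
            return "forward", "outbound from LAN"
        # Inbound from the WAN side.
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.established and not pkt.syn:
            return "forward", "reply to an established outbound flow"
        if pkt.dst_port in self.forwards:
            return "forward", f"port-forward rule to {self.forwards[pkt.dst_port]}"
        return "drop", "unsolicited inbound packet"

    def upnp_add_port_mapping(self, external_port: int, lan_ip: str, lan_port: int) -> None:
        """UPnP IGD AddPortMapping: any LAN device may call this, with no authentication."""
        self.forwards[external_port] = (lan_ip, lan_port)


def demo() -> list:
    """Run the constructed packet sequence and return the verdicts in order."""
    router = Router()
    verdicts = []
    # 1. A LAN PC opens an HTTPS connection to an outside server.
    verdicts.append(router.handle(Packet("192.168.1.10", 50000, "203.0.113.5", 443, syn=True)))
    # 2. The server's reply matches the tracked flow and is let in.
    verdicts.append(router.handle(Packet("203.0.113.5", 443, "192.168.1.10", 50000)))
    # 3. An outside scanner probes RDP on the PC: no flow, no forward -> dropped.
    verdicts.append(router.handle(Packet("198.51.100.7", 40000, "192.168.1.10", 3389, syn=True)))
    # 4. Something on the LAN asks the router (via UPnP) to map 3389; the same probe now gets through.
    router.upnp_add_port_mapping(3389, "192.168.1.10", 3389)
    verdicts.append(router.handle(Packet("198.51.100.7", 40001, "192.168.1.10", 3389, syn=True)))
    return [verdict for verdict, _reason in verdicts]


if __name__ == "__main__":
    for step, verdict in enumerate(demo(), 1):
        print(step, verdict)
```

Step 4 is the reason the thread keeps coming back to disabling UPnP: the hole is requested from the inside, so the router's default inbound rules never get a say, and the only record of it is the mapping table itself, which is what a periodic check of the router's port-forwarding page is looking for.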
 
> I use Remote Desktop (yes, the highly vulnerable Windows RDP) to access other machines around the house, but I am wondering whether, if my router ends up being breached, I have now made it easy to get into my computers. My router has the newest firmware available.
>
> What say you all, big risk or small?

Assuming you aren't publishing your RDP over the internet, I don't see any particular issue with using RDP on your LAN; if possible, avoid saving credentials inside RDP files so that they can't be used without interaction. Then, as Paul correctly pointed out, if someone/something breaks into your router, you'll have bigger problems than just the RDP access.

My 2 cents
 
Run ShieldsUP to make sure your router is configured well, and don't worry about it (low risk). UNLESS you are rich and famous. If you are a target like that then you need professional help, and RDP is probably not your problem.
 
> Run ShieldsUP to make sure your router is configured well, and don't worry about it (low risk). UNLESS you are rich and famous. If you are a target like that then you need professional help, and RDP is probably not your problem.

I won't count on the fact that one isn't "rich and famous": the RDP port is amongst the targets of most automated scanners (bots), and those don't care if you're famous or not; as long as they find the RDP port open, they'll start trying to brute-force it. That's also why, if one really wants to publish a "naked" RDP on the internet, it will be a good idea to change the port from 3389 to something else; not that it will add any security, but it will at least skip a number of scanning bots.
 
You run ShieldsUp to make sure you're not running RDP naked on the internet. If you have to get behind a NAT router or some other firewall to just see the RDP port, then you'll fall under the targeted attack.
 
ShieldsUp will tell you if any "well known port" is open, but will tell you nothing if you (e.g.) place your RDP on (say) 15389/tcp :D

Not saying it isn't useful; an easy-to-run port scanner, even with the implicit limitations, is useful, but don't think it's the "cure for all evils".

That being said, if one wants to be overcautious, and given that the RDP access is only over a local network, changing the RDP port to something other than 3389 and not saving the logon credentials inside the RDP file will help for sure.
 
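The two pieces of advice above (no saved credentials in the .rdp file, and a non-default port) are easy to check across a folder of connection files. The following is an added example written for this thread, not code from the forum or from Microsoft: a small parser for the `name:type:value` lines that Remote Desktop Connection writes, plus an audit that flags a stored `password 51:b:` blob, a missing `prompt for credentials:i:1`, the default port 3389, and, going one step beyond the thread, `authentication level:i:0` (connect even when server authentication fails). The two sample files are constructed, and the `password 51` value is a dummy, not a real DPAPI blob.

```python
"""Audit .rdp connection files for saved credentials, a forced credential prompt,
the default port and lax server authentication.

Added example, not code from the forum thread. The setting names are the ones
Remote Desktop Connection writes; the two sample files below are constructed and
the 'password 51' value is a dummy, not a real DPAPI blob.
"""
from pathlib import Path

DEFAULT_RDP_PORT = 3389


def read_rdp_text(path: Path) -> str:
    """mstsc saves .rdp files as UTF-16 LE with a BOM; hand-written ones are often plain ASCII/UTF-8."""
    raw = path.read_bytes()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines; type is s (string), i (integer) or b (binary, hex)."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, kind, value = parts
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue
        settings[name] = value
    return settings


def effective_port(settings: dict) -> int:
    """Port actually used: 'server port', else a ':port' suffix on 'full address', else 3389."""
    if isinstance(settings.get("server port"), int):
        return settings["server port"]
    host = str(settings.get("full address", ""))
    # A bare IPv6 address contains several colons but no port; a bracketed one may carry a port.
    if host.count(":") > 1 and not host.startswith("["):
        return DEFAULT_RDP_PORT
    if ":" in host and host.rsplit(":", 1)[1].isdigit():
        return int(host.rsplit(":", 1)[1])
    return DEFAULT_RDP_PORT


def audit_rdp(text: str) -> list:
    """Return a list of findings; an empty list means the file passes every check."""
    s = parse_rdp(text)
    findings = []
    if s.get("password 51"):
        findings.append("saved password present: the file connects without any interaction")
    if s.get("prompt for credentials") != 1:
        findings.append("'prompt for credentials:i:1' not set: cached credentials are reused silently")
    if effective_port(s) == DEFAULT_RDP_PORT:
        findings.append("connects to the default port 3389")
    if s.get("authentication level") == 0:
        findings.append("'authentication level:i:0': server authentication failures are ignored")
    return findings


def audit_directory(root: str) -> dict:
    """Audit every *.rdp file under root; returns {path: findings}."""
    return {str(p): audit_rdp(read_rdp_text(p)) for p in Path(root).rglob("*.rdp")}


# Constructed sample: the kind of file mstsc writes when 'save credentials' was ticked.
SAMPLE_RISKY = """\
screen mode id:i:2
full address:s:192.168.1.20
username:s:alice
password 51:b:0102030405060708DEADBEEF
prompt for credentials:i:0
authentication level:i:0
"""

# Constructed sample following the advice in the thread: no saved password, prompt forced,
# non-default port, and a warning on server authentication failure.
SAMPLE_OK = """\
full address:s:192.168.1.20
server port:i:15389
username:s:alice
prompt for credentials:i:1
authentication level:i:2
"""

if __name__ == "__main__":
    for label, sample in (("risky", SAMPLE_RISKY), ("ok", SAMPLE_OK)):
        print(label, audit_rdp(sample) or ["no findings"])
```

`audit_directory(r"C:\Users\alice\Documents")` runs the same checks over every saved connection file under a folder; the BOM handling in `read_rdp_text` matters because files saved by mstsc are UTF-16 and would parse as garbage (and so pass silently) if read as UTF-8.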
There are options in ShieldsUp to scan any range of ports actually. I'm not sure if there's a limit, but if not, you could scan all the ports!

Does it work with IPv6? Can anyone test that?
 
If you're worried that RDP on your internal network is a risk, you want to think about what else could be up should someone have a foothold in there.

Turn off UPnP on the router, and check for port forwarding rules on the router. You might also want to double-NAT because you are not sure what posture your provider equipment has... I do this too. And then if you have IoT devices, connect them to the provider box at your perimeter, outside your cosy network :)
 
> There are options in ShieldsUp to scan any range of ports actually. I'm not sure if there's a limit, but if not, you could scan all the ports!
>
> Does it work with IPv6? Can anyone test that?
ShieldsUp does not work with IPv6.
It does not work with UDP either.
The option to scan a range of ports, scans 1 out of every 65 TCP ports.
Full WAN port scanning needs to be done before a router is connected to the Internet.

ShieldsUp should have ruled the world, but the ports it scans by default have not changed in a decade or so and the world, meanwhile, has changed.
 
> You might also want to double-NAT because you are not sure what posture your provider equipment has... I do this too. And then if you have IoT devices, connect them to the provider box at your perimeter, outside your cosy network :)

Double NATting is indeed a great idea to protect a group of devices behind a second firewall. You put the important devices behind an inner router and the unimportant ones connect to the outside router. Higher end routers offer VLANs, which are way more flexible.
 
I have used RDP to access other computers on my network for decades. Never had an issue. There is no port forwarding enabled on my router, for anything. Oh, and passwords...

There is common sense and paranoia. I won't inconvenience myself to the point I need to go to the basement to check on something on the PC that is managing my personal weather station, and keeping my weather related website current.

Router is also running Firewall, Threat Prevention and Safe Browsing apps, plus being locked down as far as security, with services disabled, passwords, etc.

The only foolproof/bulletproof solution is to pull the plug...
 
If you wanted a different solution than RDP (but probably less convenient), there are a number of systems that use RPis as cheaper IP-based KVM devices. That combined with an actual old-school KVM can allow you to have better access to a "remote" machine. They can actually allow you to enter the BIOS, for example. A friend built one of these https://pikvm.org/ and has had nothing but good things to say about the effectiveness (granted he's an Apple/Mac user mostly, but he does have some Linux in his setup.)
 
Just like everybody else has said above, any remote access carries its own set of risks. RDP on an internal network is fairly safe but depends on the security of that internal network (other devices, firewall setup, NAT config, etc). RDP historically has had remote code executions, so you either secure your internal network, or disable RDP and use another solution. It all depends on your comfort level of risk.