Is RDP in a local network a risk


greif

Member
Oct 30, 2020
8
4
I use Remote Desktop (yes, the highly vulnerable Windows RDP) to access other machines around the house, but I am wondering whether, if my router ends up being breached, I have now made it easy to get into my computers. My router has the newest firmware available.

What say you all, big risk or small?
 

PHolder

Well-known member
Sep 16, 2020
719
2
353
Ontario, Canada
If your router gets breached, then you have way bigger problems than your use of RDP. The safest configuration is with a proper firewall configured to not allow any outside source to pass packets into your network for services you don't want coming in (such as RDP, SMB, etc.). If your router has a stateful packet inspection (SPI) firewall, then it's supplying you some protection with the default rules. If you're simply relying on NAT, that is some protection, but it's not foolproof, especially if UPnP is enabled.

The problem with a real firewall is that it can be real work to set up and maintain. It is normally configured to block everything unless told otherwise. That can get to be a significant hassle, especially if you have devices in your network like a PlayStation/Xbox or media devices (Chromecast or Roku) or IoT devices. The proposal by Steve is to use multiple routers. Put your PCs behind a router and then your other devices behind a different router and put both routers into yet a third router. (He called this the Three Dumb Routers configuration... you can probably Google for it.) While this configuration will be fairly simple to set up and maintain, it will be potentially slower than just one router because there is more bufferbloat and there are more slowish (for cheap routers) CPUs between your gear and your network.

The Ubiquiti EdgeRouter X is pretty cheap ($60US or so) for this purpose, and is well regarded by Steve. (I have concerns about their most recent behaviour when they suffered a breach and tried to cover it up; coverage of that elsewhere on the site.) One thing to note about these devices is they can really slow down network packets unless hardware assist is enabled, and it doesn't arrive enabled out of the box. Again, Google is your friend if you go that route. (Lots of YouTube videos about the ERX.)
 

ObiWan

There's no try, just do or don't
May 14, 2021
3
2
I use Remote Desktop (yes, the highly vulnerable Windows RDP) to access other machines around the house, but I am wondering whether, if my router ends up being breached, I have now made it easy to get into my computers. My router has the newest firmware available.

What say you all, big risk or small?

Assuming you aren't publishing your RDP over the internet, I don't see any particular issue with using RDP on your LAN; if possible, avoid saving credentials inside RDP files so that they can't be used w/o interaction. Then, as Paul correctly pointed out, if someone/something breaks into your router, you'll have bigger problems than just the RDP access.

My 2 cents
 

nilsonaj

Member
Sep 30, 2020
5
1
Run ShieldsUP to make sure your router is configured well, and don't worry about it (low risk). UNLESS you are rich and famous. If you are a target like that then you need professional help, and RDP is probably not your problem.
 

ObiWan

There's no try, just do or don't
May 14, 2021
3
2
Run ShieldsUP to make sure your router is configured well, and don't worry about it (low risk). UNLESS you are rich and famous. If you are a target like that then you need professional help, and RDP is probably not your problem.
I won't count on the fact that one isn't "rich and famous". The RDP port is amongst the targets of most automated scanners (bots), and those don't care if you're famous or not; as long as they find the RDP port open, they'll start trying to brute-force it. That's also why, if one really wants to publish a "naked" RDP on the internet, it would be a good idea to change the port from 3389 to something else: not that it will add any security, but it will at least skip a number of scanning bots.
 

miquelfire

I like red!
Sep 26, 2020
51
5
www.miquelfire.red
You run ShieldsUp to make sure you're not running RDP naked on the internet. If you have to get behind a NAT router or some other firewall to just see the RDP port, then you'll fall under the targeted attack.
 

ObiWan

There's no try, just do or don't
May 14, 2021
3
2
ShieldsUp will tell you if any "well known port" is open, but will tell you nothing if you (e.g.) place your RDP on (say) 15389/tcp :D

Not saying it isn't useful; an easy-to-run port scanner, even with the implicit limitations, is useful, but don't think it's the "cure for all evils".

That being said, if one wants to be overcautious, and given that the RDP access is only over a local network, changing the RDP port to something other than 3389 and not saving the logon credentials inside the RDP file will help for sure.
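The two precautions ObiWan recommends for LAN-only RDP, not saving logon credentials in the .rdp file and moving the listener off 3389, are both visible in the .rdp file itself. The following is an added example for this thread, not code from the forum or from Microsoft: it parses the documented `name:type:value` lines mstsc writes (`full address`, `password 51`, `prompt for credentials`, `authentication level`) and flags the weak settings. The two sample files and the hex "password" blob are constructed; a real `password 51` value is a DPAPI blob that any process running as the same Windows user can reuse without a prompt.

```python
"""Audit Remote Desktop (.rdp) files for settings that weaken LAN-only RDP:
saved credentials, the default 3389 port, and disabled certificate checks.
Added example for the thread; setting names are mstsc's documented ones,
the sample contents below are constructed."""
import codecs

DEFAULT_RDP_PORT = 3389


def decode_rdp_bytes(raw: bytes) -> str:
    """mstsc saves .rdp files as UTF-16 with a BOM; hand-written ones are often ASCII."""
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def parse_rdp(text: str) -> dict:
    """Turn 'name:type:value' lines into {name: (type, value)}; names compared case-insensitively."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            name, kind, value = parts
            settings[name.strip().lower()] = (kind.strip(), value.strip())
    return settings


def split_host_port(address: str):
    """'host', 'host:port' or '[v6addr]:port' -> (host, port); port defaults to 3389."""
    try:
        if address.startswith("[") and "]:" in address:
            host, port = address.rsplit(":", 1)
            return host.strip("[]"), int(port)
        if address.count(":") == 1:
            host, port = address.split(":")
            return host, int(port)
    except ValueError:
        return address, None
    return address, DEFAULT_RDP_PORT


def audit_rdp(text: str) -> list:
    """Return (severity, message) findings for one .rdp file's contents."""
    s = parse_rdp(text)
    findings = []
    # 'password 51:b:<hex>' is a DPAPI blob: anything running as the same Windows
    # user can open this connection without ever being asked for a password.
    if s.get("password 51", ("", ""))[1]:
        findings.append(("high", "saved credentials stored in file (password 51)"))
        if s.get("prompt for credentials", ("", "1"))[1] == "0":
            findings.append(("high", "prompt for credentials disabled; connection is fully unattended"))
    address = s.get("full address", ("", ""))[1]
    if address:
        _, port = split_host_port(address)
        if port == DEFAULT_RDP_PORT:
            findings.append(("low", "target uses default port 3389; automated scanners probe it first"))
    # authentication level 0 = connect even when the server certificate cannot be verified
    if s.get("authentication level", ("", "2"))[1] == "0":
        findings.append(("medium", "authentication level 0: server certificate warnings suppressed"))
    return findings


# Constructed samples (the hex blob is not a real DPAPI ciphertext).
RISKY_SAMPLE = """\
full address:s:192.168.1.20:3389
username:s:greg
password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB
prompt for credentials:i:0
authentication level:i:0
"""

HARDENED_SAMPLE = """\
full address:s:192.168.1.20:15389
prompt for credentials:i:1
authentication level:i:2
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # audit a real file: python rdp_audit.py path\to\connection.rdp
        with open(sys.argv[1], "rb") as fh:
            print(audit_rdp(decode_rdp_bytes(fh.read())) or "no findings")
    else:
        for name, sample in (("risky", RISKY_SAMPLE), ("hardened", HARDENED_SAMPLE)):
            print(name, audit_rdp(sample) or "no findings")
```

Run it over every .rdp file in a user profile to find connections that would let whoever lands on that workstation hop to the next machine with no prompt at all; the "low" finding about port 3389 is only about scanner noise, as ObiWan says, not about real protection.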
 

miquelfire

I like red!
Sep 26, 2020
51
5
www.miquelfire.red
There are options in ShieldsUp to scan any range of ports actually. I'm not sure if there's a limit, but if not, you could scan all the ports!

Does it work with IPv6? Can anyone test that?
 

Lob

What could possibly go wrong?
Nov 7, 2020
74
15
If you're worried that RDP on your internal network is a risk, you want to think about what else could be up should someone have a foothold in there.

Turn off UPnP on the router, and check for port forwarding rules on the router. You might also want to double-NAT because you are not sure what posture your provider equipment has... I do this too. And then if you have IoT devices, connect them to the provider box at your perimeter, outside your cosy network :)
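Lob's advice to turn off UPnP and check the router's port forwarding rules can be verified rather than assumed: a UPnP-IGD router will list every mapping in its table, whether a console or a piece of malware added it or you did by hand. The following is an added example for this thread, not code from the forum or any router vendor. It assumes you already have the router's WANIPConnection control URL (it appears in the device-description XML the router advertises over SSDP); the SOAP action and response field names are the standard IGD ones, and the sample response and fault below are constructed.

```python
"""List a UPnP-IGD router's port mappings and flag any that expose LAN-only
services such as RDP or SMB.  Added example for the thread; the control URL
is an assumption you supply and the sample XML is constructed."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE_TYPE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
# Internal ports that should never be reachable from the WAN on a home network.
LAN_ONLY_PORTS = {3389: "RDP", 445: "SMB", 139: "NetBIOS", 23: "Telnet", 5900: "VNC"}


def build_request(index: int) -> bytes:
    """SOAP body asking for the mapping at position `index` of the router's table."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:{ACTION} xmlns:u="{SERVICE_TYPE}"><NewPortMappingIndex>{index}</NewPortMappingIndex>'
        f'</u:{ACTION}></s:Body></s:Envelope>'
    ).encode()


def parse_mapping(xml_text: str):
    """One mapping dict from a GetGenericPortMappingEntry response, or None for a SOAP
    fault (error 713 SpecifiedArrayIndexInvalid is how the router marks the end of the table)."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}")[-1]  # drop any namespace prefix
        if tag.startswith("New") and el.text is not None:
            fields[tag] = el.text.strip()
    if "NewExternalPort" not in fields:
        return None
    return {
        "external_port": int(fields["NewExternalPort"]),
        "protocol": fields.get("NewProtocol", "TCP"),
        "internal_client": fields.get("NewInternalClient", ""),
        "internal_port": int(fields.get("NewInternalPort", fields["NewExternalPort"])),
        "description": fields.get("NewPortMappingDescription", ""),
        "enabled": fields.get("NewEnabled", "1") == "1",
    }


def list_port_mappings(control_url: str, limit: int = 200) -> list:
    """Walk the mapping table index by index until the router answers with a fault."""
    headers = {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{SERVICE_TYPE}#{ACTION}"'}
    mappings = []
    for index in range(limit):
        req = urllib.request.Request(control_url, data=build_request(index), headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                body = resp.read().decode()
        except urllib.error.HTTPError as err:  # HTTP 500 carries the SOAP fault body
            body = err.read().decode()
        entry = parse_mapping(body)
        if entry is None:
            break
        mappings.append(entry)
    return mappings


def flag_risky(mappings: list) -> list:
    """Return (mapping, reason) for each enabled mapping that exposes a LAN-only service."""
    risky = []
    for m in mappings:
        service = LAN_ONLY_PORTS.get(m["internal_port"])
        if m["enabled"] and service:
            risky.append((m, f"{service} on {m['internal_client']}:{m['internal_port']} "
                             f"reachable via WAN port {m['external_port']}/{m['protocol']}"))
    return risky


# Constructed sample: a router's answer for index 0, and the fault it returns past the end.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>3389</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>3389</NewInternalPort><NewInternalClient>192.168.1.20</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>Remote Desktop</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
SAMPLE_FAULT = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>
<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>
<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>
<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>
</detail></s:Fault></s:Body></s:Envelope>"""

if __name__ == "__main__":
    import sys
    # Usage: python upnp_audit.py http://<router-ip>:<port>/<control-path>   (placeholder URL)
    found = list_port_mappings(sys.argv[1]) if len(sys.argv) == 2 else [parse_mapping(SAMPLE_RESPONSE)]
    for _, reason in flag_risky(found):
        print("RISK:", reason)
```

An empty table is the result you want; if UPnP is supposedly disabled and the router still answers these requests, the setting did not take. This only covers IPv4 NAT mappings, so an IPv6 firewall policy still has to be checked separately.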
 

MichaelRSorg

Well-known member
Nov 1, 2020
76
7
RouterSecurity.org
There are options in ShieldsUp to scan any range of ports actually. I'm not sure if there's a limit, but if not, you could scan all the ports!

Does it work with IPv6? Can anyone test that?
ShieldsUp does not work with IPv6.
It does not work with UDP either.
The option to scan a range of ports, scans 1 out of every 65 TCP ports.
Full WAN port scanning needs to be done before a router is connected to the Internet.

ShieldsUp should have ruled the world, but the ports it scans by default have not changed in a decade or so and the world, meanwhile, has changed.
 

MichaelRSorg

Well-known member
Nov 1, 2020
76
7
RouterSecurity.org
You might also want to double-NAT because you are not sure what posture your provider equipment has.....I do this too. And then if you have IoT devices, connect them to the provider box at your perimeter, outside your cosy network :)
Double NATing is indeed a great idea to protect a group of devices behind a second firewall. You put the important devices behind an inner router and the unimportant ones connect to the outside router. Higher-end routers offer VLANs, which are way more flexible.
 

Roger Rabbit

Member
Jan 3, 2021
16
5
I have used RDP to access other computers on my network for decades. Never had an issue. There is no port forwarding enabled on my router, for anything. Oh, and passwords...

There is common sense and paranoia. I won't inconvenience myself to the point I need to go to the basement to check on something on the PC that is managing my personal weather station, and keeping my weather related website current.

Router is also running Firewall, Threat Prevention and Safe Browsing apps, plus being locked down as far as security, with services disabled, passwords, etc.

The only foolproof/bulletproof solution is to pull the plug...
 

PHolder

Well-known member
Sep 16, 2020
719
2
353
Ontario, Canada
If you wanted a different solution than RDP (but probably less convenient), there are a number of systems that use RPis as cheaper IP-based KVM devices. That combined with an actual old-school KVM can allow you to have better access to a "remote" machine. They can actually allow you to enter the BIOS, for example. A friend built one of these https://pikvm.org/ and has had nothing but good things to say about the effectiveness (granted he's an Apple/Mac user mostly, but he does have some Linux in his setup.)
 

BP9906

New member
Nov 25, 2020
1
0
Just like everybody else has said above, any remote access carries its own set of risks. RDP on an internal network is fairly safe but depends on the security of that internal network (other devices, firewall setup, NAT config, etc.). RDP historically has had remote code execution vulnerabilities, so you either secure your internal network, or disable RDP and use another solution. It all depends on your comfort level of risk.