RDP to Blue Iris over LAN – can it be done securely?

NVR990

Young grasshopper
Joined
Apr 28, 2017
Messages
80
Reaction score
17
I want to RDP to my Blue Iris PC, but only within my LAN. RDP opens port 3389 on the “target” PC, and I’ve read that having this port open is not great security practice, because all LAN devices can see this open port, including those that could be malicious/compromised. If I understand correctly, it’s not the port number that is the issue, but rather the service associated with a given port (in this case RDP).

Microsoft’s website has an article showing Windows Firewall config to allow RDP connections only when connections are secure and from a whitelisted IP address. I haven’t yet tried these firewall tweaks with RDP, because I’m wondering if the gurus on this site think that the tweaks are sufficient.

Or are there other concerns with RDP in this use case? (The additional load on the server CPU is not something I’m worried about.)

Thanks!
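For readers who want to try the firewall-scoping approach the question mentions, here is a worked configuration as an added example; it is not from the original post or from Microsoft's article. It assumes an English-language Windows install (the built-in rule group is named "Remote Desktop"), that the admin workstation has the constructed static LAN address 192.168.1.10, and that the Blue Iris PC is on the Private firewall profile. Run it from an elevated PowerShell prompt on the Blue Iris PC.

```powershell
# Added example, not from the original thread. Run elevated on the Blue Iris PC.
# Assumptions: admin workstation is 192.168.1.10 (constructed), English rule names,
# Private firewall profile. Adjust the address and profile to match your LAN.

$AdminHost = "192.168.1.10"   # the only LAN host allowed to open an RDP session

# 1. Make sure RDP is enabled and Network Level Authentication (NLA) is required,
#    so an unauthenticated client never reaches the full login screen.
#    fDenyTSConnections = 0 -> RDP enabled; UserAuthentication = 1 -> NLA required.
$ts  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$tcp = "$ts\WinStations\RDP-Tcp"
Set-ItemProperty -Path $ts  -Name fDenyTSConnections -Value 0
Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1

# 2. Disable the stock "Remote Desktop" rules, which accept 3389 from any address.
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Disable-NetFirewallRule

# 3. Replace them with rules scoped to the single admin host (TCP and UDP 3389).
New-NetFirewallRule -DisplayName "RDP from admin host only (TCP)" `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AdminHost -Profile Private -Action Allow
New-NetFirewallRule -DisplayName "RDP from admin host only (UDP)" `
    -Direction Inbound -Protocol UDP -LocalPort 3389 `
    -RemoteAddress $AdminHost -Profile Private -Action Allow

# 4. Verify: only the two new rules should be enabled for local port 3389.
Get-NetFirewallPortFilter | Where-Object LocalPort -eq 3389 |
    Get-NetFirewallRule | Where-Object Enabled -eq True |
    Select-Object DisplayName, Direction, Action, Profile

# 5. From a LAN host that is NOT 192.168.1.10, this should report
#    TcpTestSucceeded : False (replace the address with the Blue Iris PC's IP):
#   Test-NetConnection -ComputerName 192.168.1.20 -Port 3389
```

The scoping above is the "whitelisted IP address" half of the Microsoft article. The "only when the connection is secure" half maps to adding `-Authentication Required` to `New-NetFirewallRule`, but that option only admits traffic that is already protected by a matching IPsec connection security rule (`New-NetIPsecRule`) between the two machines; without one, the rule simply blocks everything, so set up and test the IPsec rule first if you want that extra layer. Note also that an IP-address whitelist on a LAN only holds against peers that cannot spoof or take over that address, so keep NLA on and use a strong password or a non-administrator RDP account regardless.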

looktall

Getting comfortable
Joined
Sep 3, 2022
Messages
719
Reaction score
971
Location
Australia
Exposing port 3389 to the internet is a bad idea.
Exposing it inside your own lan is fine.

psycik

Getting the hang of it
Joined
Dec 9, 2015
Messages
223
Reaction score
41
Location
Wellington, New Zealand
If you don't already have a VPN (and even then I'd shy away from that, as it means exposing ports), go with Tailscale instead. Connect to Tailscale, then connect to RDP.

NVR990

Young grasshopper
Joined
Apr 28, 2017
Messages
80
Reaction score
17
If you don't already have a VPN (and even then I'd shy away from that, as it means exposing ports), go with Tailscale instead. Connect to Tailscale, then connect to RDP.
Thanks, but there is no need for VPN or Tailscale if I am connecting from within my LAN.

psycik

Getting the hang of it
Joined
Dec 9, 2015
Messages
223
Reaction score
41
Location
Wellington, New Zealand
Thanks, but there is no need for VPN or Tailscale if I am connecting from within my LAN.
Oh, are you only interested in local access? Most of these types of queries relate to access from the internet.

I mean, you can lock your machine down... but if someone's already in your network (assuming you're not in a shared network, e.g. flatmates, school) then you have bigger problems.

NVR990

Young grasshopper
Joined
Apr 28, 2017
Messages
80
Reaction score
17
if someone's already in your network (assuming you're not in a shared network, e.g. flatmates, school) then you have bigger problems.
Agreed. I guess I was thinking that if a LAN gets compromised, then having a device running RDP might make a bad problem worse.

NVR990

Young grasshopper
Joined
Apr 28, 2017
Messages
80
Reaction score
17
Exposing port 3389 to the internet is a bad idea.
Exposing it inside your own lan is fine.
Thanks, I agree that exposing RDP/3389 to the Internet is hazardous. But then it's only "fine" on the LAN if we assume a secure LAN, which is hard to be sure of.

So, in an environment where you can't be 100% certain, is it "safer" to expose RDP (port 3389) or to expose an HTTP service (typically port 80) by running the BI web server?

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,949
Reaction score
6,635
I guess it would be less potential exposure since 80 is only to a web server. But it's also much more limited in terms of what you can do with it. Depends on what you want/need. I run a few other servers on my BI server that I also need to access at times and I want access to the machine at a lower level so I can do things if BI goes down and/or I need to look at services/folders/logs/etc., on that machine for whatever reason. So I do both. But I'm the only one on my internal network.

The Automation Guy

Known around here
Joined
Feb 7, 2019
Messages
1,467
Reaction score
2,924
Location
USA
Keep in mind that if you have another local machine running some sort of virus, it likely would not use RDP to do its damage. There are much simpler ways to get access to your network once hackers pwn another machine on the local network.

Long story short, your concerns are pretty unfounded. DON'T expose your RDP port to the internet by using port forwarding on your router/firewall device and you will be fine.