RDP to Blue Iris over LAN – can it be done securely?

NVR990
Apr 28, 2017
I want to RDP to my Blue Iris PC, but only within my LAN. RDP opens port 3389 on the “target” PC, and I’ve read that having this port open is not great security practice, because all LAN devices can see this open port, including those that could be malicious/compromised. If I understand correctly, it’s not the port number that is the issue, but rather the service associated with a given port (in this case RDP).

Microsoft website has an article showing Windows Firewall config to allow RDP connections only when connections are secure and from a whitelisted IP address. I haven’t yet tried these firewall tweaks with RDP, because I’m wondering if the gurus on this site think that the tweaks are sufficient.

Or are there other concerns with RDP in this use case? (The additional load on the server CPU is not something I’m worried about.)

Thanks!
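The Windows Firewall tightening the question refers to can be scripted instead of clicked through. The following is an added example, not something posted in the thread or taken from the Microsoft article; it assumes the Blue Iris PC sits on a private network and that exactly one workstation, at the made-up address 192.168.1.50, should ever be allowed to open an RDP session. Run it in an elevated PowerShell on the Blue Iris PC.

```powershell
# Added example (not from the thread). Assumed: the only client that should
# reach RDP is 192.168.1.50; change this to the address of your own admin PC.
$AdminPC = '192.168.1.50'

# 1. Disable the stock "Remote Desktop" rules, which admit TCP/UDP 3389 from
#    any address on the active profile.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# 2. Add a replacement rule scoped to the single allowed source address and to
#    the Private profile only. -Authentication Required additionally demands an
#    IPsec-authenticated connection, which is what the Microsoft guidance means
#    by "only allow secure connections"; it only works once a matching IPsec
#    connection security rule exists on both machines, so drop that parameter
#    if you want the address whitelist on its own.
New-NetFirewallRule -DisplayName 'RDP from admin PC only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AdminPC -Profile Private `
    -Authentication Required -Action Allow

# 3. Require Network Level Authentication so a client must authenticate before
#    the server spends resources creating a session.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1

# 4. Verify: show every enabled inbound rule that touches port 3389, with the
#    remote addresses and authentication mode it actually applies.
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Action  = $_.Action
            Remote  = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
            Auth    = ($_ | Get-NetFirewallSecurityFilter).Authentication
            Profile = $_.Profile
        }
    }
```

The verification step at the end is the part worth keeping around: after any Windows update or Blue Iris reinstall, re-run it and confirm that no enabled rule lists `Any` as the remote address for 3389.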
If you don't already have a VPN (and even then I'd shy away from that, as it means exposing ports), go with Tailscale instead. Connect to Tailscale, then connect to RDP.

Thanks, but there is no need for VPN or tailscale if I am connecting from within my LAN.
 
Thanks, but there is no need for VPN or tailscale if I am connecting from within my LAN.
Oh, are you only interested in local access? Most of these types of queries relate to access from the internet.

I mean you can lock your machine down... but if someone's already in your network (assuming you're not in a shared network - flatmates, school) then you have bigger problems.
 
if someone's already in your network (assuming you're not in a shared network - flatmates, school) then you have bigger problems.
Agreed. I guess I was thinking that if a LAN gets compromised, then having a device running RDP might make a bad problem worse.
 
Exposing port 3389 to the internet is a bad idea.
Exposing it inside your own lan is fine.
Thanks, I agree that exposing RDP/3389 to the Internet is hazardous. But then it's only "fine" on the LAN, if we assume a secure LAN -- which is hard to be sure of.

So, in an environment where you can't be 100% certain, is it "safer" to expose RDP (port 3389) or to expose http service (typically port 80) by running the BI webserver?
 
I guess it would be less potential exposure since 80 is only to a web server. But it's also much more limited in terms of what you can do with it. Depends on what you want/need. I run a few other servers on my BI server that I also need to access at times and I want access to the machine at a lower level so I can do things if BI goes down and/or I need to look at services/folders/logs/etc., on that machine for whatever reason. So I do both. But I'm the only one on my internal network.
 
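Before deciding between exposing RDP and exposing the Blue Iris web server, it helps to see how wide each one is actually open today. This added example (not from the thread) lists, for both ports, the listening socket and owning process plus every enabled inbound allow rule that admits traffic to that port, so the answer to "who on the LAN can reach this" is read straight off the machine rather than assumed. It assumes RDP on 3389 and the web server on 80, as discussed above; Blue Iris lets you change its web server port, so adjust `$Ports` to match your configuration.

```powershell
# Added example (not from the thread). Ports assumed: 3389 for RDP, 80 for the
# Blue Iris web server. Edit the list if your BI web server uses another port.
$Ports = 3389, 80

foreach ($p in $Ports) {
    # Which process is listening, and on which local address (0.0.0.0 means all interfaces).
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $p -ErrorAction SilentlyContinue
    if (-not $listeners) {
        "{0,5}  nothing listening" -f $p
    }
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        "{0,5}  listening on {1,-15}  process {2} (PID {3})" -f $p, $l.LocalAddress, $proc.ProcessName, $l.OwningProcess
    }

    # Which enabled inbound allow rules let traffic reach that port, and from where.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains "$p" -or $pf.LocalPort -contains 'Any')
        } |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            "{0,5}  rule '{1}' allows from {2} (profile {3})" -f $p, $_.DisplayName, ($addr -join ','), $_.Profile
        }
}
```

A rule whose remote address prints as `Any` on a port that is listening on `0.0.0.0` is reachable from every host on the LAN; that is the exposure the thread is weighing, and it applies equally to 3389 and to whatever port the web server uses.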
Keep in mind that if you have another local machine running some sort of virus, it likely would not use RDP to do its damage. There are much simpler ways to get access to your network once hackers pwn another machine on the local network.

Long story short, your concerns are pretty unfounded. DON'T expose your RDP port to the internet by using port forwarding on your router/firewall device and you will be fine.
 
Keep in mind that if you have another local machine running some sort of virus, it likely would not use RDP to do its damage. There are much simpler ways to get access to your network once hackers pwn another machine on the local network.

Long story short, your concerns are pretty unfounded. DON'T expose your RDP port to the internet by using port forwarding on your router/firewall device and you will be fine.
Precisely. 3389 usually gets hammered non-stop by various tools that are readily accessible and just waiting for that 1:19B mistake. I go back to school days and start custom port allocation at 10,000, but the last time I've needed to solve for port(3389)&svc(RDP)dest(NVR) is never.

As a sysadmin for 2 decades, just don't do it. Find some other way to solve your problem that doesn't involve a port below 1000, always checking for documentation of use sub-10k.

NAT is barely alive at the need level and doesn't exist within IPv6, so find the solution now, pre-implementation, before ignoring networking 101 as explained numerous times by numerous people.