Best way to secure RDP?


#1

I have replaced my office computer with my Samsung note 8 and their DEX dock. It works well for most things that I need to do at the office. But there are some things that I need windows for so I have a Windows 10 VM that I currently RDP into on my home network. I have the best performance with native RDP I’m open to new solutions, but it would have to have an Android client. I want some advice on the best way to ensure that I’m doing things as secure as possible so here is a basic rundown of my network.

  • Opnsense firewall
    • OpenVPN client which all LAN traffic is routed through
      • Except a few devices managed with Aliases
    • 1 VLAN for IOT things
    • Port forwarding for a few Dockers like plex and nextcloud
    • Port forwarding for RDP to the Windows 10 VM
  • UniFi Switch 16 POE-150W
    • 3 AC PRO access points

Putting the VM on its own VLAN isn’t an option as I want access to my LAN from my VM as I need to take care of things for home from time to time when my wife or kids send request.


#2

The way I see it this wouldn’t be a problem, since you can configure your firewall to allow connections from your VM to your LAN, but you don’t have to allow connections in the opposite direction. Unless, of course, you need layer 2 access.

Just to clarify, do you want to RDP into your VM remotely or from your LAN? If remotely, how do you do it currently?


#3

I am accessing the VM remotely with port forwarding, via Microsoft’s official client for android https://play.google.com/store/apps/details?id=com.microsoft.rdc.android


#4

I read your post 3 times and yet I managed to miss that information facepalm

I believe RDP is encrypted and uses cryptographic certificates for authentication as-is, but I personally don’t trust it enough. My preferred way of logging into remote Windows machines is by using a VPN. I don’t know OPNsense, but if it’s anything like pfsense, creating an OpenVPN server should not be a problem.


#5

We never leave RDP exposed to the world. It’s not that there are any current known issues in a completely patched system, it’s about reducing the attack surface of your network. OpenVPN is well vetted and using that as the means by which you get in to your network means keeps you from worrying about a flaw that may come up in other exposed services.


#6

I’m currently using OpenVPN > RDP and it works great. RDP is pretty lightweight and as such works well over OpenVPN. Android’s OpenVPN app works great, even lets you create a shortcut to insta-connect without having to launch the app. I imported my profile, and it was off to the races!

Hardening OpenVPN is much easier than trying to harden your Windows 10 VM. So I would definitely go this route.


#7

I currently live in a country that uses DPI to block all VPN traffic. So I have a client that is connected via openvpn using XOR patch on opnsense. What I haven’t had time to test is a openvpn server running with xor options on the same box. I may give it a try next weekend.


#8

You could setup a RDS portal and launch RDP through a web browser. This will wrap it in SSL/HTTPS as well as the front-end just being a web server. Reduces the “attack surface”.