Expose remote desktop directly to the internet

Tags: remote desktop, Security

I have a small server behind my router which runs Windows 10. It's pretty easy to set up remote desktop directly to the internet and expose the required port by changing the configuration of the router.

Question: Do I have to be aware of security issues referring to that? I mean my server is at least accessible by everyone who knows a valid username/password combination.

MS just says

If you want to restrict who can access your PC, choose to allow access only with Network Level Authentication (NLA). When you enable this option, users have to authenticate themselves to the network before they can connect to your PC. Allowing connections only from computers running Remote Desktop with NLA is a more secure authentication method that can help protect your computer from malicious users and software. To learn more about NLA and Remote Desktop, check out Configure NLA for RDS Connections.

Best Answer

No serious network administrator would directly expose an RDP server onto the Internet.

If there are any holes/backdoors in it, not only is it "game over" for part of the system (i.e. an inflection point/jump box), but it is an opportunity for DoS attacks and fingerprinting desktop(s) on the LAN, giving unnecessary information away.

Depending on the RDP server and client, it may also be possible to do a MITM (man in the middle) attack. There are various ways this might be done including forcing a protocol downgrade or relying on insecure cryptography. You might find https://labs.portcullis.co.uk/blog/ssl-man-in-the-middle-attacks-on-rdp/ interesting.

A prudent operator might set up a VPN and only allow remote RDP access over that to provide another layer of security, access management, auditing and control.
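The two controls discussed on this page, requiring Network Level Authentication on the listener and only reaching RDP over a VPN, can both be checked and applied from the host itself. The following PowerShell is an added example written for this page; it is not code from the answer above or from Microsoft. It assumes it is run in an elevated PowerShell on the Windows 10 host, that the listener is the default RDP-Tcp one, and that the VPN address range passed as `-VpnSubnet` (the placeholder `10.8.0.0/24` below) is your own tunnel's subnet. `Get-RdpExposure` reports whether Remote Desktop is enabled, whether NLA and TLS are required, which port it listens on and whether the built-in firewall rules accept connections from any address (which, combined with a router port forward, is exactly the direct Internet exposure the answer warns against). `Set-RdpVpnOnlyAccess` enforces NLA and TLS and scopes the firewall rules to the VPN range; it supports `-WhatIf` so you can preview the change first.

```powershell
# Added example (not from the original post or from Microsoft): audit a
# Windows 10 host's RDP exposure and optionally restrict Remote Desktop to a
# VPN subnet. Assumes an elevated session on the host and the default
# RDP-Tcp listener; the VPN subnet is a placeholder you replace with your own.
#Requires -RunAsAdministrator

$script:TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$script:RdpKey = "$script:TsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections = 0 means Remote Desktop is switched on.
    $rdpEnabled = (Get-ItemProperty -Path $script:TsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

    # UserAuthentication = 1 means Network Level Authentication is required:
    # the client must authenticate before any session or logon screen is created.
    $nlaRequired = (Get-ItemProperty -Path $script:RdpKey -Name UserAuthentication).UserAuthentication -eq 1

    # SecurityLayer: 0 = legacy RDP security allowed, 1 = negotiate, 2 = TLS required.
    # Anything below 2 leaves room for the downgrade-style MITM the answer links to.
    $securityLayer = (Get-ItemProperty -Path $script:RdpKey -Name SecurityLayer).SecurityLayer

    # Listener port (3389 by default); this is the port a router forward would expose.
    $port = (Get-ItemProperty -Path $script:RdpKey -Name PortNumber).PortNumber

    # Built-in "Remote Desktop" firewall rules and the remote addresses each accepts.
    # A RemoteAddress of "Any" means the host itself does not limit who may connect.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $_.DisplayName
                Enabled       = ($_.Enabled -eq 'True')
                RemoteAddress = ($addr.RemoteAddress -join ',')
            }
        }

    $openToAny = [bool]($rules | Where-Object { $_.Enabled -and $_.RemoteAddress -eq 'Any' })

    [pscustomobject]@{
        RdpEnabled       = $rdpEnabled
        NlaRequired      = $nlaRequired
        TlsRequired      = ($securityLayer -eq 2)
        SecurityLayer    = $securityLayer
        Port             = $port
        OpenToAnyAddress = $openToAny
        FirewallRules    = $rules
        # Directly exposed to whatever the router forwards, with no host-side limit.
        DirectlyExposed  = ($rdpEnabled -and $openToAny)
    }
}

function Set-RdpVpnOnlyAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Your VPN client address range(s), e.g. '10.8.0.0/24' (placeholder value).
        [Parameter(Mandatory)] [string[]] $VpnSubnet
    )

    # Require NLA and TLS on the listener.
    Set-ItemProperty -Path $script:RdpKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $script:RdpKey -Name SecurityLayer     -Value 2 -Type DWord

    # Scope the Remote Desktop firewall rules to the VPN range so packets from
    # any other source are dropped before they reach the RDP service at all.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $VpnSubnet
}

# Usage (elevated PowerShell):
#   Get-RdpExposure | Format-List
#   Set-RdpVpnOnlyAccess -VpnSubnet '10.8.0.0/24' -WhatIf   # preview only
#   Set-RdpVpnOnlyAccess -VpnSubnet '10.8.0.0/24'           # apply
#   Get-RdpExposure | Select-Object NlaRequired, TlsRequired, OpenToAnyAddress
```

Run `Get-RdpExposure` before and after: on a host that has simply been "switched on" for Remote Desktop, `OpenToAnyAddress` is typically `True`, which is what turns a router port forward into direct Internet exposure. After `Set-RdpVpnOnlyAccess` the rules only accept the VPN subnet, so the router forward is no longer sufficient on its own; the VPN becomes the single entry point where access management and logging live, and the registry settings ensure NLA and TLS are in force even for connections that do arrive over the tunnel. The registry-based checks here are one way to read these settings; the same values are also exposed through the `Win32_TSGeneralSetting` WMI class.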