Yep, very true, there is some level of encryption with RDP, which is definitely far better than nothing. Compared to the improved levels of encryption supported by VPN tunnels when using those as a direct connection between a workstation and server, it isn't good enough anymore IMHO. At least in my mind, though that also gives me an excuse to maintain my OpenVPN Server deployment(s), RDGateway, SSL and SSH access for my various networks.
Not that users will actively pursue the encrypted connection as the weak point, but they can when there are lower levels of encryption in use. Even with VPN tunnels this is the case (looking at you, PPTP... and the folks that still use that...). But rather, the server/system side for access is the weak point. Even that doesn't change the fact that if port 3389 is wide open and the user has an easily guessed access password, it doesn't matter if it is VPN or not. Using an obscure port can only go so far too.
Using NLA and limiting the account(s) that are usable with RDP, along with using complex passwords, can help the access-control side of things. SSL/TLS encryption would be a good way to go too, but for many end users it isn't desirable to set up. Same with RDGateway.
For more info on RDP encryption types that @Ahhzz and I are referring to: https://technet.microsoft.com/en-us/library/ff458357.aspx
You can change the minimal level of RDP encryption following this link; by default, on my Windows 10 laptop in front of me, MinEncryptionLevel has a value of 2, which is client compatible mode.
If one wants to confirm their RDP encryption, there's the Wireshark way, which should work here. There are others when an actual RD server is in use as well, and I'm sure other methods. That's just the one I'm most familiar with in environments where a server isn't hosting/managing RD access. Hardening RDP much beyond registry hacks to force the highest level of encryption again comes down to how you use NLA, what port(s) you decide to use and how often you change it (or not), and other best-practice items like limiting your connection usage.
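An added example (not code from this thread) that audits the RDP-Tcp listener values the post above describes, MinEncryptionLevel along with SecurityLayer and the NLA flag, and with -Fix raises them to a hardened baseline and scopes the inbound RDP firewall rules to a VPN subnet. It assumes an elevated PowerShell on Windows 10 or Server; the 10.8.0.0/24 subnet is a placeholder for your own tunnel network.

```powershell
# Added example, not from the thread. Standard RDP-Tcp listener key; the value
# names below are the documented ones (MinEncryptionLevel is the one the post mentions).
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$EncryptionNames    = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$SecurityLayerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL/TLS' }

function Test-RdpHardening {
    param([switch]$Fix, [string]$VpnSubnet = '10.8.0.0/24')   # placeholder subnet

    $p = Get-ItemProperty -Path $RdpKey
    $findings = @()

    # 1 = Low, 2 = Client Compatible (the Windows 10 default the post reports), 3 = High, 4 = FIPS
    if ($p.MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel=$($p.MinEncryptionLevel) ($($EncryptionNames[[int]$p.MinEncryptionLevel])); want 3 (High) or 4 (FIPS)"
    }
    # 0 = legacy RDP security layer, 1 = negotiate, 2 = require TLS for the whole session
    if ($p.SecurityLayer -lt 2) {
        $findings += "SecurityLayer=$($p.SecurityLayer) ($($SecurityLayerNames[[int]$p.SecurityLayer])); want 2 (SSL/TLS)"
    }
    # UserAuthentication=1 requires Network Level Authentication before a session is created
    if ($p.UserAuthentication -ne 1) {
        $findings += "UserAuthentication=$($p.UserAuthentication); want 1 (NLA required)"
    }
    # Built-in inbound RDP rules: anything other than the VPN subnet means 3389
    # answers wherever the rule allows, which is the "wide open" case in the post
    $wideOpen = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
        Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -ne $VpnSubnet }
    if ($wideOpen) { $findings += "Inbound RDP firewall rules are not restricted to $VpnSubnet" }

    if ($Fix) {
        Set-ItemProperty -Path $RdpKey -Name MinEncryptionLevel -Value 3
        Set-ItemProperty -Path $RdpKey -Name SecurityLayer      -Value 2
        Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1
        Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Set-NetFirewallRule -RemoteAddress $VpnSubnet
    }
    return $findings
}

$result = Test-RdpHardening
if ($result.Count -eq 0) { 'RDP listener matches the hardened baseline' } else { $result }
```

Run it once without -Fix to see what the listener currently allows; the registry changes take effect for new connections after the Remote Desktop Services service restarts, and a client that cannot do NLA or TLS will be refused afterwards.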
So, merely connecting with RDP and having my VPN running on my home server does not necessarily shut them out? I need to instead connect through VPN to my home server from my work computer? ... would this not leave internet history on my work machine? That is why I was mainly going through my home server.
Not that I am looking at bad sites, but they block this site and a few of my knife/gun sites and my woodworking site ... so I am just looking to browse them.
So your VPN is only encrypting your traffic from point A to point B. In your case, point A is your router, point B is the server that your router connects to. Beyond that point your traffic isn't encrypted because it is no longer in the VPN tunnel, so that server's WAN/public-facing IP address is what is seen as your public IP address in many cases, but not all. So keep that in mind: when it is out of the VPN tunnel, it isn't encrypted by the VPN any longer. The trick is knowing where the VPN starts and ends.
The way I use a VPN tunnel is I host my OpenVPN server on my pfSense gateway. I then have a user account set up with a secure password, and I use the OpenVPN Windows software (or Tunnelblick for OSX, iirc) to connect to it. That means that traffic from my workstation to my router is encrypted. I then have access to my LAN and can RDP onto any system on my network I have RDP set up for, rather than using a public-facing port for that; my public-facing port is 1194 (well, not anymore) for OpenVPN. 3389 is blocked over WAN.
I decide to run AES256 and SHA256 for crypto, an RSA 2048-bit key, along with TLS HMAC and control channel encryption. My performance is good enough to saturate my connection, and I could really amp up my keys if I felt inclined that my tunnel might be compromised.
I've seen situations where RDP user accounts have been hacked, where RD sessions have been accessed because of weak credentials, and the destruction that is caused when someone with malicious intent accesses a site that didn't manage it correctly. It is ugly, messy and you hope that they maintained backups.
Something else to keep in mind, as mentioned above if they have monitoring software on your terminal at work, then it doesn't matter if you're encrypted or not, they're able to see it because they have terminal (system access) to your workstation and can see what you're doing, and even take it over. Then add to that DPI which allows them to break down network traffic into categories, software, usage, bandwidth, etc...they can track down who is doing what in various ways. Add to that someone looking even further with Wireshark and the ability to use it correctly, finding out what's happening on a network is very accessible.
Even in my situation above where I use my VPN tunnel as a "road warrior" configuration (client to server), if I'm on a work PC that has monitoring management deployed to it, and I use my VPN connection, I'm essentially handing the keys of the castle over to those that can take control of my workstation because they have terminal access. So use what you need when you need it, but don't leave it enabled, don't save passwords to your remote resources, and use strong passwords.
But I'd rather have my VPN tunnel set up the way it is, or even higher levels of encryption, certs and keys, to make sure that I'm not relying on the lower encryption levels of RDP nor having any more ports than necessary open on my WAN-facing side.
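The road-warrior setup and crypto choices described in the post above (AES256, SHA256, RSA 2048-bit key, TLS HMAC plus control channel encryption, port 1194, RDP reachable only through the tunnel), written out as an OpenVPN server configuration. This is an added example, not the poster's actual pfSense configuration; the file names, the 10.8.0.0/24 tunnel subnet and the 192.168.1.0/24 LAN are placeholders.

```conf
# Added example (constructed), not the thread's own config.
port 1194                      # the only WAN-facing port; 3389 stays blocked on the firewall
proto udp
dev tun

ca   ca.crt                    # placeholder file names
cert server.crt
key  server.key                # RSA 2048-bit server key, as in the post
dh   dh2048.pem

server 10.8.0.0 255.255.255.0  # placeholder tunnel subnet
topology subnet
push "route 192.168.1.0 255.255.255.0"   # placeholder LAN; RDP to 3389 goes over the tunnel only

cipher AES-256-GCM             # data channel: AES-256 (AES-256-CBC for older clients)
auth   SHA256                  # HMAC algorithm for packet authentication
tls-crypt ta.key               # TLS key authenticates AND encrypts the control channel
                               # (tls-auth ta.key 0 would give HMAC only)
tls-version-min 1.2
remote-cert-tls client         # refuse a client that presents a server certificate

# Certificate plus the per-user account/password the post describes
verify-client-cert require
auth-user-pass-verify /etc/openvpn/check-user.sh via-env   # placeholder script
script-security 2

user  nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
verb 3
```

On pfSense the same choices are made in the OpenVPN server page (Encryption Algorithm, Auth digest, TLS key usage mode set to encryption and authentication), and the separate WAN rule that drops 3389 is what keeps RDP reachable only from inside the tunnel.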