Windows Remote Desktop Security?

I have read alot of information about remote desktop and i see it has security issuses. When users want to work from home, Administrators have to open port 3389 on there routers firewall and foward that port to the users workstation ip address. Then hackers can use NMAP to scan for the port 3389 and attack remote desktop with certain applications. My question is what if you never open port 3389 on your routers firewall and only use Remote Desktop on your Local Area Network and not over the Internet using your external IP address, are you still at risk to be attacked? And if so, How?