Ensure RDP Internet access is restricted

ID

rdp_access_restricted

Severity

critical

Vendor

Azure

Resource

Networking

Tags

reachable

Description

Remote Desktop Protocol Internet access is not restricted.

Running a well-configured RDP server is not easy. Exposing TCP port 3389 (the default RDP port) to the Internet lets an attacker brute force or password-spray logins on the Azure Virtual Machine and, once inside, potentially gain access to the entire virtual network.

If you do need RDP access to a virtual machine for whatever reason, restrict it solely to known static IP addresses (for example, the egress range of a corporate VPN or a jump host). Limit the source address list to known hosts, services, or specific users only; a source of "*", "0.0.0.0/0" or the "Internet" service tag leaves the port open to everyone.

Examples

ARM

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [{
    "name": "bad", (1)
    "type": "Microsoft.Network/networkSecurityGroups",
    "location": "[resourceGroup().location]",
    "apiVersion": "2021-04-01",
    "properties": {
      "securityRules": [{
        "name": "insecure",
        "properties": { (2)
          "priority": 1000,
          "access": "Allow",
          "direction": "Inbound",
          "destinationPortRange": "3389",
          "protocol": "Tcp",
          "sourceAddressPrefix": "*",
          "sourcePortRange": "0-65535",
          "destinationAddressPrefix": "*"
        }
      }]
    }
  }]
}
```
1 A network security group that does not restrict RDP access from the Internet.
2 A rule allowing inbound TCP connections to port 3389 from any source address ("*").
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [{
    "name": "[concat(parameters('nsgName'), '/bad')]", (1)
    "type": "Microsoft.Network/networkSecurityGroups/securityRules",
    "apiVersion": "2021-04-01",
    "properties": { (2)
      "protocol": "Tcp",
      "sourcePortRange": "*",
      "destinationPortRange": "3389",
      "sourceAddressPrefix": "*",
      "destinationAddressPrefix": "*",
      "access": "Allow",
      "priority": 100,
      "direction": "Inbound"
    }
  }]
}
```
1 The same misconfiguration expressed as a standalone securityRules child resource (named "<nsg>/<rule>", so it attaches to an existing network security group); it does not restrict RDP access from the Internet.
2 Properties allowing inbound TCP connections to port 3389 from any source address.

Terraform

```hcl
resource "azurerm_network_security_rule" "rdp" {
  name                        = "rdp-open-to-internet"
  access                      = "Allow"
  direction                   = "Inbound"
  network_security_group_name = azurerm_network_security_group.group.name
  priority                    = 100
  protocol                    = "Tcp"
  resource_group_name         = azurerm_resource_group.resource_group.name
  source_port_range           = "*"
  destination_address_prefix  = "*"

  destination_port_range  = "3389"     (1)
  source_address_prefix   = "Internet" (2)
}
```
1 RDP port (3389) …
2 … opened to the whole Internet through the "Internet" service tag.

Mitigation / Fix

Buildtime

ARM

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [{
    "name": "[concat(parameters('nsgName'), '/good')]",
    "type": "Microsoft.Network/networkSecurityGroups/securityRules",
    "apiVersion": "2021-04-01",
    "properties": {
      "protocol": "Tcp",
      "sourcePortRange": "*",
      "destinationPortRange": "3389",
      "sourceAddressPrefix": "[parameters('ipRange')]", (1)
      "destinationAddressPrefix": "[parameters('addressPrefix')]",
      "access": "Allow",
      "priority": 100,
      "direction": "Inbound"
    }
  }]
}
```
1 Restrict RDP (TCP/3389) solely to known static IP addresses, supplied here through the ipRange parameter. Limit the access list to known hosts, services, or specific users only; passing "*", "0.0.0.0/0" or the "Internet" service tag as ipRange defeats the fix.

Terraform

```hcl
resource "azurerm_network_security_rule" "rdp" {
  name                        = "rdp-restricted"
  access                      = "Allow"
  direction                   = "Inbound"
  network_security_group_name = azurerm_network_security_group.group.name
  priority                    = 100
  protocol                    = "Tcp"
  resource_group_name         = azurerm_resource_group.resource_group.name
  source_port_range           = "*"
  destination_address_prefix  = "*"

  destination_port_range  = "3389"
  source_address_prefix   = "10.0.0.0/16" (1)
}
```
1 Fixed: RDP is reachable only from the internal 10.0.0.0/16 segment (for example a jump-host subnet); Internet sources no longer match the rule.

Runtime

Azure Portal

To check this in the Azure Portal, open each Virtual Machine, go to Networking, and verify that the Inbound port rules list contains no Allow rule for RDP (TCP 3389) whose source is Any or Internet.

CLI Command

List the Network Security Groups together with their non-default security rules:

$ az network nsg list --query '[*].[name,securityRules]' -o json

Ensure that no Network Security Group has a security rule combining all of the following:

  • "access" : "Allow"

  • "direction" : "Inbound"

  • "protocol" : "Tcp" or "*"

  • "destinationPortRange" : "3389" or "*" or a port range containing 3389 (check the plural "destinationPortRanges" as well)

  • "sourceAddressPrefix" : "*" or "0.0.0.0" or "0.0.0.0/0" or "/0" or "Internet" or "any" (check the plural "sourceAddressPrefixes" as well)
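The checklist above is easy to apply by hand to one NSG and tedious across a subscription. The following Python script, an added example that is not part of the original page or of the az CLI, applies it to the JSON that "az network nsg list -o json" emits (the CLI flattens each rule's properties onto the rule object, which is the shape assumed here). It handles the port-range and plural-field cases from the list, and the NSG data embedded in it is constructed for illustration, not real Azure output.

```python
"""Flag NSG rules that expose RDP (TCP/3389) inbound from the Internet.

Added example, not part of the original page or of the az CLI. It reads the
JSON produced by `az network nsg list -o json` (rule properties are flattened
onto each rule object, which is how the az CLI emits them). The NSG data
below is constructed for illustration only.
"""
import json
import sys

RDP_PORT = 3389

# Source prefixes that mean "anyone on the Internet" (compared case-insensitively).
ANY_SOURCES = {"*", "0.0.0.0", "0.0.0.0/0", "/0", "internet", "any"}


def port_range_contains(port_range, port):
    """True if one NSG port spec ("*", "3389" or "3000-4000") covers `port`."""
    port_range = port_range.strip()
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = port_range.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(port_range) == port


def rule_ports(rule):
    """Destination ports from both the singular and the plural field."""
    ports = [rule["destinationPortRange"]] if rule.get("destinationPortRange") else []
    return ports + list(rule.get("destinationPortRanges") or [])


def rule_sources(rule):
    """Source prefixes from both the singular and the plural field."""
    srcs = [rule["sourceAddressPrefix"]] if rule.get("sourceAddressPrefix") else []
    return srcs + list(rule.get("sourceAddressPrefixes") or [])


def rule_exposes_rdp(rule):
    """Allow + Inbound + TCP/any + a port range covering 3389 + Internet-wide source."""
    if (rule.get("access") or "").lower() != "allow":
        return False
    if (rule.get("direction") or "").lower() != "inbound":
        return False
    if (rule.get("protocol") or "").lower() not in ("tcp", "*"):
        return False
    if not any(port_range_contains(p, RDP_PORT) for p in rule_ports(rule)):
        return False
    return any(s.strip().lower() in ANY_SOURCES for s in rule_sources(rule))


def find_exposed_rdp(nsgs):
    """Return (nsg name, rule name) for every offending rule.

    Each rule is judged on its own: a Deny rule with a lower priority number
    would override an offending Allow at runtime, but the benchmark still
    wants the Allow rule removed, so it is reported regardless.
    """
    return [
        (nsg["name"], rule["name"])
        for nsg in nsgs
        for rule in nsg.get("securityRules") or []
        if rule_exposes_rdp(rule)
    ]


# Constructed sample in the shape of `az network nsg list -o json` (not real data).
SAMPLE_NSGS = json.loads("""
[
  {"name": "nsg-web", "securityRules": [
    {"name": "allow-rdp-any", "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
     "priority": 100, "destinationPortRange": "3389", "sourceAddressPrefix": "*"},
    {"name": "allow-https", "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
     "priority": 110, "destinationPortRange": "443", "sourceAddressPrefix": "Internet"}
  ]},
  {"name": "nsg-app", "securityRules": [
    {"name": "allow-mgmt-range", "access": "Allow", "direction": "Inbound", "protocol": "*",
     "priority": 200, "destinationPortRanges": ["3000-4000"], "sourceAddressPrefixes": ["Internet"]},
    {"name": "rdp-from-jump", "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
     "priority": 210, "destinationPortRange": "3389", "sourceAddressPrefix": "10.0.0.0/16"}
  ]},
  {"name": "nsg-db", "securityRules": [
    {"name": "deny-rdp", "access": "Deny", "direction": "Inbound", "protocol": "Tcp",
     "priority": 100, "destinationPortRange": "3389", "sourceAddressPrefix": "*"}
  ]}
]
""")


if __name__ == "__main__":
    # Usage: az network nsg list -o json > nsgs.json && python3 check_rdp.py nsgs.json
    # With no argument the constructed sample is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            nsgs = json.load(fh)
    else:
        nsgs = SAMPLE_NSGS
    findings = find_exposed_rdp(nsgs)
    for nsg_name, rule_name in findings:
        print(f"FAIL {nsg_name}/{rule_name}: RDP (TCP/3389) allowed inbound from the Internet")
    sys.exit(1 if findings else 0)
```

On the sample, the script reports nsg-web/allow-rdp-any and nsg-app/allow-mgmt-range (the latter because a protocol of "*" and the range 3000-4000 cover TCP/3389 and the "Internet" service tag is an Internet-wide source), while the rule restricted to 10.0.0.0/16, the HTTPS rule and the Deny rule pass. The non-zero exit status makes it usable as a CI or scheduled compliance gate.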