Ensure that RDP access from the Internet is evaluated and restricted

The potential security problem with using RDP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.

Risk Level: High
Cloud Entity: Network security group
CloudGuard Rule ID: D9.AZU.NET.26
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

NetworkSecurityGroup should not have inboundSecurityRules contain [ destinationPortRanges contain [ destinationPort<=3389 and destinationPortTo>=3389 ] and protocol in ('TCP','All') and action='ALLOW' and sourceAddressPrefixes contain [ '0.0.0.0/0' ] ]
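The GSL rule above flags any inbound Allow rule whose destination port range covers 3389, whose protocol is TCP or All, and whose source prefix is 0.0.0.0/0. The following Python is an added example, not CloudGuard's own evaluator, that applies the same logic to a network security group in the shape Azure returns (constructed sample data, with the ARM property names destinationPortRange/destinationPortRanges, sourceAddressPrefix/sourceAddressPrefixes, protocol, access and direction). As an assumption that goes slightly beyond the page's rule, it also treats the Azure wildcard source `*`, the `Internet` service tag and any zero-length prefix such as `::/0` as Internet-wide sources.

```python
import ipaddress

RDP_PORT = 3389
# Sources that mean "any address on the Internet" (assumption: the page's rule
# checks only 0.0.0.0/0; the others are Azure equivalents added here).
INTERNET_SOURCES = {"0.0.0.0/0", "*", "Internet"}

# Constructed sample NSG, not taken from the page: the first rule opens a port
# range covering RDP to the whole Internet, the second restricts it to one /24.
SAMPLE_NSG = {
    "name": "example-nsg",
    "securityRules": [
        {
            "name": "allow-mgmt-range-any",
            "priority": 300,
            "direction": "Inbound",
            "access": "Allow",
            "protocol": "Tcp",
            "sourceAddressPrefix": "0.0.0.0/0",
            "destinationPortRange": "3000-4000",
        },
        {
            "name": "allow-rdp-office",
            "priority": 310,
            "direction": "Inbound",
            "access": "Allow",
            "protocol": "Tcp",
            "sourceAddressPrefixes": ["203.0.113.0/24"],
            "destinationPortRanges": ["3389"],
        },
        {
            "name": "deny-rdp-any",
            "priority": 320,
            "direction": "Inbound",
            "access": "Deny",
            "protocol": "*",
            "sourceAddressPrefix": "*",
            "destinationPortRange": "3389",
        },
    ],
}


def _port_range_covers(port_range, port):
    """True if an Azure port spec ('*', '3389' or '3000-4000') includes port."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = port_range.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(port_range) == port


def _values(rule, single_key, plural_key):
    """Merge the singular and plural forms of an NSG rule property."""
    values = list(rule.get(plural_key) or [])
    if rule.get(single_key):
        values.append(rule[single_key])
    return values


def _is_internet_source(prefix):
    """True for 0.0.0.0/0, '*', the Internet tag, or any zero-length CIDR."""
    if prefix in INTERNET_SOURCES:
        return True
    try:
        network = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False  # some other service tag, not a CIDR
    return network.prefixlen == 0


def rule_exposes_rdp(rule):
    """Mirror the GSL condition: inbound, Allow, TCP or All, port 3389, any source."""
    return (
        rule.get("direction") == "Inbound"
        and rule.get("access") == "Allow"
        and str(rule.get("protocol", "")).lower() in ("tcp", "*", "all")
        and any(_port_range_covers(r, RDP_PORT)
                for r in _values(rule, "destinationPortRange", "destinationPortRanges"))
        and any(_is_internet_source(p)
                for p in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"))
    )


def find_rdp_exposures(nsg):
    """Return the names of every rule in the NSG that the check would flag."""
    return [r["name"] for r in nsg.get("securityRules", []) if rule_exposes_rdp(r)]


if __name__ == "__main__":
    for name in find_rdp_exposures(SAMPLE_NSG):
        print(f"{SAMPLE_NSG['name']}: rule '{name}' allows RDP from the Internet")
```

Like the GSL rule, this evaluates each rule on its own and does not consider priority ordering, so a Deny rule with a lower priority number than the offending Allow would still leave the Allow flagged; that is the conservative behaviour for a compliance check, and the remediation below is to narrow the Allow rule itself rather than rely on a Deny in front of it.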

REMEDIATION

Azure Console:

  1. Navigate to 'All services'
  2. Navigate to Networking, and select 'Network security groups'
  3. Select the Network security group to be modified
  4. Under Settings, select 'Inbound security rules'
  5. Select the rule to be modified and edit it to allow only specific IP addresses or protocols

Network security group

You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CloudGuard Best Practices
  • Azure CloudGuard CheckUp
  • Azure HITRUST v9.5.0
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset
  • Microsoft Cloud Security Benchmark