Ensure That RDP Access Is Restricted From the Internet

Risk Level: High
Cloud Entity: GCP Security Group
CloudGuard Rule ID: D9.GCP.NET.13
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

GcpSecurityGroup should not have inboundRules contain [ destinationPort=3389 and source='0.0.0.0/0' ]

REMEDIATION

From Portal

Go to VPC Network.
Go to the Firewall Rules.
Click the Firewall Rule you want to modify.
Click Edit.
Modify Source IP ranges to specific IP.
Click Save.

From TF
Set deny bucket to be equal to protocol:tcp, port:3389:

resource 'google_compute_firewall' 'default' {
	...
	deny {
		protocol = 'tcp'
		ports    = ['3389']
	}
	...
}

From Command Line
Run

gcloud compute firewall-rules update FIREWALL_NAME --rules=PROTOCOL:PORT-PORT

References

GCP Security Group

Google Cloud Platform (GCP) firewall rules let you allow or deny traffic to and from your virtual machine (VM) instances based on a configuration you specify. GCP firewall rules are applied at the virtual networking level, so they provide effective protection and traffic control regardless of the operating system your instances use.
The concept of security group is created in Dome9 compliance engine as a more flexible firewall grouping mechanism. Firewall rules can be assigned in one of the following modes: all instances in the network; instances by target tags; instances by target service account. In the compliance engine we grouped these rules by tags.

Compliance Frameworks

CloudGuard GCP All Rules Ruleset
GCP CIS Controls V 8
GCP CIS Foundations v. 1.0.0
GCP CIS Foundations v. 1.1.0
GCP CIS Foundations v. 1.2.0
GCP CIS Foundations v. 1.3.0
GCP CIS Foundations v. 2.0
GCP CloudGuard Best Practices
GCP CloudGuard Network Security
GCP GDPR Readiness
GCP HIPAA
GCP ISO 27001:2013
GCP LGPD regulation
GCP MITRE ATT&CK Framework v12.1
GCP NIST 800-53 Rev 4
GCP NIST 800-53 Rev 5
GCP NIST CSF v1.1
GCP PCI-DSS 3.2
GCP PCI-DSS 4.0

Updated 7 months ago