Virtual Network security groups should not permit ingress from '0.0.0.0/0' to TCP port 3389 (RDP)
Description
Exposing RDP to the Internet lets attackers brute-force or password-spray credentials against Azure Virtual Machines, and unpatched RDP services have also been a target for direct exploitation. Once an attacker has a session on one VM, they can use it as a launch point for compromising other machines on the Azure Virtual Network, or for attacking networked devices outside of Azure. Restrict RDP to known management address ranges (a corporate network, a VPN or Azure Bastion subnet), or remove the rule entirely.
Remediation Steps
Azure Portal
Navigate to Virtual Machines and select the VM that has the problem.
In the left navigation, select Networking.
Select the Inbound port rules tab and delete any Allow rule whose destination port is 3389 (or a range or '*' that includes it) and whose source is shown as 'Any', 'Internet' or '0.0.0.0/0'. This tab merges rules from the NSG on the NIC and the NSG on the subnet, so check which NSG the offending rule belongs to before deleting it.
Azure CLI
Remove the rule(s) that permit ingress from ‘0.0.0.0/0’ to TCP port 3389 (RDP):
az network nsg rule delete -g MyResourceGroup --nsg-name MyNsg -n MyNsgRule
Azure Resource Manager
Ensure that a Microsoft.Network/networkSecurityGroups/securityRules resource, or a securityRules entry inside Microsoft.Network/networkSecurityGroups, does NOT contain all of the following in a rule with "direction": "Inbound" and "access": "Allow":
"sourceAddressPrefix" (or any entry of "sourceAddressPrefixes"):
"*"
or "0.0.0.0" or "0.0.0.0/0"
or "Internet"
or "Any"
"destinationPortRange" (or any entry of "destinationPortRanges"):
"3389"
or "*"
or a range that includes 3389, for example "3000-4000"
Example Configuration
{
  "type": "Microsoft.Network/networkSecurityGroups/securityRules",
  "apiVersion": "2021-03-01",
  "name": "MyNsg/allow-mgmt-from-corp",
  "properties": {
    "direction": "Inbound",
    "access": "Allow",
    "protocol": "Tcp",
    "priority": 100,
    "sourceAddressPrefixes": ["10.0.0.0/16"],
    "sourcePortRange": "*",
    "destinationAddressPrefix": "*",
    "destinationPortRanges": ["22-1024"]
  }
}
Terraform
Ensure that an azurerm_network_security_rule, or a security_rule block in azurerm_network_security_group, does NOT contain all of the following in a rule with direction = "Inbound" and access = "Allow":
source_address_prefix (or any entry of source_address_prefixes) = "*" or "0.0.0.0" or "0.0.0.0/0" or "Internet" or "Any"
destination_port_range (or any entry of destination_port_ranges) = "3389" or "*" or a range that includes 3389
Example Configuration
resource "azurerm_network_security_rule" "example" {
  direction              = "Inbound"
  access                 = "Allow"
  protocol               = "Tcp"
  source_address_prefix  = "10.0.0.0/16"
  source_port_range      = "*"
  destination_port_range = "22-1024"
  # other required fields here (name, priority, destination_address_prefix,
  # resource_group_name, network_security_group_name)
}