Network firewall rules should not permit ingress from the internet to port 3389 (RDP)

If RDP is open to the internet, attackers can attempt to gain access to VM instances. Removing unfettered connectivity to remote console services, such as RDP, reduces a server’s exposure to risk.

Remediation Steps

Google Cloud Console

  • Navigate to VPC networks.

  • In the left navigation, select Firewall.

  • Click the firewall rule that has Protocols/ports set to “tcp:3389” and whose Filters show an IP range that is open to the internet.

  • Click EDIT.

  • Modify Source IP ranges to the specific IP address or range that should be allowed to reach RDP.

  • Click Save.

gcloud CLI

  • To update a firewall with a new source IP range:

    • gcloud compute firewall-rules update FIREWALL_NAME --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]
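The console steps above are a manual search for one offending rule. As an added example that is not part of this page, the Python below audits a whole rule set for the same condition and prints the gcloud remediation command from the step above for each finding. It assumes the JSON shape produced by `gcloud compute firewall-rules list --format=json` (the Compute Engine firewall resource fields `name`, `direction`, `disabled`, `sourceRanges` and `allowed`); the rule names, the `203.0.113.0/24` range and the `ALLOWED_CIDR` placeholder are constructed for the sample. It goes slightly beyond the page by also catching port ranges that include 3389, `all`-protocol rules, and the IPv6 any-address range `::/0`.

```python
import json

RDP_PORT = 3389
# 0.0.0.0/0 (all IPv4) and ::/0 (all IPv6) mean "any source on the internet".
OPEN_TO_INTERNET = {"0.0.0.0/0", "::/0"}


def port_spec_covers(spec, port):
    """True if a Compute Engine 'ports' entry ("3389" or "3000-4000") includes port."""
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def allows_tcp_port(rule, port):
    """True if any 'allowed' entry of the rule admits TCP traffic to port."""
    for entry in rule.get("allowed", []):
        proto = entry.get("IPProtocol", "").lower()
        if proto not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:
            # No 'ports' key means every port of that protocol is allowed.
            return True
        if any(port_spec_covers(p, port) for p in ports):
            return True
    return False


def exposed_rdp_rules(rules):
    """Names of enabled INGRESS rules that allow TCP/3389 from the whole internet."""
    findings = []
    for rule in rules:
        if rule.get("disabled"):
            continue
        if rule.get("direction", "INGRESS") != "INGRESS":
            continue
        sources = set(rule.get("sourceRanges", []))
        if sources & OPEN_TO_INTERNET and allows_tcp_port(rule, RDP_PORT):
            findings.append(rule["name"])
    return findings


def remediation_command(rule_name, allowed_cidr="ALLOWED_CIDR"):
    """Build the page's gcloud update command for one rule. ALLOWED_CIDR is a
    placeholder the operator replaces with the specific range that may reach RDP."""
    return (f"gcloud compute firewall-rules update {rule_name} "
            f"--allow=tcp:{RDP_PORT} --source-ranges={allowed_cidr}")


# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
# (real field names, made-up rule names; 203.0.113.0/24 is a documentation range).
SAMPLE_RULES_JSON = """[
  {"name": "allow-rdp-anywhere", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
  {"name": "allow-rdp-corp", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
  {"name": "allow-wide-range", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
  {"name": "allow-all-disabled", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
  {"name": "allow-rdp-v6", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["::/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
  {"name": "allow-udp-only", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "udp", "ports": ["3389"]}]}
]"""


def load_sample_rules():
    """Parse the constructed sample; on a real project, json.load the gcloud output instead."""
    return json.loads(SAMPLE_RULES_JSON)


if __name__ == "__main__":
    for name in exposed_rdp_rules(load_sample_rules()):
        print(f"{name}: RDP open to the internet -> {remediation_command(name)}")
```

Running the script flags allow-rdp-anywhere, allow-wide-range and allow-rdp-v6 and leaves the corporate-range, disabled and UDP-only rules alone. Note that `--source-ranges` on `gcloud compute firewall-rules update` replaces the rule's existing source ranges rather than appending to them, which is what the remediation wants: the open range disappears and only the specific range remains.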