Azure RDP Internet access is not restricted
Description
A potential security problem using RDP over the Internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network. The attackers could also access and attack networked devices outside of Azure. We recommend you disable RDP access over the internet to Network Security Groups.
Code Example
resource "azurerm_network_security_rule" "example" {
...
- access = "Allow"
- protocol = "TCP"
- destination_port_range = ["3389" / <port range including 3389>]]
- source_address_prefix = "*" / "0.0.0.0" / "<nw>/0" / "/0" / "internet" / "any"
...
}Remediation
- Azure Portal To change the policy using the Azure Portal, follow these steps:*
. Log in to the Azure Portal at https://portal.azure.com.
. For each VM, open the * Networking* blade.
. Verify that the* INBOUND PORT RULES** does not have a rule for RDP. + For example: +
- Port = 3389
- Protocol = TCP
Source = Any OR Internet
CLI Command*
To list Network Security Groups with the corresponding non-default Security rules, use the following command: `az network nsg list --query [*].[name,securityRules]` Ensure that the NSGs do not have any of the following security rules:
- "access" : "Allow"
- "destinationPortRange" : "3389" or "*" or "[port range containing 3389]"
- "direction" : "Inbound"
- "protocol" : "TCP"
- "sourceAddressPrefix" : "*" or "0.0.0.0" or "+++ & lt;nw> +++ /0" or "/0" or "internet" or "any"+++ & lt;/nw>+++ === Fix - Buildtime
Terraform
- Resource: azurerm_network_security_rule
- Arguments: access + protocol + destination_port_range + source_address_prefix
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0520 |
| Severity | HIGH |
| IaC Type | arm |
| Frameworks | ARM, |
| Checkov ID | CKV_AZURE_9 |