Azure Introduction
Azure Pricing
Azure Threats
Unrestricted RDP Access
More Info:
Ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 3389 in order to protect against attackers that use brute force techniques to gain access to the Azure virtual machines associated with the NSGs. TCP port 3389 is used for secure remote GUI login to Microsoft VMs by connecting a Remote Desktop Protocol (RDP) client application with an RDP server.
Risk Level
High
Address
Security
Compliance Standards
CISAZURE, CBP, SOC2, PCIDSS, ISO27001, HIPAA, HITRUST, GDPR, NISTCSF, FedRAMP
Triage and Remediation
Remediation
To remediate the unrestricted RDP access issue in Azure, you can follow the below steps:
- Login to the Azure portal (https://portal.azure.com/)
- Select the virtual machine that has unrestricted RDP access.
- Click on the “Networking” option from the left-hand side menu.
- Under the “Inbound port rules” section, click on “Add inbound port rule”.
- In the “Add inbound security rule” blade, provide the following details:
- Name: Enter a name for the rule (e.g. RDP Restricted)
- Priority: Set a priority number for the rule (e.g. 100)
- Source: Select “IP Addresses” and enter the IP address range that you want to allow RDP access from. If you want to allow RDP access from a specific IP address, enter that IP address.
- Protocol: Select “TCP”
- Destination port ranges: Enter “3389”
- Action: Select “Allow”
- Description: Enter a description for the rule (optional)
- Click on “Add” to create the rule.
- Once the rule is created, delete the existing rule that allows unrestricted RDP access.
- To delete the existing rule, click on the rule in the “Inbound port rules” section, and then click on the “Delete” button.
By following these steps, you can remediate the unrestricted RDP access issue in Azure.
The following steps can be taken to remediate unrestricted RDP access in Azure using Azure CLI:
- Open the Azure CLI command prompt.
- Run the following command to get the list of virtual machines in the subscription:
az vm list
- Identify the virtual machine(s) that have unrestricted RDP access.
- Run the following command to restrict RDP access to a specific IP address range:
az vm open-port --port 3389 --resource-group <resource-group-name> --name <vm-name> --priority 1001 --source-address-prefixes <ip-address-range> --protocol tcp
Note: Replace <resource-group-name>
with the name of the resource group where the virtual machine is located, <vm-name>
with the name of the virtual machine, and <ip-address-range>
with the IP address range that should be allowed RDP access.
- Verify that RDP access is now restricted to the specified IP address range by attempting to connect to the virtual machine from a different IP address.
By following these steps, you can remediate unrestricted RDP access in Azure using Azure CLI.
To remediate the unrestricted RDP access issue in Azure using Python, you can use the Azure SDK for Python. Here are the steps to follow:
- Install the Azure SDK for Python using the following command:
pip install azure-mgmt-compute
-
Authenticate with Azure using the Azure CLI or Service Principal credentials.
-
Use the following code to retrieve the virtual machine:
from azure.mgmt.compute import ComputeManagementClient
from azure.identity import AzureCliCredential
credential = AzureCliCredential()
subscription_id = '<your-subscription-id>'
resource_group_name = '<your-resource-group-name>'
vm_name = '<your-vm-name>'
compute_client = ComputeManagementClient(credential, subscription_id)
vm = compute_client.virtual_machines.get(resource_group_name, vm_name, expand='instanceView')
- Check if the virtual machine has any inbound rules that allow RDP access:
rdp_rule = None
for rule in vm.network_profile.network_interfaces[0].ip_configurations[0].load_balancer_backend_address_pools[0].backend_ip_configurations[0].load_balancer_inbound_nat_rules:
if rule.protocol == 'tcp' and rule.backend_port == 3389:
rdp_rule = rule
break
if rdp_rule:
print('RDP access is allowed')
else:
print('RDP access is not allowed')
- If the virtual machine has an inbound rule that allows RDP access, remove the rule using the following code:
if rdp_rule:
lb_client = NetworkManagementClient(credential, subscription_id)
lb_name = vm.network_profile.network_interfaces[0].ip_configurations[0].load_balancer_backend_address_pools[0].load_balancer.id.split('/')[-1]
rule_name = rdp_rule.id.split('/')[-1]
lb_client.load_balancer_inbound_nat_rules.delete(resource_group_name, lb_name, rule_name)
print('RDP access rule has been removed')
else:
print('RDP access is not allowed')
Note: This code assumes that the virtual machine is behind a load balancer and the inbound rule that allows RDP access is a NAT rule. If your virtual machine is not behind a load balancer, you need to modify the code accordingly.