azure-network-public-rdp
Ensure that RDP access is restricted from the internet
When a Windows virtual machine is created through the Azure portal, the default network security group (NSG) allows inbound RDP (Remote Desktop Protocol, TCP port 3389) from any source address, so the VM is reachable over RDP from any IP on the internet. Exposed RDP endpoints are continuously scanned and brute-forced; an attacker who obtains a session on one VM can use it as a launch point for further attacks inside your network.
Make sure that no NSG rule allows inbound traffic to port 3389 from an unrestricted source (`*`, `0.0.0.0/0`, or the `Internet` service tag). Keep in mind that a wildcard or wide destination port range (`*`, `3000-4000`) includes 3389 even though the port is never named, and that NSG rules are evaluated in priority order (lowest number first), so an Allow with a lower priority number than your Deny still wins. If RDP is needed, allow it only from known management addresses, or reach the VM through a bastion host or VPN and keep the port closed to the internet.
Examples
Insecure Example
  resource "azurerm_network_security_group" "example" {
    name                = "acceptanceTestSecurityGroup1"
    location            = azurerm_resource_group.example.location
    resource_group_name = azurerm_resource_group.example.name
  }

  # Allows inbound TCP on every destination port ("*"), which includes 3389,
  # from every source address ("*"): RDP is open to the whole internet.
  resource "azurerm_network_security_rule" "example" {
    name                        = "example"
    priority                    = 100
    direction                   = "Inbound"
    access                      = "Allow"
    protocol                    = "Tcp"
    source_port_range           = "*"
    destination_port_range      = "*"
    source_address_prefix       = "*"
    destination_address_prefix  = "*"
    resource_group_name         = azurerm_resource_group.example.name
    network_security_group_name = azurerm_network_security_group.example.name
  }
Secure Example
  resource "azurerm_network_security_group" "example" {
    name                = "acceptanceTestSecurityGroup1"
    location            = azurerm_resource_group.example.location
    resource_group_name = azurerm_resource_group.example.name
  }

  # Explicitly denies inbound TCP 3389 from any source. Priority 100 is evaluated
  # before any rule with a higher number, so a later, broader Allow cannot
  # re-open RDP. Traffic that matches no custom rule falls through to Azure's
  # default DenyAllInBound rule.
  resource "azurerm_network_security_rule" "example" {
    name                        = "example"
    priority                    = 100
    direction                   = "Inbound"
    access                      = "Deny"
    protocol                    = "Tcp"
    source_port_range           = "*"
    destination_port_range      = "3389"
    source_address_prefix       = "*"
    destination_address_prefix  = "*"
    resource_group_name         = azurerm_resource_group.example.name
    network_security_group_name = azurerm_network_security_group.example.name
  }
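The examples above show one Allow and one Deny in isolation, but whether RDP is actually reachable depends on the whole rule set: priority order, wildcard or ranged destination ports, and the various ways a source can mean "anywhere". The script below is an added example (not part of this page or of tfsec) that walks a list of NSG rules the way Azure does, lowest priority number first, and reports which rule decides the fate of an inbound TCP 3389 packet from a representative internet address. The rule dictionaries mirror the `azurerm_network_security_rule` attributes shown on this page; the rule sets and the probe address (`198.51.100.10`, from the TEST-NET-2 documentation range) are constructed for the example, and the `203.0.113.0/24` "office" range is an assumption.

```python
"""Evaluate an Azure NSG rule set for RDP (TCP 3389) exposure to the internet.

Added example, not tfsec's or Azure's own code. Rule dicts mirror the
azurerm_network_security_rule attributes (priority, direction, access,
protocol, destination_port_range(s), source_address_prefix(es)).
"""
import ipaddress

RDP_PORT = 3389
# Source prefixes Azure treats as "any address": the wildcard, the Any alias
# and the Internet service tag. 0.0.0.0/0 is handled as a normal CIDR below.
ANY_SOURCE = {"*", "any", "internet"}
# Constructed probe: a public address outside any VNet (TEST-NET-2).
INTERNET_PROBE = "198.51.100.10"


def port_range_covers(port_range: str, port: int) -> bool:
    """True if an NSG port spec ('*', '3389', '3000-4000') includes `port`."""
    spec = port_range.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def source_matches(prefix: str, ip: ipaddress.IPv4Address) -> bool:
    """True if a source prefix (wildcard, service tag or CIDR) covers `ip`."""
    spec = prefix.strip()
    if spec.lower() in ANY_SOURCE:
        return True
    try:
        return ip in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        # Other service tags (VirtualNetwork, AzureLoadBalancer, ...) do not
        # cover an arbitrary internet address.
        return False


def deciding_rule(rules, probe_ip=INTERNET_PROBE, port=RDP_PORT):
    """Return the first rule, in priority order, matching inbound TCP `port`
    from `probe_ip`, or None when only Azure's default DenyAllInBound applies."""
    ip = ipaddress.ip_address(probe_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("direction", "Inbound").lower() != "inbound":
            continue
        if rule.get("protocol", "*").lower() not in ("tcp", "*"):
            continue
        dst_ports = rule.get("destination_port_ranges") or [rule.get("destination_port_range", "*")]
        if not any(port_range_covers(p, port) for p in dst_ports):
            continue
        sources = rule.get("source_address_prefixes") or [rule.get("source_address_prefix", "*")]
        if not any(source_matches(s, ip) for s in sources):
            continue
        return rule
    return None


def rdp_reachable_from(rules, probe_ip) -> bool:
    """True if an RDP connection from `probe_ip` would be allowed."""
    rule = deciding_rule(rules, probe_ip)
    return rule is not None and rule["access"].lower() == "allow"


def rdp_exposed_to_internet(rules) -> bool:
    return rdp_reachable_from(rules, INTERNET_PROBE)


# Constructed rule sets. The first two mirror the page's examples.
INSECURE = [{"name": "example", "priority": 100, "direction": "Inbound", "access": "Allow",
             "protocol": "Tcp", "destination_port_range": "*", "source_address_prefix": "*"}]
SECURE = [{"name": "example", "priority": 100, "direction": "Inbound", "access": "Deny",
           "protocol": "Tcp", "destination_port_range": "3389", "source_address_prefix": "*"}]
# RDP only from an assumed office range; the broad Allow at 200 is shadowed by the Deny at 110.
RESTRICTED = [
    {"name": "rdp-from-office", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destination_port_range": "3389", "source_address_prefix": "203.0.113.0/24"},
    {"name": "deny-rdp-internet", "priority": 110, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "destination_port_range": "3389", "source_address_prefix": "Internet"},
    {"name": "allow-all", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "destination_port_range": "*", "source_address_prefix": "*"},
]
# A port range that never names 3389 but still covers it, open to 0.0.0.0/0.
RANGE_LEAK = [{"name": "wide-range", "priority": 300, "direction": "Inbound", "access": "Allow",
               "protocol": "*", "destination_port_range": "3000-4000", "source_address_prefix": "0.0.0.0/0"}]

if __name__ == "__main__":
    for label, rules in [("insecure", INSECURE), ("secure", SECURE),
                         ("restricted", RESTRICTED), ("range-leak", RANGE_LEAK)]:
        rule = deciding_rule(rules)
        print(f"{label:10} exposed={rdp_exposed_to_internet(rules)} "
              f"decided by={rule['name'] if rule else 'DenyAllInBound (default)'}")
```

The probe-packet approach catches the two mistakes a port-string grep misses: a Deny that is present but sits behind a lower-numbered Allow, and an Allow whose destination range merely contains 3389. Run it against rules exported with `az network nsg rule list` once you have mapped the CLI's field names onto the keys used here.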