gcp-gce-fw-public-rdp
Ensure Google compute firewall ingress does not allow unrestricted rdp access
When configuring firewall rules to allow or deny traffic to your compute instances, limit access to administrative ports such as RDP (Microsoft Remote Desktop, TCP port 3389) to trusted networks by restricting source_ranges.
Also noteworthy: the default VPC created in a project gets a default-allow-rdp firewall rule, which means that any VM in it has port 3389 exposed to the Internet. It is recommended to delete this firewall rule or, better yet, to create a custom VPC, which will not get any of those insecure default rules. You can delete the default rule using the CLI (gcloud compute firewall-rules delete default-allow-rdp) or use Terraform to block the port, as in the rule below:
resource "google_compute_firewall" "default" {
  name    = "block-ssh-and-rdp-in-default-vpc"
  network = google_compute_network.default.name

  allow {
    protocol = "icmp"
  }

  # No source_ranges is set, so the deny applies to every source (GCP defaults
  # ingress sources to 0.0.0.0/0). Terraform's default priority (1000) outranks
  # the default-allow-* rules (priority 65534), so this deny takes precedence.
  deny {
    protocol = "tcp"
    ports    = ["22", "3389"]
  }
}
Examples
Insecure Example
resource "google_compute_firewall" "default" {
  name    = "allow-rdp-access-from-the-internet"
  network = google_compute_network.default.name

  allow {
    protocol = "tcp"
    ports    = ["3389"]
  }

  source_ranges = ["0.0.0.0/0"]
}
Secure Example
resource "google_compute_firewall" "default" {
  name    = "allow-rdp-access-from-trusted-networks"
  network = google_compute_network.default.name

  allow {
    protocol = "tcp"
    ports    = ["3389"]
  }

  source_ranges = ["18.10.10.0/24"] # Limit to your own trusted networks where you will connect from
}
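To catch the insecure pattern before it is applied, the following added check (not part of this rule page or of any scanner's own code) walks a `terraform show -json` plan and reports google_compute_firewall resources that allow TCP/3389 ingress from the Internet. It assumes Terraform's documented plan JSON layout (planned_values.root_module.resources[].values, with nested child_modules) and also handles port ranges, protocol "all", and rules with no source at all, which GCP treats as 0.0.0.0/0.

```python
# Added example (not from the original rule page): flag google_compute_firewall
# resources in a `terraform show -json` plan that allow RDP (TCP/3389) from the
# Internet. Assumes Terraform's documented plan JSON layout
# (planned_values.root_module.resources[].values, nested child_modules).
RDP_PORT = 3389
PUBLIC_RANGES = {"0.0.0.0/0", "::/0"}

def port_spec_covers(spec, port):
    """True if a port spec such as "3389" or "3000-4000" includes `port`."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def allows_rdp(values):
    """True if an allow block opens TCP/3389 (tcp with no ports, or "all", opens every port)."""
    for block in values.get("allow") or []:
        proto = block.get("protocol", "").lower()
        if proto == "all":
            return True
        if proto == "tcp":
            ports = block.get("ports") or []
            if not ports or any(port_spec_covers(p, RDP_PORT) for p in ports):
                return True
    return False

def is_public_ingress(values):
    """True for an ingress rule reachable from any address. GCP applies 0.0.0.0/0 when
    no source_ranges/source_tags/source_service_accounts are set, so an omitted source is open."""
    if values.get("direction", "INGRESS").upper() != "INGRESS":
        return False
    ranges = values.get("source_ranges") or []
    has_source = ranges or values.get("source_tags") or values.get("source_service_accounts")
    return not has_source or any(r in PUBLIC_RANGES for r in ranges)

def find_public_rdp(plan):
    """Return addresses of offending firewall rules, walking child modules."""
    findings = []
    def walk(module):
        for res in module.get("resources", []):
            v = res.get("values", {})
            if res["type"] == "google_compute_firewall" and allows_rdp(v) and is_public_ingress(v):
                findings.append(res["address"])
        for child in module.get("child_modules", []):
            walk(child)
    walk(plan["planned_values"]["root_module"])
    return findings

# Constructed sample plan mirroring the page's insecure and secure examples.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "google_compute_firewall.insecure", "type": "google_compute_firewall",
     "values": {"allow": [{"protocol": "tcp", "ports": ["3389"]}], "source_ranges": ["0.0.0.0/0"]}},
    {"address": "google_compute_firewall.secure", "type": "google_compute_firewall",
     "values": {"allow": [{"protocol": "tcp", "ports": ["3389"]}], "source_ranges": ["18.10.10.0/24"]}}]}}}
```

Run it against a real plan with `terraform show -json tfplan` piped into `json.load` and passed to find_public_rdp; a deny block (as in the blocking rule above) is never reported, since only allow blocks are inspected.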