Profile Applicability: Level 1
Description:
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389.
Rationale:
Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.
Audit:
Perform the following to determine if the account is configured as prescribed:
1. Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home
2. In the left pane, click Security Groups
3. For each security group, perform the following:
4. Select the security group
5. Click the Inbound Rules tab
6. Ensure no rule exists that has a port range that includes port 3389 and has a Source of 0.0.0.0/0
Note: A Port value of ALL, or a port range such as 1024-4098, is inclusive of port 3389.
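The Audit steps above can be scripted against the inbound rules of each security group. The following is an added example (not part of the benchmark) that applies the check, including the Note about ALL and port ranges, to records in the shape returned by boto3's describe_security_groups(); the group IDs and rules are constructed sample data, and treating the IPv6 source ::/0 as unrestricted goes beyond the page's 0.0.0.0/0 check.

```python
# Added example: audit inbound rules for unrestricted ingress to RDP (port 3389).
# IpPermissions entries mirror the structure returned by boto3 ec2.describe_security_groups();
# the sample groups below are constructed for this example, not taken from a real account.

RDP_PORT = 3389
# ::/0 is an assumption beyond the page, which only names 0.0.0.0/0
UNRESTRICTED_SOURCES = {"0.0.0.0/0", "::/0"}


def rule_includes_port(rule, port=RDP_PORT):
    """True if an inbound rule's port range covers `port`.

    IpProtocol "-1" means ALL traffic (no FromPort/ToPort) and covers every port,
    matching the Note in the Audit section.
    """
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") not in ("tcp", "udp"):
        return False  # e.g. icmp: FromPort/ToPort hold ICMP type/code, not ports
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def rule_is_unrestricted(rule):
    """True if any source CIDR on the rule is an anywhere range (0.0.0.0/0 or ::/0)."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(cidr in UNRESTRICTED_SOURCES for cidr in v4 + v6)


def find_open_rdp_groups(security_groups):
    """Return GroupIds that fail the check: some inbound rule exposes 3389 to the world."""
    failing = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if rule_includes_port(rule) and rule_is_unrestricted(rule):
                failing.append(sg["GroupId"])
                break
    return failing


# Constructed sample data (placeholder IDs; 203.0.113.0/24 is a documentation range).
SAMPLE_GROUPS = [
    {"GroupId": "sg-aaaa0001", "IpPermissions": [  # explicit RDP from anywhere: FAIL
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-aaaa0002", "IpPermissions": [  # range 1024-4098 includes 3389: FAIL
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 4098, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-aaaa0003", "IpPermissions": [  # ALL traffic (-1) from anywhere: FAIL
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-aaaa0004", "IpPermissions": [  # RDP limited to one corporate range: PASS
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-aaaa0005", "IpPermissions": [  # HTTPS from anywhere, not RDP: PASS
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    print("Groups allowing ingress to 3389 from anywhere:", find_open_rdp_groups(SAMPLE_GROUPS))
```

To run it against a real account, pass `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` to `find_open_rdp_groups` in place of the sample list, once per region.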
Remediation:
Perform the following to implement the prescribed state:
1. Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home
2. In the left pane, click Security Groups
3. For each security group, perform the following:
4. Select the security group
5. Click the Inbound Rules tab
6. Identify the rules to be removed
7. Click the x in the Remove column
8. Click Save
Impact:
When updating an existing environment, take care to ensure that administrators currently relying on an existing ingress from 0.0.0.0/0 have access to ports 22 and/or 3389 through another security group.
CIS Controls:
9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.