Profile Applicability: Level 1
Description
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allow unrestricted ingress access to port 3389. If a security group allows RDP traffic from any source, an attacker can brute-force credentials against the instance and potentially gain access to the entire network. Restrict the inbound rule to known hosts, services, or specific employees only.
RDP (Remote Desktop Protocol) is developed by Microsoft and provides a graphical user interface for connecting from one computer to another over a network.
Note: Allowing all IPv4 addresses to reach your instance over RDP is unsafe for production environments. Authorize only a specific IP address or range of addresses to access your instance.
Rationale
Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.
Impact
When updating an existing environment, ensure that administrators who currently rely on an existing ingress rule from 0.0.0.0/0 still have access to ports 22 and/or 3389 through another security group.
Default Value
The default security group allows all inbound traffic from network interfaces that are assigned to the same security group:
Type | Protocol | Port Range | Source | Description |
---|---|---|---|---|
All traffic | All | All | Security Group ID | Allows inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. |
Pre-Requisite
1. Identify the AWS resources that exist within the default security group.
2. Before the implementation steps, create a set of least-privilege security groups for those resources.
3. Place the resources in those security groups.
4. Remove the resources noted in #1 from the default security group.
Remediation
Test Plan
Perform the following to determine if the account is configured as prescribed:
Step 1: Log in to the AWS Management Console and go to the VPC dashboard at https://console.aws.amazon.com/vpc/home
Step 2: In the left navigation pane, click Security Groups.
Step 3: Select the security group to audit.
Step 4: Click the Inbound Rules tab.
Step 5: Review the inbound rules.
If a rule for port 3389 has its source set to 0.0.0.0/0 or ::/0 (Anywhere), the selected security group allows unrestricted traffic on port 3389, and RDP access to the associated instances is not secured.
Using AWS CLI:
To list the security groups that allow port 3389 from ::/0 (repeat with Name=ip-permission.cidr,Values='0.0.0.0/0' to check IPv4 sources):
aws ec2 describe-security-groups \
  --region us-east-1 \
  --filters Name=ip-permission.from-port,Values=3389 Name=ip-permission.to-port,Values=3389 Name=ip-permission.ipv6-cidr,Values='::/0' \
  --query 'SecurityGroups[*].{Name:GroupName}'
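The CLI filter above only matches rules whose port range is exactly 3389. This added Python script (not part of the benchmark text) evaluates the JSON returned by describe-security-groups directly, so it also flags all-traffic rules and wider port ranges that contain 3389, for both 0.0.0.0/0 and ::/0; the group IDs and rules in SAMPLE are constructed.

```python
import json
import sys

RDP_PORT = 3389
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_covers_rdp(perm):
    """True if an IpPermissions entry reaches TCP/3389: exact port, a range
    containing 3389, or an all-traffic rule (IpProtocol "-1")."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= RDP_PORT <= perm.get("ToPort", 65535)


def open_sources(perm):
    """World-open IPv4/IPv6 CIDRs attached to one permission entry."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in OPEN_CIDRS]


def find_unrestricted_rdp(describe_output):
    """Map GroupId -> sorted open CIDRs for every group exposing RDP."""
    findings = {}
    for sg in describe_output.get("SecurityGroups", []):
        hits = set()
        for perm in sg.get("IpPermissions", []):
            if rule_covers_rdp(perm):
                hits.update(open_sources(perm))
        if hits:
            findings[sg["GroupId"]] = sorted(hits)
    return findings


# Constructed sample (not real data): 3389 open to IPv4, all traffic open to IPv6, compliant private range.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-aaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389,
        "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bbb", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-ccc", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3000,
        "ToPort": 4000, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]}

if __name__ == "__main__":
    # Pipe `aws ec2 describe-security-groups --output json` in, else use SAMPLE.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for gid, cidrs in find_unrestricted_rdp(data).items():
        print(f"{gid}: RDP reachable from {', '.join(cidrs)}")
```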
Remediation:
Implementation Steps
Perform the following to implement the prescribed state:
Step 1: Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home
Step 2: In the left navigation pane, click Security Groups.
Step 3: Choose the Security Group to configure the rules for RDP (port 3389).
Step 4: Click the Inbound Rules tab for the selected security group.
Step 5: Click the Edit inbound rules button.
Step 6: For the rule with Type RDP, Port range 3389, and Protocol TCP, remove 0.0.0.0/0 from the Source column and replace it with the specific IP address or range that requires access.
Step 7: Click on the Save rules button.
Using AWS CLI:
Revoke the unrestricted RDP rule, then add a restrictive ingress rule to the selected security group:
aws ec2 revoke-security-group-ingress --group-id <value> --protocol tcp --port 3389 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress \
  --group-id <value> \
  --protocol tcp \
  --port 3389 \
  --cidr <trusted-cidr>
Backout Plan
Step 1: Log in to the AWS Management Console.
Step 2: Go to the EC2 console at https://console.aws.amazon.com/ec2/
Step 3: In the left navigation pane, click Security Groups and select the security group.
Step 4: On the Inbound Rules tab, click the Edit inbound rules button, set the rule to Type "All traffic", Protocol "All", and Port range "All", and save it.
Using AWS CLI:
aws ec2 authorize-security-group-ingress \
  --group-id <value> \
  --protocol all \
  --port all \
  --cidr <value>
Reference
Authorize inbound traffic for your Windows instances - Amazon Elastic Compute Cloud
Security groups for your VPC - Amazon Virtual Private Cloud
CIS Controls:
9.2 Ensure Only Approved Ports, Protocols, and Services Are Running
Ensure that only network ports, protocols, and services with validated business needs are listening and running on each system.