Description:

Remote Desktop Protocol (RDP) is a commonly used protocol for managing Windows-based servers and virtual machines. However, exposing RDP (port 3389) to the internet can significantly increase the risk of attacks such as brute-force attempts and unauthorized access. Evaluating and restricting RDP access from the internet ensures that only authorized users from trusted sources can access virtual machines (VMs) using RDP.

This can be achieved by configuring Network Security Groups (NSGs), Azure Firewall, and enabling Just-in-Time (JIT) access for RDP, as well as restricting RDP access based on IP addresses, regions, or trusted sources.


Rationale:

RDP access from the internet exposes your VMs to various threats, including brute-force attacks or exploitation of known vulnerabilities. By restricting RDP access to specific IP ranges, trusted users, or using JIT access, you minimize the attack surface and prevent unauthorized access. This approach helps in meeting security best practices and compliance requirements.


Impact:

Enabling RDP access restrictions significantly improves the security of your resources. However, it may cause challenges for legitimate users who need to access VMs remotely. Therefore, access should be carefully configured, ensuring only necessary users and sources can connect. Just-in-Time (JIT) access provides a secure way to temporarily enable RDP access when needed.


Default Value:

By default, RDP access (port 3389) is allowed unless restricted by Network Security Groups (NSGs) or Azure Firewall.


Pre-requisites:

  • Appropriate NSG or Azure Firewall associated with the VM.

  • RDP-enabled Windows VM.

  • Just-in-Time access is available in Defender for Cloud.

  • Owner, Contributor, or Network Contributor permissions.


Test Plan:

  1. Sign in to the Azure Portal https://portal.azure.com

  2. Open Network Security Groups.

  3. Select the Network Security Group linked to the virtual machine.

  4. Under Settings, open Inbound security rules.

  5. Check for rules allowing TCP port 3389.

  6. Confirm there is no rule allowing port 3389 from Any or 0.0.0.0/0.

  7. If found, follow the implementation steps.
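The same check the Test Plan performs by hand, as an added example that is not part of the original page: given a list of NSG inbound rules (field names follow the Azure NSG securityRules schema; the sample rules are constructed), it flags any rule that allows TCP/3389 from an any-source prefix and, because NSG rules are evaluated by ascending priority with first match winning, reports whether RDP is effectively open to the internet.

```python
# Added example (not from the original page): audit NSG inbound rules for
# RDP (TCP/3389) reachable from any internet source, the check the Test Plan
# does by hand. Rule fields follow the Azure NSG securityRules schema; the
# sample rules are constructed for illustration.
RDP_PORT = 3389
ANY_SOURCE = {"*", "0.0.0.0/0", "::/0", "internet"}  # "reachable from anywhere"

def _values(rule, plural, single):
    """Azure rules carry either a single value or a list; return both as a list."""
    return list(rule.get(plural) or []) + ([rule[single]] if rule.get(single) else [])

def _covers_port(spec, port):
    """True if an NSG port spec ('*', '3389' or '3000-4000') includes port."""
    if spec.strip() == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def matches_internet_rdp(rule):
    """Does the rule apply to inbound TCP/3389 traffic from an any-source prefix?"""
    if rule.get("direction", "").lower() != "inbound":
        return False
    if rule.get("protocol", "").lower() not in ("tcp", "*"):
        return False
    ports = _values(rule, "destinationPortRanges", "destinationPortRange")
    if not any(_covers_port(p, RDP_PORT) for p in ports):
        return False
    sources = _values(rule, "sourceAddressPrefixes", "sourceAddressPrefix")
    return any(s.lower() in ANY_SOURCE for s in sources)

def deciding_rule(rules):
    """NSG rules are evaluated by ascending priority and the first match wins;
    return the rule that decides internet RDP, or None (default DenyAllInBound)."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if matches_internet_rdp(rule):
            return rule
    return None

def rdp_open_to_internet(rules):
    rule = deciding_rule(rules)
    return rule is not None and rule.get("access", "").lower() == "allow"

# Constructed sample: a typical portal-created "RDP from Any" rule plus an
# unrelated HTTPS rule that must not be flagged.
SAMPLE_RULES = [
    {"name": "AllowRDP", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "TCP", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowHTTPS", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
]
```

A finding from `rdp_open_to_internet` means step 7 applies; a rule that allows 3389 only from a specific trusted prefix is not flagged.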



Implementation steps:

  1. Sign in to the Azure Portal https://portal.azure.com

  2. Open Network Security Groups.

  3. Select the NSG associated with the VM.

  4. Under Settings, open Inbound security rules.

  5. Remove or modify any rule allowing TCP port 3389 from Any.

  6. Allow RDP only from trusted IP addresses or private networks.

  7. Save the changes.


Backout Plan:

  1. Sign in to the Azure Portal https://portal.azure.com

  2. Open Network Security Groups.

  3. Select the Network Security Group associated with the VM.

  4. Under Settings, open Inbound security rules.

  5. Modify the RDP rule to restore previous access.

  6. Save the changes.


References: