Profile Applicability:

Level 2

Description:

Firewall rules in Google Cloud Platform (GCP) regulate ingress and egress traffic at the VPC level. These rules define traffic conditions such as protocols, ports, and IP ranges. Allowing unrestricted Remote Desktop Protocol (RDP) traffic on port 3389 from the internet (0.0.0.0/0) poses a security risk and should be avoided.

Rationale:

Allowing unrestricted RDP access exposes systems to potential threats such as brute force attacks and unauthorized access. Restricting RDP access to specific, trusted IP ranges mitigates risks and ensures secure communication. Firewall rules should limit ingress traffic to only trusted sources on a need-to-access basis.

Impact:

Blocking RDP access from the internet (0.0.0.0/0) ensures systems are protected but may disrupt workflows requiring remote access. Specific IP ranges can be whitelisted to accommodate legitimate access needs.

Default Value:

By default, GCP allows unrestricted ingress traffic on port 3389. Ensure this default setting is overridden to protect resources.

Audit Steps:

From Google Cloud Console:

  1. Navigate to VPC Network > Firewall Rules.

               

  1. Review the rules and verify:

    • Port is not set to 3389.

                       

  • Action is not set to Allow.

                             

  • Source IP ranges is not set to 0.0.0.0/0.

                                    

From Google Cloud CLI:

List all firewall rules and review configurations:

gcloud compute firewall-rules list --format="table(name,direction,sourceRanges,allowed.ports)"

  1. Ensure no rule meets the following criteria:

    • SOURCE_RANGES is 0.0.0.0/0.

    • DIRECTION is INGRESS.

    • IPProtocol is tcp or ALL.

    • PORTS is set to 3389 or includes it in a range, or the value is NULL (allowing all ports).

Remediation Steps:

From Google Cloud Console:

  1. Navigate to VPC Network > Firewall Rules.

                                   

  1. Select the firewall rule you want to modify.
                       

  2. Click Edit.

                             

  1. Update Source IP ranges to a specific, trusted IP range.

                             

  1. Click Save to apply the changes.

                             

From Google Cloud CLI:

Update the firewall rule to restrict RDP access:

gcloud compute firewall-rules update <FIREWALL_NAME> \
  --allow=tcp:3389 \
  --source-ranges=<CIDR_RANGE>

Example:
gcloud compute firewall-rules update allow-rdp-rule \

  --allow=tcp:3389 \

  --source-ranges=192.168.1.0/24

References:

  1. GCP Firewall Rules Documentation

Additional Information:

  1. GCP VPC currently supports only IPv4. If IPv6 (::/0) is introduced in the future, firewall rules should also restrict IPv6-based traffic.

  2. Consider using Identity-Aware Proxy (IAP) or a bastion host for enhanced security and centralized access management.

CIS Controls:

Control

Description

IG 1

IG 2

IG 3

4.4 Implement and Manage Firewalls on Servers

Apply firewalls to servers to block unauthorized access and enforce security policies.

4.5 Firewalls on End-User Devices

Use host-based firewalls to block unauthorized traffic on end-user devices.

9.2 Restrict Ports, Protocols, and Services

Ensure only approved ports, protocols, and services are operational.


12.4 Deny Unauthorized Communication

Block unauthorized TCP or UDP communication across network boundaries.