Description:
Remote Desktop Protocol (RDP) is a commonly used protocol for managing Windows-based servers and virtual machines. However, exposing RDP (port 3389) to the internet can significantly increase the risk of attacks such as brute-force attempts and unauthorized access. Evaluating and restricting RDP access from the internet ensures that only authorized users from trusted sources can access virtual machines (VMs) using RDP.
This can be achieved by configuring Network Security Groups (NSGs), Azure Firewall, and enabling Just-in-Time (JIT) access for RDP, as well as restricting RDP access based on IP addresses, regions, or trusted sources.
Rationale:
RDP access from the internet exposes your VMs to various threats, including brute-force attacks or exploitation of known vulnerabilities. By restricting RDP access to specific IP ranges, trusted users, or using JIT access, you minimize the attack surface and prevent unauthorized access. This approach helps in meeting security best practices and compliance requirements.
Impact:
Enabling RDP access restrictions significantly improves the security of your resources. However, it may cause challenges for legitimate users who need to access VMs remotely. Therefore, access should be carefully configured, ensuring only necessary users and sources can connect. Just-in-Time (JIT) access provides a secure way to temporarily enable RDP access when needed.
Default Value:
By default, RDP access (port 3389) is allowed unless restricted by Network Security Groups (NSGs) or Azure Firewall.
Pre-requisites:
Azure subscription.
Network Security Groups (NSGs) or Azure Firewall configured.
Virtual Machines with RDP enabled.
Just-in-Time (JIT) VM Access should be enabled for better control over RDP access.
Owner, Contributor, or Network Contributor role permissions.
Audit:
Sign in to Azure portal as an Owner, Contributor, or Network Contributor.
Navigate to Network Security Groups (NSGs) or Azure Firewall.
Verify that inbound rules allow RDP (port 3389) only from trusted sources and that all other sources are denied, as required by your security policies.
Implementation steps:
Sign in to Azure portal:
Use an account with Owner, Contributor, or Network Contributor permissions.
Navigate to Network Security Groups (NSGs):
In the Azure portal, go to Network Security Groups (NSGs).
Review the Inbound security rules for RDP (port 3389) and restrict access to trusted IP addresses only.
Restrict RDP Access Using NSGs:
Create an NSG rule that allows RDP access (port 3389) from only trusted IPs (e.g., specific IP address ranges, subnets, or VPNs).
Deny RDP access from all other sources.
Use Azure Firewall to Restrict RDP Access:
Azure Firewall can be used to enforce RDP access restrictions.
Create a Firewall policy that only allows RDP traffic from trusted IPs or VPN connections.
Enable Just-in-Time (JIT) VM Access for RDP:
JIT VM Access allows you to enable RDP access temporarily and securely.
Navigate to Azure Security Center and enable JIT VM Access for the VMs that require RDP access.
JIT access will automatically modify NSG rules to allow RDP access only for the duration specified.
Monitor RDP Access with Azure Monitor:
Use Azure Monitor and Network Watcher to monitor RDP traffic to your VMs.
Set up alerts to notify administrators when there is an unauthorized attempt to access a VM via RDP.
Automate RDP Access Restriction with Azure Policy:
Use Azure Policy to enforce RDP access restrictions across your Azure environment.
Test and Verify:
After configuring the RDP access restriction, test to ensure that only trusted IP ranges can connect via RDP to your VMs.
Try connecting via RDP from an untrusted IP to confirm that access is denied.
Review and Adjust:
Regularly review NSG rules, Firewall policies, and JIT access configurations to ensure that RDP access is restricted and only authorized users are allowed access.
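The audit and "Restrict RDP Access Using NSGs" steps above can be checked offline against exported rules. This is an added example, not part of the original page: it evaluates NSG inbound rules in the JSON shape printed by `az network nsg rule list -g <rg> --nsg-name <nsg> --include-default -o json` and reports which rule decides an RDP connection from an arbitrary internet host. The rule names, the trusted range 203.0.113.0/24 and the `_inbound` helper are constructed for illustration.

```python
# Audit helper: can an arbitrary internet host reach TCP/3389 (RDP) through this NSG?
# Rule dicts use the field names printed by `az network nsg rule list ... -o json`.
RDP_PORT = 3389
INTERNET_WIDE = {"*", "internet", "0.0.0.0/0"}  # source prefixes matching any internet host

def _port_matches(spec, port):
    """True if a port spec such as '*', '3389' or '3000-4000' covers `port`."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port

def _decides_internet_rdp(rule):
    """True if the rule matches inbound TCP/3389 from *every* internet source.
    Rules scoped to a narrower source (trusted CIDR, VirtualNetwork, ...) only decide for that
    subset and are skipped; two narrow Denies that jointly cover the internet are not recognised."""
    if rule.get("direction", "").lower() != "inbound":
        return False
    if rule.get("protocol", "*").lower() not in ("*", "tcp"):
        return False
    ports = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ports.append(rule["destinationPortRange"])
    if not any(_port_matches(p, RDP_PORT) for p in ports):
        return False
    sources = [s.lower() for s in (rule.get("sourceAddressPrefixes") or [])]
    if rule.get("sourceAddressPrefix"):
        sources.append(rule["sourceAddressPrefix"].lower())
    return any(s in INTERNET_WIDE for s in sources)

def rdp_exposed_to_internet(rules):
    """Name of the Allow rule that exposes RDP, or None when a Deny wins first. NSGs are
    first-match in ascending priority, so DenyAllInBound (65500) helps only if no Allow precedes it."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _decides_internet_rdp(rule):
            return rule["name"] if rule["access"].lower() == "allow" else None
    return None

def _inbound(name, priority, access, source, port="3389", protocol="Tcp"):
    """Build a constructed rule dict in the az CLI JSON shape (sample data only)."""
    return {"name": name, "priority": priority, "direction": "Inbound", "access": access,
            "protocol": protocol, "sourceAddressPrefix": source, "destinationPortRange": port}

DENY_ALL = _inbound("DenyAllInBound", 65500, "Deny", "*", port="*", protocol="*")  # Azure default rule
WEAK_RULES = [DENY_ALL, _inbound("AllowRDPFromAnywhere", 300, "Allow", "Internet")]  # RDP open to all
HARDENED_RULES = [DENY_ALL, _inbound("AllowRDPFromTrusted", 300, "Allow", "203.0.113.0/24"),
                  _inbound("DenyRDPFromInternet", 310, "Deny", "Internet")]  # trusted range only
```

Run it against the real export of each NSG attached to an RDP-enabled VM; any name returned identifies the rule to restrict.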
Backout Plan (Automated):
Sign in to Azure portal:
Use an account with Owner, Contributor, or Network Contributor permissions.
Navigate to NSGs or Azure Firewall:
Go to Network Security Groups (NSGs) or Azure Firewall.
Remove or Revert RDP Access Restrictions:
In NSGs, remove or adjust the rules that restrict RDP access.
In Azure Firewall, remove or revert the RDP rules that restrict traffic.
Revert Just-in-Time (JIT) Access:
If JIT VM Access was used, disable or adjust the JIT settings for the VM.
Verify Reverted Configuration:
Test to ensure that RDP access is no longer restricted and that the access controls are functioning as expected.
Monitor Access Logs:
Use Azure Monitor to ensure that the previous RDP restrictions are not being enforced after the backout.