Profile Applicability:
Level 1
Description:
Remote Desktop Protocol (RDP) is often used to remotely access Windows-based instances in AWS. However, RDP access should be restricted to only trusted IP addresses to minimize exposure and reduce the risk of unauthorized access. By restricting RDP access to specific IP addresses or ranges, you can significantly improve the security posture of your instances.
Rationale:
Restricting RDP access to specific IP addresses ensures that:
Only authorized users or services with known IP addresses can access the instance.
Exposure to brute-force attacks or unauthorized login attempts is minimized.
Security best practice for limiting remote access to trusted sources is followed, which supports compliance requirements.
Default Value:
Security groups created when a Windows instance is launched commonly allow RDP (TCP port 3389) from any IPv4 address (0.0.0.0/0), which is not secure. This must be manually restricted to specific trusted IP addresses or ranges; the IPv6 equivalent (::/0) should be treated the same way.
Impact:
Pros:
Enhanced security by limiting RDP access to specific, trusted IP addresses.
Reduced attack surface for the instance, lowering the likelihood of unauthorized access.
Improved compliance with security policies requiring restricted access.
Cons:
If the wrong source range is specified, or the open rule is revoked before the trusted rule is in place, legitimate administrators are locked out of the instance.
Requires ongoing management as trusted addresses change (for example, VPN egress addresses or administrators with dynamic IPs).
Remediation:
Test Plan:
Using AWS Console:
Log in to the AWS Management Console.
Navigate to EC2 under Compute.
In the Security Groups section, select each security group attached to the Windows instance.
In the Inbound Rules tab, check every rule that covers TCP port 3389: the RDP rule itself, any custom TCP port range that contains 3389, and any "All traffic" rule.
Confirm that the Source of each such rule is a specific trusted IP address or range (e.g., 203.0.113.0/24), not 0.0.0.0/0 or ::/0.
The check fails if any of those rules allows an unrestricted or untrusted source; remediate as described in the Implementation Plan.
Using AWS CLI:
Run the following command to describe the security group associated with the Windows instance:
aws ec2 describe-security-groups --group-ids <security-group-id>
Review the IpPermissions in the output and ensure that every rule covering TCP port 3389 (including port ranges and IpProtocol -1, which means all traffic) lists only trusted ranges in IpRanges and Ipv6Ranges. A source of 0.0.0.0/0 or ::/0 is a failure.
If the check fails, first add the trusted source so that administrators are not locked out (a single host is written as 203.0.113.10/32, a range as 203.0.113.0/24):
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 3389 --cidr <trusted-cidr>
Then remove the unrestricted rule. A revoke must match the existing rule exactly (same protocol and port range), so if RDP is exposed through a port-range or All traffic rule, revoke that rule instead; remove the ::/0 equivalent as well if one exists:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 3389 --cidr 0.0.0.0/0
Implementation Plan:
Using AWS Console:
Log in to the AWS Management Console.
Go to EC2 and select Security Groups under Network & Security.
Find the security group attached to your Windows instance and select it.
Review the Inbound Rules and restrict the RDP access rule to specific IP addresses or IP ranges (e.g., 203.0.113.0/24).
Save the changes, and verify that only the trusted IP addresses have RDP access.
Using AWS CLI:
First add the trusted source (a single host as 203.0.113.10/32, a range as 203.0.113.0/24) so that administrators are not locked out when the open rule is removed:
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 3389 --cidr <trusted-cidr>
Then revoke the rule that allows any IPv4 address (0.0.0.0/0), and the ::/0 rule if one exists. The revoke must specify the same protocol and port range as the existing rule:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 3389 --cidr 0.0.0.0/0
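The audit in the Test Plan and the ordered remediation in the Implementation Plan, as an added example that is not part of this benchmark page. It takes the JSON that `aws ec2 describe-security-groups --output json` returns (a constructed sample is embedded so that it runs offline; the group ID and CIDRs are documentation values, not real resources), reports every rule that admits TCP 3389 from a source outside an approved list, including port-range and All traffic rules, and prints the CLI commands with the trusted rule added before the open rules are revoked. The function names and the trusted list are this example's own assumptions.

```python
"""Added example: audit a security group for RDP open to untrusted sources
and emit the AWS CLI commands that fix it in lockout-safe order.
Input is the describe-security-groups JSON shape; SAMPLE_GROUP is a
constructed stand-in (documentation addresses only) so this runs offline."""
import ipaddress
import json

RDP_PORT = 3389

# Constructed sample in describe-security-groups output format.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        # The classic finding: RDP open to the whole IPv4 internet.
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # The intended rule: RDP from the trusted office range only.
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        # Easy to miss: a TCP port range containing 3389 from an untrusted /24.
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
        # Also easy to miss: "All traffic" from any IPv6 address.
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # Not RDP: HTTPS open to the world is out of scope for this check.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}


def rule_covers_rdp(perm):
    """True if one IpPermissions entry admits TCP/3389. Catches what a naive
    'FromPort == 3389' check misses: All traffic (IpProtocol "-1", no port
    fields) and a TCP range that contains 3389."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm["FromPort"] <= RDP_PORT <= perm["ToPort"]


def sources(perm):
    """CIDR sources of a rule, IPv4 and IPv6. Security-group and prefix-list
    sources are not CIDRs and are left for manual review."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def audit_rdp(group, trusted_cidrs):
    """Return (protocol, from_port, to_port, cidr) for every RDP-admitting
    rule whose source is not inside a trusted CIDR. 0.0.0.0/0 and ::/0 can
    never be inside a trusted prefix, so world-open rules are always flagged."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for perm in group.get("IpPermissions", []):
        if not rule_covers_rdp(perm):
            continue
        for cidr in sources(perm):
            net = ipaddress.ip_network(cidr)
            if not any(net.version == t.version and net.subnet_of(t)
                       for t in trusted):
                findings.append((perm["IpProtocol"], perm.get("FromPort"),
                                 perm.get("ToPort"), cidr))
    return findings


def _perm_json(proto, lo, hi, cidr):
    """One entry for --ip-permissions, the form that can name an IPv6 source
    or an All traffic rule, which the --protocol/--port/--cidr shorthand cannot."""
    perm = {"IpProtocol": proto}
    if proto != "-1":
        perm["FromPort"], perm["ToPort"] = lo, hi
    if ":" in cidr:
        perm["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        perm["IpRanges"] = [{"CidrIp": cidr}]
    return json.dumps([perm])


def remediation_commands(group, findings, trusted_cidrs):
    """CLI commands in lockout-safe order: authorize each trusted source that
    lacks an exact TCP/3389 rule, then revoke the offending rules. A revoke
    must match the existing rule exactly (protocol and full port range), so
    '--port 3389' would not remove a 0-65535 rule; we repeat each rule as found."""
    gid = group["GroupId"]
    present = {c for p in group.get("IpPermissions", [])
               if p.get("IpProtocol") == "tcp"
               and p.get("FromPort") == RDP_PORT and p.get("ToPort") == RDP_PORT
               for c in sources(p)}
    cmds = [f"aws ec2 authorize-security-group-ingress --group-id {gid} "
            f"--ip-permissions '{_perm_json('tcp', RDP_PORT, RDP_PORT, c)}'"
            for c in trusted_cidrs if c not in present]
    cmds += [f"aws ec2 revoke-security-group-ingress --group-id {gid} "
             f"--ip-permissions '{_perm_json(*f)}'" for f in findings]
    return cmds


if __name__ == "__main__":
    trusted = ["203.0.113.0/24"]  # assumed approved administrator range
    found = audit_rdp(SAMPLE_GROUP, trusted)
    for f in found:
        print("UNTRUSTED RDP SOURCE:", f)
    for cmd in remediation_commands(SAMPLE_GROUP, found, trusted):
        print(cmd)
```

Running it against the sample reports three rules (the 0.0.0.0/0 RDP rule, the 0-65535 range from 198.51.100.0/24, and All traffic from ::/0), leaves the HTTPS rule alone, and prints only revoke commands because the trusted /24 already has an exact TCP/3389 rule. Feed it real output by replacing SAMPLE_GROUP with one element of the "SecurityGroups" list from the describe call.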
Backout Plan:
Using AWS Console:
If legitimate access is blocked, log in to the AWS Console.
Navigate to EC2 and go to Security Groups.
Edit the inbound rule to re-allow access from the previous IP range or remove the IP restriction.
Using AWS CLI:
If legitimate access was blocked, restore the previous source first. Re-allowing 0.0.0.0/0 should be a temporary measure while the correct trusted range is identified:
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 3389 --cidr 0.0.0.0/0
Then, if the restrictive rule must be removed to return to the original state, revoke it:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 3389 --cidr <trusted-cidr>
References:
CIS Controls: