Profile Applicability:
Level 1
Description:
This control ensures that no Network Access Control Lists (NACLs) in an AWS environment allow inbound (ingress) traffic from any IP address (0.0.0.0/0, or ::/0 for IPv6) to Microsoft Remote Desktop Protocol (RDP), TCP port 3389. Allowing unrestricted RDP access exposes every instance in the subnet to credential brute-forcing, exploitation of unpatched RDP services, and malware delivery over an interactive session, with the impact amplified when the accounts involved hold administrative privileges.
Rationale:
NACLs are stateless, subnet-level filters that are evaluated before security groups, so an ALLOW rule for TCP 3389 from 0.0.0.0/0 leaves the security group as the only barrier between the Internet and the RDP service of every instance in the associated subnets. Restricting the source of RDP ingress rules to known administrative ranges (a corporate VPN egress range or a Bastion Host subnet) limits the attack surface and provides defence in depth if a security group is later misconfigured. This control corresponds to the CIS AWS Foundations Benchmark requirement that no NACL allows ingress from 0.0.0.0/0 to remote server administration ports.
Impact:
Positive Impact: Strengthens network security by preventing unauthorized remote desktop access and reducing exposure to brute-force and malware attacks.
Negative Impact: Administrators may lose remote access if their source ranges are not explicitly allowed, for example the egress addresses of a corporate VPN or a Bastion Host subnet. Because NACLs are stateless, the matching ephemeral-port return traffic must also remain permitted in the outbound rules.
Default Value:
The default NACL created with each VPC allows all inbound and outbound traffic. A custom NACL created by the user denies all inbound and outbound traffic (only the final rule, number *, DENY all, is present) until explicit rules are added.
Pre-Requisite:
IAM permissions required: ec2:DescribeNetworkAcls, ec2:ReplaceNetworkAclEntry, and, for rules that are removed or added rather than replaced, ec2:DeleteNetworkAclEntry and ec2:CreateNetworkAclEntry.
Knowledge of the authorized administrative IP ranges (VPN egress addresses) or the Bastion Host subnet CIDR.
Remediation:
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to VPC → Network ACLs.
Select each Network ACL associated with your VPC.
Under the Inbound Rules tab, check for any entry with:
Rule Action: ALLOW
Protocol: TCP, or All traffic
Port Range: 3389, or a range that includes 3389 (including "All" / 0-65535)
Source: 0.0.0.0/0 or ::/0
NACL rules are evaluated in ascending rule-number order and the first match wins, so a matching ALLOW is only shadowed by a lower-numbered DENY that also covers 0.0.0.0/0 (or ::/0) and port 3389. If an effective rule of this kind exists, the NACL is non-compliant.
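The same check can be scripted against the output of the DescribeNetworkAcls API. The following is an added example written for this page, not code from the benchmark or from AWS; it evaluates the response shape returned by boto3's describe_network_acls() (the three NACLs embedded below are constructed sample data) and applies the same rules as the console check: protocol TCP or all, a port range covering 3389, a world source, and first-match-wins ordering per address family.

```python
"""Audit NACL ingress entries for RDP (TCP 3389) reachable from the world.

Added example, not part of the original control text. Works on the JSON
shape returned by ec2.describe_network_acls(); the sample below is
constructed. The main guard queries AWS for real and needs credentials
with ec2:DescribeNetworkAcls.
"""

RDP_PORT = 3389
WORLD = {"0.0.0.0/0", "::/0"}


def entry_covers_rdp(entry):
    """True if the entry's protocol and port range include TCP/3389.
    Protocol "-1" means all protocols; AWS then omits PortRange."""
    proto = str(entry.get("Protocol"))
    if proto == "-1":
        return True
    if proto != "6":  # 6 is TCP; UDP/3389 is not RDP
        return False
    pr = entry.get("PortRange", {})
    return pr.get("From", 0) <= RDP_PORT <= pr.get("To", 65535)


def entry_is_world(entry):
    """True if the source is 0.0.0.0/0 or ::/0."""
    return (entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")) in WORLD


def deciding_world_entries(nacl):
    """Return {family: entry} with the first ingress entry, in rule-number
    order, that covers world -> 3389 for IPv4 and for IPv6.

    NACL rules are evaluated lowest number first and the first match wins,
    so a world DENY placed before a world ALLOW shadows it. Narrower rules
    are skipped: they do not change the verdict for sources outside them.
    """
    decided = {}
    ingress = [e for e in nacl["Entries"] if not e["Egress"]]
    for entry in sorted(ingress, key=lambda e: e["RuleNumber"]):
        family = "ipv6" if "Ipv6CidrBlock" in entry else "ipv4"
        if family in decided:
            continue
        if entry_is_world(entry) and entry_covers_rdp(entry):
            decided[family] = entry
    return decided


def find_noncompliant(nacls):
    """Return one finding per NACL/family whose effective rule is ALLOW."""
    findings = []
    for nacl in nacls:
        for family, entry in deciding_world_entries(nacl).items():
            if entry["RuleAction"] == "allow":
                findings.append({
                    "NetworkAclId": nacl["NetworkAclId"],
                    "RuleNumber": entry["RuleNumber"],
                    "Family": family,
                    "Source": entry.get("CidrBlock") or entry.get("Ipv6CidrBlock"),
                })
    return findings


# Constructed sample data in the describe_network_acls() response shape.
SAMPLE_NACLS = [
    {   # plain violation: TCP 3389 from 0.0.0.0/0
        "NetworkAclId": "acl-0aaa",
        "Entries": [
            {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
             "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3389, "To": 3389}},
            {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
             "CidrBlock": "0.0.0.0/0"},
        ],
    },
    {   # IPv4 ALLOW shadowed by an earlier DENY; IPv6 "all traffic" still open
        "NetworkAclId": "acl-0bbb",
        "Entries": [
            {"RuleNumber": 50, "Protocol": "6", "RuleAction": "deny", "Egress": False,
             "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3389, "To": 3389}},
            {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
             "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 0, "To": 65535}},
            {"RuleNumber": 110, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
             "Ipv6CidrBlock": "::/0"},
        ],
    },
    {   # compliant: RDP only from a trusted range
        "NetworkAclId": "acl-0ccc",
        "Entries": [
            {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
             "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 3389, "To": 3389}},
            {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
             "CidrBlock": "0.0.0.0/0"},
        ],
    },
]


if __name__ == "__main__":
    import boto3  # real query; only used when run as a script
    ec2 = boto3.client("ec2")
    live = []
    for page in ec2.get_paginator("describe_network_acls").paginate():
        live.extend(page["NetworkAcls"])
    for f in find_noncompliant(live) or [{"NetworkAclId": "none", "RuleNumber": "-", "Family": "-", "Source": "-"}]:
        print(f"{f['NetworkAclId']} rule {f['RuleNumber']} ({f['Family']}) allows RDP from {f['Source']}")
```

Running the functions on the constructed sample reports acl-0aaa rule 100 and acl-0bbb rule 110 (the IPv6 "all traffic" entry), while acl-0bbb's IPv4 allow is correctly treated as shadowed by rule 50 and acl-0ccc is clean.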
Implementation Plan
Using AWS Console:
Navigate to VPC → Network ACLs.
Select the affected NACL.
In the Inbound Rules tab, identify the rule allowing TCP 3389 from 0.0.0.0/0.
Choose Edit inbound rules.
Delete the rule, or modify it so that the Source is a trusted IP range (VPN egress addresses) or the Bastion Host subnet and the Port Range is exactly 3389. Each NACL rule accepts a single CIDR, so several trusted ranges require several rules; keep them before any broader DENY rule, since the lowest-numbered match wins. Do not narrow a rule that also carries other traffic (for example an "All traffic" rule) without first confirming what else depends on it.
Save changes and verify access through the secure administrative channels.
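The same change can be planned programmatically. The block below is an added example for this page, not benchmark or AWS code: given the offending ingress entry (in describe_network_acls() form, the sample entry and NACL id are constructed), the trusted CIDRs and the rule numbers already in use, it produces the replace_network_acl_entry() call that narrows the existing rule plus create_network_acl_entry() calls for any additional trusted ranges, and refuses to narrow a rule that also permits non-RDP traffic unless explicitly forced.

```python
"""Plan the API calls that restrict a world-open RDP NACL rule to trusted CIDRs.

Added example, not part of the original control text. The returned
(method, kwargs) pairs map directly onto boto3 ec2 client methods; the
sample entry in the test and the NACL id are constructed.
"""
from ipaddress import ip_network

RDP_PORT = 3389
MAX_RULE_NUMBER = 32766  # 32767 is reserved for the implicit DENY all


def plan_tightening(nacl_id, entry, trusted_cidrs, existing_rule_numbers, force=False):
    """Return a list of (boto3_method_name, kwargs) that replaces the
    world-open rule with one TCP/3389 rule per trusted CIDR.

    The first CIDR reuses the original rule number (replace), so evaluation
    order is preserved; further CIDRs get the next free numbers after it
    (create), keeping them ahead of any later DENY rule.
    """
    if not trusted_cidrs:
        raise ValueError("at least one trusted CIDR is required")

    rdp_only = (str(entry.get("Protocol")) == "6"
                and entry.get("PortRange") == {"From": RDP_PORT, "To": RDP_PORT})
    if not rdp_only and not force:
        raise ValueError("rule also permits traffic other than TCP/3389; "
                         "review dependants, then pass force=True to narrow it to RDP only")

    family = 6 if "Ipv6CidrBlock" in entry else 4
    nets = [ip_network(c) for c in trusted_cidrs]
    for net in nets:
        if net.prefixlen == 0:
            raise ValueError(f"{net} is not a restriction")
        if net.version != family:
            raise ValueError(f"{net} does not match the IPv{family} family of the rule")

    used = set(existing_rule_numbers)
    calls = []
    number = entry["RuleNumber"]
    for i, net in enumerate(nets):
        if i == 0:
            method = "replace_network_acl_entry"      # keeps the original rule number
        else:
            method = "create_network_acl_entry"
            number += 1
            while number in used:
                number += 1
            if number > MAX_RULE_NUMBER:
                raise ValueError("no free rule number after the original rule")
        used.add(number)
        kwargs = {
            "NetworkAclId": nacl_id,
            "RuleNumber": number,
            "Egress": False,
            "RuleAction": "allow",
            "Protocol": "6",
            "PortRange": {"From": RDP_PORT, "To": RDP_PORT},
        }
        kwargs["Ipv6CidrBlock" if family == 6 else "CidrBlock"] = str(net)
        calls.append((method, kwargs))
    return calls


def apply_plan(ec2, calls):
    """Execute the planned calls against a boto3 ec2 client."""
    for method, kwargs in calls:
        getattr(ec2, method)(**kwargs)


if __name__ == "__main__":
    import boto3  # hypothetical invocation with constructed identifiers
    offending = {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
                 "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3389, "To": 3389}}
    plan = plan_tightening("acl-0aaa", offending, ["203.0.113.0/24", "198.51.100.7/32"],
                           [100, 101, 32767])
    for method, kwargs in plan:
        print(method, kwargs)
    apply_plan(boto3.client("ec2"), plan)
```

Before applying, check the NACL's outbound rules still allow the ephemeral-port return traffic to the same trusted ranges; NACLs are stateless, so narrowing inbound alone is not enough to keep sessions working from the bastion.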
Backout Plan:
Using AWS Console:
If legitimate RDP access becomes unavailable, temporarily re-add the rule for the specific trusted source ranges only (e.g., the egress addresses of your corporate VPN), never for 0.0.0.0/0.
Reassess the architecture and implement a Bastion Host or AWS Systems Manager Session Manager for administrative access instead of exposing RDP publicly.
References:
AWS Network ACL Documentation
AWS Security Best Practices Whitepaper