Profile Applicability:

  • Level 1

Description:

This control ensures that AWS Security Groups do not allow unrestricted inbound traffic (0.0.0.0/0 for IPv4 or ::/0 for IPv6) to TCP port 3389, which is used for Microsoft Remote Desktop Protocol (RDP) access. Allowing open access to RDP significantly increases the risk of brute-force attacks, unauthorized system access, and exploitation of known Windows vulnerabilities. Restricting RDP access to trusted IP addresses or through secure gateways (like a Bastion Host or VPN) mitigates these risks. 

Rationale:

RDP is a common attack vector for threat actors attempting to gain unauthorized access to Windows-based systems. If port 3389 is exposed to the internet, attackers can perform automated scans to identify open ports and execute brute-force or credential-stuffing attacks. Restricting access to RDP by limiting the source IP range or using a private connection (e.g., AWS Systems Manager Session Manager, VPN, or AWS Direct Connect) ensures adherence to the principle of least privilege and protects internal infrastructure from external threats. 

Impact:

  • Positive Impact: Enhances the security posture by reducing the exposure of Windows-based EC2 instances to external attacks and ensuring access is granted only through secure and controlled channels.

  • Negative Impact: May limit direct RDP access for legitimate users unless a secure alternative (such as VPN or Bastion Host) is implemented. 

Default Value:

By default, new AWS Security Groups have no inbound rules, meaning RDP access must be explicitly allowed. 

Pre-Requisite:

  • IAM permissions required: ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress, ec2:AuthorizeSecurityGroupIngress.
  • Identify approved IP ranges or networks that legitimately require RDP access.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 → Security Groups.

  3. Select each Security Group and open the Inbound Rules tab.

  4. Check for rules with:

    • Protocol: TCP

    • Port Range: 3389

    • Source: 0.0.0.0/0 or ::/0

  5. If any rule matches this configuration, the Security Group is non-compliant.

Implementation Plan:

Using AWS Console:

  1. Navigate to EC2 → Security Groups.

  2. Select the non-compliant Security Group.

  3. Click Edit inbound rules.

  4. Identify and delete any rule that allows TCP 3389 from 0.0.0.0/0 or ::/0.

  5. Add new inbound rules to restrict RDP access:

    • Source: Authorized corporate or VPN CIDR blocks (e.g., 10.0.0.0/16).

    • Source: Specific admin IP addresses (e.g., 203.0.113.25/32).

  6. Click Save rules to apply changes.

  7. Test connectivity to ensure legitimate RDP users can still connect securely.
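The Test Plan and Implementation Plan above are written for the console. The following is an added example (not part of this control document or any AWS tooling) that performs the same check and prepares the same remediation programmatically: it operates on the dict shape returned by the EC2 DescribeSecurityGroups API, flags rules that open TCP 3389 to 0.0.0.0/0 or ::/0, and builds the IpPermissions payloads for ec2:RevokeSecurityGroupIngress and ec2:AuthorizeSecurityGroupIngress named in the Pre-Requisite section. It goes slightly beyond the console steps: an "all traffic" rule (IpProtocol "-1") or a TCP port range that contains 3389 also exposes RDP and is reported as non-compliant. The group IDs and rules in SAMPLE_GROUPS are constructed for illustration; the CIDR blocks 10.0.0.0/16 and 203.0.113.25/32 are the ones used in the plan.

```python
"""Offline audit/remediation helpers for the open-RDP (TCP 3389) Security Group check."""
from __future__ import annotations

RDP_PORT = 3389
OPEN_IPV4 = "0.0.0.0/0"
OPEN_IPV6 = "::/0"


def _covers_rdp(perm: dict) -> bool:
    """True if an IpPermissions entry would admit TCP 3389 (exact port,
    a TCP range containing 3389, or an all-traffic "-1" rule)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= RDP_PORT <= perm.get("ToPort", 65535)


def open_rdp_rules(sg: dict) -> list[dict]:
    """Return the entries of sg["IpPermissions"] that open RDP to the internet,
    trimmed to the offending CIDRs only, in the shape accepted by
    ec2:RevokeSecurityGroupIngress."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not _covers_rdp(perm):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == OPEN_IPV4]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == OPEN_IPV6]
        if not v4 and not v6:
            continue
        entry = {"IpProtocol": perm["IpProtocol"]}
        if perm["IpProtocol"] != "-1":      # "-1" rules carry no port fields
            entry["FromPort"] = perm["FromPort"]
            entry["ToPort"] = perm["ToPort"]
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        findings.append(entry)
    return findings


def is_compliant(sg: dict) -> bool:
    return not open_rdp_rules(sg)


def audit(groups: list[dict]) -> dict[str, list[dict]]:
    """Map GroupId -> offending rules for every non-compliant group (Test Plan step 5)."""
    return {sg["GroupId"]: f for sg in groups if (f := open_rdp_rules(sg))}


def restricted_rdp_permission(allowed_cidrs: list[str]) -> dict:
    """Build the IpPermissions entry that re-allows RDP only from approved
    networks (Implementation Plan step 5). Refuses open CIDRs so the
    replacement rule cannot reintroduce the finding."""
    for cidr in allowed_cidrs:
        if cidr in (OPEN_IPV4, OPEN_IPV6):
            raise ValueError(f"{cidr} would re-open RDP to the internet")
    desc = "RDP from approved network"
    return {
        "IpProtocol": "tcp",
        "FromPort": RDP_PORT,
        "ToPort": RDP_PORT,
        "IpRanges": [{"CidrIp": c, "Description": desc} for c in allowed_cidrs if ":" not in c],
        "Ipv6Ranges": [{"CidrIpv6": c, "Description": desc} for c in allowed_cidrs if ":" in c],
    }


# Constructed sample modelled on a DescribeSecurityGroups response (IDs are placeholders).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "rdp-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/16"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "rdp-restricted", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.25/32"}]},
    ]},
    {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "GroupName": "all-traffic-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]

if __name__ == "__main__":
    for group_id, rules in audit(SAMPLE_GROUPS).items():
        print(f"NON-COMPLIANT {group_id}: revoke {rules}")
    print("replacement rule:", restricted_rdp_permission(["10.0.0.0/16", "203.0.113.25/32"]))
```

Against a live account, feed `audit()` the `SecurityGroups` list from boto3's `ec2.describe_security_groups()`, then for each finding call `ec2.revoke_security_group_ingress(GroupId=..., IpPermissions=rules)` followed by `ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=[restricted_rdp_permission(approved_cidrs)])`; revoking only the trimmed entries leaves the approved CIDRs on the same rule (such as 10.0.0.0/16 in the sample) untouched.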

Backout Plan:

Using AWS Console:

  1. If access issues occur after restricting rules, temporarily re-add a specific trusted IP range to restore administrative access.

  2. Implement a secure access solution such as AWS Systems Manager Session Manager, Bastion Host, or VPN to manage RDP connections securely.

References: