Control: 2.2 Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389

Description

Security lists provide stateful or stateless filtering of ingress/egress network traffic to OCI resources on a subnet level. It is recommended that no security group allows unrestricted ingress access to port 3389.

Remediation

From Console

1. Login to OCI Console.
2. Click in the search bar, top of the screen.
3. Type Advanced Resource Query and hit enter.
4. Click the Advanced Resource Query button in the upper right of the screen.
5. Enter the following query in the query box:

query SecurityList resources where (IngressSecurityRules.source = '0.0.0.0/0' && IngressSecurityRules.protocol = 6 && IngressSecurityRules.tcpOptions.destinationPortRange.max = 3389 && IngressSecurityRules.tcpOptions.destinationPortRange.min = 3389)

6. For each security list in the returned results, click the security list name
7. Either edit the ingress rule to be more restrictive, delete the ingress rule or click on the VCN and terminate the security list as appropriate.

From Command Line

1. Execute the following command:

oci search resource structured-search --query-text "query SecurityList resources where (IngressSecurityRules.source = '0.0.0.0/0' && IngressSecurityRules.protocol = 6 && IngressSecurityRules.tcpOptions.destinationPortRange.max = 3389 && IngressSecurityRules.tcpOptions.destinationPortRange.min = 3389)"

2. For each of the security lists identified get the its details

oci network security-list get --security-list-id <security list id>

3. Then either:

• Update the security list, copy the ingress-security-rules element from the JSON returned by the above get call, edit it appropriately and use it in the following command:

oci network security-list update --security-list-id <security-list-id> -- ingress-security-rules '<ingress security rules JSON>'

or

• Delete the security list

oci network security-list delete --security-list-id <security list id>