Control: 2.2 Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389
Description
Security lists provide stateful or stateless filtering of ingress/egress network traffic to OCI resources on a subnet level. It is recommended that no security group allows unrestricted ingress access to port 3389.
Removing unfettered connectivity to remote console services, such as Remote Desktop Protocol (RDP), reduces a server's exposure to risk.
Remediation
From Console
- Follow the audit procedure above.
- For each security list in the returned results, click the security list name.
- Either edit the
ingress ruleto be more restrictive, delete theingress ruleor click on theVCNand terminate thesecurity listas appropriate.
From CLI
- Follow the audit procedure.
- For each of the
security listsidentified, execute the following command:
oci network security-list get --security-list-id <security list id>
- Then either:
- Update the
security list, copy theingress-security-ruleselement from the JSON returned by the above get call, edit it appropriately and use it in the following command
oci network security-list update --security-list-id <security-list-id> --ingress-security-rules '<ingress security rules JSON>'
or
- Delete the security list
oci network security-list delete --security-list-id <security list id>
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_2_2Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run oci_compliance.control.cis_v200_2_2 --shareSQL
This control uses a named query:
core_security_list_restrict_ingress_rdp_all