Control: 2.4 Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389
Description
Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. It is recommended that no security group allows unrestricted ingress access to port 3389.
Removing unfettered connectivity to remote console services, such as Remote Desktop Protocol (RDP), reduces a server's exposure to risk.
Remediation
From CLI
Using the details returned from the audit procedure either:
- Remove the security rules
oci network nsg rules remove --nsg-id=<NSGID from audit output>
or
- Update the security rules
oci network nsg rules update --nsg-id=<NSGID from audit output> --security- rules=<updated security-rules JSON (without the isValid or TimeCreated fields)>eg:oci network nsg rules update --nsg- id=ocid1.networksecuritygroup.oc1.iad.xxxxxxxxxxxxxxxxxxxxxx --security- rules='[{ "description": null, "destination": null, "destination-type": null, "direction": "INGRESS", "icmp-options": null, "id": "709001", "is-stateless": null, "protocol": "6", "source": "140.238.154.0/24", "source-type": "CIDR_BLOCK", "tcp-options": { "destination-port-range": { "max": 3389, "min": 3389 }, "source-port-range": null }, "udp-options": null }]'
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_2_4Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run oci_compliance.control.cis_v200_2_4 --shareSQL
This control uses a named query:
core_network_security_group_restrict_ingress_rdp_all