Control: Windows machines should meet requirements for 'User Rights Assignment'
Description
Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.network_security_group_rdp_access_restrictedSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.network_security_group_rdp_access_restricted --shareSQL
This control uses a named query:
with network_sg as ( select distinct name sg_name from azure_network_security_group nsg, jsonb_array_elements(security_rules) sg, jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) dport, jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) sip where sg -> 'properties' ->> 'access' = 'Allow' and sg -> 'properties' ->> 'direction' = 'Inbound' and (sg -> 'properties' ->> 'protocol' ilike 'TCP' or sg -> 'properties' ->> 'protocol' = '*') and sip in ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '<nw>/0', '/0') and ( dport in ('3389', '*') or ( dport like '%-%' and split_part(dport, '-', 1) :: integer <= 3389 and split_part(dport, '-', 2) :: integer >= 3389 ) ))select sg.id resource, case when nsg.sg_name is null then 'ok' else 'alarm' end as status, case when nsg.sg_name is null then sg.title || ' restricts RDP access from internet.' else sg.title || ' allows RDP access from internet.' end as reason , sg.resource_group as resource_group , sub.display_name as subscriptionfrom azure_network_security_group sg left join network_sg nsg on nsg.sg_name = sg.name join azure_subscription sub on sub.subscription_id = sg.subscription_id;