📝 Azure VM Scale Set Instance allows public access to RDP port 🟢

• Contextual name: 📝 Instance allows public access to RDP port 🟢
• ID: /ce/ca/azure/vm-scale-set/instance-allows-unrestricted-rdp-traffic
• Located in: 📁 Azure VM Scale Set

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Azure VM Scale Set Instance
  • 🔌 Azure Network Security Group Rule - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Ensure that Azure VM Scale Set Instances are not configured to allow unrestricted inbound access to the Remote Desktop Protocol (RDP) port (TCP 3389). RDP is commonly used for remote management and administrative access to Windows systems. Exposing RDP directly to the public internet creates a significant security risk, as it is a frequent target of brute-force attacks and exploitation attempts.

Rationale

Restricting RDP access through NSGs substantially reduces the attack surface of Azure VM Scale Set Instances and enhances overall security posture. Public exposure of RDP enables threat actors to attempt unauthorized logins, exploit vulnerabilities, or launch ransomware attacks. Best practices recommend allowing RDP access only through secure methods such as VPNs, jump servers, or Azure Bastion, rather than opening the port directly to the internet.

Impact

Implementing these restrictions may affect remote administration workflows that currently rely on direct RDP access over the internet. You should plan and implement alternative secure access methods to maintain operational continuity while eliminating unnecessary risk exposure.

... see more

Remediation

Open File

Remediation

Modify or Remove Insecure NSG Rule

Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:

• If the rule is not required: Remove the rule entirely.

• If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.

Azure CLI

1. Delete the rule:

   az network nsg rule delete \
     --resource-group {{resource-group-name}} \
     --nsg-name {{nsg-name}} \
     --name {{rule-name}}

2. Restrict the rule:

   az network nsg rule update \
       --resource-group {{resource-group-name}} \
       --nsg-name {{nsg-name}} \
       --name {{rule-name}} \
       --source-address-prefixes {{trusted-cidr}} 

   Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., --source-address-prefixes "1.2.3.4/32 5.6.7.8/32").

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 Cloudaware Framework → 💼 Public and Anonymous Access			69