📝 Google GCE Network has Firewall Rules which allow unrestricted RDP access from the Internet 🟢

• Contextual name: 📝 GCE Network has Firewall Rules which allow unrestricted RDP access from the Internet 🟢
• ID: /ce/ca/google/vpc/network-rdp-access
• Located in: 📁 Google VPC

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Check for Unrestricted RDP Access

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Google GCE Network
  • 🔌 Google GCE Firewall Rule - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

GCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.

Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used. Generic (0.0.0.0/0) incoming traffic from the Internet to a VPC or VM instance using RDP on Port 3389 can be avoided.

Rationale

GCP Firewall Rules within a VPC Network. These rules apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network. Egress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication). For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified. This route simply defines the path to the Internet, to avoid the most general (0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default Port 3389. Generic access from the Internet to a specific IP Range should be restricted.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to VPC Network.
2. Go to the Firewall Rules.
3. Click the Firewall Rule to be modified.
4. Click Edit.
5. Modify Source IP ranges to specific IP.
6. Click Save.

From Google Cloud CLI

1.Update RDP Firewall rule with new SOURCE_RANGE from the below command:

        gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v3.0.0 → 💼 3.7 Ensure That RDP Access Is Restricted From the Internet - Level 2 (Automated)			1
💼 Cloudaware Framework → 💼 Secure Access			43