🛡️ Google GCE Network allows unrestricted RDP traffic🟢

• Contextual name: 🛡️ GCE Network has Firewall Rules which allow unrestricted RDP access from the Internet🟢
• ID: /ce/ca/google/vpc/network-rdp-access
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Google GCE Network
  • 🔌 Google GCE Firewall Rule - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Check for Unrestricted RDP Access

Description

Open File

Description

This policy identifies Google GCE Networks that have Firewall Rules allowing unrestricted incoming traffic (0.0.0.0/0) from the internet to the Remote Desktop Protocol (RDP) port, TCP/UDP 3389.

In GCP, Firewall Rules are defined at the VPC Network level. Each rule either allows or denies traffic based on its configuration. These configurations specify the type of traffic (e.g., protocols and ports) and the source or destination (e.g., IP addresses, subnets, and instances).

Rationale

The RDP port is used for remote administrative access to Windows-based virtual machines. Exposing this port to the public internet poses a significant security risk, as it becomes a prime target for automated scanners and attackers performing brute-force, credential-stuffing, and vulnerability-based attacks. A successful exploit could lead to unauthorized access or complete compromise of the affected virtual machine.

To reduce risk, RDP access should be limited to specific administrative IP addresses or managed securely through Identity-Aware Proxy (IAP) or VPN access.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to VPC Network.
2. Go to the Firewall Rules.
3. Click the Firewall Rule to be modified.
4. Click Edit.
5. Modify Source IP ranges to specific IP.
6. Click Save.

From Google Cloud CLI

1. Identify Firewall Rules Allowing Public Access

   gcloud compute networks get-effective-firewalls default \
       --format="table(NAME, DIRECTION, IP_RANGES)" \
       --filter="IP_RANGES:0.0.0.0/0 AND DIRECTION:INGRESS"

2. Restrict the Source Range

   Once you have identified the firewall rules, update each one to restrict access to trusted CIDR ranges:

   gcloud compute firewall-rules update {{firewall-rule-name}} \
       --source-ranges={{cidr-range1}},{{cidr-range2}}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS GCP v1.2.0 → 💼 3.7 Ensure that RDP access is restricted from the Internet - Level 2 (Automated)			1		no data
💼 CIS GCP v1.3.0 → 💼 3.7 Ensure That RDP Access Is Restricted From the Internet - Level 2 (Automated)			1		no data
💼 CIS GCP v2.0.0 → 💼 3.7 Ensure That RDP Access Is Restricted From the Internet - Level 2 (Automated)			1		no data
💼 CIS GCP v3.0.0 → 💼 3.7 Ensure That RDP Access Is Restricted From the Internet - Level 2 (Automated)			1		no data
💼 Cloudaware Framework → 💼 Public and Anonymous Access			106		no data