Skip to main content

๐Ÿ›ก๏ธ Oracle IAAS Security List allows unrestricted RDP traffic๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ IAAS Security List allows unrestricted RDP traffic๐ŸŸข
  • ID: /ce/ca/oracle/compute/security-list-allows-unrestricted-rdp-traffic
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logicโ€‹

Similar Policiesโ€‹

  • Internal: dec-x-afca7c62

Similar Internal Rulesโ€‹

RulePoliciesFlags
โœ‰๏ธ dec-x-afca7c621

Descriptionโ€‹

Open File

Descriptionโ€‹

This policy identifies Oracle IAAS Security Lists that allow unrestricted ingress from the internet to the Remote Desktop Protocol (RDP) port, TCP/3389.

Rationaleโ€‹

RDP is commonly used to administer Windows workloads. Allowing RDP access from 0.0.0.0/0 or ::/0 exposes administrative interfaces to internet-wide scanning, brute-force attempts, credential stuffing, and exploitation of vulnerable remote access services. Security list rules should allow RDP only from trusted administrative networks, bastion hosts, VPN ranges, or other controlled access paths.

Impactโ€‹

Restricting public RDP ingress can block administrative connections that currently depend on open internet access. Confirm that administrators have an approved access path before removing or narrowing existing rules.

Auditโ€‹

This policy flags an Oracle IAAS Security List as INCOMPLIANT when it has at least one related rule that meets all of the following conditions:

  • Direction is Ingress.
  • Source is 0.0.0.0/0 or ::/0.

... see more

Remediationโ€‹

Open File

Remediationโ€‹

Restrict Public RDP Accessโ€‹

From OCI CLIโ€‹

Review the current ingress rules before updating the security list:

oci network security-list get \
    --security-list-id {{security-list-ocid}}

Update the security list with a revised ingress rule set that removes public RDP access or restricts RDP to trusted source CIDRs:

oci network security-list update \
    --security-list-id {{security-list-ocid}} \
    --ingress-security-rules file://ingress-rules.json

The ingress-rules.json file must contain the complete intended ingress rule set for the security list. Preserve required business traffic and replace any RDP rule sourced from 0.0.0.0/0 or ::/0 with narrowly scoped CIDR ranges.

policy.yamlโ€‹

Open File

Linked Framework Sectionsโ€‹

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 36c deployment and environment management โ€”development, test and production environments are appropriately segregated and enforce segregation of duties;44no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 36d access management controls โ€”only authorised users, software and hardware are able to access information assets (refer to Attachment B for further guidance);1717no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 36e hardware and software asset controls โ€”appropriate authorisation to prevent security compromises from unauthorised hardware and software assets;1919no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 36f network design โ€” to ensure authorised network traffic flows and to reduce the impact of security compromises;3435no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.4042no data
๐Ÿ’ผ CIS Oracle v3.1.0 โ†’ ๐Ÿ’ผ 2.2 Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389 - Level 1 (Automated)11no data
๐Ÿ’ผ Cloudaware Framework โ†’ ๐Ÿ’ผ Network Exposure137no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1168no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7(5) Deny by Default โ€” Allow by Exception (M)(H)23no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-4(21) Physical or Logical Separation of Information Flows (M)(H)68no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SC-7(5) Deny by Default โ€” Allow by Exception (M)(H)23no data
๐Ÿ’ผ ISO/IEC 27001:2013 โ†’ ๐Ÿ’ผ A.9.4.1 Information access restriction2425no data
๐Ÿ’ผ ISO/IEC 27001:2022 โ†’ ๐Ÿ’ผ 8.21 Security of network services55no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties2362no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.DS-5: Protections against data leaks are implemented5498no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties144no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected196no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected167no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected197no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows4268no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(5) Boundary Protection _ Deny by Default โ€” Allow by Exception823no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.1 Establish and implement firewall and router configuration standards7145no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.132no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.1067no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.7844no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.630no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.30no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.5 Permit only โ€œestablishedโ€ connections into the network.30no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 2.3 Encrypt all non-console administrative access using strong cryptography.312no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.40no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.32no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.32no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.3.1 Inbound traffic to the CDE is restricted.67no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.3.2 Outbound traffic from the CDE is restricted.67no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.4.1 NSCs are implemented between trusted and untrusted networks.21no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.30no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 2.2.7 All non-console administrative access is encrypted using strong cryptography.12no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.3040no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.2032no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.832no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.3.1 Inbound traffic to the CDE is restricted.967no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.3.2 Outbound traffic from the CDE is restricted.67no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.4.1 NSCs are implemented between trusted and untrusted networks.921no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.930no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 2.2.7 All non-console administrative access is encrypted using strong cryptography.612no data
๐Ÿ’ผ UK Cyber Essentials โ†’ ๐Ÿ’ผ 1.2 Prevent access to the administrative interface from the internet4244no data