Ensure That RDP Access Is Restricted From the Internet

HIGH

Description

Description:

GCP 'Firewall Rules' are specific to a 'VPC Network'. Each rule either 'allows' or 'denies' traffic when its conditions are met. Its conditions allow users to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.

Firewall rules are defined at the VPC network level and are specific to the network in which they are defined. The rules themselves cannot be shared among networks. Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, an 'IPv4' address or 'IPv4 block in CIDR' notation can be used. Generic '(0.0.0.0/0)' incoming traffic from the Internet to a VPC or VM instance using 'RDP' on 'Port 3389' can be avoided.

Rationale:

GCP 'Firewall Rules' within a 'VPC Network'. These rules apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network. Egress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication).
For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified. This route simply defines the path to the Internet, to avoid the most general '(0.0.0.0/0)' destination 'IP Range' specified from the Internet through 'RDP' with the default 'Port 3389'. Generic access from the Internet to a specific IP Range should be restricted.

All Remote Desktop Protocol (RDP) connections from outside of the network to the concerned VPC(s) will be blocked. There could be a business need where secure shell access is required from outside of the network to access resources associated with the VPC. In that case, specific source IP(s) should be mentioned in firewall rules to white-list access to RDP port for the concerned VPC(s).

Remediation

From Google Cloud Console

Go to 'VPC Network'.
Go to the 'Firewall Rules'.
Click the 'Firewall Rule' to be modified.
Click 'Edit'.
Modify 'Source IP ranges' to specific 'IP'.
Click 'Save'.

From Google Cloud CLI

1.Update RDP Firewall rule with new 'SOURCE_RANGE' from the below command:

gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]

Policy Details

Rule Reference ID: AC_GCP_0134

CSP: GCP

Remediation Available: Yes

Domain: Infrastructure Security

Resource: google_compute_firewall

Resource Category: Virtual Network

Resource Type: Network Firewall

Frameworks

CIS Google Cloud Platform Foundations v1.3.0 Level 2
CIS Google Cloud Platform Foundations v2.0.0 Level 2
CSCv8
NIST-800-53
NIST-CSF
GDPR
HIPAA
NIST-800-171
ISO-27001
CSCv7
PCI-DSSv4.0
CIS Google Cloud Platform Foundations v1.2.0 Level 2
SOC2

Detections

Analytics