Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that gives a user a graphical interface for working on another computer over a network connection. It uses a client-server architecture: the target computer runs RDP server software, and the user connects to it from RDP client software.
When you create a Windows VM through the Azure portal, the default inbound port rule opens TCP port 3389 (RDP) to connections from any IP address on the internet. That is convenient, but an RDP listener reachable from the whole internet is a serious exposure: it is scanned continuously and subjected to password brute-force attacks, and an attacker who guesses or obtains valid credentials gets an interactive session on the VM and access to everything it holds or can reach. There are two ways to deal with this: deny RDP access to your VMs entirely, or allow it only from specific IP addresses or ranges.
Restricting RDP access to your VMs is not difficult, but it requires some understanding of Azure networking. The control is the Azure Network Security Group (NSG): an ordered set of allow and deny rules attached to a subnet or to a VM's network interface. The portal's VM wizard creates an NSG for you during deployment, but for consistent results you should create the NSG and its rules beforehand and attach that same NSG to every new VM deployment.
How do you create such Network Security Groups (NSGs)? The NSG needs two inbound rules:
- Allow RDP (TCP port 3389) from a specific IP address or CIDR range, with the lower priority number.
- Deny all other RDP traffic, with a higher priority number than the allow rule, so the allow rule is matched first.
To add each rule, perform the following steps:
- Open the VM in the portal and select "Networking" under its settings.
- Select "Add inbound port rule".
- Click the wrench icon to switch from "Basic" to "Advanced" settings so that all of the fields below are shown.
The properties of an inbound security rule are as follows:
- Source: any IP address, CIDR range, or one of the predefined service tags.
- Source IP address / CIDR range: a single IP address or a CIDR block such as 198.51.100.0/24 (used here only as an illustration); several entries can be separated by commas.
- Source Service Tag: one of the following predefined groups of addresses:
- Load Balancer: the address from which Azure's infrastructure load balancer sends health probes (168.63.129.16), not the clients behind your load balancer.
- Virtual Network: the address space of the virtual network your VM is connected to, including peered virtual networks and on-premises ranges reachable through a gateway.
- Internet: all public IP address space outside the virtual network, which includes Azure's own public services such as Azure Traffic Manager, Storage, and SQL.
- Azure Traffic Manager: the addresses from which Azure Traffic Manager health probes originate.
- Storage: the address ranges of Azure Storage, globally or for a specific Azure region.
- SQL: the address ranges of Azure SQL Database and Azure SQL Data Warehouse, globally or for a specific Azure region.
- Source Port Ranges: a single port, a range such as 1024-65535, or * for all ports. An RDP client connects from an ephemeral port you cannot predict, so leave this as *.
- Destination: any IP address, CIDR range, or a service tag such as Virtual Network; for an NSG attached to a single network interface, * or the VM's private IP address.
- Destination Port Ranges: a single port, a range, or * for all ports. For these rules it is 3389.
- Protocol: TCP, UDP, ICMP, or Any (all three). RDP needs TCP port 3389.
- Action: Allow or Deny.
- Priority: a number from 100 to 4096. Azure evaluates inbound rules in ascending priority order and stops at the first rule that matches, so the lower the number, the higher the priority. Your "allow from specific IP" rule must therefore carry a lower number than the "deny all RDP" rule; if the deny rule comes first it shadows the allow rule and nobody can connect. The built-in default rules use priorities of 65000 and above and are evaluated last.
- Name: the name of the rule. Note that once the rule is created, its name cannot be changed.
The first screenshot shows the fields described above filled in to allow RDP from a specific IP range: Source set to your IP address or CIDR range, Destination port range 3389, Protocol TCP, Action Allow, and a low priority number.
The second screenshot shows the fields filled in to deny all other RDP access: Source Any, Destination port range 3389, Protocol TCP, Action Deny, and a higher priority number than the allow rule.
How does Centilytics help you secure Remote Desktop Protocol (RDP)?
Centilytics provides an insight that lists every Azure subscription in which RDP is reachable from the internet without restriction, alongside the subscriptions in which RDP access is restricted. For each finding it shows the network security group, the security rule that grants the access, and where that rule was created, so you can see at a glance which rules need to be tightened and keep your data secure.
- Severity: This column represents how much RDP access the rule grants.
Ok: RDP access is blocked from the internet or restricted to specific IP ranges.
Warning: RDP access is open to the entire internet.
- Subscription ID: the GUID that uniquely identifies the Azure subscription.
- Subscription Name: the name of the subscription that contains the resource.
- Network Security Group: the NSG whose rules govern RDP access to the resource.
- Security Rule: the rule within that NSG that allows or denies RDP.
- Resource Group: the resource group that contains the resource. Putting related resources in one resource group lets you manage them together.
- Location: the Azure region in which the resource was created.
- Identifier: the combination of the fields above that uniquely identifies the resource.
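The rule properties listed earlier (in particular the priority and first-match semantics) and the Ok/Warning severity just described can both be made concrete with a small evaluator. The following is an added example, not Centilytics' code or Azure's: it models NSG inbound rules with the fields from this page, walks them in priority order the way Azure does, and classifies RDP exposure as Ok or Warning by testing whether an arbitrary internet host (203.0.113.10, a documentation address standing in for "anyone") would be allowed on TCP 3389. The rule sets at the bottom are constructed sample data: the portal's default open rule, the two rules this page recommends, the same two rules with their priorities swapped, and a broad port range that exposes 3389 without naming it.

```python
"""Model Azure NSG inbound rules and classify RDP exposure.

Added example (not Centilytics' or Azure's code). Rule fields mirror the
inbound security rule properties described on this page; the rule sets at
the bottom are constructed sample data, and 203.0.113.10 is a documentation
address used here to stand in for "any host on the internet".
"""
from dataclasses import dataclass
import ipaddress

RDP_PORT = 3389
# Source values that admit every public address.
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # user rules 100-4096, default rules 65000+; lower number wins
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # IP, CIDR, comma-separated list, service tag or "*"
    dest_ports: str    # "3389", "3000-4000", "*" or comma-separated list


def port_in_spec(port: int, spec: str) -> bool:
    """True if `spec` ("*", "3389", "3000-4000", "22,3389") covers `port`."""
    for part in spec.replace(" ", "").split(","):
        if part == "*":
            return True
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def source_covers(source: str, ip: str) -> bool:
    """True if the rule's source prefix admits `ip`."""
    addr = ipaddress.ip_address(ip)
    for part in source.replace(" ", "").split(","):
        if part in ANY_SOURCE:
            return True
        try:
            if addr in ipaddress.ip_network(part, strict=False):
                return True
        except ValueError:
            # A service tag such as VirtualNetwork or AzureLoadBalancer:
            # it never includes an arbitrary internet host.
            continue
    return False


def first_match(rules, ip: str, port: int = RDP_PORT, protocol: str = "Tcp"):
    """Azure walks inbound rules in ascending priority and stops at the first match."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in (protocol, "*"):
            continue
        if port_in_spec(port, rule.dest_ports) and source_covers(rule.source, ip):
            return rule
    return None


def rdp_severity(rules, probe_ip: str = "203.0.113.10") -> str:
    """Ok if an arbitrary internet host is denied on 3389, Warning if it is allowed."""
    hit = first_match(rules, probe_ip)
    return "Warning" if hit is not None and hit.access == "Allow" else "Ok"


# Every NSG ends with the built-in DenyAllInBound rule.
DEFAULT_RULES = [Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*")]

# Portal default for a Windows VM: RDP open to the world.
OPEN_RDP = [Rule("RDP", 300, "Allow", "Tcp", "*", "3389")] + DEFAULT_RULES

# The two rules this page recommends: allow one office range, then deny the rest.
RESTRICTED_RDP = [
    Rule("Allow-RDP-Office", 300, "Allow", "Tcp", "198.51.100.0/24", "3389"),
    Rule("Deny-RDP-All", 310, "Deny", "Tcp", "*", "3389"),
] + DEFAULT_RULES

# Same two rules with the priorities swapped: the Deny now shadows the Allow.
SHADOWED_RDP = [
    Rule("Deny-RDP-All", 300, "Deny", "Tcp", "*", "3389"),
    Rule("Allow-RDP-Office", 310, "Allow", "Tcp", "198.51.100.0/24", "3389"),
] + DEFAULT_RULES

# A broad rule that never mentions 3389 but still exposes it.
WIDE_RANGE = [Rule("Allow-App-Ports", 200, "Allow", "*", "Internet", "3000-4000")] + DEFAULT_RULES


if __name__ == "__main__":
    for label, rules in [("open", OPEN_RDP), ("restricted", RESTRICTED_RDP),
                         ("shadowed", SHADOWED_RDP), ("wide range", WIDE_RANGE)]:
        office = first_match(rules, "198.51.100.7")
        print(f"{label:11s} internet={rdp_severity(rules):7s} office={office.name}:{office.access}")
```

Running it shows the point of the priority caveat: the restricted set is Ok for the internet and still admits the office range, while the shadowed set is also Ok for the internet but denies the office too, because the deny rule at 300 is matched before the allow rule at 310. The wide-range set is a Warning even though no rule names 3389, which is why an audit must test port coverage rather than search rule text for "3389".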
Applicable filters are:

| Filter | Effect |
|---|---|
| EA Account IDs | Displays data only for the selected account ID. |
| Severity | Displays only the resources with the selected severity; for this insight that is Ok or Warning. |
| EA Resource Tags | Displays only the data carrying the selected resource tag. For example, if you have tagged resources with a tag named environment, selecting environment shows all data for resources that carry that tag. |
| EA Resource Tags Value | Further narrows the data to the selected value of that tag. For example, if a resource is tagged environment:production, selecting the value production shows only resources tagged "environment:production". The tag value filter can only be used after a tag name has been selected. |