Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that gives a user a graphical interface for connecting to another computer over a network connection. It follows a client-server architecture: the server computer must run RDP server software, and the client side must use RDP client software for this purpose.
By default, Azure enables port 3389 for Remote Desktop Protocol (RDP) and allows connections from any IP address in the world. This is convenient, but it is also a threat and a serious security risk: if an attacker performs a brute force attack on your RDP and gains remote access to your device(s), all your sensitive data can be compromised. How do we deal with this? We have two options: either restrict RDP access to your VMs entirely, or allow only a range of IPs or specific IPs to access your VMs.
Restricting Remote Desktop Protocol (RDP) access to VMs isn’t challenging, but it requires some understanding of Azure network security. We can enforce this with Azure Network Security Groups (NSGs). When you deploy a VM, it expects an NSG to be assigned, so create the NSG beforehand and attach that same NSG directly to your new VM deployments.
How can you create such Network Security Groups (NSGs)?
- Allow RDP from a specific IP.
- Deny all RDP traffic.
Then perform the following steps:
- Go to the VM’s property settings and select “Networking Settings”
- Then select “Add Inbound Traffic Rule”
- Click the wrench icon and switch from “Basic” to “Advanced” settings
The properties of an inbound security rule are as follows:
- Source: The source can be any IP address, a CIDR range, or a default service tag.
- Source IP address / Classless Inter-Domain Routing (CIDR) ranges: Any IP address or any CIDR range.
- Source Service Tag: There is a set of options here:
- Load Balancer: Matches traffic from the Azure Load Balancer
- Virtual Network: The Virtual Network to which your VM is connected
- Internet: All public network traffic (including all Azure services, such as Azure Traffic Manager, Storage, and SQL)
- Azure Traffic Manager: The IP address from which the Azure Load Balancer health check originates
- Storage: Access to Azure storage services and/or specific Azure regions
- SQL: Access to Azure SQL Database and Warehouse services, and/or specific Azure regions
- Source Port Ranges: A range of ports, or all ports
- Destination: The destination can be any IP address, a CIDR range, or the Virtual Network
- Destination Port Ranges: A range of ports, or all ports
- Protocol: TCP, UDP, or Any (which includes TCP, UDP, and ICMP)
- Action: Allow or Deny access
- Priority: A number between 100 and 4096; 100 is the lowest value you can enter and 4096 the highest. The lower the number, the higher the priority.
- Name: The name of the rule. Note that once created, the name cannot be changed!
The image below shows the fields (described above) you need to fill in to allow RDP from specific IP ranges.
The image below shows all the fields you need to fill in to deny all RDP access:
How does Centilytics help you secure your Remote Desktop Protocol (RDP)?
Centilytics has an insight that lists all your Azure subscriptions whose RDP access from the internet is unrestricted, as well as those whose RDP access is restricted. The insight also helps you scrutinize your security rules and the access given to RDP in your network security group, and shows where each rule has been created. This makes it easier to manage and ensure that your data is secure.
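The following is an added example, not code from Centilytics or from Azure, that models the rule semantics described above (first match in ascending priority number wins, with the lower number taking precedence) and performs offline the kind of check the insight above describes: is TCP 3389 reachable from any Internet source? It evaluates two constructed NSGs, one with a single "allow RDP from anywhere" rule and one with the two rules recommended earlier (allow from a specific range, then deny all RDP). The `Rule` class, the `decide` and `rdp_open_to_internet` functions, the rule names and the 203.0.113.0/24 office range are all assumptions of this example; Azure's three default inbound rules and their priorities are real and are included so the evaluation runs to completion.

```python
"""Offline audit of Azure NSG inbound rules for unrestricted RDP (added example).

Evaluation order follows the article: rules are walked in ascending priority
number (100 is the highest priority), the first matching rule decides, and
Azure's built-in default rules sit at priority 65000 and above.
"""
import ipaddress
from dataclasses import dataclass, field

RDP_PORT = 3389

# Source values that mean "every public address" for the purpose of this audit.
ANY_INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}


@dataclass
class Rule:
    name: str
    priority: int
    access: str                 # "Allow" or "Deny"
    protocol: str               # "Tcp", "Udp" or "*"
    source: str                 # IP, CIDR or service tag (e.g. "Internet")
    dest_ports: list = field(default_factory=lambda: ["*"])
    direction: str = "Inbound"


def port_in_ranges(port: int, ranges: list) -> bool:
    """True if `port` falls inside any NSG port-range string ("*", "22", "80-443")."""
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def protocol_matches(rule_proto: str, proto: str) -> bool:
    return rule_proto == "*" or rule_proto.lower() == proto.lower()


def source_matches(rule_source: str, src_ip: str) -> bool:
    """Does the rule's source field cover a concrete external client address?"""
    if rule_source in ANY_INTERNET_SOURCES:
        return True
    try:
        net = ipaddress.ip_network(rule_source, strict=False)
    except ValueError:
        # Assumption: any other service tag (VirtualNetwork, AzureLoadBalancer, ...)
        # is not a public-Internet source and so cannot match an external client.
        return False
    return ipaddress.ip_address(src_ip) in net


def decide(rules: list, src_ip: str, port: int, proto: str = "Tcp") -> str:
    """Walk inbound rules in priority order; first match wins. Returns "Allow"/"Deny"."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != "Inbound":
            continue
        if (protocol_matches(rule.protocol, proto)
                and port_in_ranges(port, rule.dest_ports)
                and source_matches(rule.source, src_ip)):
            return rule.access
    return "Deny"  # Azure's DenyAllInBound default rule would have matched anyway


def rdp_open_to_internet(rules: list) -> bool:
    """True when an Allow rule for TCP 3389 from any Internet source takes effect
    before any Deny rule of the same breadth (RDP "not restricted" in the article's terms)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != "Inbound":
            continue
        if not (protocol_matches(rule.protocol, "Tcp")
                and port_in_ranges(RDP_PORT, rule.dest_ports)):
            continue
        if rule.source in ANY_INTERNET_SOURCES:
            return rule.access == "Allow"
        # A rule scoped to one IP/CIDR or a non-Internet tag only decides for that
        # slice of sources; keep looking for a rule that covers the whole Internet.
    return False


# Azure's built-in default inbound rules (real names and priorities); they
# cannot be deleted, only overridden by rules with a lower priority number.
AZURE_DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]

# Constructed sample 1: the situation the article warns about, one rule
# allowing RDP from anywhere.
OPEN_RDP_NSG = [
    Rule("AllowRDP", 300, "Allow", "Tcp", "*", ["3389"]),
] + AZURE_DEFAULT_RULES

# Constructed sample 2: the two rules the article recommends. 203.0.113.0/24 is a
# documentation range standing in for the administrator's own address space.
RESTRICTED_RDP_NSG = [
    Rule("AllowRDPFromOffice", 100, "Allow", "Tcp", "203.0.113.0/24", ["3389"]),
    Rule("DenyAllRDP", 200, "Deny", "Tcp", "*", ["3389"]),
] + AZURE_DEFAULT_RULES


if __name__ == "__main__":
    for label, nsg in (("open", OPEN_RDP_NSG), ("restricted", RESTRICTED_RDP_NSG)):
        print(f"{label}: RDP open to Internet = {rdp_open_to_internet(nsg)}; "
              f"office client -> {decide(nsg, '203.0.113.10', RDP_PORT)}, "
              f"unknown client -> {decide(nsg, '198.51.100.7', RDP_PORT)}")
```

Note the priority ordering in the restricted NSG: the allow rule must carry the lower number (100) so that it is evaluated before the deny-all-RDP rule (200); swapping the two numbers would block the office range as well, which is exactly the kind of misordering a rule-by-rule audit like this catches.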