Verify that RDP access from the Internet is evaluated and restricted
Last updated: April 9, 2026
Framework Reference: A.8.23 Integration: Azure – Network Security Groups (NSGs)
Why this matters
RDP (port 3389) is a high-risk vector frequently targeted by brute-force and credential-stuffing attacks. If unrestricted RDP access is allowed from the Internet, attackers may gain full remote control of Azure virtual machines. This can be used to pivot into private networks, exfiltrate data, or deploy malware. RDP should only be accessible via secure tunneling (e.g. VPN) and from tightly controlled IP ranges.
What this check does
This Auto Check verifies that no Network Security Group (NSG) rule allows unrestricted public access to TCP port 3389 (RDP) from the Internet.
Check Logic:
Passes if:
No NSG rule allows inbound access to port 3389 (or a port range including 3389)
AND/OR every such rule has a source that is not *, 0.0.0.0/0, /0, Internet, or Any
Fails if:
Any NSG rule allows inbound TCP traffic on port 3389 (or a port range including 3389)
AND its source is publicly routable (e.g. *, 0.0.0.0/0, Internet)
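The pass/fail logic above, as an added example that is not part of this page or the Auto Check's own implementation: a Python evaluator over NSG rules in the JSON shape returned by `az network nsg rule list -o json` (the camelCase field names are assumed from that output), run over constructed sample rules that cover exact ports, port ranges, list-form ports/sources, a Deny rule and a non-RDP port.

```python
# Added example, not the check's own code. Field names assumed to follow
# `az network nsg rule list -o json` output (camelCase keys).
PUBLIC_SOURCES = {"*", "0.0.0.0/0", "/0", "internet", "any"}
RDP_PORT = 3389

def port_spec_covers(spec, port):
    """True if an NSG port spec ('*', '3389' or '3000-4000') includes port."""
    spec = str(spec).strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi)
    return spec.isdigit() and int(spec) == port

def rule_exposes_rdp(rule):
    """Inbound Allow for TCP/Any whose ports include 3389 and whose source is public."""
    if (rule.get("direction", "").lower(), rule.get("access", "").lower()) != ("inbound", "allow"):
        return False
    if rule.get("protocol", "*").lower() not in ("tcp", "*", "any"):
        return False
    # A rule carries either a single range or a list of ranges; check both forms.
    ports = [rule.get("destinationPortRange")] + list(rule.get("destinationPortRanges") or [])
    if not any(port_spec_covers(p, RDP_PORT) for p in ports if p):
        return False
    sources = [rule.get("sourceAddressPrefix")] + list(rule.get("sourceAddressPrefixes") or [])
    return any(str(s).strip().lower() in PUBLIC_SOURCES for s in sources if s)

def evaluate_nsg(rules):
    """Apply the pass/fail logic: ('FAIL', offending rule names) or ('PASS', [])."""
    offending = [r["name"] for r in rules if rule_exposes_rdp(r)]
    return ("FAIL" if offending else "PASS"), offending

# Constructed sample rules (not real output) exercising each branch of the check.
SAMPLE_RULES = [
    {"name": "allow-rdp-any", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "destinationPortRange": "3389", "sourceAddressPrefix": "*"},
    {"name": "allow-range-internet", "direction": "Inbound", "access": "Allow", "protocol": "*",
     "destinationPortRange": "3000-4000", "sourceAddressPrefix": "Internet"},
    {"name": "allow-rdp-corp", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "destinationPortRanges": ["3389", "5985"], "sourceAddressPrefixes": ["10.0.0.0/8"]},
    {"name": "deny-rdp-any", "direction": "Inbound", "access": "Deny", "protocol": "Tcp",
     "destinationPortRange": "3389", "sourceAddressPrefix": "0.0.0.0/0"},
    {"name": "allow-ssh-any", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "destinationPortRange": "22", "sourceAddressPrefix": "*"},
]

if __name__ == "__main__":
    print(evaluate_nsg(SAMPLE_RULES))  # ('FAIL', ['allow-rdp-any', 'allow-range-internet'])
```

Note that a rule using a port range (such as 3000-4000) or the list-form fields is matched too, which a filter on the single DestinationPortRange string alone would miss.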
How to fix it
Azure Portal:
Go to Network security groups
Under Settings, open Inbound security rules
Identify any rule with:
Port = 3389 or range including 3389
Protocol = TCP or Any
Source = 0.0.0.0/0, Internet, or Any
Action = Allow
Select the rule
Click Delete → Confirm with Yes
Azure CLI:
az network nsg rule delete \
  --resource-group <resource-group> \
  --nsg-name <network-security-group> \
  --name <rule-name>
PowerShell:
# List inbound Allow rules for port 3389 whose source is public, across all NSGs in the resource group.
# Note: this filter matches the exact port string "3389" only; a rule using a range such as 3000-4000 is not matched.
Get-AzNetworkSecurityGroup -ResourceGroupName <resource-group> |
    Get-AzNetworkSecurityRuleConfig |
    Where-Object {
        $_.Direction -eq "Inbound" -and
        $_.Access -eq "Allow" -and
        $_.DestinationPortRange -eq "3389" -and
        ($_.SourceAddressPrefix -eq "*" -or
         $_.SourceAddressPrefix -eq "0.0.0.0/0" -or
         $_.SourceAddressPrefix -eq "Internet")
    }

# Remove the offending rule from the NSG object, then commit the change;
# Remove-AzNetworkSecurityRuleConfig only edits the local object until Set-AzNetworkSecurityGroup is run.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName <resource-group> -Name <network-security-group>
Remove-AzNetworkSecurityRuleConfig -Name <rule-name> -NetworkSecurityGroup $nsg
$nsg | Set-AzNetworkSecurityGroup
Exceptions
None. RDP must never be publicly exposed without a secured access path and proper justification.
Further resources
https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-1-establish-network-segmentation-boundaries
https://docs.microsoft.com/en-us/azure/expressroute/
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal