Verify that RDP access from the Internet is evaluated and restricted
Why this matters
RDP (port 3389) is a high-risk vector frequently targeted by brute-force and credential-stuffing attacks. If unrestricted RDP access is allowed from the Internet, attackers may gain full remote control of Azure virtual machines. This can be used to pivot into private networks, exfiltrate data, or deploy malware. RDP should only be accessible via secure tunneling (e.g. VPN) and from tightly controlled IP ranges.
What this check does
This Auto Check verifies that no Network Security Group (NSG) rule allows unrestricted public access to TCP port 3389 (RDP) from the Internet.
Check Logic:
Passes if:
- No NSG rule allows inbound TCP traffic to port 3389 (or a port range that includes 3389) from a source set to *, 0.0.0.0/0, /0, Internet, or Any
Fails if:
- Any NSG rule allows inbound TCP traffic to port 3389 (or a port range that includes 3389)
AND the source is publicly routable (e.g. *, 0.0.0.0/0, Internet)
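The check logic above, implemented in Python as an added example (it is not the Auto Check's own code or an Azure SDK call): it evaluates a list of NSG rule records using the camelCase field names that `az network nsg rule list` returns, handles port ranges and the singular/plural forms of the port and source fields, and returns the names of any rules that would fail the check. The sample rules are constructed for the demonstration.

```python
RDP_PORT = 3389
# Source values the check treats as unrestricted (compared case-insensitively).
PUBLIC_SOURCES = {"*", "0.0.0.0/0", "/0", "internet", "any"}

def port_spec_covers(spec: str, port: int) -> bool:
    """True if an NSG port spec ('3389', '3000-4000' or '*') includes `port`."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port

def _values(rule: dict, single: str, plural: str) -> list:
    """Azure exposes either a single value or a list; normalise to one list."""
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.append(rule[single])
    return values

def exposes_rdp(rule: dict) -> bool:
    """A rule fails the check if it is an inbound Allow for TCP or Any that covers 3389 from a public source.
    Rule precedence (a lower-numbered Deny rule) is not evaluated; the check flags the permissive rule itself."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return False
    if rule.get("protocol", "*").lower() not in ("tcp", "*"):
        return False
    ports = _values(rule, "destinationPortRange", "destinationPortRanges")
    if not any(port_spec_covers(p, RDP_PORT) for p in ports):
        return False
    sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    return any(s.lower() in PUBLIC_SOURCES for s in sources)

def offending_rules(rules: list) -> list:
    """Names of rules that make the check fail; an empty list means the NSG passes."""
    return [r["name"] for r in rules if exposes_rdp(r)]

# Constructed sample rules in the camelCase shape of `az network nsg rule list` output.
SAMPLE_RULES = [
    {"name": "AllowRdpFromInternet", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "3389", "sourceAddressPrefix": "*"},
    {"name": "AllowMgmtRange", "direction": "Inbound", "access": "Allow",
     "protocol": "*", "destinationPortRanges": ["3000-4000"], "sourceAddressPrefixes": ["Internet"]},
    {"name": "AllowRdpFromVpn", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "3389", "sourceAddressPrefix": "10.20.0.0/24"},
    {"name": "DenyRdp", "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "destinationPortRange": "3389", "sourceAddressPrefix": "*"},
]
```

Running `offending_rules(SAMPLE_RULES)` flags the two permissive rules, including the one that exposes 3389 only through a wider port range, while the VPN-scoped Allow and the Deny rule pass.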
How to fix it
Azure Portal:
- Go to Network security groups
- Under Settings, open Inbound security rules
- Identify any rule with:
- Port = 3389 or range including 3389
- Protocol = TCP or Any
- Source = 0.0.0.0/0, Internet, or Any
- Action = Allow
- Select the rule
- Click Delete, then confirm with Yes
Azure CLI:
az network nsg rule delete \
--resource-group <resource-group> \
--nsg-name <network-security-group> \
--name <rule-name>
PowerShell:
# Load the NSG, find inbound Allow rules for 3389 from public sources, and remove them
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName <resource-group> -Name <network-security-group>
$offending = $nsg | Get-AzNetworkSecurityRuleConfig | Where-Object {
    $_.Direction -eq "Inbound" -and
    $_.Access -eq "Allow" -and
    $_.DestinationPortRange -eq "3389" -and   # exact match only; rules using a wider port range need a separate review
    ($_.SourceAddressPrefix -eq "*" -or $_.SourceAddressPrefix -eq "0.0.0.0/0" -or $_.SourceAddressPrefix -eq "Internet")
}
foreach ($rule in $offending) {
    Remove-AzNetworkSecurityRuleConfig -Name $rule.Name -NetworkSecurityGroup $nsg | Out-Null
}
# Remove-AzNetworkSecurityRuleConfig only edits the local object; Set-AzNetworkSecurityGroup writes the change to Azure
$nsg | Set-AzNetworkSecurityGroup
Exceptions
None. RDP must never be publicly exposed without a secured access path and proper justification.
Further resources
https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines
https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-network-security#ns-1-establish-network-segmentation-boundaries
https://docs.microsoft.com/en-us/azure/expressroute/
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal