Check for Unrestricted RDP Access via Security Lists

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Very High (act immediately)

Check your Oracle Cloud Infrastructure (OCI) security lists for inbound rules that allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 3389 and limit the access to trusted IP addresses or IP ranges only in order to implement the Principle of Least Privilege (POLP) and reduce the attack surface. TCP port 3389 is used for secure remote GUI login to Windows VM instances by connecting an RDP client application with an RDP server.

Security

Exposing TCP port 3389 (Remote Desktop Protocol - RDP) to the Internet can increase opportunities for malicious activities such as hacking, Man-In-The-Middle (MITM) attacks, and brute-force attacks. Therefore, it is strongly recommended to configure your OCI security lists to limit inbound traffic on TCP port 3389 to known and trusted IP addresses only.
Audit

To determine if your Oracle Cloud Infrastructure (OCI) security lists allow unrestricted access on TCP port 3389 (RDP), perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Networking console available at https://cloud.oracle.com/networking/.

03 In the left navigation panel, under Overview, choose Virtual cloud networks.

04 Choose the OCI compartment that you want to access from the Compartment dropdown menu, to list the Virtual Cloud Networks (VCNs) available in the selected OCI compartment.

05 Click on the name (link) of the Virtual Cloud Network (VCN) that you want to examine.

06 In the left navigation panel, under Resources, choose Security Lists.

07 Click on the name (link) of the security list that you want to examine, listed in the Name column.

08 In the Resources navigation panel, choose Ingress Rules to access the inbound rules defined for the selected security list.

09 Check the rules list for any inbound rules with the Source attribute set to 0.0.0.0/0, IP Protocol set to TCP, and Destination Port Range set to 3389. If one or more rules match the search criteria, the selected security list has inbound rules that allow unrestricted access on TCP port 3389. As a result, the RDP access to the associated VM instances is not secured.

10 Repeat steps no. 7 - 9 for each OCI security list available for your Virtual Cloud Network (VCN).

11 Repeat steps no. 5 - 10 for each VCN deployed within the selected Oracle Cloud Infrastructure (OCI) compartment.

Using OCI CLI

01 Run search resource structured-search command (OSX/Linux/UNIX) to query all the compartments in your OCI tenancy to find security lists that match the criteria specified in the --query-text parameter (i.e., find OCI security lists that allow unrestricted access on TCP port 3389 - RDP):

oci search resource structured-search \
	--query-text "query SecurityList resources where (IngressSecurityRules.source = '0.0.0.0/0' && IngressSecurityRules.protocol = 6 && IngressSecurityRules.tcpOptions.destinationPortRange.max >= 3389 && IngressSecurityRules.tcpOptions.destinationPortRange.min <= 3389)" \
	--query 'data.items[].["display-name","identifier"]'

02 The command output should return the identifiers (names and IDs) of the security lists that match the search criteria:

[
	[
		"cc-project5-vm-security-list",
		"ocid1.securitylist.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
	],
	[
		"cc-prod-server-security-list",
		"ocid1.securitylist.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
	]
]

If the search resource structured-search command output returns one or more results, as shown in the example above, there are OCI security lists that allow unrestricted inbound access on TCP port 3389. As a result, the RDP access to the associated VM instances is not secured.

Remediation / Resolution

To update the inbound rule configuration for your Oracle Cloud Infrastructure (OCI) security lists in order to limit RDP access to trusted entities only (i.e., authorized IP addresses and IP address ranges) or to remove the non-compliant rule entirely, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Networking console available at https://cloud.oracle.com/networking/.

03 In the left navigation panel, under Overview, choose Virtual cloud networks.

04 Choose the OCI compartment that you want to access from the Compartment dropdown menu, to list the Virtual Cloud Networks (VCNs) available in the selected OCI compartment.

05 Click on the name (link) of the Virtual Cloud Network (VCN) that you want to access.

06 In the left navigation panel, under Resources, choose Security Lists.

07 Click on the name (link) of the security list that you want to configure, listed in the Name column.

08 In the Resources navigation panel, choose Ingress Rules to access the inbound rules defined for the selected security list.

09 To change the traffic source for the inbound rule that allows unrestricted access on TCP port 3389 (RDP), perform the following actions:

  1. Select the rule that you want to modify and choose Edit.
  2. Replace 0.0.0.0/0 in the Source CIDR box with an authorized IP address or IP address range.
  3. Choose Save changes to apply the configuration changes.

10 To remove entirely the inbound rule that allows unrestricted RDP access, perform the following actions:

  1. Select the inbound rule that you want to delete and choose Remove.
  2. In the confirmation box choose Remove to confirm the rule removal.

11 Repeat steps no. 7 - 10 for each OCI security list provisioned for your Virtual Cloud Network (VCN).

12 Repeat steps no. 5 - 11 for each VCN deployed within the selected Oracle Cloud Infrastructure (OCI) compartment.

Using OCI CLI

01 Run network security-list update command (OSX/Linux/UNIX) with the ID of the OCI security list that you want to configure as the identifier parameter, to change the traffic source for the inbound rule that allows unrestricted access (i.e., 0.0.0.0/0) on TCP port 3389 (RDP). For the "source" configuration attribute, you can provide an authorized IP address or IP address range using CIDR notation (e.g., 10.0.0.20/32 or 10.0.0.0/16):

oci network security-list update \
	--security-list-id 'ocid1.securitylist.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--ingress-security-rules '[{"source": "10.0.0.20/32", "protocol": "6", "isStateless": true, "tcpOptions": {"destinationPortRange": {"max": 3389, "min": 3389}}}]' \
	--query 'data."ingress-security-rules"'

02 The command output should return the ingress rules configured for the modified security list:

[
	{
		"description": null,
		"icmp-options": null,
		"is-stateless": true,
		"protocol": "6",
		"source": "10.0.0.20/32",
		"source-type": "CIDR_BLOCK",
		"tcp-options": {
			"destination-port-range": {
				"max": 3389,
				"min": 3389
			},
			"source-port-range": null
		},
		"udp-options": null
	}
]

03 To remove entirely the inbound rule that allows unrestricted RDP access, delete the non-compliant rule by editing the JSON configuration file that defines the security list ingress rules, specified by the --ingress-security-rules parameter, and run network security-list update command (OSX/Linux/UNIX) with the ID of the default security list that you want to update as the identifier parameter:

oci network security-list update \
	--security-list-id 'ocid1.securitylist.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--ingress-security-rules file://cc-new-ingress-rules.json \
	--query 'data."ingress-security-rules"'

04 The command output should return the ingress rules available for the modified security list:

[
	{
		"description": null,
		"icmp-options": {
			"code": null,
			"type": 3
		},
		"is-stateless": false,
		"protocol": "1",
		"source": "10.0.0.0/16",
		"source-type": "CIDR_BLOCK",
		"tcp-options": null,
		"udp-options": null
	}
]

05 Repeat steps no. 1 - 4 for each OCI security list that you want to configure, created for your Virtual Cloud Network (VCN).

06 Repeat steps no. 1 - 5 for each VCN deployed in the selected Oracle Cloud Infrastructure (OCI) compartment.
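As an added example (not part of this knowledge base article or of the OCI CLI), the audit check and the remediation above expressed over the rule JSON that --ingress-security-rules accepts: it also flags rules whose port range spans 3389 or that have no tcpOptions at all (an all-ports TCP rule), which the structured-search query above, with its explicit port-range conditions, does not match, and it returns the complete rule list because security-list update replaces every ingress rule, so the single-rule JSON in step 01 would leave that rule as the only one in the list. The sample rules and the trusted CIDR 203.0.113.10/32 are constructed; exposes_rdp and restrict_rdp are names chosen here.

```python
from copy import deepcopy

RDP_PORT = 3389
ANY_SOURCE = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "from anywhere"

def tcp_ports(lo, hi):  # builds the tcpOptions value used by --ingress-security-rules
    return {"destinationPortRange": {"min": lo, "max": hi}}

# Constructed sample rule list in the camelCase shape the CLI takes as input.
SAMPLE_RULES = [
    {"source": "0.0.0.0/0",   "protocol": "6", "tcpOptions": tcp_ports(3389, 3389)},
    {"source": "0.0.0.0/0",   "protocol": "6", "tcpOptions": tcp_ports(3000, 4000)},
    {"source": "0.0.0.0/0",   "protocol": "6", "tcpOptions": None},  # all TCP ports
    {"source": "10.0.0.0/16", "protocol": "6", "tcpOptions": tcp_ports(3389, 3389)},
]

def port_range(rule):
    """destinationPortRange of a rule; accepts the CLI output's kebab-case keys too."""
    tcp = rule.get("tcpOptions") or rule.get("tcp-options") or {}
    return tcp.get("destinationPortRange") or tcp.get("destination-port-range")

def exposes_rdp(rule):
    """True if an ingress rule lets any Internet source reach TCP 3389."""
    if rule.get("source") not in ANY_SOURCE:
        return False
    proto = str(rule.get("protocol", "")).lower()
    if proto == "all":
        return True                    # every protocol and port
    if proto != "6":
        return False                   # not TCP
    rng = port_range(rule)
    if rng is None:
        return True                    # OCI treats a missing range as all TCP ports
    return rng["min"] <= RDP_PORT <= rng["max"]

def restrict_rdp(rules, trusted_cidr):
    """Build the complete list for `--ingress-security-rules file://...`: rules that
    expose only port 3389 are re-sourced to trusted_cidr; rules exposing more than
    RDP are kept unchanged and their indexes returned for manual review."""
    fixed, review = [], []
    for i, r in enumerate(rules):
        nr = deepcopy(r)
        rng = port_range(r)
        if exposes_rdp(r):
            if rng and rng["min"] == rng["max"] == RDP_PORT:
                nr["source"] = trusted_cidr
            else:
                review.append(i)
        fixed.append(nr)
    return fixed, review
```

Write the returned list to the JSON file passed as file:// in step 03 only after the rules flagged for review have been narrowed or removed by hand.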

Publication date Mar 12, 2025