Source: Azure Portal
Display name: [Deprecated]: RDP access from the Internet should be blocked
Id: e372f825-a257-4fb8-9175-797a8a8627d6
Version: 2.0.0-deprecated
Versioning: versions supported for versioning: 1; 2.0.0 (2.0.0-deprecated)
Category: Network
Description: This policy is deprecated. This policy audits any network security rule that allows RDP access from Internet
Cloud environments: AzureCloud = true, AzureUSGovernment = true, AzureChinaCloud = unknown
Available in AzUSGov: The Policy is available in AzureUSGovernment cloud. Version: '2.*.*'
Mode: All
Type: BuiltIn
Preview: False
Deprecated: True
Effect: Default: Audit; Allowed: Audit, Disabled
RBAC role(s): none
Rule aliases: IF (6)
Rule resource types: IF (1)
Compliance
The following 1 compliance control is associated with this Policy definition '[Deprecated]: RDP access from the Internet should be blocked' (e372f825-a257-4fb8-9175-797a8a8627d6)
Control Domain: Azure_Security_Benchmark_v2.0
Control: NS-4
Name: Azure_Security_Benchmark_v2.0_NS-4
MetadataId: Azure Security Benchmark NS-4
Category: Network Security
Title: Protect applications and services from external network attacks
Owner: Customer
Requirements: Protect Azure resources against attacks from external networks, including distributed denial of service (DDoS) attacks, application-specific attacks, and unsolicited and potentially malicious internet traffic. Azure includes native capabilities for this:
- Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations.
- Use Web Application Firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services, and APIs against application layer attacks.
- Protect your assets against DDoS attacks by enabling DDoS protection on your Azure virtual networks.
- Use Azure Security Center to detect misconfiguration risks related to the above.
Azure Firewall Documentation: https://docs.microsoft.com/azure/firewall/
How to deploy Azure WAF: https://docs.microsoft.com/azure/web-application-firewall/overview
Manage Azure DDoS Protection using the Azure portal: https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection
Description: n/a
Info: link
Policy#: 14
Initiatives usage
Initiative DisplayName: [Deprecated]: Azure Security Benchmark v2
Initiative Id: bb522ac1-bc39-4957-b194-429bcd3bcb0b
Initiative Category: Regulatory Compliance
State: Deprecated
Type: BuiltIn
polSet in AzUSGov: true
History
Date/Time (UTC ymd) | Change type | Change detail
2021-09-27 15:52:17 | change | Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)
2020-01-29 21:53:30 | add | e372f825-a257-4fb8-9175-797a8a8627d6
JSON compare
version left: 2.0.0
version right: 2.0.0-deprecated
@@ -1,12 +1,13 @@
1
{
2
-
"displayName": "RDP access from the Internet should be blocked",
3
"policyType": "BuiltIn",
4
"mode": "All",
5
-
"description": "This policy audits any network security rule that allows RDP access from Internet",
6
"metadata": {
7
-
"version": "2.0.0",
8
-
"category": "Network"
9
},
10
"parameters": {
11
"effect": {
12
"type": "String",
1
{
2
+
"displayName": "[Deprecated]: RDP access from the Internet should be blocked",
3
"policyType": "BuiltIn",
4
"mode": "All",
5
+
"description": "This policy is deprecated. This policy audits any network security rule that allows RDP access from Internet",
6
"metadata": {
7
+
"version": "2.0.0-deprecated ",
8
+
"category": "Network",
9
+
"deprecated": true
10
},
11
"parameters": {
12
"effect": {
13
"type": "String",
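Review bot: the added "version" value reads "2.0.0-deprecated " with a trailing space inside the quotes, while the version listed for this definition elsewhere on the page is 2.0.0-deprecated with no space; drop the space so exact-match version comparisons and pinning do not miss it. Separately, the new description only says "This policy is deprecated." and the added "deprecated": true carries no pointer either, so anyone still assigning this audit has no indication of what now covers inbound RDP from the Internet; naming the successor policy in the description would close that gap.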
JSON
api-version=2021-06-01
{
  "displayName": "[Deprecated]: RDP access from the Internet should be blocked",
  "policyType": "BuiltIn",
  "mode": "All",
  "description": "This policy is deprecated. This policy audits any network security rule that allows RDP access from Internet",
  "metadata": {
    "version": "2.0.0-deprecated",
    "category": "Network",
    "deprecated": true
  },
  "parameters": { … (1 item) },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
        },
        {
          "allOf": [
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
              "equals": "Allow"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
              "equals": "Inbound"
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                  "equals": "*"
                },
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                  "equals": "3389"
                },
                {
                  "value": "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))), 3389), greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))), 3389)), 'false')]",
                  "equals": "true"
                },
                {
                  "count": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                    "where": {
                      "value": "[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))), 3389), greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))), 3389)), 'false')]",
                      "equals": "true"
                    }
                  },
                  "greater": 0
                },
                {
                  "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                    "notEquals": "*"
                  }
                },
                {
                  "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                    "notEquals": "3389"
                  }
                }
              ]
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                  "equals": "*"
                },
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                  "equals": "Internet"
                },
                {
                  "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                    "notEquals": "*"
                  }
                },
                {
                  "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                    "notEquals": "Internet"
                  }
                }
              ]
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}