AzPolicyAdvertizer

last sync: 2020-Jul-03 15:47:34 UTC

Azure Policy

RDP access from the Internet should be blocked

Policy DisplayName RDP access from the Internet should be blocked

Policy Id e372f825-a257-4fb8-9175-797a8a8627d6

Policy Category Network

Policy Description This policy audits any network security rule that allows RDP access from Internet

Policy Mode All

Policy Type BuiltIn

Policy in Preview FALSE

Policy Deprecated FALSE

Policy Effect Default: Audit
Allowed: (Audit,Disabled)

Roles used none

Policy Changes

Date/Time (UTC ymd) (i)	Change	Change detail
2020-01-29 21:53:30	add: Policy	e372f825-a257-4fb8-9175-797a8a8627d6

Used in Policy Initiative(s)

Initiative DisplayName	Initiative Id
CIS Microsoft Azure Foundations Benchmark 1.1.0	1a5bb27d-173f-493e-9568-eb56638dde4d

Policy Rule

{
  "properties": {
    "displayName": "RDP access from the Internet should be blocked",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy audits any network security rule that allows RDP access from Internet",
    "metadata": {
      "version": "2.0.0",
      "category": "Network"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
          },
          {
            "allOf": [
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
                "equals": "Allow"
              },
              {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
                "equals": "Inbound"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                    "equals": "*"
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                    "equals": "3389"
                  },
                  {
                  "value": "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]",
                    "equals": "true"
                  },
                  {
                    "count": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                      "where": {
                      "value": "[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]",
                        "equals": "true"
                      }
                    },
                    "greater": 0
                  },
                  {
                    "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                      "notEquals": "*"
                    }
                  },
                  {
                    "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                      "notEquals": "3389"
                    }
                  }
                ]
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                    "equals": "*"
                  },
                  {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                    "equals": "Internet"
                  },
                  {
                    "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                      "notEquals": "*"
                    }
                  },
                  {
                    "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                      "notEquals": "Internet"
                    }
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e372f825-a257-4fb8-9175-797a8a8627d6"
}

Azure Policy

RDP access from the Internet should be blocked

Popular