AzPolicyAdvertizer

last sync: 2021-Nov-26 17:15:01 UTC

Azure Policy definition

[Deprecated]: RDP access from the Internet should be blocked

Name [Deprecated]: RDP access from the Internet should be blocked
Azure Portal

Id e372f825-a257-4fb8-9175-797a8a8627d6

Version 2.0.0-deprecated
details on versioning

Category Network
Microsoft docs

Description This policy is deprecated. This policy audits any network security rule that allows RDP access from Internet

Mode All

Type BuiltIn

Preview FALSE

Deprecated True

Effect Default: Audit
Allowed: (Audit, Disabled)

Used RBAC Role none

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2021-09-27 15:52:17	change	Version remains equal, new suffix: deprecated (2.0.0 > 2.0.0-deprecated)
2020-01-29 21:53:30	add	e372f825-a257-4fb8-9175-797a8a8627d6

Used in Initiatives

Initiative DisplayName	Initiative Id	Initiative Category	State
[Deprecated]: Azure Security Benchmark v2	bb522ac1-bc39-4957-b194-429bcd3bcb0b	Regulatory Compliance	Deprecated

JSON Changes

Visual JSON JSON (Annotated)

Show unchanged values

JSON

{
  "displayName": "[Deprecated]: RDP access from the Internet should be blocked",
  "policyType": "BuiltIn",
  "mode": "All",
  "description": "This policy is deprecated. This policy audits any network security rule that allows RDP access from Internet",
  "metadata": {
    "version": "2.0.0-deprecated",
    "category": "Network",
    "deprecated": true
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
        },
        {
          "allOf": [
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
              "equals": "Allow"
            },
            {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
              "equals": "Inbound"
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                  "equals": "*"
                },
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
                  "equals": "3389"
                },
                {
                  "value": "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]",
                  "equals": "true"
                },
                {
                  "count": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                    "where": {
                      "value": "[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]",
                      "equals": "true"
                    }
                  },
                  "greater": 0
                },
                {
                  "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                    "notEquals": "*"
                  }
                },
                {
                  "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                    "notEquals": "3389"
                  }
                }
              ]
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                  "equals": "*"
                },
                {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
                  "equals": "Internet"
                },
                {
                  "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                    "notEquals": "*"
                  }
                },
                {
                  "not": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                    "notEquals": "Internet"
                  }
                }
              ]
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}

AzPolicyAdvertizer

Azure Policy definition

[Deprecated]: RDP access from the Internet should be blocked

JSON Left

JSON Right