Check for Unrestricted RDP Access via Network Security Groups

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Very High (act immediately)

Check your Oracle Cloud Infrastructure (OCI) network security groups for inbound rules that allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 3389 and limit the access to trusted IP addresses or IP ranges only in order to implement the Principle of Least Privilege (POLP) and reduce the attack surface. TCP port 3389 is used for secure remote GUI login to Windows VM instances by connecting an RDP client application with an RDP server.

Security

Exposing TCP port 3389 (Remote Desktop Protocol - RDP) to the Internet increases the opportunities for malicious activity such as hacking, Man-In-The-Middle (MITM) attacks, and brute-force attacks against RDP credentials. Therefore, it is strongly recommended to configure your OCI network security groups (NSGs) to limit inbound traffic on TCP port 3389 to known and trusted IP addresses only.

Audit

To determine if your OCI network security groups (NSGs) allow unrestricted access on TCP port 3389 (RDP), perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Networking console available at https://cloud.oracle.com/networking/.

03 In the left navigation panel, under Overview, choose Virtual cloud networks.

04 Choose the OCI compartment that you want to access from the Compartment dropdown menu, to list the Virtual Cloud Networks (VCNs) available in the selected OCI compartment.

05 Click on the name (link) of the Virtual Cloud Network (VCN) that you want to examine.

06 In the left navigation panel, under Resources, choose Network Security Groups.

07 Click on the name (link) of the network security group (NSG) that you want to examine, listed in the Name column.

08 In the Resources navigation panel, choose Security Rules, and select only the Ingress checkbox under Direction to list the inbound rules defined for the selected NSG.

09 Check the Security Rules list for any inbound rules with the Source attribute set to 0.0.0.0/0, Protocol set to TCP, and Destination Port Range set to 3389. If one or more rules match the search criteria, the selected network security group (NSG) has inbound rules that allow unrestricted access on TCP port 3389. As a result, the RDP access to the target VM instances is not secured.

10 Repeat steps no. 7 - 9 for each OCI network security group available for your Virtual Cloud Network (VCN).

11 Repeat steps no. 5 - 10 for each VCN deployed within the selected Oracle Cloud Infrastructure (OCI) compartment.

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

oci iam compartment list \
	--all \
	--include-root \
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run network nsg list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each network security group (NSG) available in the selected compartment:

oci network nsg list \
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--all \
	--query 'data[]."id"'

04 The command output should return the requested NSG identifiers (IDs):

[
	"ocid1.networksecuritygroup.oc1.ap-sydney-1.1234bbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.networksecuritygroup.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
]

05 Run network nsg rules list command (Windows/macOS/Linux) with the ID of the OCI network security group (NSG) that you want to examine as the identifier parameter and custom output filters to describe the inbound rules that allow unrestricted network access on TCP port 3389 (RDP), configured for the selected NSG. The filter matches ingress rules from 0.0.0.0/0 whose protocol is TCP ("6") or "all" and whose destination port range either includes 3389 or is absent (which in OCI means all ports):

oci network nsg rules list \
	--nsg-id 'ocid1.networksecuritygroup.oc1.ap-sydney-1.1234bbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--all 2>/dev/null | jq -r '.data[] | select(.source == "0.0.0.0/0" and .direction == "INGRESS" and (.protocol == "6" or .protocol == "all") and ((."tcp-options"."destination-port-range".max >= 3389 and ."tcp-options"."destination-port-range".min <= 3389) or ."tcp-options"."destination-port-range" == null))'

06 The command output should return the inbound rules that allow unrestricted access on TCP port 3389:

{
	"description": null,
	"destination": null,
	"destination-type": null,
	"direction": "INGRESS",
	"icmp-options": null,
	"id": "ABC123",
	"is-stateless": false,
	"is-valid": true,
	"protocol": "6",
	"source": "0.0.0.0/0",
	"source-type": "CIDR_BLOCK",
	"tcp-options": {
		"destination-port-range": {
			"max": 3389,
			"min": 3389
		},
		"source-port-range": null
	},
	"time-created": "2025-03-04T17:05:18.857000+00:00",
	"udp-options": null
}

If the network nsg rules list command does not return an output, there are no ingress rules that allow unrestricted RDP access configured for the selected NSG. If the command output returns one or more results, as shown in the example above, the selected OCI network security group (NSG) has inbound rules that allow unrestricted access on TCP port 3389. As a result, the RDP access to the target VM instances is not secured.

07 Repeat steps no. 5 and 6 for each OCI network security group available for your Virtual Cloud Network (VCN).

08 Repeat steps no. 3 - 7 for each VCN deployed within the selected Oracle Cloud Infrastructure (OCI) compartment.
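The audit logic above, and the source replacement used in the remediation section below, as an added Python example (not Trend Vision One or OCI code). It evaluates the rule objects that network nsg rules list returns in its "data" array, and also handles cases a single-port filter can miss: protocol "all", the IPv6 any-address ::/0, and TCP ranges that span 3389. The rule IDs and the sample list are constructed for the example.

```python
# Added example (not Trend Vision One or OCI code): evaluates the rule objects
# from `oci network nsg rules list` (its "data" array) against the RDP criteria
# above, also catching protocol "all", IPv6 ::/0 and ranges that span 3389.
RDP_PORT = 3389
ANY_SOURCE = {"0.0.0.0/0", "::/0"}

def exposes_rdp(rule: dict) -> bool:
    """True if the ingress rule admits TCP/3389 from any Internet address."""
    if rule.get("direction") != "INGRESS" or rule.get("source-type") != "CIDR_BLOCK":
        return False
    if rule.get("source") not in ANY_SOURCE:
        return False
    proto = rule.get("protocol")
    if proto == "all":                      # every protocol and every port
        return True
    if proto != "6":                        # 6 = TCP; UDP/ICMP rules cannot carry RDP
        return False
    prange = (rule.get("tcp-options") or {}).get("destination-port-range")
    if prange is None:                      # TCP with no range = all TCP ports
        return True
    return prange["min"] <= RDP_PORT <= prange["max"]

def audit(rules: list) -> list:
    """IDs of the non-compliant rules, in list order."""
    return [r["id"] for r in rules if exposes_rdp(r)]

def restrict_source(rules: list, trusted_cidr: str) -> list:
    """Copy of the rules with offending sources replaced by trusted_cidr; every
    other attribute (including is-stateless) is kept, because the nsg rules
    update command replaces the whole rule definition."""
    return [dict(r, source=trusted_cidr) if exposes_rdp(r) else dict(r) for r in rules]

def _rule(rid, proto, src, prange):
    """Build a constructed sample rule shaped like the CLI output on this page."""
    tcp = None if prange is None else {"destination-port-range": dict(zip(("min", "max"), prange))}
    return {"id": rid, "direction": "INGRESS", "protocol": proto, "source": src,
            "source-type": "CIDR_BLOCK", "is-stateless": False, "tcp-options": tcp}

SAMPLE_RULES = [                            # constructed sample data, not real rules
    _rule("ABC123", "6", "0.0.0.0/0", (3389, 3389)),    # exact match, as on this page
    _rule("WIDE01", "6", "0.0.0.0/0", (3000, 3400)),    # range spans 3389
    _rule("ALL01", "all", "::/0", None),                # any protocol from IPv6 any
    _rule("UDP01", "17", "0.0.0.0/0", None),            # UDP only: cannot carry RDP
    _rule("OK01", "6", "10.0.0.30/32", (3389, 3389)),   # already a trusted source
]

if __name__ == "__main__":
    print("non-compliant:", audit(SAMPLE_RULES))
    print([r["source"] for r in restrict_source(SAMPLE_RULES, "10.0.0.30/32")])
```

The list returned by restrict_source is in the shape that the --security-rules parameter of network nsg rules update expects, so it can be serialised with json.dumps and passed to that command.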

Remediation / Resolution

To update the inbound rule configuration for your OCI network security groups (NSGs) in order to limit RDP access to trusted networks and machines only (i.e., authorized IP addresses and IP address ranges) or to remove the non-compliant rule entirely, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Networking console available at https://cloud.oracle.com/networking/.

03 In the left navigation panel, under Overview, choose Virtual cloud networks.

04 Choose the OCI compartment that you want to access from the Compartment dropdown menu, to list the Virtual Cloud Networks (VCNs) available in the selected OCI compartment.

05 Click on the name (link) of the Virtual Cloud Network (VCN) that you want to access.

06 In the left navigation panel, under Resources, choose Network Security Groups.

07 Click on the name (link) of the network security group (NSG) that you want to configure, listed in the Name column.

08 In the Resources navigation panel, choose Security Rules, and select only the Ingress checkbox under Direction to list the ingress rules defined for the selected NSG.

09 To change the traffic source for the inbound rule that allows unrestricted access on TCP port 3389 (RDP), perform the following actions:

  1. Select the rule that you want to modify and choose Edit.
  2. Replace 0.0.0.0/0 in the Source CIDR box with an authorized IP address or IP address range.
  3. Choose Save changes to apply the configuration changes.

10 To remove the inbound rule that allows unrestricted RDP access entirely, perform the following actions:

  1. Select the inbound rule that you want to delete and choose Remove.
  2. In the confirmation box choose Remove to confirm the security rule removal.

11 Repeat steps no. 7 - 10 for each OCI network security group provisioned for your Virtual Cloud Network (VCN).

12 Repeat steps no. 5 - 11 for each VCN deployed within the selected Oracle Cloud Infrastructure (OCI) compartment.

Using OCI CLI

01 Run network nsg rules update command (OSX/Linux/UNIX) with the ID of the OCI network security group (NSG) that you want to configure as the identifier parameter, to change the traffic source for the inbound rule that allows unrestricted access (i.e., 0.0.0.0/0) on TCP port 3389 (RDP). For the "source" configuration attribute, you can provide an authorized IP address or IP address range using CIDR notation (e.g., 10.0.0.30/32 or 10.0.0.0/16):

oci network nsg rules update \
	--nsg-id 'ocid1.networksecuritygroup.oc1.ap-sydney-1.1234bbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--security-rules '[{ "description": null, "destination": null, "destination-type": null, "direction": "INGRESS", "icmp-options": null, "id": "ABC123", "is-stateless": true, "protocol": "6", "source": "10.0.0.30/32", "source-type": "CIDR_BLOCK", "tcp-options": { "destination-port-range": { "max": 3389, "min": 3389 }, "source-port-range": null }, "udp-options": null }]'

02 The command output should return the ingress rules configured for the modified network security group (NSG):

{
	"data": {
		"security-rules": [
			{
				"description": null,
				"destination": null,
				"destination-type": null,
				"direction": "INGRESS",
				"icmp-options": null,
				"id": "ABC123",
				"is-stateless": true,
				"is-valid": true,
				"protocol": "6",
				"source": "10.0.0.30/32",
				"source-type": "CIDR_BLOCK",
				"tcp-options": {
					"destination-port-range": {
						"max": 3389,
						"min": 3389
					},
					"source-port-range": null
				},
				"time-created": "2025-03-04T17:34:05.311000+00:00",
				"udp-options": null
			}
		]
	}
}

03 To remove the NSG ingress rule that allows unrestricted RDP access entirely, run network nsg rules remove command (OSX/Linux/UNIX) with the ID of the non-compliant inbound rule that you want to delete as the identifier parameter. The --security-rule-ids parameter takes a JSON list of rule IDs:

oci network nsg rules remove \
	--nsg-id 'ocid1.networksecuritygroup.oc1.ap-sydney-1.1234bbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--security-rule-ids '["ABC123"]'

04 The command output should return the ingress rules available for the modified network security group:

[
	{
		"description": null,
		"destination": null,
		"destination-type": null,
		"direction": "INGRESS",
		"icmp-options": null,
		"id": "ABCABC",
		"is-stateless": false,
		"is-valid": true,
		"protocol": "6",
		"source": "0.0.0.0/0",
		"source-type": "CIDR_BLOCK",
		"tcp-options": {
		"destination-port-range": {
			"max": 8080,
			"min": 8080
		},
		"source-port-range": null
		},
		"time-created": "2025-03-04T17:18:56.395000+00:00",
		"udp-options": null
	}
]

05 Repeat steps no. 1 - 4 for each network security group (NSG) created for your Virtual Cloud Network (VCN).

06 Repeat steps no. 1 - 5 for each VCN deployed within the selected Oracle Cloud Infrastructure (OCI) compartment.

Publication date Mar 12, 2025