Introduction
A couple of days ago, we got the info about a new RDP vulnerability, known as RDP BlueKeep which can allow remote access to a virtual machine running RDP without NLA (Network Level Authentication) by sending a specially crafted data packet that RDP does not understand, the attacker is able to cause memory corruption and remotely execute code with the NT Authority/System access level. You can read about the RDP BlueKeep flaw here.
Changing the listening port will help to “hide” Remote Desktop from hackers who are constantly scanning the network for computers listening on the default Remote Desktop Port (TCP 3389). This offers effective protection against the latest RDP worms, and add additional security to your environment.
Secure Azure VM Access
Azure Network Security Group (NSG) can help you limit network traffic to resources in a virtual network. NSG allows you to create rules (ACLs) at the desired level of granularity: network interfaces, individual VMs, or virtual subnets. You can control access by permitting or denying communication between the workloads within a virtual network, from systems on your network(s) via cross-premises connectivity, or direct Internet communication. Each network interface has zero, or one, associated network security group. Each network interface exists in a virtual network subnet. A subnet can also have zero, or one, associated network security group.
In this quick blog post, I will share with you a PowerShell script that will help you to get the list of all Network Security Groups (NSGs) which have RDP port open in all Azure subscriptions, and then export it to comma-separated value (CSV) format. This comes in handy when working with many VMs in Azure, and you want to audit which Network Security Group (NSG) has an RDP port enabled.
If you have Azure Security Center (ASC) Standard enabled in your Azure subscription, then ASC can identify the list of ports open for you. The Just In Time (JIT) VM Access blade will show you the machines with RDP/SSH open and recommend enabling JIT.
Here is the script that will do the job for you.
<#
.Synopsis
A script used to find all NSGs with RDP Port Open in all your Azure Subscriptions
.DESCRIPTION
A script used to get the list of all Network Security Groups (NSGs) with RDP Port open in all your Azure Subscriptions.
Finally, it will export the report into a csv file in your Azure Cloud Shell storage.
.Notes
Created : 2019-06-11
Version : 1.0
Author : Charbel Nemnom
Twitter : @CharbelNemnom
Blog : https://charbelnemnom.com
Disclaimer: This script is provided "AS IS" with no warranties.
#>
$azSubs = Get-AzSubscription
foreach ( $azSub in $azSubs ) {
Set-AzContext -Subscription $azSub | Out-Null
$azNsgs = Get-AzNetworkSecurityGroup
foreach ( $azNsg in $azNsgs ) {
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $azNsg | Where-Object { $_.DestinationPortRange -eq '3389' } | `
Select-Object @{label = 'NSG Name'; expression = { $azNsg.Name } }, @{label = 'Rule Name'; expression = { $_.Name } }, `
@{label = 'Port Range'; expression = { $_.DestinationPortRange } }, Access, Priority, Direction, `
@{label = 'Resource Group Name'; expression = { $azNsg.ResourceGroupName } } | Export-Csv -Path "$($home)\clouddrive\nsg-audit.csv" -NoTypeInformation -Append
}
}
Jump into Azure Cloud Shell session (https://shell.azure.com) and run the script above:
Switch to the Cloud Shell storage account and download the CSV file.
And here is the final report showing in CSV format:
Please note that you can accomplish the same thing using Azure CLI, however, I prefer to use Azure PowerShell.
Azure Cloud Shell is so powerful, you don’t need to install Azure CLI or PowerShell modules locally on your machine to automate your tasks. I highly recommend checking the master Cloud Shell session recorded by my dear friend Thomas Maurer.
This is version 1.0, do you want additional features? Please feel free to leave a comment below.
Hope this helps!
__
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-
