Get The List of Network Security Groups With RDP Port Open Using Azure Cloud Shell

3 min read

Introduction

A couple of days ago, we got the info about a new RDP vulnerability, known as RDP BlueKeep which can allow remote access to a virtual machine running RDP without NLA (Network Level Authentication) by sending a specially crafted data packet that RDP does not understand, the attacker is able to cause memory corruption and remotely execute code with the NT Authority/System access level. You can read about the RDP BlueKeep flaw here.

Changing the listening port will help to “hide” Remote Desktop from hackers who are constantly scanning the network for computers listening on the default Remote Desktop Port (TCP 3389). This offers effective protection against the latest RDP worms, and add additional security to your environment.

Secure Azure VM Access

Azure Network Security Group (NSG) can help you limit network traffic to resources in a virtual network. NSG allows you to create rules (ACLs) at the desired level of granularity: network interfaces, individual VMs, or virtual subnets. You can control access by permitting or denying communication between the workloads within a virtual network, from systems on your network(s) via cross-premises connectivity, or direct Internet communication. Each network interface has zero, or one, associated network security group. Each network interface exists in a virtual network subnet. A subnet can also have zero, or one, associated network security group.

In this quick blog post, I will share with you a PowerShell script that will help you to get the list of all Network Security Groups (NSGs) which have RDP port open in all Azure subscriptions, and then export it to comma-separated value (CSV) format. This comes in handy when working with many VMs in Azure, and you want to audit which Network Security Group (NSG) has RDP port enabled.

If you have Azure Security Center (ASC) Standard enabled in your Azure subscription, then ASC can identify the list of ports open for you. The Just In Time (JIT) VM Access blade will show you the machines with RDP/SSH open and recommend to enable JIT.

Here is the script that will do the job for you.

<#
.Synopsis
A script used to find all NSGs with RDP Port Open in you Azure Subscriptions

.DESCRIPTION
A script used to get the list of all Network Security Groups (NSGs) with RDP Port open in your Azure Subscriptions.
Finally, it will export the report into a csv file in your Azure Cloud Shell storage.

.Notes
Created : 2019-06-11
Version : 1.0
Author : Charbel Nemnom
Twitter : @CharbelNemnom
Blog : https://charbelnemnom.com
Disclaimer: This script is provided "AS IS" with no warranties.
#>

$azSubs = Get-AzSubscription

foreach ( $azSub in $azSubs ) {
    Set-AzContext -Subscription $azSub | Out-Null

    $azNsgs = Get-AzNetworkSecurityGroup 
    
    foreach ( $azNsg in $azNsgs ) {
        Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $azNsg | Where-Object { $_.DestinationPortRange -eq '3389' } | `
            Select-Object @{label = 'NSG Name'; expression = { $azNsg.Name } }, @{label = 'Rule Name'; expression = { $_.Name } }, `
        @{label = 'Port Range'; expression = { $_.DestinationPortRange } }, Access, Priority, Direction, `
        @{label = 'Resource Group Name'; expression = { $azNsg.ResourceGroupName } } | Export-Csv -Path "$($home)\clouddrive\nsg-audit.csv" -NoTypeInformation -Append
      
    }    
}

Jump into Azure Cloud Shell session (https://shell.azure.com) and run the script above:

Get The List of Network Security Groups With RDP Port Open Using Azure Cloud Shell 1

Switch to the Cloud Shell storage account and download the CSV file.

Get The List of Network Security Groups With RDP Port Open Using Azure Cloud Shell 2

And here is the final report showing in CSV format:

Get The List of Network Security Groups With RDP Port Open Using Azure Cloud Shell 3

Please note that you can accomplish the same thing using Azure CLI, however, I prefer to use Azure PowerShell.

Azure Cloud Shell is so powerful, you don’t need to install Azure CLI or PowerShell modules locally on your machine to automate your tasks. I highly recommend checking the master Cloud Shell session recorded by my dear friend Thomas Maurer.

This is version 1.0, do you want additional features? Please feel free to leave a comment below.

Hope this helps!

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About Charbel Nemnom 579 Articles
Charbel Nemnom is a Cloud Architect, Swiss Certified ICT Security Expert, Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT), totally fan of the latest's IT platform solutions, accomplished hands-on technical professional with over 17 years of broad IT Infrastructure experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems. Excellent communicator is adept at identifying business needs and bridging the gap between functional groups and technology to foster targeted and innovative IT project development. Well respected by peers through demonstrating passion for technology and performance improvement. Extensive practical knowledge of complex systems builds, network design, business continuity, and cloud security.

Be the first to comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.