Ensure NSGs restrict RDP access from the internet
Description
Network Security Groups should not allow RDP (port 3389) from any source.
⚠️ Risk Impact
Open RDP is the primary vector for ransomware delivery and credential brute-forcing.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected Azure accounts. Violations are flagged as critical-severity findings with remediation guidance.
🔧 Remediation
Use Azure Bastion for remote access instead of exposing RDP directly.
💀 Real-World Attack Scenario
A healthcare organization's Azure VM had RDP exposed to the internet. The Conti ransomware group brute-forced RDP credentials and deployed ransomware across 15 VMs within 2 hours, encrypting patient records and medical imaging data. The ransom demand was $4.1M.
💰 Cost of Non-Compliance
FBI IC3 2024: RDP is the #1 initial access vector for ransomware (67%). Average ransomware recovery: $4.54M. Healthcare ransomware incidents average 19 days of downtime.
📋 Audit Questions
1. List all NSGs allowing RDP from any source.
2. Is Azure Bastion deployed as the standard remote access method?
3. Are JIT VM access policies configured?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Using JIT access but allowing overly long access windows (max 3 hours recommended)
- ⛔ Not checking for RDP on non-standard ports or inside port ranges in NSG rules
- ⛔ Exposing RDP through Azure Load Balancer NAT rules
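As an added example, not part of this control page or of EchelonGraph's scanner, the check below walks NSG rules in the ARM `securityRules` shape to answer audit question 1 and to catch the port-range pitfall above (a rule for `3000-4000` that silently includes 3389). The sample NSGs are constructed, and the priority handling is a simplification noted in the code.

```python
"""Flag Azure NSGs whose inbound rules let any internet source reach RDP (TCP 3389)."""
RDP_PORT = 3389
# Source prefixes that mean "the whole internet" in an NSG rule.
ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "::/0"}


def port_range_covers(spec: str, port: int) -> bool:
    """True if an NSG port spec ("*", "3389" or "3000-4000") includes `port`."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_hits_rdp_from_internet(rule: dict) -> bool:
    """True if an inbound TCP (or any-protocol) rule spans 3389 and an any-source prefix."""
    p = rule["properties"]
    if p["direction"] != "Inbound" or p["protocol"] not in ("Tcp", "*"):
        return False
    ports = p.get("destinationPortRanges") or [p.get("destinationPortRange", "")]
    sources = p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix", "")]
    return (any(port_range_covers(r, RDP_PORT) for r in ports)
            and any(s.lower() in ANY_SOURCE for s in sources))


def open_rdp_rule(nsg: dict):
    """Return the name of the rule exposing RDP to the internet, or None.
    Rules are walked lowest priority number first, as the platform does, and the
    first match decides. Simplification: a Deny for only part of the internet
    (a specific CIDR) is ignored rather than subtracted from a broader Allow."""
    rules = sorted(nsg["properties"]["securityRules"],
                   key=lambda r: r["properties"]["priority"])
    for r in rules:
        if rule_hits_rdp_from_internet(r):
            return r["name"] if r["properties"]["access"] == "Allow" else None
    return None  # nothing matched: the default DenyAllInBound rule applies


def make_rule(name, priority, access, ports, source, protocol="Tcp"):
    """Build a constructed inbound rule in the ARM securityRules shape."""
    return {"name": name, "properties": {
        "priority": priority, "access": access, "direction": "Inbound",
        "protocol": protocol, "destinationPortRange": ports, "sourceAddressPrefix": source}}


# Constructed sample NSGs, not real resources.
EXPOSED_NSG = {"name": "vm-nsg-a", "properties": {"securityRules": [
    make_rule("allow-mgmt", 100, "Allow", "3000-4000", "*")]}}  # range hides 3389
GUARDED_NSG = {"name": "vm-nsg-b", "properties": {"securityRules": [
    make_rule("deny-rdp-internet", 100, "Deny", "3389", "Internet"),
    make_rule("allow-rdp", 200, "Allow", "3389", "*"),  # shadowed by the deny above
    make_rule("allow-rdp-corp", 300, "Allow", "3389", "10.0.0.0/16")]}}  # scoped source
```

Feed it the `securityRules` array from an exported NSG (for example from an ARM template or `az network nsg show` output) and treat any non-`None` result as a finding.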
📈 Business Value
Eliminating public RDP access prevents the #1 ransomware entry vector. Azure Bastion + JIT access provides defense-in-depth for administrative access.
⏱️ Effort Estimate
1-2 hours to audit and remediate NSG rules
EchelonGraph monitors for open RDP across all Azure subscriptions
🔗 Cross-Framework References
Automate CIS Azure 2.2 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.