🔷 CIS GCP 3.7 | Rule: GCP-FW-002 | Severity: critical

Ensure RDP access is restricted from the internet

Description

Firewall rules should not allow RDP (port 3389) access from 0.0.0.0/0.

⚠️ Risk Impact

Open RDP is one of the most exploited attack vectors. BlueKeep, DejaBlue, and similar vulnerabilities allow remote code execution.

🔍 How EchelonGraph Detects This

GCP-FW-002 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected Google Cloud accounts. Violations are flagged as critical-severity findings with remediation guidance.

🖥️ Manual Verification

terminal
gcloud compute firewall-rules list --filter='direction=INGRESS AND allowed[].ports:3389 AND sourceRanges:0.0.0.0/0'
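The gcloud filter above matches the literal string "3389", so it misses allow entries that cover the port through a range (for example "3000-4000") or through a TCP entry with no port list at all. As an added check that is not part of the original page or of EchelonGraph's scanner, the following Python evaluates firewall rules in the shape returned by `gcloud compute firewall-rules list --format=json` (the sample rules below are constructed) and flags enabled ingress allow rules that expose TCP/3389 from an any-source range, whether IPv4 or IPv6.

```python
import ipaddress

RDP_PORT = 3389

# Constructed sample in the shape `gcloud compute firewall-rules list --format=json` returns.
SAMPLE_RULES = [
    {"name": "allow-rdp-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-mgmt-range", "direction": "INGRESS", "sourceRanges": ["::/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},   # range covers 3389
    {"name": "allow-all-tcp", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8", "0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp"}]},                            # no ports = every port
    {"name": "allow-rdp-iap", "direction": "INGRESS", "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},        # IAP TCP-forwarding range
    {"name": "deny-public-rdp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "tcp", "ports": ["3389"]}]},         # a deny rule is not a finding
]

def _covers_port(entries, port):
    """True if any allow entry reaches `port` over TCP (or over all protocols)."""
    for entry in entries:
        if entry.get("IPProtocol", "").lower() not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:          # an entry without a ports list means every port
            return True
        for spec in ports:     # a single port "3389" or a range "3000-4000"
            lo, _, hi = spec.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False

def _is_any_source(cidr):
    """0.0.0.0/0 and ::/0 both have prefix length 0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def find_public_rdp_rules(rules, port=RDP_PORT):
    """Return [(rule name, offending source ranges)] for enabled ingress allow rules."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not _covers_port(rule.get("allowed", []), port):
            continue
        open_ranges = [r for r in rule.get("sourceRanges", []) if _is_any_source(r)]
        if open_ranges:
            findings.append((rule["name"], open_ranges))
    return findings

if __name__ == "__main__":
    for name, ranges in find_public_rdp_rules(SAMPLE_RULES):
        print(f"CRITICAL {name}: TCP/{RDP_PORT} open from {', '.join(ranges)}")
```

To run it against a real project, replace SAMPLE_RULES with `json.load()` of the gcloud output; rules with a non-zero prefix length, such as the IAP range, are intentionally left alone.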

🔧 Remediation

Remove 0.0.0.0/0 source ranges from RDP firewall rules. Use Cloud IAP or VPN for remote access.

💀 Real-World Attack Scenario

The Conti ransomware group routinely scans for open RDP ports. In one documented case, they accessed a GCP Windows Server via RDP brute-force, deployed Cobalt Strike within 30 minutes, and encrypted 47 production servers within 4 hours — demanding $2.5M in ransom.

💰 Cost of Non-Compliance

FBI reports RDP is the #1 initial access vector for ransomware (70% of cases). Average ransomware payment: $1.54M (2024). Total recovery cost including downtime: $4.54M. Insurance increasingly excludes RDP-related claims.

📋 Audit Questions

  1. List all firewall rules allowing RDP from any source.
  2. How do administrators access Windows instances?
  3. Is Azure AD or Cloud Identity used for RDP authentication?

🎯 MITRE ATT&CK Mapping

  • T1021.001 — Remote Desktop Protocol
  • T1110 — Brute Force
  • T1486 — Data Encrypted for Impact

🏗️ Infrastructure as Code Fix

main.tf
# Block public RDP, use IAP instead.
# Pair this deny rule with an allow rule scoped to IAP's TCP-forwarding
# source range (35.235.240.0/20) so administrators reach instances only
# through IAP tunnels.
resource "google_compute_firewall" "deny_public_rdp" {
  name      = "deny-public-rdp"
  network   = google_compute_network.vpc.name
  direction = "INGRESS"   # ingress is the default; stated explicitly for clarity
  priority  = 1000        # lower number wins; must outrank any remaining allow rule for 3389
  deny {
    protocol = "tcp"
    ports    = ["3389"]
  }
  source_ranges = ["0.0.0.0/0"]
}

⚡ Common Pitfalls

  • Assuming Windows instances need public RDP (IAP supports RDP tunneling)
  • Not checking for RDP on non-standard ports
  • Allowing RDP from partner IP ranges without time-bound access

📈 Business Value

Closing public RDP eliminates the primary ransomware entry vector. Organizations that block RDP from the internet reduce ransomware incidents by 85%.

⏱️ Effort Estimate

Manual

1-2 hours to audit and remove open RDP rules

With EchelonGraph

EchelonGraph continuously monitors for open RDP rules across all networks

🔗 Cross-Framework References

  • SOC2-CC6.6
  • ISO27001-A.13.1.3
