lacework-global-685

2.4 Ensure no network security groups allow ingress from 0.0.0.0/0 to port 3389 (Automated)

Description

Network security groups (NSGs) provide stateful filtering of ingress/egress network traffic to OCI resources. Port 3389 is the default port for Remote Desktop Protocol (RDP); best practice is that no NSG allows unrestricted ingress (source 0.0.0.0/0) to it. A rule whose protocol is "all", or a TCP rule with no destination port range, also exposes 3389 and is in scope for this check.

Remediation

From Console:

  1. Log in to the OCI Console.

  2. Click the search bar at the top of the screen.

  3. Type Advanced Resource Query and hit enter.

  4. Click the Advanced Resource Query button in the upper right corner of the screen.

  5. Enter the following query in the query box:

    query networksecuritygroup resources where lifeCycleState = 'AVAILABLE'
  6. For each of the network security groups in the returned results, click the name and inspect each of the security rules.

  7. Identify security rules with direction: Ingress, Source: 0.0.0.0/0, and Destination Port Range including port: 3389.

  8. Either Edit the Security rules to restrict the source and/or port range or delete the rule.

From CLI:

  1. Execute the following command:

    # Walk every region the tenancy is subscribed to and every compartment (root included),
    # then flag INGRESS rules from 0.0.0.0/0 whose protocol/port range covers TCP 3389.
    # OCI represents "all ports" for a protocol as a null destination-port-range, and a
    # protocol of "all" has no tcp-options at all; both cases are matched.
    for region in $(oci iam region-subscription list | jq -r '.data[] | ."region-name"')
    do
    echo "Enumerating region $region"
    for compid in $(oci iam compartment list --include-root --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id')
    do
    echo "Enumerating compartment $compid"
    for nsgid in $(oci network nsg list --compartment-id "$compid" --region "$region" --all 2>/dev/null | jq -r '.data[] | .id')
    do
    # --region is required here as well: NSG OCIDs are regional, and without it the
    # rules call goes to the profile's default region and fails for every other region.
    output=$(oci network nsg rules list --nsg-id "$nsgid" --region "$region" --all 2>/dev/null | jq -r '.data[] | select(.direction == "INGRESS" and .source == "0.0.0.0/0" and (.protocol == "all" or (.protocol == "6" and (."tcp-options"."destination-port-range" == null or (."tcp-options"."destination-port-range".min <= 3389 and ."tcp-options"."destination-port-range".max >= 3389)))))')
    if [ -n "$output" ]; then echo "nsgid=$nsgid"; echo "Security Rules=$output"; fi
    done
    done
    done
  2. For each of the network security group security rules identified either:

    Remove the security rules (the rule ids come from the id field in the output above)
    oci network nsg rules remove --nsg-id=<nsg-id> --security-rule-ids='["<rule-id>"]'

    or

    Update the security rules
    oci network nsg rules update --nsg-id=<nsg-id> --security-rules=<updated security-rules JSON (without the isValid or TimeCreated fields)>

    For example:

    oci network nsg rules update --nsg-id=ocid1.networksecuritygroup.oc1.iad.xxxxxxxxxxxxxxxxxxxxxx --security-rules='[{ "description": null, "destination": null, "destination-type": null, "direction": "INGRESS", "icmp-options": null, "id": "709001", "is-stateless": null, "protocol": "6", "source": "140.238.154.0/24", "source-type": "cidr_block", "tcp-options": { "destination-port-range": { "max": 3389, "min": 3389 }, "source-port-range": null }, "udp-options": null }]'
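The predicate the jq filter above applies can be checked offline before it is run against a tenancy. The following is an added example written for this page, not Lacework's policy code and not part of the OCI CLI: it evaluates a constructed copy of what `oci network nsg rules list` returns (the rule ids and timestamps are made up), and it goes a step beyond the page's own filter by looking at the rule's protocol (so a UDP or ICMP rule from 0.0.0.0/0 is not a false positive) and by also flagging the IPv6 catch-all `::/0`. It also builds the `--security-rules` payload for the update step, dropping the read-only `is-valid` and `time-created` fields the page says must not be sent back.

```python
"""Offline check for OCI NSG rules that expose TCP/3389 (RDP) to the Internet.

Added example; mirrors the jq filter in the CLI step and the update payload
rules, but is not the page's or the OCI CLI's own code. The sample rules below
are constructed in the shape of `oci network nsg rules list` output.
"""
import json

RDP_PORT = 3389
CATCH_ALL_SOURCES = ("0.0.0.0/0", "::/0")   # the page's filter checks only the IPv4 form
TCP = "6"                                   # OCI encodes protocol as an IANA number string or "all"
READ_ONLY_FIELDS = ("is-valid", "time-created")


def _range_covers(port_range, port):
    # A null destination-port-range means "every port of this protocol".
    if port_range is None:
        return True
    return port_range["min"] <= port <= port_range["max"]


def rule_exposes_port(rule, port=RDP_PORT):
    """True if this NSG security rule admits TCP traffic from anywhere to `port`."""
    if rule.get("direction") != "INGRESS":
        return False
    # Only CIDR sources can be the Internet; SERVICE_CIDR_BLOCK / NSG sources cannot.
    if str(rule.get("source-type") or "CIDR_BLOCK").upper() != "CIDR_BLOCK":
        return False
    if rule.get("source") not in CATCH_ALL_SOURCES:
        return False
    protocol = str(rule.get("protocol"))
    if protocol == "all":
        return True           # every protocol and every port, tcp-options is null here
    if protocol != TCP:
        return False          # UDP (17) or ICMP (1) rules cannot carry RDP
    tcp_options = rule.get("tcp-options") or {}
    return _range_covers(tcp_options.get("destination-port-range"), port)


def find_offending_rules(rules_list_output, port=RDP_PORT):
    """Return the ids of offending rules from parsed `oci network nsg rules list` JSON."""
    return [r["id"] for r in rules_list_output["data"] if rule_exposes_port(r, port)]


def restrict_source(rule, new_cidr):
    """One entry for `--security-rules`: same rule, narrowed source, read-only fields removed."""
    updated = {k: v for k, v in rule.items() if k not in READ_ONLY_FIELDS}
    updated["source"] = new_cidr
    return updated


def update_payload(rules, new_cidr):
    """JSON string to pass as --security-rules for `oci network nsg rules update`."""
    return json.dumps([restrict_source(r, new_cidr) for r in rules])


def _rule(rule_id, **overrides):
    # Constructed rule in CLI output shape; overrides tweak one field per case.
    base = {"id": rule_id, "direction": "INGRESS", "protocol": TCP, "source": "0.0.0.0/0",
            "source-type": "CIDR_BLOCK", "destination": None, "destination-type": None,
            "is-stateless": False, "is-valid": True, "time-created": "2024-01-01T00:00:00+00:00",
            "description": None, "icmp-options": None, "udp-options": None,
            "tcp-options": {"destination-port-range": {"min": 3389, "max": 3389},
                            "source-port-range": None}}
    base.update(overrides)
    return base


SAMPLE_RULES = {"data": [
    _rule("r-rdp-exact"),                                                     # flagged
    _rule("r-rdp-in-range", **{"tcp-options": {"destination-port-range":
                               {"min": 3000, "max": 4000}, "source-port-range": None}}),  # flagged
    _rule("r-all-protocols", protocol="all", **{"tcp-options": None}),        # flagged
    _rule("r-tcp-any-port-v6", source="::/0", **{"tcp-options": {"destination-port-range": None,
                                                                "source-port-range": None}}),  # flagged
    _rule("r-udp-only", protocol="17", **{"tcp-options": None, "udp-options":
          {"destination-port-range": {"min": 3389, "max": 3389}, "source-port-range": None}}),
    _rule("r-private-source", source="10.0.0.0/8"),
    _rule("r-egress", direction="EGRESS", source=None, source_type=None,
          destination="0.0.0.0/0", **{"destination-type": "CIDR_BLOCK"}),
]}

if __name__ == "__main__":
    offending = find_offending_rules(SAMPLE_RULES)
    print("offending rule ids:", offending)
    print("update payload:", update_payload(SAMPLE_RULES["data"][:1], "140.238.154.0/24"))
```

The UDP case is the one the page's jq filter gets wrong: its `tcp-options == null` branch was written for protocol "all" but also matches any rule that simply has no TCP options. Checking `protocol` first removes that false positive without losing the "all" case.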

Impact

When updating an existing environment, first confirm that administrators who currently rely on the 0.0.0.0/0 ingress rule can still reach port 3389 (and port 22, if you remediate both in the same change) through another network security group or security list; otherwise removing the rule cuts off remote administration of the affected instances.