3 min. Read

A couple of days ago, we received information about a new RDP vulnerability known as RDP BlueKeep which may allow remote access to a virtual machine that uses RDP without NLA (Network Level Authentication) By sending a specially crafted data packet that is not understood by RDP, an attacker could cause memory errors and execute code remotely NT authority / system access level. You can read about the RDP BlueKeep error here.

Changing the listening port helps to “hide” the remote desktop from hackers who are constantly looking for computers on the network that are listening on the default information service port (TCP 3389).. This provides effective protection against the latest RDP worms and increases your environment.

Azure Network Security Group (NSG) can help limit network traffic to virtual network resources. NSG allows you to create rules (ACLs) at the desired level of resolution: network interfaces, individual virtual machines, or virtual subnets. You can control access by allowing or blocking communication between virtual network workloads, from network (s) systems through a business-to-business connection, or through a direct Internet connection. Each network interface has zero or one connected network security group. Each network interface is on a subnet of a virtual network. A subnet can also have zero or one connected network security group.

In this quick blog post, I’ll share with you a PowerShell script to help you get a list of all the network security groups (NSGs) whose RDP port is open on all Azure subscriptions, and then export it to comma-separated value (CSV) format. This is handy when working with many Azure virtual machines, and you want to check which network security group (NSG) RDP port is in use.

If your Azure subscription uses the Azure Security Center (ASC) Standard, ASC can identify a list of ports open to you. Just in Time (JIT) VM Access the blade shows machines with RDP / SSH open and recommends enabling JIT.

Here is a script that will do the job for you.

<#
.Synopsis
A script used to find all NSGs with RDP Port Open in all your Azure Subscriptions

.DESCRIPTION
A script used to get the list of all Network Security Groups (NSGs) with RDP Port open in all your Azure Subscriptions.
Finally, it will export the report into a csv file in your Azure Cloud Shell storage.

.Notes
Created : 2019-06-11
Version : 1.0
Author : Charbel Nemnom
Twitter : @CharbelNemnom
Blog : https://charbelnemnom.com
Disclaimer: This script is provided "AS IS" with no warranties.
#>

$azSubs = Get-AzSubscription

foreach ( $azSub in $azSubs ) {
    Set-AzContext -Subscription $azSub | Out-Null

    $azNsgs = Get-AzNetworkSecurityGroup 
    
    foreach ( $azNsg in $azNsgs ) {
        Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $azNsg | Where-Object { $_.DestinationPortRange -eq '3389' } | `
            Select-Object @{label = 'NSG Name'; expression = { $azNsg.Name } }, @{label = 'Rule Name'; expression = { $_.Name } }, `
        @{label = 'Port Range'; expression = { $_.DestinationPortRange } }, Access, Priority, Direction, `
        @{label = 'Resource Group Name'; expression = { $azNsg.ResourceGroupName } } | Export-Csv -Path "$($home)clouddrivensg-audit.csv" -NoTypeInformation -Append
      
    }    
}

Jump Azure Cloud Shell session (https://shell.azure.com) and run the script above:

Switch to the Cloud Shell storage account and upload the CSV file.

Get a list of network security groups whose RDP port has been opened using Azure Cloud Shell 2

And here is the final report, which is displayed in CSV format:

Get a list of network security groups whose RDP port has been opened using Azure Cloud Shell 3

Note that you can do the same thing with the Azure CLI, but I prefer to use Azure PowerShell.

Azure Cloud Shell is so powerful that you don’t have to install Azure CLI or PowerShell modules locally on your machine to automate your tasks. I highly recommend Master Cloud Shell session recorded by my dear friend Thomas Maurer.

This is version 1.0, do you want more features? Leave a comment below.

Hopefully this will help!

__
Thanks for locking my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

LEAVE A REPLY

Please enter your comment!
Please enter your name here