Azure Network Security Group (NSG) Allows Traffic From Internet On Port 3389

Blocking inbound RDP (port 3389) from the internet protects users from attacks such as account compromise, denial of service, and ransomware.

Policy Details

Policy Subtype
Run, Build
Template Type

Build Rules

Azure Network Security Group (NSG) allows traffic from internet on port 3389.
JSON Query:
($.resource.*.azurerm_network_security_rule[*].*[?( @.access == 'Allow' && @.direction == 'Inbound' )].destination_port_ranges contains 3389 or $.resource.*.azurerm_network_security_rule[*].*[?( @.access == 'Allow' && @.direction == 'Inbound' )].destination_port_range equals 3389) or ($.resource.*.azurerm_network_security_group[*].*[*].security_rule[?( @.access == 'Allow' && @.direction == 'Inbound' )].destination_port_ranges contains 3389 or $.resource.*.azurerm_network_security_group[*].*[*].security_rule[?( @.access == 'Allow' && @.direction == 'Inbound' )].destination_port_range equals 3389)
Recommended solution for not allowing RDP traffic on port 3389 from the internet in an NSG.
It is recommended that an Azure Network Security Group (NSG) not allow RDP traffic from the internet on port 3389. Make sure your template sets "access" to "Deny" when the direction is Inbound and the port is 3389.
For example:
"azurerm_network_security_rule": [
  {
    "<network_security_rule_name>": [
      {
        "access": "Deny",
        "destination_address_prefix": "*",
        "destination_port_range": "3389",
        "direction": "Inbound",
        "name": "test123"
      }
    ]
  }
]
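
The build rule's conditions as a stand-alone check, added here as an example and not the policy engine's own code: it walks the same Terraform JSON paths as the query above and, going beyond it, also matches port ranges and "*" that include 3389. Function names and the sample template are constructed for illustration; like the query, it does not inspect the source address.

```python
RDP_PORT = 3389

def covers_rdp(spec):
    """True if a port spec such as "3389", "3000-4000" or "*" includes 3389."""
    spec = str(spec).strip()
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    try:
        return int(low) <= RDP_PORT <= int(high or low)
    except ValueError:
        return False  # unparsable spec: not treated as a match

def as_list(value):
    """Terraform JSON may hold one object or a list of them; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def rule_exposes_rdp(rule):
    """Same conditions as the JSON query: Allow + Inbound + destination port 3389."""
    if rule.get("access") != "Allow" or rule.get("direction") != "Inbound":
        return False
    ports = as_list(rule.get("destination_port_ranges")) + as_list(rule.get("destination_port_range"))
    return any(covers_rdp(p) for p in ports)

def find_exposed_rules(template):
    """Return names of standalone rules and inline NSG rules that allow inbound 3389."""
    found = []
    for block in as_list(template.get("resource")):
        for named in as_list(block.get("azurerm_network_security_rule")):
            for name, bodies in named.items():
                found += [name for r in as_list(bodies) if rule_exposes_rdp(r)]
        for named in as_list(block.get("azurerm_network_security_group")):
            for name, bodies in named.items():
                for nsg in as_list(bodies):
                    found += [f"{name}/{r.get('name')}" for r in as_list(nsg.get("security_rule"))
                              if rule_exposes_rdp(r)]
    return found

# Constructed sample template (all resource and rule names are made up).
SAMPLE = {"resource": [
    {"azurerm_network_security_rule": [
        {"rdp_open": [{"access": "Allow", "direction": "Inbound", "destination_port_range": "3389"}]},
        {"rdp_denied": [{"access": "Deny", "direction": "Inbound", "destination_port_range": "3389"}]}]},
    {"azurerm_network_security_group": [{"web_nsg": [{"security_rule": [
        {"name": "wide", "access": "Allow", "direction": "Inbound", "destination_port_ranges": ["443", "3000-4000"]},
        {"name": "https", "access": "Allow", "direction": "Inbound", "destination_port_range": "443"}]}]}]}]}

if __name__ == "__main__":
    print(find_exposed_rules(SAMPLE))
```

The "wide" rule is reported because its range 3000-4000 includes 3389, a case the equality test in the query does not match.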

Run Rule Recommendation

  1. Log in to the Azure Portal.
  2. Click on All services.
  3. Under NETWORKING, Click on Network security groups.
  4. Click on reported Network security group.
  5. Under SETTINGS, Click on Inbound security rules.
  6. Click on reported row (3389 PORT).
  7. Set Action to Deny.
  8. Click on OK.
Remediation CLI Command:
az network nsg rule update --name ${ruleName} --resource-group ${resourceGroup} --nsg-name ${resourceName} --access Deny
CLI Command Description:
This CLI command requires 'Microsoft.Network/networkSecurityGroups/securityRules/*' permission. Successful execution will update the network security group to revoke the inbound rule records allowing traffic from Internet on port 3389.


There are 12 standards that are applicable to this policy:
  • MITRE ATT&CK [Beta]
  • PCI DSS v3.2
  • GDPR
  • CSA CCM v3.0.1
  • CIS v1.1 (Azure)
  • SOC 2
  • HITRUST CSF v9.3
  • CCPA 2018
  • NIST 800-53 Rev4
