---
title: RDP access is not restricted
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > RDP access is not restricted
---

# RDP access is not restricted

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `75418eb9-39ec-465f-913c-6f2b6a80dc77`

**Cloud Provider:** GCP

**Platform:** Ansible

**Severity:** High

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html)

### Description{% #description %}

Allowing unrestricted RDP (TCP port 3389) ingress exposes hosts to automated brute-force attacks and unauthorized remote access. This rule inspects Ansible `google.cloud.gcp_compute_firewall` and `gcp_compute_firewall` tasks and flags ingress rules whose `source_ranges` include unrestricted CIDRs (for example `0.0.0.0/0` or `::/0`) and whose `allowed` entries include port `3389` (typically `ip_protocol: tcp`).

Rules that permit unrestricted source ranges must not allow port `3389`. Either remove or disable RDP on the firewall, or restrict `source_ranges` to trusted CIDRs. Consider using a bastion host, VPN, or identity-based access (IAP/SSM) instead of direct RDP. Resources where `direction` is ingress, `source_ranges` contains an unrestricted CIDR, and `allowed[].ports` contains `"3389"` (or a range such as `"2000-4000"` that spans it, as in the non-compliant examples) are flagged.

Secure example that restricts RDP to a corporate CIDR:

```yaml
- name: allow-rdp-from-corporate
  google.cloud.gcp_compute_firewall:
    name: allow-rdp-corp
    network: default
    direction: INGRESS
    source_ranges:
      - 10.0.0.0/8
    allowed:
      - ip_protocol: tcp
        ports:
          - "3389"
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: create a firewall
  google.cloud.gcp_compute_firewall:
    name: test_object
    allowed:
    - ip_protocol: tcp
      ports:
      - '80'
    target_tags:
    - test-ssh-server
    - staging-ssh-server
    source_tags:
    - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: rdp_in_range
  google.cloud.gcp_compute_firewall:
    name: test_object
    source_ranges:
      - "0.0.0.0/0"
    allowed:
      - ip_protocol: tcp
        ports:
          - "22"
          - "80"
          - "8080"
          - "2000-4000"
    target_tags:
      - test-ssh-server
      - staging-ssh-server
    source_tags:
      - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
- name: rdp_in_port
  google.cloud.gcp_compute_firewall:
    name: test_object
    source_ranges:
      - "0.0.0.0/0"
    allowed:
      - ip_protocol: tcp
        ports:
          - "22"
          - "80"
          - "3389"
    target_tags:
      - test-ssh-server
      - staging-ssh-server
    source_tags:
      - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
```
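The detection logic this rule describes, written out as a small Python checker that runs over tasks mirroring the examples above; this is an added example, not Datadog's rule implementation. It treats a port range that spans 3389 as a match (the `rdp_in_range` task above is flagged for that reason), assumes an omitted `direction` means ingress, and assumes an `allowed` entry with no `ports` opens every port of that protocol.

```python
import ipaddress
FIREWALL_MODULES = ("google.cloud.gcp_compute_firewall", "gcp_compute_firewall")
RDP_PORT = 3389

def is_unrestricted(cidr):
    """True for any /0 network, which covers both 0.0.0.0/0 and ::/0."""
    try:
        return ipaddress.ip_network(str(cidr).strip(), strict=False).prefixlen == 0
    except ValueError:
        return False  # unparsable entries are not counted as open

def port_spec_covers(spec, port):
    # GCP port entries are a single port ("3389") or an inclusive range ("2000-4000").
    lo, _, hi = str(spec).partition("-")
    hi = hi or lo
    return lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi)

def allows_rdp(allowed):
    for entry in allowed or []:
        if str(entry.get("ip_protocol", "")).lower() not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        # An entry with no ports permits the whole protocol, which includes 3389 (GCP semantics).
        if not ports or any(port_spec_covers(p, RDP_PORT) for p in ports):
            return True
    return False

def find_unrestricted_rdp(tasks):
    # Returns the names of tasks that open TCP/3389 to an unrestricted ingress source range.
    findings = []
    for task in tasks:
        args = next((task[m] for m in FIREWALL_MODULES if m in task), None)
        if args is None:
            continue
        # Omitted direction is treated as INGRESS, matching the flagged examples (assumption).
        if str(args.get("direction", "INGRESS")).upper() != "INGRESS":
            continue
        if any(is_unrestricted(c) for c in args.get("source_ranges") or []) and allows_rdp(args.get("allowed")):
            findings.append(task.get("name", "<unnamed>"))
    return findings

# Constructed tasks mirroring the page's examples, as plain dicts so no YAML parser is needed.
SAMPLE_TASKS = [
    {"name": "allow-rdp-from-corporate", "google.cloud.gcp_compute_firewall": {"direction": "INGRESS",
        "source_ranges": ["10.0.0.0/8"], "allowed": [{"ip_protocol": "tcp", "ports": ["3389"]}]}},
    {"name": "rdp_in_range", "google.cloud.gcp_compute_firewall": {"source_ranges": ["0.0.0.0/0"],
        "allowed": [{"ip_protocol": "tcp", "ports": ["22", "80", "8080", "2000-4000"]}]}},
    {"name": "rdp_in_port", "gcp_compute_firewall": {"source_ranges": ["0.0.0.0/0"],
        "allowed": [{"ip_protocol": "tcp", "ports": ["22", "80", "3389"]}]}},
]
```

Running `find_unrestricted_rdp(SAMPLE_TASKS)` returns the two non-compliant task names and leaves the corporate-CIDR task alone.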
