---
title: RDP access is not restricted
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > RDP access is not restricted
---

# RDP access is not restricted

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `terraform-gcp-rdp-access-is-not-restricted`

**Provider:** GCP

**Platform:** Terraform

**Severity:** High

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall)

### Description{% #description %}

This check verifies whether Google Compute firewall rules allow unrestricted RDP access by examining whether port 3389 (the default RDP port) is reachable from the internet. When firewall rules allow RDP traffic from `0.0.0.0/0` (all IPv4) or `::/0` (all IPv6), they significantly increase the risk of brute-force attacks, unauthorized access, and potential system compromise.

Vulnerable configurations include allowing port 3389 directly or within ranges (for example, `21-3390`), or using `protocol = "all"` with unrestricted source ranges. To secure your environment, explicitly exclude RDP ports from public access and restrict RDP traffic to specific trusted IP addresses or VPN connections.

```hcl
// Insecure configuration (AVOID):
resource "google_compute_firewall" "insecure" {
  // ... other configuration ...
  allow {
    protocol = "tcp"
    ports    = ["80", "3389"]
  }
  source_ranges = ["0.0.0.0/0"]
}

// Secure configuration:
resource "google_compute_firewall" "secure" {
  // ... other configuration ...
  allow {
    protocol = "tcp"
    ports    = ["80", "8080", "1000-2000"] // Excludes RDP port 3389
  }
  source_tags = ["web"]
  // Alternatively, limit RDP to specific IPs:
  // source_ranges = ["10.0.0.0/24", "192.168.1.0/24"]
}
```
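To make the detection logic concrete, the following is an added example (not Datadog's rule implementation) that re-implements the check over `google_compute_firewall` resources represented as Python dicts instead of HCL. The sample rules are constructed to mirror the compliant and non-compliant examples on this page; the check flags an ingress rule whose `source_ranges` includes a public range and whose `allow` block covers port 3389 directly, inside a port range, with no port list (every port for that protocol), or via `protocol = "all"`.

```python
from typing import Dict, List

PUBLIC_RANGES = {"0.0.0.0/0", "::/0"}
RDP_PORT = 3389


def _port_spec_covers(spec: str, port: int) -> bool:
    """True if a GCP port spec ("3389" or a range such as "21-3390") includes port."""
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def _allow_covers_rdp(allow: Dict) -> bool:
    """True if a single allow block would let RDP traffic through."""
    proto = allow.get("protocol", "").lower()
    if proto not in {"tcp", "udp", "all"}:
        return False
    ports = allow.get("ports")
    if not ports:  # no port list means every port for that protocol
        return True
    return any(_port_spec_covers(p, RDP_PORT) for p in ports)


def rdp_exposed(rule: Dict) -> bool:
    """Return True if the firewall rule would be flagged by this check."""
    if rule.get("direction", "INGRESS").upper() != "INGRESS":
        return False
    if not PUBLIC_RANGES & set(rule.get("source_ranges", [])):
        return False
    return any(_allow_covers_rdp(a) for a in rule.get("allow", []))


# Constructed sample rules mirroring the page's examples (dict form, not HCL).
RULES = {
    "negative1": {"allow": [{"protocol": "icmp"},
                            {"protocol": "tcp", "ports": ["80", "8080", "1000-2000"]}],
                  "source_tags": ["web"]},
    "positive1": {"direction": "INGRESS", "source_ranges": ["0.0.0.0/0"],
                  "allow": [{"protocol": "tcp", "ports": ["80", "8080", "1000-2000", "3389"]}]},
    "positive2": {"source_ranges": ["::/0"],
                  "allow": [{"protocol": "udp", "ports": ["80", "8080", "1000-2000", "21-3390"]}]},
    "positive3": {"source_ranges": ["::/0"], "allow": [{"protocol": "all"}]},
}


def findings() -> List[str]:
    """Names of the sample rules the check flags, sorted."""
    return sorted(name for name, rule in RULES.items() if rdp_exposed(rule))


if __name__ == "__main__":
    print(findings())  # ['positive1', 'positive2', 'positive3']
```

This simplified version only looks at explicit `source_ranges`; it does not model GCP's behavior of treating an ingress rule with no source ranges, tags, or service accounts as applying to `0.0.0.0/0`, which is a separate exposure worth checking for.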

## Compliant Code Examples{% #compliant-code-examples %}

```terraform
resource "google_compute_firewall" "negative1" {
  name    = "test-firewall"
  network = google_compute_network.default.name

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    ports    = ["80", "8080", "1000-2000"]
  }

  source_tags = ["web"]
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```terraform
resource "google_compute_firewall" "positive1" {
  name    = "test-firewall"
  network = google_compute_network.default.name
  direction = "INGRESS"

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    ports    = ["80", "8080", "1000-2000", "3389"]
  }

  source_tags = ["web"]
  source_ranges = ["0.0.0.0/0"]
}

resource "google_compute_firewall" "positive2" {
  name    = "test-firewall"
  network = google_compute_network.default.name

  allow {
    protocol = "udp"
    ports    = ["80", "8080", "1000-2000", "21-3390"]
  }

  source_tags = ["web"]
  source_ranges = ["::/0"]
}

resource "google_compute_firewall" "positive3" {
  name    = "test-firewall"
  network = google_compute_network.default.name

  allow {
    protocol = "all"
  }

  source_tags = ["web"]
  source_ranges = ["::/0"]
}
```
