By default, every Azure virtual machine has RDP (Remote Desktop Protocol) enabled on port 3389 and allows RDP connections from any IP in the world. As convenient as that is, it can be a (huge) security risk. So, what if we want to change this and limit who has RDP access to the VM? What if we want only a select range of IPs, or one specific IP, to have access to the VM(s)? For example, your branch office has a static public IP, and we want to allow RDP access only from this IP/location and change the RDP listening port (3389) to a custom port on your VM. How can we achieve this?
Steps to follow:
- Change the listening port for Remote Desktop on your VM.
When you connect to a computer (either a Windows client or Windows Server) through the Remote Desktop client, the Remote Desktop feature on your computer "hears" the connection request through a defined listening port (3389 by default). You can change that listening port on Windows computers by modifying the registry.
For this example I am using port 6123 as the custom port for RDP.
- Start the registry editor. (Type regedit in the Search box.)
- Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
- Find PortNumber
- Click Edit > Modify, and then click Decimal.
- Type the new port number 6123, and then click OK.
- Close the registry editor.
- Configure Windows Firewall to permit connections to the new port number.
- Go to Control Panel > Windows Firewall > Advanced Settings > Inbound Rules > Create a new rule > Select Port > Select TCP > Specific local ports (6123) > Allow Connection > Select which connected networks the rule applies to > Give the new rule a name and description.
- Restart your VM.
The next time you connect to this computer by using the Remote Desktop connection, you must type the new port.
- Restricting RDP access to your VMs in Azure
Let’s begin. Go into the property settings of the VM, select Networking under Settings, and under Inbound Port Rules select “Add inbound port rule”.
The Inbound Security Rule properties are as follows:
Wait, what do all of these fields mean?
- Source: The source can be any IP Address, or CIDR Range, or a default service tag.
- Source IP Address/CIDR Ranges: Any IP Address, or CIDR Range.
- Source Service Tag: There are a series of options here, but in short:
- Load Balancer: Any probes in the Azure Load Balancer
- Virtual Network: The Virtual Network the VM is connected to
- Internet: All network traffic in the public virtual network, (including all Azure services, such as Azure Traffic Manager, Storage and SQL)
- Azure Traffic Manager: Denotes the IP address from where the Azure Load Balancer health probes will originate.
- Storage.*: Access to Azure storage services and/or specific Azure regions
- SQL.*: Access to Azure SQL Database and Warehouse services, and/or specific Azure regions
- Source Port Ranges: You can use either a range of ports, or use a Wildcard (*) for all ranges.
- Destination: The destination can be any IP Address, or CIDR Range, or the Virtual Network.
- Destination Port Ranges: You can use either a range of ports, or use a Wildcard (*) for all ranges.
- Protocol: TCP or UDP, or Any, which includes both TCP and UDP, and ICMP.
- Action: Allow, or Deny access.
- Priority: A number between 100 and 4096. The lowest is 100, and the highest we can input is 4096. The lower the number, the higher the priority.
- Name: The name of the rule. Note, once created, it cannot be changed!
So, these are the values/settings I implemented for the Allow Inbound Rule:
- Source: IP Addresses
- Source IP Addresses/CIDR Ranges: xxx.xxx.xxx.xxx (the public IP from which you are going to access this VM over RDP)
- Source Port Ranges: *
- Destination: Any
- Destination Port Ranges: 6123
- Protocol: TCP
- Action: Allow
- Priority: 100
- Name: RDP_6123
Next are the values/settings I implemented for the Deny all RDP Inbound Rule:
- Source: ServiceTag
- Source Service Tag: Internet
- Source Port Ranges: *
- Destination: Virtual Network
- Destination Port Ranges: 3389
- Protocol: Any
- Action: Deny
- Priority: 101
- Name: Deny-RDP-Access
The inbound port rules should look something like this now. Why did we set the priorities the way we did? Rules are checked in order of priority, and once a rule applies, no more rules are tested for matching.
Once the rules have been submitted and accepted, an RDP connection to the VM should only be allowed from the permitted IP range or IP, using the custom RDP port.
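To see how first-match priority evaluation plays out for the two rules above, here is a small model of it; this is an added example, not Azure's own code. The branch IP `203.0.113.10` and the VNet range `10.0.0.0/16` are constructed values, the `Internet` tag is simplified to "anything outside the VNet", the packet is assumed to be addressed to the VM, and the last two rules are Azure's built-in default inbound rules (the load balancer default is omitted).

```python
import ipaddress

# Constructed sample values (documentation ranges), not taken from the page.
BRANCH_IP = "203.0.113.10"                    # stands in for xxx.xxx.xxx.xxx
VNET = ipaddress.ip_network("10.0.0.0/16")    # assumed VNet address space

def src_matches(source, ip):
    """Match a rule's Source field against a packet's source address."""
    addr = ipaddress.ip_address(ip)
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return addr in VNET
    if source == "Internet":                  # simplification: anything outside the VNet
        return addr not in VNET
    return addr in ipaddress.ip_network(source, strict=False)

# (priority, name, source, destination port, protocol, action)
RULES = [
    (100, "RDP_6123", BRANCH_IP, 6123, "TCP", "Allow"),
    (101, "Deny-RDP-Access", "Internet", 3389, "Any", "Deny"),
    # Built-in default inbound rules present on every NSG
    (65000, "AllowVnetInBound", "VirtualNetwork", "*", "Any", "Allow"),
    (65500, "DenyAllInBound", "*", "*", "Any", "Deny"),
]

def evaluate(src_ip, dst_port, protocol="TCP", rules=RULES):
    """Return (rule name, action) of the first match, lowest priority number first."""
    for _prio, name, source, port, proto, action in sorted(rules):
        if (src_matches(source, src_ip)
                and port in ("*", dst_port)
                and proto in ("Any", protocol)):
            return name, action
    raise LookupError("no rule matched")      # unreachable while DenyAllInBound exists

if __name__ == "__main__":
    probes = [(BRANCH_IP, 6123), ("198.51.100.7", 6123), ("198.51.100.7", 3389),
              (BRANCH_IP, 3389), ("10.0.1.5", 3389)]
    for src, port in probes:
        print(f"{src:>15} -> :{port}  {evaluate(src, port)}")
```

Two things stand out in the output: a non-branch address hitting port 6123 is stopped by the default `DenyAllInBound` rule rather than by `Deny-RDP-Access`, and a host inside the VNet still reaches 3389 because the deny rule's source is `Internet` only.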