Insecure Access Control

Why is this important?

Access Control is one of the most fundamental security requirements. Any problem with managing access control can allow attackers to bypass business logic and access data from other users. In the context of Google Deployment Manager this can usually be remediated by making changes to the configuration representing the desired state of your infrastructure.

Access Control Issues

RDP Access Is Not Restricted

Check whether the Google Compute firewall resource allows unrestricted RDP access: a rule that accepts traffic from any source should not allow the RDP port, 3389, over TCP or UDP.

Option A: Make sure the default RDP port is not open

The firewall resource's properties should not contain an ingress rule that has both of the following:

  • Unrestricted sourceRanges (a catch-all range such as 0.0.0.0/0 or ::/0, or no sourceRanges defined at all, which Google Compute treats as allowing every source)
  • and an allowed array containing an object whose IPProtocol is tcp or udp and whose ports array includes 3389, either listed directly or covered by a range such as "21-3389"

Detailed Instructions

  1. Locate one of the following vulnerable patterns:

    Vulnerable pattern:

    resources:
    - name: firewall
      type: compute.v1.firewall
      properties:
        name: my-firewall
        sourceRanges:
        - "0.0.0.0/0"
        allowed:
        - IPProtocol: icmp
          ports:
          - "80"
          - "8080"
          - "1000-2000"
        - IPProtocol: tcp
          ports:
          - "80"
          - "8080"
          - "1000-2000"
          - "3389"

    Vulnerable pattern:

    resources:
    - name: firewall
      type: compute.v1.firewall
      properties:
        name: my-firewall
        sourceRanges:
        - "::/0"
        allowed:
        - IPProtocol: icmp
          ports:
          - "80"
          - "8080"
          - "1000-2000"
        - IPProtocol: udp
          ports:
          - "80"
          - "8080"
          - "1000-2000"
          - "21-3389"

  2. Modify the config to something like the following:

    Replacement pattern:

    resources:
    - name: firewall
      type: compute.v1.firewall
      properties:
        name: my-firewall
        allowed:
        - IPProtocol: icmp
          ports:
          - "80"
          - "8080"
          - "1000-2000"

  3. Test it

  4. Ship it 🚢 and relax 🌴
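The check described above, as an added example that is not part of this page or of Google's tooling: it walks a parsed Deployment Manager config (the dict that yaml.safe_load() returns for the YAML shown) and flags compute.v1.firewall resources that expose 3389 to any source. It goes slightly beyond the page's two patterns in that it also treats a tcp/udp rule with no ports entry as open (Compute applies such a rule to all ports) and treats sourceTags or sourceServiceAccounts as a restriction when sourceRanges is omitted. The sample config and the 203.0.113.0/24 office range are constructed.

```python
RDP_PORT = 3389
OPEN_RANGES = {"0.0.0.0/0", "::/0"}


def port_spec_covers(spec, port):
    """True if a ports entry such as "3389" or "21-3389" includes `port`."""
    spec = str(spec)
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def is_unrestricted(props):
    """A rule with no sourceRanges, sourceTags or sourceServiceAccounts
    applies to every source; a catch-all range is equally open."""
    ranges = props.get("sourceRanges")
    if not ranges:
        return not (props.get("sourceTags") or props.get("sourceServiceAccounts"))
    return any(r in OPEN_RANGES for r in ranges)


def find_open_rdp(config):
    """Return names of firewall resources allowing RDP (tcp/udp 3389) from anywhere."""
    findings = []
    for res in config.get("resources", []):
        if res.get("type") != "compute.v1.firewall":
            continue
        props = res.get("properties", {})
        if props.get("direction", "INGRESS") != "INGRESS" or not is_unrestricted(props):
            continue
        for rule in props.get("allowed", []):
            if str(rule.get("IPProtocol", "")).lower() not in ("tcp", "udp"):
                continue
            ports = rule.get("ports")  # no ports entry means every port
            if ports is None or any(port_spec_covers(p, RDP_PORT) for p in ports):
                findings.append(res["name"])
                break
    return findings


# Constructed sample: the page's second vulnerable pattern plus a rule that
# only allows RDP from a specific documentation range (not a finding).
SAMPLE_CONFIG = {"resources": [
    {"name": "firewall", "type": "compute.v1.firewall",
     "properties": {"name": "my-firewall", "sourceRanges": ["::/0"],
                    "allowed": [{"IPProtocol": "icmp"},
                                {"IPProtocol": "udp", "ports": ["80", "21-3389"]}]}},
    {"name": "rdp-from-office", "type": "compute.v1.firewall",
     "properties": {"name": "rdp-office", "sourceRanges": ["203.0.113.0/24"],
                    "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]}},
]}

if __name__ == "__main__":
    print("open RDP in:", find_open_rdp(SAMPLE_CONFIG))
```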
