Automatically remove Azure RDP Endpoints


With great power comes great responsibility, which is definitely true when it comes to RDP access.

I’m not referring to the fact that enabling RDP also enables the possibility for unknown individuals to access the system. Configuring ACLs on your Endpoints, login/password policies, patching and monitoring should keep everything pretty secure. I’m talking about point-and-click administration.

RDP Endpoints maintenance

The problem with keeping RDP endpoints enabled is their ease of use for most people, which introduces all kinds of issues when it comes to maintaining a consistent state. Now there are lots of tools available to help prevent configuration drift. But in my opinion, discouraging the use of RDP sessions is a good start.

The scenario: Remove RDP endpoints within a scheduled interval.

I want to discourage the use of RDP, not ban RDP sessions completely. RDP can be used for investigation purposes, yet sessions should not exceed a one-hour time limit. In addition, an Azure admin will need to recreate the Azure VM Endpoint.

Note: The script looks for the name “RemoteDesktop” in order to remove the Endpoint from the Azure VM configuration. Another option would involve retrieving the RDP port of the VM using PowerShell remoting and looking for a match within the Endpoint collection, in case you don’t trust anyone.

Let’s start by creating the script locally first.

Iterate through all VMs > Look for and remove the Endpoint > Update the configuration
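A sketch of that flow, added here as an example and not the post's original script. It assumes the classic Azure Service Management PowerShell module with a subscription already selected; the function name `Remove-RdpEndpoint` and its dry-run support are assumptions made for illustration.

```powershell
# Added example, not the author's script. Assumes the classic Azure Service
# Management module is loaded and a subscription is already selected
# (Add-AzureAccount / Select-AzureSubscription).
function Remove-RdpEndpoint {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Endpoint name to match; "RemoteDesktop" is the name the post looks for.
        [string]$EndpointName = 'RemoteDesktop'
    )

    # Iterate through all VMs in the current subscription.
    foreach ($vm in Get-AzureVM) {
        # Look for the endpoint by name on this VM.
        $endpoint = $vm | Get-AzureEndpoint |
            Where-Object { $_.Name -eq $EndpointName }

        if (-not $endpoint) {
            Write-Verbose "$($vm.ServiceName)/$($vm.Name): no '$EndpointName' endpoint"
            continue
        }

        $target = "$($vm.ServiceName)/$($vm.Name) public port $($endpoint.Port)"
        if ($PSCmdlet.ShouldProcess($target, "Remove endpoint '$EndpointName'")) {
            try {
                # Remove the endpoint from the VM configuration and push the update.
                $vm | Remove-AzureEndpoint -Name $EndpointName |
                    Update-AzureVM -ErrorAction Stop | Out-Null
                Write-Output "Removed '$EndpointName' from $target"
            }
            catch {
                # Keep going so one failing VM does not leave the rest exposed.
                Write-Warning "Failed on ${target}: $($_.Exception.Message)"
            }
        }
    }
}

# Dry run first to list what would be removed, then remove for real.
Remove-RdpEndpoint -WhatIf
Remove-RdpEndpoint -Verbose
```

Matching on the endpoint name alone misses an RDP endpoint that was created under a different name, which is the gap the note above about matching on the VM's actual RDP port addresses.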

Automating the process

Now you could initialize this from a different host manually or as a job; however, Azure has a dedicated Automation host called Azure Automation.

Note: Currently Azure Automation is only available within the “classic” Microsoft Azure portal (http://manage.windowsazure.com/)

In order to access your Azure resources within the Automation context, you need to set up some authentication basics. I prefer using Azure Active Directory, but certificates can be used as well. An easy guide on how to set up authentication using Azure Active Directory can be found in this blog post (step 1 to 4).

  • Create a new Runbook by clicking on the tab RUNBOOKS and NEW > RUNBOOK > Quick Create. Name it RemoveRDPEndpoints.
  • Open the AUTHOR tab and include the following script:

The following script changes have been applied to get everything working within an Azure Automation (PowerShell Workflow) context:

  • The Authorization part was added, allowing the Automation host to Authenticate and access your Azure resources
  • Parallel was added for Parallel execution
  • Some constructs aren’t supported within a PowerShell Workflow context and were therefore altered.

Creating a schedule

The last step is to schedule the execution of the Runbook:

  • Make sure to publish the RemoveRDPEndpoints Runbook
  • Click on SCHEDULE located at the top of the page
  • Select LINK TO A NEW SCHEDULE, which will allow the creation of a new schedule
  • Give the new schedule a name and configure the schedule as desired, in my case HOURLY.

For more details on scheduling Runbooks, please visit my post Microsoft Azure Automation – Schedule Jobs.
