
🛡️ Azure Virtual Machine allows public access to NetBIOS ports🟢

  • Contextual name: 🛡️ Virtual Machine allows public access to NetBIOS ports🟢
  • ID: /ce/ca/azure/virtual-machine/allows-unrestricted-netbios-traffic
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Description

Ensure that Azure Virtual Machines are not configured to allow unrestricted inbound access to NetBIOS ports (TCP/UDP 137, 138, 139). These ports are commonly associated with legacy file-sharing and network management protocols in Windows environments. Exposing NetBIOS ports to the public internet can present substantial security risks.

Rationale

Restricting NetBIOS traffic through NSGs significantly reduces the attack surface of Azure Virtual Machines (VMs) and enhances the overall security posture. NetBIOS has been a target for exploitation due to its known vulnerabilities, and its use in modern cloud environments is rare. Minimizing the exposure of these ports reduces the likelihood of unauthorized access, data exfiltration, and the spread of malicious payloads through legacy network protocols.

Impact

Implementing these restrictions may affect systems that rely on NetBIOS for legacy network communication. Therefore, it is crucial to plan and test these changes carefully to ensure that critical business functions are not disrupted while mitigating the associated security risks.
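The following is an added example, not the Cloudaware policy's own logic: a check that reads the JSON printed by `az network nsg rule list -o json` (field names `direction`, `access`, `sourceAddressPrefix(es)`, `destinationPortRange(s)` are the CLI's) and flags inbound Allow rules reachable from the public internet on TCP/UDP 137-139. The sample rules are constructed.

```python
import json

NETBIOS_PORTS = {137, 138, 139}
# Source prefixes that mean "anyone on the public internet" in an NSG rule
PUBLIC_SOURCES = {"*", "0.0.0.0/0", "internet", "any"}


def port_range_hits(spec, ports):
    """True if an NSG port spec ('*', '139', '137-139') covers any of `ports`."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    low, high = int(lo), int(hi or lo)
    return any(low <= p <= high for p in ports)


def rule_is_open_netbios(rule):
    """Flag an inbound Allow rule reachable from the public internet on 137-139."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return False
    # az emits either the singular field or the plural list, never both populated
    sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix") or ""]
    if not any(s.lower() in PUBLIC_SOURCES for s in sources):
        return False
    ports = rule.get("destinationPortRanges") or [rule.get("destinationPortRange") or ""]
    return any(port_range_hits(p, NETBIOS_PORTS) for p in ports if p)


def find_open_netbios_rules(rules_json):
    """Return names of offending rules from `az network nsg rule list -o json` output."""
    return [r["name"] for r in json.loads(rules_json) if rule_is_open_netbios(r)]


# Constructed sample in the shape of `az network nsg rule list -o json` output
SAMPLE_RULES = json.dumps([
    {"name": "allow-smb-netbios", "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "137-139"},
    {"name": "allow-rdp-office", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "3389"},
    {"name": "allow-all-any", "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefixes": ["10.0.0.0/8", "*"], "destinationPortRanges": ["80", "*"]},
    {"name": "deny-netbios", "direction": "Inbound", "access": "Deny",
     "protocol": "Udp", "sourceAddressPrefix": "*", "destinationPortRange": "138"},
    {"name": "allow-netbios-outbound", "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "139"},
])

if __name__ == "__main__":
    print(find_open_netbios_rules(SAMPLE_RULES))  # ['allow-smb-netbios', 'allow-all-any']
```

The check evaluates each rule on its own and ignores NSG priority ordering, so a flagged rule may in practice be shadowed by a higher-priority Deny rule; treat hits as findings to review, not as proof of exposure.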


Remediation

Modify or Remove Insecure NSG Rule

Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:

  • If the rule is not required: Remove the rule entirely.

  • If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.

Azure CLI

  1. Delete the rule:

    az network nsg rule delete \
      --resource-group {{resource-group-name}} \
      --nsg-name {{nsg-name}} \
      --name {{rule-name}}

  2. Restrict the rule:

    az network nsg rule update \
      --resource-group {{resource-group-name}} \
      --nsg-name {{nsg-name}} \
      --name {{rule-name}} \
      --source-address-prefixes {{trusted-cidr}}

  Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., --source-address-prefixes "1.2.3.4/32 5.6.7.8/32").


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 Cloudaware Framework → 💼 Public and Anonymous Access | 8 | 0 | no data