Azure Network Security Group allows public access to FTP ports
- Contextual name: Security Group allows public access to FTP ports
- ID: /ce/ca/azure/virtual-network/security-group-allows-unrestricted-ftp-traffic
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Description

Ensure that Azure Network Security Groups (NSGs) are not configured with security rules that allow unrestricted inbound access to FTP services on ports 20 and 21 from the public internet, for example rules whose source is 0.0.0.0/0 or ::/0 (in Azure, a source of * or the Internet service tag is equally unrestricted). FTP traffic should be tightly controlled and limited to trusted IP ranges to reduce exposure to external threats.

Rationale

FTP (File Transfer Protocol), which operates over TCP ports 20 (data) and 21 (control), is an outdated and insecure protocol that transmits data, including credentials, in cleartext. Allowing unrestricted external access to these ports exposes systems to significant risks, including brute-force attacks, credential harvesting, unauthorized data exfiltration, and exploitation by automated bots. Restricting access to known, trusted sources reduces the attack surface and strengthens the overall security posture. Note that port 20 carries the data connection only in active mode; a server in passive mode accepts data connections on a configured high-port range, so any rule that opens that range to the internet deserves the same scrutiny as ports 20 and 21.
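The following Python script is an added example, not code from this policy page or from its prod.logic.yaml. It applies the check described above to NSG rules in the camelCase JSON shape that `az network nsg rule list -g <rg> --nsg-name <nsg> -o json` returns; the sample rules, the probe address 203.0.113.10 and all function names are constructed for this example. It goes beyond the description in two ways: it treats the wildcard * and the Internet service tag as public sources alongside 0.0.0.0/0 and ::/0, and it adds an effective-access check that walks rules in priority order, so a permissive Allow that is shadowed by a higher-priority Deny for a given source is not reported as exposure while a port the Deny does not cover still is.

```python
"""Added example (not the policy page's own code): flag Azure NSG rules that expose
FTP (TCP 20/21) to the internet. Input: rule objects in the camelCase shape of
`az network nsg rule list -g <rg> --nsg-name <nsg> -o json`."""
import ipaddress
import json
import sys

FTP_PORTS = (20, 21)
# Source values Azure treats as "anyone": wildcard, Internet service tag, all-zero CIDRs.
PUBLIC_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}


def is_public_source(prefix: str) -> bool:
    """True if a source prefix admits the whole public internet."""
    if prefix.strip().lower() in PUBLIC_SOURCES:
        return True
    try:  # any zero-length CIDR ("10.0.0.0/0") also means "all addresses"
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:  # service tags (VirtualNetwork, ...) or ASG names
        return False


def port_range_covers(spec: str, port: int) -> bool:
    """Azure destination port specs are '*', 'N' or 'A-B'."""
    spec = spec.strip()
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _values(rule: dict, single: str, plural: str) -> list:
    """Merge the singular field and its list-valued sibling (either may be empty)."""
    one = rule.get(single)
    return ([one] if one else []) + list(rule.get(plural) or [])


def _inbound_tcp(rule: dict) -> bool:
    return (rule.get("direction") == "Inbound"
            and (rule.get("protocol") or "").lower() in ("tcp", "*"))


def find_public_ftp_rules(rules: list) -> list:
    """Rule-level check, as the policy describes: Inbound/Allow rules opening 20 or 21 to a public source."""
    return [r["name"] for r in rules
            if _inbound_tcp(r) and r.get("access") == "Allow"
            and any(is_public_source(s) for s in _values(r, "sourceAddressPrefix", "sourceAddressPrefixes"))
            and any(port_range_covers(p, port) for port in FTP_PORTS
                    for p in _values(r, "destinationPortRange", "destinationPortRanges"))]


def _source_matches(prefix: str, addr) -> bool:
    if is_public_source(prefix):
        return True
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False
    return net.version == addr.version and addr in net


def ftp_exposure(rules: list, probe: str = "203.0.113.10") -> dict:
    """Effective check: walk rules by priority (lowest number first) and return, per FTP
    port, the Allow rule that first matches traffic from `probe`, or None when a
    higher-priority Deny shadows it or nothing matches (Azure's default DenyAllInBound
    then applies). Destination address prefixes are ignored for brevity."""
    addr = ipaddress.ip_address(probe)
    result = {}
    for port in FTP_PORTS:
        result[port] = None
        for r in sorted(rules, key=lambda x: x["priority"]):
            srcs = _values(r, "sourceAddressPrefix", "sourceAddressPrefixes")
            ports = _values(r, "destinationPortRange", "destinationPortRanges")
            if (_inbound_tcp(r) and any(_source_matches(s, addr) for s in srcs)
                    and any(port_range_covers(p, port) for p in ports)):
                if r.get("access") == "Allow":
                    result[port] = r["name"]
                break  # the first matching rule decides
    return result


def _rule(name, prio, access, src, ports, direction="Inbound"):
    """Build a constructed rule in the `az network nsg rule list` output shape."""
    return {"name": name, "priority": prio, "direction": direction, "access": access, "protocol": "Tcp",
            "sourceAddressPrefix": src if isinstance(src, str) else None,
            "sourceAddressPrefixes": [] if isinstance(src, str) else src,
            "destinationPortRange": ports if isinstance(ports, str) else None,
            "destinationPortRanges": [] if isinstance(ports, str) else ports}


SAMPLE_RULES = [  # constructed sample, not real tenant data
    _rule("deny-ftp-from-scanner", 100, "Deny", "203.0.113.0/24", "21"),
    _rule("allow-ftp-any", 200, "Allow", "*", ["20-21"]),
    _rule("allow-ftp-office", 300, "Allow", ["198.51.100.0/24"], "21"),
    _rule("allow-ssh-internet", 310, "Allow", "Internet", "22"),
    _rule("allow-ftp-outbound", 320, "Allow", "*", "21", direction="Outbound"),
]

if __name__ == "__main__":  # pass a file of `az ... -o json` output, or run on the sample
    rules = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RULES
    print("public FTP rules:", find_public_ftp_rules(rules))
    print("effective exposure from 203.0.113.10:", ftp_exposure(rules))
```

On the sample, the rule-level scan reports allow-ftp-any; the effective check from 203.0.113.10 shows port 21 shadowed by the higher-priority Deny but port 20 still open, which is exactly the kind of partial fix a rule-by-rule review tends to miss. Azure's default rules are not included in `az network nsg rule list` output unless `--include-default` is passed, so the script assumes the implicit DenyAllInBound when nothing matches.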
Impact
Restricting FTP access may impact legitimate services if they rely on open access to these ports. Proper planning, validation, and testing are essential when implementing changes to avoid service disruption. Where possible, consider migrating to more secure file transfer protocols such as SFTP or FTPS, which offer encrypted communications and enhanced authentication mechanisms.
Remediation

Modify or Remove Insecure NSG Rule
Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:
- If the rule is not required: remove the rule entirely.
- If the rule is required but overly permissive: update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.
Azure CLI

Delete the rule:

```shell
az network nsg rule delete \
  --resource-group {{resource-group-name}} \
  --nsg-name {{nsg-name}} \
  --name {{rule-name}}
```

Restrict the rule:

```shell
az network nsg rule update \
  --resource-group {{resource-group-name}} \
  --nsg-name {{nsg-name}} \
  --name {{rule-name}} \
  --source-address-prefixes {{trusted-cidr}}
```

Replace the placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., --source-address-prefixes 1.2.3.4/32 5.6.7.8/32). Note that --source-address-prefixes replaces the rule's existing source list rather than appending to it, so pass every trusted range in one call. Confirm the result with az network nsg rule show --resource-group {{resource-group-name}} --nsg-name {{nsg-name}} --name {{rule-name}} and check that the sourceAddressPrefix and sourceAddressPrefixes fields no longer contain 0.0.0.0/0, ::/0, * or Internet.
policy.yaml
Linked Framework Sections

| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| Cloudaware Framework → Public and Anonymous Access | 80 | no data |