Skip to main content

πŸ“ Azure Network Security Group allows public access to HTTP(S) ports 🟒

  • Contextual name: πŸ“ Security Group allows public access to HTTP(S) ports 🟒
  • ID: /ce/ca/azure/virtual-network/security-group-allows-unrestricted-http-traffic
  • Located in: πŸ“ Azure Virtual Network

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-f4cc003a1

Logic​

Description​

Open File

Description​

Ensure that Azure Network Security Groups are not configured with Network Security Group (NSG) rules that allow unrestricted inbound access to HTTP (port 80) and HTTPS (port 443) from the public internet. Inbound access to these ports should be restricted to trusted IP address ranges or fronted by secure services such as Azure Application Gateway or Azure Front Door to reduce exposure and maintain a strong security posture.

Rationale​

NSGs are critical components for controlling network traffic to and from Azure resources. Inbound access to ports 80 (HTTP) and 443 (HTTPS) from any source (0.0.0.0/0, ::/0) significantly increases the attack surface of a NSG and may allow unauthenticated access to web applications or services. Periodically auditing NSG rules and restricting internet exposure to only what is strictly necessary is a key security best practice. Where public access is required, it should be scoped to specific source IPs or protected by additional layers such as web application firewalls (WAFs) or reverse proxies.

... see more

Remediation​

Open File

Remediation​

Modify or Remove Insecure NSG Rule​

Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:

  • If the rule is not required: Remove the rule entirely.

  • If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.

Azure CLI​

  1. Delete the rule:

    az network nsg rule delete \
      --resource-group {{resource-group-name}} \
      --nsg-name {{nsg-name}} \
      --name {{rule-name}}

  2. Restrict the rule:

    az network nsg rule update \
        --resource-group {{resource-group-name}} \
        --nsg-name {{nsg-name}} \
        --name {{rule-name}} \
        --source-address-prefixes {{trusted-cidr}}

    Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., --source-address-prefixes "1.2.3.4/32 5.6.7.8/32").

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36d access management controls β€”only authorised users, software and hardware are able to access information assets (refer to Attachment B for further guidance);1414
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36e hardware and software asset controls β€”appropriate authorisation to prevent security compromises from unauthorised hardware and software assets;1616
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36f network design β€” to ensure authorised network traffic flows and to reduce the impact of security compromises;2930
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.3537
πŸ’Ό CIS Azure v1.5.0 β†’ πŸ’Ό 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted - Level 1 (Automated)11
πŸ’Ό CIS Azure v2.0.0 β†’ πŸ’Ό 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted - Level 1 (Automated)11
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted - Level 1 (Automated)11
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 7.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted (Automated)1
πŸ’Ό CIS Azure v4.0.0 β†’ πŸ’Ό 8.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Public and Anonymous Access77
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1142
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(5) Deny by Default β€” Allow by Exception (M)(H)18
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)42
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(5) Deny by Default β€” Allow by Exception (M)(H)18
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.4.1 Information access restriction1920
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 6.7 Remote working44
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.1 User end point devices813
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.16 Monitoring activities45
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.22 Segregation of networks44
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1752
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4766
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties88
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected114
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected94
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected108
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3742
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(5) Boundary Protection _ Deny by Default β€” Allow by Exception418
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.1 Establish and implement firewall and router configuration standards7138
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.127
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.1035
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.7825
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.619
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.19
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.5 Permit only β€œestablished” connections into the network.19
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 2.2.4 Configure system security parameters to prevent misuse.16
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.34
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.27
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.27
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.3.1 Inbound traffic to the CDE is restricted.35
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.3.2 Outbound traffic from the CDE is restricted.35
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.4.1 NSCs are implemented between trusted and untrusted networks.17
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.19
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 2.2.6 System security parameters are configured to prevent misuse.16
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.2434
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.1527
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.627
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.3.1 Inbound traffic to the CDE is restricted.735
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.3.2 Outbound traffic from the CDE is restricted.35
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.4.1 NSCs are implemented between trusted and untrusted networks.717
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.719
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 2.2.6 System security parameters are configured to prevent misuse.1216
πŸ’Ό UK Cyber Essentials β†’ πŸ’Ό 1.2 Prevent access to the administrative interface from the internet3638