Skip to main content

πŸ“ Azure Network Security Group allows public access to HTTP(S) ports 🟒

  • Contextual name: πŸ“ Security Group allows public access to HTTP(S) ports 🟒
  • ID: /ce/ca/azure/virtual-network/security-group-allows-unrestricted-http-traffic
  • Located in: πŸ“ Azure Virtual Network

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-f4cc003a1

Logic​

Description​

Open File

Description​

Ensure that Azure Network Security Groups are not configured with Network Security Group (NSG) rules that allow unrestricted inbound access to HTTP (port 80) and HTTPS (port 443) from the public internet. Inbound access to these ports should be restricted to trusted IP address ranges or fronted by secure services such as Azure Application Gateway or Azure Front Door to reduce exposure and maintain a strong security posture.

Rationale​

NSGs are critical components for controlling network traffic to and from Azure resources. Inbound access to ports 80 (HTTP) and 443 (HTTPS) from any source (0.0.0.0/0, ::/0) significantly increases the attack surface of a NSG and may allow unauthenticated access to web applications or services. Periodically auditing NSG rules and restricting internet exposure to only what is strictly necessary is a key security best practice. Where public access is required, it should be scoped to specific source IPs or protected by additional layers such as web application firewalls (WAFs) or reverse proxies.

... see more

Remediation​

Open File

Remediation​

Modify or Remove Insecure NSG Rule​

Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:

  • If the rule is not required: Remove the rule entirely.

  • If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.

Azure CLI​

  1. Delete the rule:

    az network nsg rule delete \
      --resource-group {{resource-group-name}} \
      --nsg-name {{nsg-name}} \
      --name {{rule-name}}

  2. Restrict the rule:

    az network nsg rule update \
        --resource-group {{resource-group-name}} \
        --nsg-name {{nsg-name}} \
        --name {{rule-name}} \
        --source-address-prefixes {{trusted-cidr}}

    Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., --source-address-prefixes "1.2.3.4/32 5.6.7.8/32").

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36d access management controls β€”only authorised users, software and hardware are able to access information assets (refer to Attachment B for further guidance);1314
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36e hardware and software asset controls β€”appropriate authorisation to prevent security compromises from unauthorised hardware and software assets;1516
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36f network design β€” to ensure authorised network traffic flows and to reduce the impact of security compromises;2628
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.3235
πŸ’Ό CIS Azure v1.5.0 β†’ πŸ’Ό 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted - Level 1 (Automated)11
πŸ’Ό CIS Azure v2.0.0 β†’ πŸ’Ό 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted - Level 1 (Automated)11
πŸ’Ό CIS Azure v2.1.0 β†’ πŸ’Ό 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted - Level 1 (Automated)11
πŸ’Ό CIS Azure v3.0.0 β†’ πŸ’Ό 7.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Public and Anonymous Access69
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1138
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(5) Deny by Default β€” Allow by Exception (M)(H)18
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)38
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(5) Deny by Default β€” Allow by Exception (M)(H)18
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.4.1 Information access restriction1719
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 6.7 Remote working34
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.1 User end point devices710
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.16 Monitoring activities34
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.22 Segregation of networks34
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1534
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4150
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties57
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected81
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected68
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected66
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3338
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(5) Boundary Protection _ Deny by Default β€” Allow by Exception318
πŸ’Ό UK Cyber Essentials β†’ πŸ’Ό 1.2 Prevent access to the administrative interface from the internet3336