โญ Repository โ ๐ Compliance Engine โ ๐ CloudAware โ ๐ Azure โ ๐ Virtual Network
๐ก๏ธ Azure Network Security Group allows public access to RPC port๐ข
- Contextual name: ๐ก๏ธ Security Group allows public access to RPC port๐ข
- ID:
/ce/ca/azure/virtual-network/security-group-allows-unrestricted-rpc-traffic - Tags:
- ๐ข Policy with categories
- ๐ข Policy with type
- ๐ข Production policy
- Policy Type:
COMPLIANCE_POLICY - Policy Categories:
SECURITY
Logicโ
- ๐ง prod.logic.yaml๐ข
Descriptionโ
Descriptionโ
Ensure that Azure Network Security Groups are not configured to allow unrestricted inbound access to the Remote Procedure Call (RPC) port (TCP 135). Network Security Group (NSG) rules should explicitly restrict inbound traffic to this port to only trusted IP ranges to enhance security posture and prevent unauthorized communication.
Rationalโ
RPC (port 135) is frequently targeted by threat actors due to its role in enabling remote administration and inter-process communication between distributed systems. Unrestricted access to this port can lead to unauthorized system access, remote code execution, and lateral movement across the network. Restricting inbound RPC traffic to known, trusted sources helps mitigate risks associated with protocol exploitation, unauthorized data exposure, and the propagation of malware within the environment.
Impactโ
Before implementing restrictions, validate that all dependent applications and services relying on RPC functionality are identified and accounted for. Failure to properly evaluate dependencies may result in service disruptions or degraded functionality.
... see more
Remediationโ
Remediationโ
Modify or Remove Insecure NSG Ruleโ
Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:
If the rule is not required: Remove the rule entirely.
If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.
Azure CLIโ
Delete the rule:
az network nsg rule delete \
--resource-group {{resource-group-name}} \
--nsg-name {{nsg-name}} \
--name {{rule-name}}Restrict the rule:
az network nsg rule update \
--resource-group {{resource-group-name}} \
--nsg-name {{nsg-name}} \
--name {{rule-name}} \
--source-address-prefixes {{trusted-cidr}}Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g.,
--source-address-prefixes "1.2.3.4/32 5.6.7.8/32").... see more
policy.yamlโ
Linked Framework Sectionsโ
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| ๐ผ Cloudaware Framework โ ๐ผ Public and Anonymous Access | 80 | no data |