Azure Network Security Group allows public access to MSSQL port
- Contextual name: Security Group allows public access to MSSQL port
- ID:
/ce/ca/azure/virtual-network/security-group-allows-unrestricted-traffic-to-mssql
- Tags:
- Policy with categories
- Policy with type
- Production policy
- Policy Type:
COMPLIANCE_POLICY
- Policy Categories:
SECURITY
Logic
- prod.logic.yaml
Description
Ensure that Azure Network Security Groups hosting Microsoft SQL Server (MSSQL) are not configured to allow unrestricted inbound access to the default MSSQL port (1433). Network Security Group (NSG) rules should be reviewed and adjusted to restrict inbound traffic on port 1433 to authorized IP addresses or trusted networks, thereby minimizing the risk of unauthorized access and potential exploitation of the database.
Rationale
Unrestricted access to MSSQL on port 1433 significantly increases the attack surface of the database server. This exposure can lead to security threats such as brute-force attacks, unauthorized data access, and data exfiltration. MSSQL servers are often targeted by malicious actors, particularly when weak authentication or unpatched vulnerabilities exist. By limiting access to trusted sources, you can mitigate these risks and ensure that only authorized systems and users can interact with the database, thereby enhancing its overall security posture.
Impact
Configuring the NSG to restrict access may require adjustments to application and network configurations to ensure continued access for authorized users and services. It is critical to implement and test these changes carefully to avoid service disruptions while maintaining security.
Remediation
Modify or Remove Insecure NSG Rule
Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:
- If the rule is not required: remove the rule entirely.
- If the rule is required but overly permissive: update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.
Azure CLI
Delete the rule:

```bash
az network nsg rule delete \
  --resource-group {{resource-group-name}} \
  --nsg-name {{nsg-name}} \
  --name {{rule-name}}
```

Restrict the rule:

```bash
az network nsg rule update \
  --resource-group {{resource-group-name}} \
  --nsg-name {{nsg-name}} \
  --name {{rule-name}} \
  --source-address-prefixes {{trusted-cidr}}
```

Replace the placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., `--source-address-prefixes "1.2.3.4/32 5.6.7.8/32"`).
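The check this policy performs can be reproduced locally against the JSON that `az network nsg rule list -o json` returns. The script below is an added example, not the policy's own prod.logic.yaml; the field names follow the Azure NSG rule schema, the rule set is constructed, and it applies Azure's priority ordering so that a lower-numbered Deny correctly shadows a later Allow.

```python
# Added example (not the policy page's own prod.logic.yaml): evaluate NSG rules
# in the shape returned by `az network nsg rule list -o json` and name the rule
# that lets the whole Internet reach TCP/1433. All sample rules are constructed.
from typing import Iterable, Optional

MSSQL_PORT = 1433
PUBLIC_SOURCES = {"*", "0.0.0.0/0", "::/0", "Internet"}  # "any source" prefixes


def _values(rule: dict, single: str, plural: str) -> list:
    """Merge the singular and plural spellings of an NSG rule field."""
    return list(rule.get(plural) or []) + ([rule[single]] if rule.get(single) else [])


def _covers_port(port_range: str, port: int) -> bool:
    low, _, high = port_range.partition("-")  # "1433", "1000-2000" or "*"
    return port_range == "*" or int(low) <= port <= int(high or low)


def _matches_public_mssql(rule: dict) -> bool:
    """Rule applies to inbound TCP/1433 traffic arriving from the Internet."""
    return (
        rule.get("direction") == "Inbound"
        and rule.get("protocol", "*").lower() in ("tcp", "*")
        and any(_covers_port(r, MSSQL_PORT)
                for r in _values(rule, "destinationPortRange", "destinationPortRanges"))
        and any(s in PUBLIC_SOURCES
                for s in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"))
    )


def offending_rule(rules: Iterable[dict]) -> Optional[str]:
    """Name of the Allow rule exposing 1433, or None if the NSG is compliant.
    Azure evaluates rules from the lowest priority number and stops at the first
    match, so an earlier Deny shadows a later Allow; with no match the built-in
    DenyAllInBound rule (priority 65500) applies."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _matches_public_mssql(rule):
            return rule["name"] if rule["access"] == "Allow" else None
    return None


# Constructed sample: an overly permissive rule next to a correctly scoped one.
SAMPLE_RULES = [
    {"name": "allow-sql-any", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "1433"},
    {"name": "allow-sql-app", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["10.20.0.0/24"],
     "destinationPortRanges": ["1433", "1434"]},
]

if __name__ == "__main__":
    print(offending_rule(SAMPLE_RULES))  # allow-sql-any
```

Feed it the output of `az network nsg rule list --include-default` to see whether the default rules alone leave the port closed once the offending rule is deleted or narrowed.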
policy.yaml
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
---|---|---|---|---|---|
Cloudaware Framework → Public and Anonymous Access | 80 | no data |