πŸ“ Azure Network Security Group allows unrestricted HTTP(S) access from the Internet 🟒

  • Contextual name: 📁 Security Group allows unrestricted HTTP(S) access from the Internet 🟢
  • ID: /ce/ca/azure/virtual-network/security-group-rule-disable-https-access-from-internet
  • Located in: 📁 Azure Virtual Network

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Similar Internal Rules

Rule: ✉️ dec-x-f4cc003a1

Logic

Description

Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.

Rationale

The potential security problem with using HTTP(S) over the Internet is that attackers can use various brute force techniques to gain access to Azure resources. Once the attackers gain access, they can use the resource as a launch point for compromising other resources within the Azure tenant.

Audit

From Azure Portal
  1. Open the Networking blade for the specific Virtual machine in the Azure portal.
  2. Verify that the INBOUND PORT RULES do not contain a rule for HTTP(S) such as:
    • port = 80/443,
    • protocol = TCP,
    • Source = Any OR Internet
From Azure CLI

List Network security groups with their corresponding non-default security rules:

```shell
az network nsg list --query "[*].[name,securityRules]"
```

Ensure that none of the NSGs has a security rule as below:

... see more

Remediation

From Azure Portal

  1. Go to Virtual machines.
  2. For each VM, open the Networking blade.
  3. Click on Inbound port rules.
  4. Delete the rule with:
    • Port = 80/443 OR [port range containing 80/443].
    • Protocol = TCP OR Any.
    • Source = Any (*) OR IP Addresses(0.0.0.0/0) OR Service Tag(Internet).
    • Action = Allow.

From Azure CLI

  1. Run the command below to list network security groups:

```shell
az network nsg list --subscription <subscription-id> --output table
```

  2. For each network security group, run the command below to list the rules whose destination port is 80 or 443 (a rule whose port range merely contains 80 or 443, or that uses `destinationPortRanges`, is not matched by this filter and must be inspected separately):

```shell
az network nsg rule list --resource-group <resource-group> --nsg-name <nsg-name> --query "[?destinationPortRange=='80' || destinationPortRange=='443']"
```

  3. Run the command below to delete any rule with:
    • Port = 80/443 OR [port range containing 80/443]
    • Protocol = TCP OR "*"
    • Source = Any (*) OR IP Addresses(0.0.0.0/0) OR Service Tag(Internet)
    • Action = Allow

```shell
az network nsg rule delete --resource-group <resource-group> --nsg-name <nsg-name> --name <rule-name>
```

... [see more](remediation.md)
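The four deletion criteria above (port, protocol, source, action) applied to the JSON that `az network nsg rule list -o json` returns, as an added example that is not part of this policy page or of Cloudaware's own checks. It assumes the CLI's field names (`direction`, `access`, `protocol`, `sourceAddressPrefix(es)`, `destinationPortRange(s)`) and, unlike the simple `--query` filter, also catches port ranges such as `0-1024` and the plural list fields; the sample rules are constructed, not taken from a real tenant.

```python
import json

WEB_PORTS = {80, 443}
OPEN_SOURCES = {"*", "0.0.0.0/0", "internet"}   # Any, IP Addresses(0.0.0.0/0), Service Tag(Internet)

def port_spec_covers(spec, port):
    """True if an NSG port spec ('80', '0-1024' or '*') includes the given port."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port

def rule_exposes_web(rule):
    """Apply the policy's criteria (plus Inbound direction) to one rule dict from the CLI output."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return False
    if (rule.get("protocol") or "").lower() not in ("tcp", "*"):
        return False
    sources = [rule.get("sourceAddressPrefix")] + list(rule.get("sourceAddressPrefixes") or [])
    if not any(s and s.lower() in OPEN_SOURCES for s in sources):
        return False
    ports = [rule.get("destinationPortRange")] + list(rule.get("destinationPortRanges") or [])
    return any(p and port_spec_covers(p, wp) for p in ports for wp in WEB_PORTS)

def find_exposed_rules(rules_json):
    """Return the names of offending rules from `az network nsg rule list -o json` output."""
    return [r["name"] for r in json.loads(rules_json) if rule_exposes_web(r)]

# Constructed sample shaped like the CLI's JSON output (assumed field names; not real tenant data).
SAMPLE_RULES = json.dumps([
    {"name": "allow-https-internet", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "allow-all-low-ports", "direction": "Inbound", "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "*", "destinationPortRange": "0-1024"},        # range containing 80/443
    {"name": "allow-http-office", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "80"},  # narrow source: fine
    {"name": "deny-http-internet", "direction": "Inbound", "access": "Deny", "protocol": "Tcp",
     "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "80"},      # Deny rule: fine
    {"name": "allow-web-multi", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": None, "sourceAddressPrefixes": ["10.0.0.0/8", "0.0.0.0/0"],
     "destinationPortRange": None, "destinationPortRanges": ["8080", "443"]},  # plural fields
    {"name": "allow-udp-443-internet", "direction": "Inbound", "access": "Allow", "protocol": "Udp",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},      # not TCP: out of scope
])

if __name__ == "__main__":
    print(find_exposed_rules(SAMPLE_RULES))  # → ['allow-https-internet', 'allow-all-low-ports', 'allow-web-multi']
```

Feed it real output with `az network nsg rule list --resource-group <resource-group> --nsg-name <nsg-name> -o json` and review each returned name before running the delete command above.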

policy.yaml

Linked Framework Sections

Section (with counts of Sub Sections / Internal Rules / Policies / Flags as extracted):
  • 💼 APRA CPG 234 → 💼 36d access management controls — only authorised users, software and hardware are able to access information assets (refer to Attachment B for further guidance); 1313
  • 💼 APRA CPG 234 → 💼 36e hardware and software asset controls — appropriate authorisation to prevent security compromises from unauthorised hardware and software assets; 1515
  • 💼 APRA CPG 234 → 💼 36f network design — to ensure authorised network traffic flows and to reduce the impact of security compromises; 2829
  • 💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions. 3436
  • 💼 CIS Azure v1.5.0 → 💼 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted - Level 1 (Automated) 11
  • 💼 CIS Azure v2.0.0 → 💼 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted - Level 1 (Automated) 11
  • 💼 CIS Azure v2.1.0 → 💼 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted - Level 1 (Automated) 11
  • 💼 CIS Azure v3.0.0 → 💼 7.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted (Automated) 1
  • 💼 Cloudaware Framework → 💼 Public and Anonymous Access 24
  • 💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) 1139
  • 💼 FedRAMP High Security Controls → 💼 SC-7(5) Deny by Default — Allow by Exception (M)(H) 19
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) 39
  • 💼 FedRAMP Moderate Security Controls → 💼 SC-7(5) Deny by Default — Allow by Exception (M)(H) 19
  • 💼 ISO/IEC 27001:2013 → 💼 A.9.4.1 Information access restriction 1920
  • 💼 ISO/IEC 27001:2022 → 💼 6.7 Remote working 55
  • 💼 ISO/IEC 27001:2022 → 💼 8.1 User end point devices 911
  • 💼 ISO/IEC 27001:2022 → 💼 8.16 Monitoring activities 66
  • 💼 ISO/IEC 27001:2022 → 💼 8.22 Segregation of networks 55
  • 💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties 1735
  • 💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented 4351
  • 💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties 58
  • 💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected 82
  • 💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected 69
  • 💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected 67
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows 3539
  • 💼 NIST SP 800-53 Revision 5 → 💼 SC-7(5) Boundary Protection _ Deny by Default — Allow by Exception 519
  • 💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet 3537