π Azure VM Scale Set Instance allows public access to CIFS port π’
- Contextual name: π Instance allows public access to CIFS port π’
- ID:
/ce/ca/azure/vm-scale-set/instance-allows-unrestricted-cifs-traffic - Located in: π Azure VM Scale Set
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Logicβ
- π§ prod.logic.yaml π’
Descriptionβ
Descriptionβ
Ensure that Azure VM Scale Set Instances are not configured to allow unrestricted inbound access to the CIFS (Common Internet File System) service on TCP port 445. CIFS is a network file-sharing protocol used primarily by Windows-based systems for accessing and sharing files over a network. While essential in certain scenarios, exposing TCP port 445 to the public internet poses a significant security risk. Access to CIFS should be strictly limited to trusted IP addresses and networks to mitigate the risk of unauthorized access and data compromise.
Rationale�β
Unrestricted access to CIFS over TCP port 445 significantly increases the attack surface of your environment. Threat actors commonly target this port to exploit vulnerabilities in file-sharing protocols, potentially resulting in unauthorized access, data leakage, or lateral movement within the network. Restricting CIFS access to only trusted networks and enforcing appropriate network security controls aligns with the principle of least privilege and is a critical step toward safeguarding sensitive resources.
... see more
Remediationβ
Remediationβ
Modify or Remove Insecure NSG Ruleβ
Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:
If the rule is not required: Remove the rule entirely.
If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.
Azure CLIβ
Delete the rule:
az network nsg rule delete \
--resource-group {{resource-group-name}} \
--nsg-name {{nsg-name}} \
--name {{rule-name}}Restrict the rule:
az network nsg rule update \
--resource-group {{resource-group-name}} \
--nsg-name {{nsg-name}} \
--name {{rule-name}} \
--source-address-prefixes {{trusted-cidr}}Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g.,
--source-address-prefixes "1.2.3.4/32 5.6.7.8/32").... see more
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ Cloudaware Framework β πΌ Public and Anonymous Access | 69 |