Skip to main content

πŸ“ Azure VM Scale Set Instance allows public access to NetBIOS ports 🟒

  • Contextual name: πŸ“ Instance allows public access to NetBIOS ports 🟒
  • ID: /ce/ca/azure/vm-scale-set/instance-allows-unrestricted-netbios-traffic
  • Located in: πŸ“ Azure VM Scale Set

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Logic​

Description​

Open File

Description​

Ensure that Azure VM Scale Set Instances are not configured to allow unrestricted inbound access to NetBIOS ports (TCP/UDP 137, 138, 139). These ports are commonly associated with legacy file-sharing and network management protocols in Windows environments. Exposing NetBIOS ports to the public internet can present substantial security risks.

Rational​

Restricting NetBIOS traffic through NSGs significantly reduces the attack surface of Azure VM Scale Set Instances (VMs) and enhances the overall security posture. NetBIOS has been a target for exploitation due to its known vulnerabilities, and its use in modern cloud environments is rare. Minimizing the exposure of these ports reduces the likelihood of unauthorized access, data exfiltration, and the spread of malicious payloads through legacy network protocols.

Impact​

Implementing these restrictions may affect systems that rely on NetBIOS for legacy network communication. Therefore, it is crucial to plan and test these changes carefully to ensure that critical business functions are not disrupted while mitigating the associated security risks.

... see more

Remediation​

Open File

Remediation​

Modify or Remove Insecure NSG Rule​

Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:

  • If the rule is not required: Remove the rule entirely.

  • If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.

Azure CLI​

  1. Delete the rule:

    az network nsg rule delete \
      --resource-group {{resource-group-name}} \
      --nsg-name {{nsg-name}} \
      --name {{rule-name}}

  2. Restrict the rule:

    az network nsg rule update \
        --resource-group {{resource-group-name}} \
        --nsg-name {{nsg-name}} \
        --name {{rule-name}} \
        --source-address-prefixes {{trusted-cidr}}

    Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., --source-address-prefixes "1.2.3.4/32 5.6.7.8/32").

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Public and Anonymous Access69