Description
Ensure that Azure VM Scale Set Instances are not configured to allow unrestricted inbound access to the Telnet port (TCP 23). Network Security Group (NSG) rules should prohibit inbound Telnet traffic from open IP ranges such as 0.0.0.0/0 due to the protocol's inherent security weaknesses.
Rationale
Telnet is an insecure protocol that transmits data, including user credentials, in plaintext. Allowing unrestricted Telnet access exposes instances to significant security risks, including unauthorized access, credential theft, and man-in-the-middle (MITM) attacks. Restricting Telnet traffic to trusted IP addresses mitigates these risks. Furthermore, organizations are strongly encouraged to replace Telnet with secure alternatives like SSH, which offer encrypted communication and robust authentication mechanisms.
Impact
Limiting Telnet access may require updates to legacy systems or workflows. Ensure that any necessary access is maintained through secure, restricted channels to prevent service interruptions while enhancing overall security.
Audit
This policy flags an Azure VM Scale Set Instance as INCOMPLIANT if it is associated with a Network Interface that is connected to an NSG containing at least one Inbound Security Rule that meets all of the following conditions:

- Direction is Inbound.
- Access is Allow.
- Protocol is either Tcp, *, or null.
- Source Address Prefix is either Internet, *, 0.0.0.0/0, or Any.
- Destination Port is 23.

If the Direction, Access, Protocol, or Source Address Prefix fields do not match the criteria above, the VM is marked as INAPPLICABLE.

If the Destination Port does not match, the VM is considered COMPLIANT.
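The audit logic above, carried through as an added Python example (not the policy engine's own code). Each rule dictionary follows the field names of an Azure NSG `securityRules[].properties` object; the sample rules are constructed for illustration. Two points go beyond the page's literal criteria and are assumptions: the port check also expands `*`, ranges such as `20-25`, and the `destinationPortRanges` list, so a rule that opens a range containing 23 is not missed; and the instance-level result is aggregated with the precedence INCOMPLIANT, then COMPLIANT, then INAPPLICABLE, which the page does not state for NSGs with several rules.

```python
"""Classify Azure NSG inbound rules for unrestricted Telnet (TCP 23) exposure.

Added example, not the policy engine's code. Field names mirror an Azure
securityRules[].properties object; all sample data below is constructed.
"""

# Source prefixes the page treats as "open to the world" (case-insensitive).
OPEN_SOURCES = {"internet", "*", "0.0.0.0/0", "any"}
TELNET_PORT = 23


def _port_matches(rule: dict, port: int) -> bool:
    """True if the rule's destination port(s) include `port`.

    Assumption beyond the page's exact "23": also handles "*", "lo-hi"
    ranges and the destinationPortRanges list.
    """
    ranges = []
    if rule.get("destinationPortRange") is not None:
        ranges.append(rule["destinationPortRange"])
    ranges.extend(rule.get("destinationPortRanges") or [])
    for r in ranges:
        r = str(r).strip()
        if r == "*":
            return True
        if "-" in r:
            lo, hi = r.split("-", 1)
            if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
                return True
        elif r.isdigit() and int(r) == port:
            return True
    return False


def evaluate_rule(rule: dict) -> str:
    """Return INCOMPLIANT, COMPLIANT or INAPPLICABLE for one security rule."""
    direction = str(rule.get("direction", "")).lower()
    access = str(rule.get("access", "")).lower()
    protocol = rule.get("protocol")
    protocol = "null" if protocol is None else str(protocol).lower()
    sources = {str(rule.get("sourceAddressPrefix", "")).lower()}
    sources |= {str(s).lower() for s in rule.get("sourceAddressPrefixes") or []}

    # Any mismatch in the non-port fields takes the rule out of scope.
    if direction != "inbound" or access != "allow":
        return "INAPPLICABLE"
    if protocol not in {"tcp", "*", "null"}:
        return "INAPPLICABLE"
    if not (sources & OPEN_SOURCES):
        return "INAPPLICABLE"
    # In scope: the destination port decides between INCOMPLIANT and COMPLIANT.
    return "INCOMPLIANT" if _port_matches(rule, TELNET_PORT) else "COMPLIANT"


def evaluate_instance(nsg_rules: list) -> str:
    """Aggregate rule results for the NSG attached to one instance's NIC.

    Assumed precedence (not stated on the page): any INCOMPLIANT rule wins,
    then any in-scope COMPLIANT rule, otherwise INAPPLICABLE.
    """
    results = {evaluate_rule(r) for r in nsg_rules}
    for status in ("INCOMPLIANT", "COMPLIANT", "INAPPLICABLE"):
        if status in results:
            return status
    return "INAPPLICABLE"  # empty rule list: nothing in scope


# Constructed sample rules covering each outcome.
SAMPLE_RULES = [
    {"name": "allow-telnet-any", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "23"},                       # INCOMPLIANT
    {"name": "allow-telnet-corp", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8",
     "destinationPortRange": "23"},                       # INAPPLICABLE
    {"name": "allow-ssh-internet", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "22"},                       # COMPLIANT
    {"name": "deny-telnet", "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0",
     "destinationPortRange": "23"},                       # INAPPLICABLE
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(f"{rule['name']:<20} {evaluate_rule(rule)}")
    print("instance:", evaluate_instance(SAMPLE_RULES))
```

Run against the real NSG, the rule objects would come from the `securityRules` array of the NSG resource; the deny rule in the sample shows why `access` must be checked before the port, since an explicit Deny on 23 is out of scope for this policy rather than a finding.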