Microsoft AzureOverview
Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured.
Rationale
The potential security problem with using HTTP(S) over the Internet is that attackers can use various brute force techniques to gain access to Azure resources. Once the attackers gain access, they can use the resource as a launch point for compromising other resources within the Azure tenant.
Remediation guidance
- Run the below command to list network security groups:
az network nsg list --subscription <subscription-id> --output table
- For each network security group, run the below command to list the rules associated with the specified port:
az network nsg rule list --resource-group <resource-group> --nsg-name <nsg-name> --query "[?destinationPortRange=='80 or 443']"
- Run the below command to delete the rule with:
- Port = 80/443 OR [port range containing 80/443]
- Protocol =
TCPOR"*" - Source = Any (
*) OR IP Addresses (0.0.0.0/0) OR Service Tag (Internet) - Action = Allow
az network nsg rule delete --resource-group <resource-group> --nsg-name <nsg-name> --name <rule-name>
Azure Portal (Asset-Level)
- Open the affected resource from the finding details in Azure Portal.
- Navigate to the relevant Security/Configuration/Networking blade.
- Apply the control-specific secure setting.
- Save and re-run the check.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Azure
Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Azure NSGs allowing HTTP(S) traffic
Connectors
Covered asset types
Expected check: eq []
{
securityGroups(
where: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
protocol: "TCP"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 80, destToPort_GTE: 80 }
{ destFromPort_LTE: 443, destToPort_GTE: 443 }
]
}
]
}
}
) {
...AssetFragment
}
}
