Ensure that your Azure network security groups (NSGs) do not have port ranges configured to allow inbound traffic, in order to protect the associated virtual machine instances against Denial-of-Service (DoS) and brute-force attacks. To follow cloud security best practices, it is strongly recommended to open only the specific ports your application requires within your NSGs.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
Microsoft Azure network security groups are used to filter network traffic to and from virtual machine instances running inside a virtual network. A network security group (NSG) contains security rules that allow or deny inbound network traffic to your VM resources. For each NSG rule, you can specify source, destination, port, and network protocol. Opening a range of ports within your Azure network security groups is not a good practice because it can allow attackers to use port scanners and other probing techniques to identify services running on your instances and exploit their vulnerabilities.
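As an added example (not part of this page or of the Cloud Conformity tool), the check below flags inbound Allow rules whose destination port specification is a range or `*`, run over a constructed set of rules in the field shape that `az network nsg rule list -o json` emits; the rule names and values are invented for the example.

```python
"""Flag NSG rules that allow inbound traffic on a port range.
Input is the JSON shape emitted by `az network nsg rule list -o json`
(name, priority, direction, access, destinationPortRange,
destinationPortRanges); SAMPLE_RULES is constructed for this example."""
import json

SAMPLE_RULES = json.loads("""[
 {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
  "destinationPortRange": "443", "destinationPortRanges": []},
 {"name": "allow-app-range", "priority": 110, "direction": "Inbound", "access": "Allow",
  "destinationPortRange": "8000-8100", "destinationPortRanges": []},
 {"name": "allow-mgmt", "priority": 120, "direction": "Inbound", "access": "Allow",
  "destinationPortRange": null, "destinationPortRanges": ["22", "3389", "5985-5986"]},
 {"name": "allow-any", "priority": 130, "direction": "Inbound", "access": "Allow",
  "destinationPortRange": "*", "destinationPortRanges": []},
 {"name": "deny-range", "priority": 140, "direction": "Inbound", "access": "Deny",
  "destinationPortRange": "1-65535", "destinationPortRanges": []},
 {"name": "out-any", "priority": 150, "direction": "Outbound", "access": "Allow",
  "destinationPortRange": "*", "destinationPortRanges": []}
]""")

def is_port_range(spec):
    """True when a port spec covers more than one port: '*' or 'lo-hi'."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) != int(hi)  # '80-80' is really a single port
    return False

def rule_port_specs(rule):
    """Merge the single-value and list-valued destination port fields."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    return specs

def port_range_findings(rules):
    """(rule name, offending spec) for inbound Allow rules that use ranges;
    Deny and Outbound rules are skipped since the risk is inbound exposure."""
    findings = []
    for rule in sorted(rules, key=lambda r: r.get("priority", 0)):
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        for spec in rule_port_specs(rule):
            if is_port_range(spec):
                findings.append((rule["name"], spec))
    return findings
```

Each finding is a rule to rewrite with only the individual ports the application needs; `port_range_findings(SAMPLE_RULES)` returns the three offending rules in priority order.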
To determine if your network security groups (NSGs) are using port ranges to allow inbound traffic, perform the following operations:
Remediation / Resolution
To update your Microsoft Azure NSG rule(s) configuration in order to restrict inbound access to specific ports only, rather than port ranges, perform the following operations:
Rule: Check for Network Security Groups with Port Ranges
Risk level: Medium