Ensure that your Azure network security groups (NSGs) don't have range of ports configured to allow inbound traffic in order to protect associated virtual machine instances against Denial-of-Service (DoS) attacks or brute-force attacks. To follow cloud security best practices, it is strongly recommended to open only specific ports within your NSGs, based on your application requirements.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Microsoft Azure network security groups are used to filter network traffic to and from virtual machine instances running inside a virtual network. A network security group (NSG) contains security rules that allow or deny inbound network traffic to your VM resources. For each NSG rule, you can specify source, destination, port, and network protocol. Opening range of ports within your Azure network security groups is not a good practice because it can allow attackers to use port scanners and other probing techniques to identify services running on your instances and exploit their vulnerabilities.
Audit
To determine if your network security groups (NSGs) are using range of ports to allow inbound traffic, perform the following operations:
Remediation / Resolution
To update your Microsoft Azure NSG rule(s) configuration in order to restrict inbound access to specific ports only rather than range of ports, perform the following operations:
References
- Azure Official Documentation
- Azure network security overview
- Network security groups
- Create, change, or delete a network security group
- Azure best practices for network security
- Azure Command Line Interface (CLI) Documentation
- az account
- az network nsg
- az network nsg rule
- az network nsg rule
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Check for Network Security Groups with Port Ranges
Risk Level: Medium