Ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access on TCP ports 20 and 21, in order to protect against attackers who use brute-force methods to gain access to the Azure virtual machines associated with these NSGs. TCP ports 20 and 21 are used for data transfer and communication by File Transfer Protocol (FTP) client-server applications.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure.
Allowing unrestricted FTP access to your Azure virtual machines (VMs) via network security groups (NSGs) can increase opportunities for malicious activities such as brute-force attacks, FTP bounce attacks, spoofing and packet capture attacks.
To determine if your Azure network security groups allow unrestricted access on TCP ports 20 and 21 (FTP), perform the following actions:
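One way to run this check offline, as an added example that is not Cloud Conformity's own code: the function below scans NSG definitions for inbound Allow rules that expose TCP 20 or 21 to any source. It assumes the input has the JSON shape returned by `az network nsg list`; the sample NSGs, rule names and helper names are constructed for illustration.

```python
FTP_PORTS = {20, 21}
ANY_SOURCE = {"*", "0.0.0.0/0", "::/0", "internet", "any"}  # assumption: all mean "any address"

def covers_ftp(port_spec):
    """True if a port spec such as "21", "20-21" or "*" includes TCP 20 or 21."""
    spec = port_spec.strip()
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    return any(low <= port <= high for port in FTP_PORTS)

def as_list(single, many):
    """Merge the singular and plural fields NSG rules use for prefixes and ports."""
    return ([single] if single else []) + list(many or [])

def unrestricted_ftp_rules(nsgs):
    """Return (NSG name, rule name) pairs; rule priority is not evaluated."""
    findings = []
    for nsg in nsgs:
        for rule in nsg.get("securityRules", []):
            if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
                continue
            if (rule.get("protocol") or "").lower() not in ("tcp", "*"):
                continue
            sources = as_list(rule.get("sourceAddressPrefix"), rule.get("sourceAddressPrefixes"))
            ports = as_list(rule.get("destinationPortRange"), rule.get("destinationPortRanges"))
            if any(s.lower() in ANY_SOURCE for s in sources) and any(covers_ftp(p) for p in ports):
                findings.append((nsg["name"], rule["name"]))
    return findings

def sample_rule(name, access, protocol, source, ports):
    """Build one constructed sample rule using the plural prefix/port fields."""
    return {"name": name, "direction": "Inbound", "access": access, "protocol": protocol,
            "sourceAddressPrefixes": source, "destinationPortRanges": ports}

# Constructed sample data; NSG and rule names are made up for this example.
SAMPLE = [
    {"name": "web-nsg", "securityRules": [
        sample_rule("allow-ftp-any", "Allow", "Tcp", ["*"], ["21"]),
        sample_rule("allow-ftp-office", "Allow", "Tcp", ["203.0.113.0/24"], ["20-21"]),
        sample_rule("allow-https", "Allow", "Tcp", ["Internet"], ["443"])]},
    {"name": "legacy-nsg", "securityRules": [
        sample_rule("allow-low-ports", "Allow", "*", ["0.0.0.0/0"], ["10-25", "8080"]),
        sample_rule("deny-ftp", "Deny", "Tcp", ["*"], ["20-21"])]},
]

if __name__ == "__main__":
    for nsg_name, rule_name in unrestricted_ftp_rules(SAMPLE):
        print(f"{nsg_name}: rule '{rule_name}' allows FTP from any source")
```

To check a real subscription, save the output of `az network nsg list` to a file, load it with `json.load`, and pass the resulting list to `unrestricted_ftp_rules`.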
Remediation / Resolution
To update your Azure network security group FTP rule configuration in order to restrict FTP access to specific, authorized entities only, such as IP addresses or IP ranges, perform the following actions:
You are auditing:
Check for Unrestricted FTP Access
Risk level: Very High