Check for Unrestricted HTTPS Access

Sign in to Azure Management Console.

Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

From the Subscription filter box, select the Azure account subscription that you want to examine.

From the Type filter box, select Network security group to list only the security groups available in the selected Azure subscription.

Click on the name of the network security group that you want to examine.

In the navigation panel, under Settings, select Inbound security rules to access the list with the inbound rules defined for the selected security group.

On the Inbound security rules page, verify the value available in the SOURCE column for any inbound rule with the PORT set to 443 and the PROTOCOL set to TCP. If one or more rules have the SOURCE set to Any (i.e. 0.0.0.0/0), the selected network security group allows unrestricted traffic on TCP port 443, therefore the inbound access to the associated Microsoft Azure virtual machine(s) is not secured.

Repeat steps no. 5 – 7 for each network security group available in the selected subscription.

Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Run network nsg list command (Windows/macOS/Linux) using custom query filters to list the names of all network security groups (and the name of their associated resource groups) available in the current Azure subscription:

az network nsg list
				--output table
				--query '[*].{name:name, resourceGroup:resourceGroup}'

The command output should return a table with requested information:

Name                        ResourceGroup
------------------------    ------------------------------
cc-production-server-nsg    cloud-shell-storage-westeurope
cc-staging-app-server-nsg   cloud-shell-storage-westeurope

Run network nsg rule list command (Windows/macOS/Linux) using the name of the Azure network security group (NSG) that you want to examine and its associated resource group as identifier parameters. The below command includes an example query string to identify all the inbound access rules:

az network nsg rule list
				--nsg-name cc-production-server-nsg
				--resource-group cloud-shell-storage-westeurope
				--query "[?direction=='Inbound' && access=='Allow' && (protocol=='TCP' || protocol=='*')]"

The command output should return the requested security group rule metadata or an empty array, i.e. [], if there are no inbound access rules:

[
				{
				"access": "Allow",
				"description": null,
				"destinationAddressPrefix": "*",
				"destinationAddressPrefixes": [],
				"destinationApplicationSecurityGroups": null,
				"destinationPortRange": "443",
				"destinationPortRanges": [],
				"direction": "Inbound",
				"etag": "W/\"abcdabcd-abcd-abcd-abcd-abcdabcdabcd\"",
				"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-production-server-nsg/securityRules/selectedPort",
				"name": "HTTPS",
				"priority": 100,
				"protocol": "TCP",
				"provisioningState": "Succeeded",
				"resourceGroup": "cloud-shell-storage-westeurope",
				"sourceAddressPrefix": "*",
				"sourceAddressPrefixes": [],
				"sourceApplicationSecurityGroups": null,
				"sourcePortRange": "*",
				"sourcePortRanges": [],
				"type": "Microsoft.Network/networkSecurityGroups/securityRules"
				}
]

If there are any rules with "sourceAddressPrefix" or "sourceAddressPrefixes" attributes set to or containing "*", "internet", "0.0.0.0", "0.0.0.0/0", "::", "0:0:0:0:0:0:0:0", "0000:0000:0000:0000:0000:0000:0000:0000" or "::/0", the selected network security group (NSG) allows unrestricted traffic on certain ports. To check for HTTPS access, check if any of the unrestricted inbound rules have "destinationPortRange" or "destinationPortRanges" set to or containing either 443 or some range that covers 443 (e.g. 1-1000 or *). If any rules match this criteria, the security group rule is non-compliant.

Repeat step no. 3 and 4 for each Azure network security group created within the selected subscription.

Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

Sign in to Azure Management Console.

Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

From the Subscription filter box, select the Azure account subscription that you want to access.

From the Type filter box, select Network security group to list only the security groups available in the selected Azure subscription.

Click on the name of the network security group that you want to reconfigure.

In the navigation panel, under Settings, select Inbound security rules to access the list with the inbound rules defined for the selected security group.

On the Inbound security rules page, click on the name of the non-compliant security group rule(s) that you want to reconfigure.

On the selected security group rule configuration panel, perform the following:

1. Select IP Addresses from the Source dropdown list to allow inbound traffic on TCP port 443 from trusted IP addresses only.
2. For Source IP addresses/CIDR ranges, provide the source IP address, IP addresses or IP address ranges that will be allowed to access the virtual machines associated with the selected network security group (NSG). You can specify a single value or comma-separated list of multiple values. An example of multiple values is 192.168.1.5/32, 10.0.0.3/32.
3. Make sure that Action is set to Allow and leave the rest of the NSG configuration settings unchanged.
4. Click Save to apply the changes.

Repeat steps no. 5 – 8 for each network security group that allows unrestricted inbound access on TCP port 443 (HTTPS), available in the selected Azure subscription.

Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Run network nsg rule update command (Windows/macOS/Linux) using the name of the network security group rule that you want to reconfigure as the identifier parameter to restrict HTTPS access on TCP port 443 to trusted IP address(es) only by setting the --source-address-prefixes parameter to the IP address, IP addresses or IP address ranges that are allowed to access the virtual machines associated with the selected network security group. You can specify a single value or a space-separated list of multiple values, as shown in the example below:

az network nsg rule update
				--name HTTPS
				--nsg-name cc-production-server-nsg
				--resource-group cloud-shell-storage-westeurope
				--source-address-prefixes 192.168.10.51/32 192.168.10.52/32

The command output should return the metadata for the reconfigured Azure NSG rule:

{
				"access": "Allow",
				"description": null,
				"destinationAddressPrefix": "*",
				"destinationAddressPrefixes": [],
				"destinationApplicationSecurityGroups": null,
				"destinationPortRange": "443",
				"destinationPortRanges": [],
				"direction": "Inbound",

				...

				"name": "HTTPS",
				"priority": 110,
				"protocol": "TCP",
				"provisioningState": "Succeeded",
				"resourceGroup": "cloud-shell-storage-westeurope",
				"sourceAddressPrefix": "",
				"sourceAddressPrefixes": [
				"192.168.10.51/32",
				"192.168.10.52/32"
				],
				"sourcePortRange": "*",
				"sourcePortRanges": [],
				"type": "Microsoft.Network/networkSecurityGroups/securityRules"
}

Repeat step no. 1 and 2 for each network security group (NSG) that allows unrestricted inbound access on TCP port 443, available in the current subscription.

Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.