Detections
Analytics

7.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted

Information

Network security groups should be periodically evaluated for port misconfigurations. Where HTTP(S) is not explicitly required and narrowly configured for resources attached to a network security group, Internet-level access to Azure resources should be restricted or eliminated.

The potential security problem with using HTTP(S) over the Internet is that attackers can use various brute force techniques to gain access to Azure resources. Once the attackers gain access, they can use the resource as a launch point for compromising other resources within the Azure tenant.

Solution

Remediate from Azure Portal

 - Go to Network security groups.
 - Click the name of a network security group.
 - Under Settings, click Inbound security rules.
 - Check the box next to any inbound security rule matching:
 - Port: 80, 443, or range including 80 or 443
 - Protocol: TCP or Any
 - Source: 0.0.0.0/0, Internet, or Any
 - Action: Allow

 - Click Delete.
 - Click Yes.
 - Repeat steps 1-6 for each network security group requiring remediation.

Remediate from Azure CLI

For each network security group rule requiring remediation, run the following command to delete the rule:

az network nsg rule delete --resource-group <resource-group> --nsg-name <network-security-group> --name <rule>

See Also

https://workbench.cisecurity.org/benchmarks/21611

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, CSCv7|9.2

Plugin: microsoft_azure

Control ID: 0d71b19986253c23cc91066cfae8d4b1e1f7d1a0c46a3c445e290676cd4d6410