Unrestricted HTTP Access
More Info: Ensure that no network security groups allow unrestricted inbound access on TCP port 80.
Risk Level: Critical
Address: Security
Compliance Standards: HITRUST
Triage and Remediation
Remediation
The remediation steps for Unrestricted HTTP Access in Azure are:
1. Log in to the Azure portal (https://portal.azure.com/).
2. Navigate to the Virtual Machine that has unrestricted HTTP access.
3. Click on the “Networking” tab on the left-hand side of the Virtual Machine page.
4. Under the “Inbound port rules” section, click on “Add inbound port rule”.
5. In the “Add inbound security rule” page, provide the following details:
   - Name: A name for the new rule.
   - Priority: A number that specifies the priority of the rule. A lower number indicates a higher priority, so give the Deny rule a lower number than the existing rule that allows port 80; otherwise the Allow rule is matched first and the Deny rule never takes effect.
   - Protocol: Select “TCP” from the dropdown.
   - Port range: Specify the port range that you want to restrict. For example, if you want to restrict port 80, enter “80” in both the “Start port” and “End port” fields.
   - Action: Select “Deny” from the dropdown.
   - Source: Select “Any” from the dropdown.
   - Destination: Select “Any” from the dropdown.
6. Click on “Add” to create the new rule.
7. Repeat steps 4-6 for all the ports that you want to restrict.
8. Once all the necessary rules have been created, click on “Save” to apply the changes.
After completing these steps, the unrestricted HTTP access should be remediated for the Virtual Machine in Azure.
To remediate unrestricted HTTP access in Azure using the Azure CLI, follow the steps below:
1. Log in to the Azure CLI using the command `az login`. Enter your Azure credentials when prompted.
2. Run the command `az network nsg list` to list all the network security groups (NSGs) in your subscription.
3. Identify the NSG that is associated with the virtual machine or the subnet that has unrestricted HTTP access.
4. Run the command `az network nsg rule list --resource-group <Resource-Group> --nsg-name <NSG-Name>` to list all the rules in the NSG (the NSG's resource group is a required argument of this command).
5. Identify the rule that allows unrestricted HTTP access.
6. Run the command `az network nsg rule delete --resource-group <Resource-Group> --nsg-name <NSG-Name> --name <Rule-Name>` to delete the rule that allows unrestricted HTTP access.
7. Confirm the deletion by running the command `az network nsg rule list --resource-group <Resource-Group> --nsg-name <NSG-Name>` again and verifying that the rule is no longer present.
8. Repeat the above steps for all the NSGs that have unrestricted HTTP access.
Once all the rules have been deleted, the unrestricted HTTP access issue should be resolved.
Note: It is recommended to restrict access to HTTP and allow access only through HTTPS to ensure secure communication.
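Identifying the offending rule by eye in the output of `az network nsg rule list` is error-prone: Azure applies the matching rule with the lowest priority number, a rule may carry its ports and sources in either the singular or the plural field, and a Deny rule scoped to one source CIDR does not block the rest of the Internet. The following Python script is an added example, not code from the original page or from any Azure tool; it evaluates a rule list offline against the probe "TCP traffic to port 80 from an arbitrary Internet host" and reports which rule effectively exposes the port. It goes slightly beyond the page by evaluating any port, not just 80. The rule JSON is a constructed sample in the shape the CLI emits, and the `load_rules`, `effective_decision`, `find_unrestricted_http` and `deny_http_rule` names are the script's own.

```python
"""Offline evaluation of NSG inbound rules for unrestricted TCP/80 exposure.

Input is the JSON emitted by `az network nsg rule list -o json`; only the fields
this script reads are kept in the constructed sample. Azure applies the matching
rule with the lowest priority number and falls back to the platform's default
DenyAllInBound rule when nothing matches.
"""
import json

# Constructed sample (not real CLI output): one rule exposes 80 and 443 to any source.
SAMPLE_RULES_JSON = """
[
  {"name": "AllowSSHFromOffice", "priority": 100, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "sourceAddressPrefixes": [],
   "destinationPortRange": "22", "destinationPortRanges": []},
  {"name": "DenyTelnet", "priority": 200, "direction": "Inbound", "access": "Deny",
   "protocol": "Tcp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
   "destinationPortRange": "23", "destinationPortRanges": []},
  {"name": "AllowWebAnywhere", "priority": 300, "direction": "Inbound", "access": "Allow",
   "protocol": "*", "sourceAddressPrefix": null, "sourceAddressPrefixes": ["*"],
   "destinationPortRange": null, "destinationPortRanges": ["80-80", "443"]}
]
"""

# Source prefixes that mean "anyone on the Internet" (service tag and CIDR spellings).
UNRESTRICTED_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}


def load_rules(text):
    """Parse `az network nsg rule list -o json` output into a list of rule dicts."""
    return json.loads(text)


def _values(rule, single_key, plural_key):
    """A rule carries either the singular field or the plural list; merge both."""
    values = list(rule.get(plural_key) or [])
    if rule.get(single_key):
        values.append(rule[single_key])
    return values


def _covers_port(rule, port):
    """True if any destination port spec ("*", "80", or "80-90") includes `port`."""
    for spec in _values(rule, "destinationPortRange", "destinationPortRanges"):
        if spec == "*":
            return True
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def _covers_any_source(rule):
    """True if the rule's source includes every Internet host."""
    return any(prefix.lower() in UNRESTRICTED_SOURCES
               for prefix in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"))


def _matches_probe(rule, port):
    """Does the rule match a TCP packet to `port` arriving from an arbitrary Internet host?"""
    return ((rule.get("direction") or "").lower() == "inbound"
            and (rule.get("protocol") or "").lower() in ("tcp", "*")
            and _covers_port(rule, port)
            and _covers_any_source(rule))


def effective_decision(rules, port=80):
    """Return (access, rule_name) for Internet-sourced TCP traffic to `port`.

    Rules whose source is restricted are skipped: a Deny for one CIDR leaves every
    other source free to reach an Allow further down the priority order.
    """
    for rule in sorted(rules, key=lambda r: int(r["priority"])):
        if _matches_probe(rule, port):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"  # Azure's default rule at priority 65500


def find_unrestricted_http(rules):
    """Name of the rule that effectively exposes TCP/80 to the world, or None if blocked."""
    access, name = effective_decision(rules, 80)
    return name if access.lower() == "allow" else None


def deny_http_rule(name="DenyHTTPInbound", priority=110):
    """The remediation rule from the page, in the same JSON shape the CLI reports."""
    return {"name": name, "priority": priority, "direction": "Inbound", "access": "Deny",
            "protocol": "Tcp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
            "destinationPortRange": "80", "destinationPortRanges": []}


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES_JSON)
    print("exposed by:", find_unrestricted_http(rules))                      # AllowWebAnywhere
    print("after fix: ", find_unrestricted_http(rules + [deny_http_rule()]))  # None
```

To run it against a real NSG, save `az network nsg rule list --resource-group <Resource-Group> --nsg-name <NSG-Name> -o json` to a file and pass its contents to `load_rules`. Two details of the evaluation are worth noting: `AllowWebAnywhere` is flagged even though it uses protocol `*` and the plural `destinationPortRanges` field, and the added Deny rule only neutralises it when its priority number is lower than 300; `deny_http_rule(priority=400)` leaves the port exposed, which is the same priority pitfall the portal procedure above warns about.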
To remediate unrestricted HTTP access in Azure using Python, you can use the Azure Python SDK to create a Network Security Group (NSG) containing a rule that blocks all inbound traffic on port 80, and associate that NSG with the subnet that hosts the virtual machine (NSGs attach to subnets or network interfaces, not to the virtual network itself).
Here are the step-by-step instructions:
1. Install the Azure Python SDK packages using pip (azure-identity supplies the credential type that current azure-mgmt-network releases expect):

```
pip install azure-mgmt-network azure-identity
```

2. Import the necessary modules:

```python
from azure.identity import ClientSecretCredential
from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.network.models import (
    NetworkSecurityGroup,
    SecurityRule,
    SecurityRuleAccess,
    SecurityRuleDirection,
    SecurityRuleProtocol,
)
```

3. Authenticate with a Service Principal:

```python
credentials = ClientSecretCredential(
    tenant_id='<tenant_id>',
    client_id='<client_id>',
    client_secret='<client_secret>',
)
```

Replace <client_id>, <client_secret>, and <tenant_id> with your Azure AD credentials.

4. Create an instance of the NetworkManagementClient:

```python
subscription_id = '<subscription_id>'
resource_group_name = '<resource_group_name>'
location = '<location>'
network_client = NetworkManagementClient(
    credentials,
    subscription_id,
)
```

Replace <subscription_id>, <resource_group_name>, and <location> with your Azure subscription ID, resource group name, and location.

5. Create a Network Security Group (create/update calls are long-running operations, so wait for the poller to finish):

```python
nsg_name = '<nsg_name>'
nsg_params = NetworkSecurityGroup(
    location=location,
)
nsg_result = network_client.network_security_groups.begin_create_or_update(
    resource_group_name,
    nsg_name,
    nsg_params,
).result()
```

Replace <nsg_name> with a name for your Network Security Group.

6. Create a Security Rule to block inbound traffic on port 80:

```python
rule_name = '<rule_name>'
rule_params = SecurityRule(
    protocol=SecurityRuleProtocol.tcp,
    source_port_range='*',
    destination_port_range='80',
    source_address_prefix='*',
    destination_address_prefix='*',
    access=SecurityRuleAccess.deny,
    direction=SecurityRuleDirection.inbound,
    # Lower number = evaluated first; keep it below any rule that still allows port 80
    priority=1000,
)
rule_result = network_client.security_rules.begin_create_or_update(
    resource_group_name,
    nsg_name,
    rule_name,
    rule_params,
).result()
```

Replace <rule_name> with a name for your Security Rule.

7. Associate the Network Security Group with the subnet of your virtual network that contains the virtual machine:

```python
vnet_name = '<vnet_name>'
subnet_name = '<subnet_name>'
subnet_params = network_client.subnets.get(
    resource_group_name,
    vnet_name,
    subnet_name,
)
# Reference the NSG by its resource id; every NIC in the subnet now inherits the Deny rule
subnet_params.network_security_group = NetworkSecurityGroup(id=nsg_result.id)
subnet_result = network_client.subnets.begin_create_or_update(
    resource_group_name,
    vnet_name,
    subnet_name,
    subnet_params,
).result()
```

Replace <vnet_name> and <subnet_name> with the names of your virtual network and of the subnet that hosts the virtual machine.

That’s it! The Network Security Group will now block all inbound traffic on port 80, remedying the unrestricted HTTP access misconfiguration. Inbound traffic has to be permitted by both the subnet NSG and any NSG attached to the VM's network interface, so this subnet-level Deny takes effect even if a NIC-level NSG still carries an Allow rule for port 80.