Azure Introduction
Azure Pricing
Azure Threats
Unrestricted RPC Access
More Info:
Ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 135 in order to implement the principle of least privilege and effectively reduce the attack surface. Remote Procedure Call (RPC) TCP port 135 is used for client-server communications by Microsoft Message Queuing (MSMQ) as well as other Microsoft Windows/Windows Server software.
Risk Level
High
Address
Security
Compliance Standards
SOC2, GDPR, ISO27001, HIPAA, HITRUST, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
To remediate the “Unrestricted RPC Access” misconfiguration in Azure using the Azure Console, you can follow these steps:
-
Log in to the Azure portal (https://portal.azure.com/).
-
Navigate to the virtual machine that has the misconfiguration.
-
Click on the “Networking” tab in the left-hand menu.
-
Under “Inbound port rules”, click on “Add inbound port rule”.
-
In the “Add inbound security rule” dialog box, fill in the following information:
- Name: A unique name for the rule (e.g., “RPC Access Restricted”).
- Priority: A number that determines the order in which the rule is applied (e.g., 100).
- Protocol: Select “TCP”.
- Port range: Enter “135-139, 445”.
- Action: Select “Deny”.
- Source: Select “Any”.
-
Click “Add” to create the new rule.
-
Repeat steps 4-6 for any other virtual machines that have the same misconfiguration.
By following these steps, you will have restricted RPC access to the virtual machine, which will help mitigate the risk of unauthorized access.
To remediate unrestricted RPC access in Azure using Azure CLI, follow these steps:
-
Open the Azure CLI command prompt.
-
Run the following command to get a list of all virtual machines in your Azure subscription:
az vm list --query "[].{Name:name, ResourceGroup:resourceGroup}"
This will give you a list of all the virtual machines in your subscription along with their resource group names.
-
Identify the virtual machine that has unrestricted RPC access.
-
Run the following command to get the public IP address of the virtual machine:
az vm show -d -g <resource-group-name> -n <vm-name> --query publicIps -o tsv
Replace
<resource-group-name>
with the name of the resource group where the virtual machine is located and<vm-name>
with the name of the virtual machine. -
Note down the public IP address of the virtual machine.
-
Run the following command to create a network security group:
az network nsg create -g <resource-group-name> -n <nsg-name>
Replace
<resource-group-name>
with the name of the resource group where the virtual machine is located and<nsg-name>
with a name for the network security group. -
Run the following command to create a rule in the network security group to block all incoming traffic on port 135:
az network nsg rule create -g <resource-group-name> --nsg-name <nsg-name> -n block-rpc --priority 100 --source-address-prefixes '*' --destination-port-ranges 135 --access Deny --protocol Tcp --description "Block all incoming traffic on port 135"
Replace
<resource-group-name>
with the name of the resource group where the virtual machine is located and<nsg-name>
with the name of the network security group that you created in step 6. -
Run the following command to associate the network security group with the virtual machine’s network interface:
az network nic update -g <resource-group-name> -n <nic-name> --network-security-group <nsg-name>
Replace
<resource-group-name>
with the name of the resource group where the virtual machine is located,<nic-name>
with the name of the virtual machine’s network interface, and<nsg-name>
with the name of the network security group that you created in step 6. -
Verify that the network security group is associated with the virtual machine’s network interface by running the following command:
az network nic show -g <resource-group-name> -n <nic-name> --query networkSecurityGroup
Replace
<resource-group-name>
with the name of the resource group where the virtual machine is located and<nic-name>
with the name of the virtual machine’s network interface. -
Verify that the rule to block incoming traffic on port 135 is applied by running the following command:
az network nsg rule show -g <resource-group-name> --nsg-name <nsg-name> -n block-rpc
Replace
<resource-group-name>
with the name of the resource group where the virtual machine is located and<nsg-name>
with the name of the network security group that you created in step 6.
By following these steps, you have remediated unrestricted RPC access in Azure using Azure CLI.
To remediate the Unrestricted RPC Access misconfiguration in AZURE using Python, you can follow the below steps:
-
Import the required Python libraries:
from azure.identity import DefaultAzureCredential from azure.mgmt.network import NetworkManagementClient from azure.mgmt.network.models import SecurityRule, SecurityGroup
-
Authenticate with the Azure cloud using the
DefaultAzureCredential
class:credential = DefaultAzureCredential()
-
Instantiate a
NetworkManagementClient
object using thecredential
object:network_client = NetworkManagementClient(credential, subscription_id)
-
Get the
SecurityGroup
object that contains the rule you want to remediate:security_group = network_client.security_groups.get(resource_group_name, security_group_name)
-
Get the
SecurityRule
object that contains the unrestricted RPC access:rpc_rule = next((rule for rule in security_group.security_rules if rule.name == 'Allow-RPC-Inbound'), None)
-
Update the
SecurityRule
object to restrict the RPC access:rpc_rule.access = 'Deny' rpc_rule.direction = 'Inbound' rpc_rule.protocol = 'TCP' rpc_rule.source_address_prefix = '*' rpc_rule.destination_address_prefix = '*' rpc_rule.destination_port_range = '135-139'
-
Update the
SecurityGroup
object in Azure with the newSecurityRule
object:network_client.security_rules.create_or_update(resource_group_name, security_group_name, rpc_rule.name, rpc_rule)
With these steps, you can remediate the Unrestricted RPC Access misconfiguration in AZURE using Python.