Azure Introduction
Azure Pricing
Azure Threats
Check for Unrestricted Inbound TCP or UDP Access on Selected Ports
More Info:
Ensure that no network security groups allow unrestricted inbound access via TCP or UDP on selected ports.
Risk Level
High
Address
Security
Compliance Standards
CISAZURE, CBP, HITRUST, GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to remediate the issue of unrestricted inbound TCP or UDP access on selected ports in Azure:
- Log in to the Azure portal using your credentials.
- Navigate to the ‘Security Center’ from the left-hand side menu.
- Click on ‘Security Alerts’ and then select the alert that says ‘Unrestricted inbound TCP/UDP access to a port in a Network Security Group (NSG)’.
- Review the details of the alert, including the affected NSG and the specific port(s) that have unrestricted access.
- Click on the ‘Remediate’ button at the top of the alert details page.
- Select the ‘Deploy to Resource Group’ option and then click on ‘Create’.
- In the ‘Basics’ tab of the deployment wizard, select the affected subscription, resource group, and location.
- In the ‘Template’ tab, select the ‘Edit Template’ option and then make the following changes:
-
Under ‘parameters’, select the appropriate NSG from the dropdown menu.
-
Under ‘variables’, add a new variable for the port(s) that need to be restricted, such as:
"restrictedPorts": { "value": [ "22", "3389" ] }
-
Under ‘resources’, add a new resource for the NSG rule that will restrict access to the specified port(s), such as:
{ "type": "Microsoft.Network/networkSecurityGroups/securityRules", "apiVersion": "2021-02-01", "name": "restrictInboundPorts", "location": "[parameters('location')]", "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]" ], "properties": { "description": "Restrict inbound access to specified ports", "protocol": "Tcp", "sourcePortRange": "*", "destinationPortRange": "[variables('restrictedPorts')]", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "access": "Deny", "priority": 200, "direction": "Inbound" } }
-
- Save the template and then click on
Review + create
. - Review the deployment settings and then click on ‘Create’ to initiate the deployment.
Once the deployment is complete, the NSG rule will be in effect and inbound access to the specified port(s) will be restricted. You can verify the changes by reviewing the NSG rules in the Azure portal.
To remediate the misconfiguration of unrestricted inbound TCP or UDP access on selected ports in Azure using Azure CLI, you can follow the below steps:
Step 1: Open the Azure CLI and run the following command to list all the network security groups (NSGs) in your subscription:
az network nsg list
Step 2: Identify the NSG that is associated with the virtual machine (VM) or network interface (NIC) that has the unrestricted inbound TCP or UDP access on selected ports.
Step 3: Run the following command to identify the NSG rules that allow unrestricted inbound access:
az network nsg rule list --nsg-name <NSG name> --query "[?destinationPortRange=='*']"
Replace <NSG name>
with the name of the NSG identified in step 2.
Step 4: Identify the rule that needs to be remediated and note down its name.
Step 5: Run the following command to update the NSG rule and restrict the inbound access:
az network nsg rule update --nsg-name <NSG name> --name <rule name> --access Deny
Replace <NSG name>
with the name of the NSG identified in step 2 and <rule name>
with the name of the rule identified in step 4.
Step 6: Verify that the rule has been updated by running the following command:
az network nsg rule show --nsg-name <NSG name> --name <rule name>
Replace <NSG name>
with the name of the NSG identified in step 2 and <rule name>
with the name of the rule identified in step 4.
Step 7: Repeat steps 3-6 for all the NSGs that have unrestricted inbound TCP or UDP access on selected ports.
By following these steps, you can remediate the misconfiguration of unrestricted inbound TCP or UDP access on selected ports in Azure using Azure CLI.
To remediate the misconfiguration of unrestricted inbound TCP or UDP access on selected ports in Azure using Python, follow these steps:
- Install the Azure SDK for Python using the following command:
pip install azure
- Authenticate to Azure using the following code:
from azure.identity import DefaultAzureCredential
from azure.mgmt.network import NetworkManagementClient
credential = DefaultAzureCredential()
network_client = NetworkManagementClient(credential, subscription_id)
Replace <subscription_id>
with your Azure subscription ID.
- Get the list of network security groups in the resource group using the following code:
nsg_list = network_client.network_security_groups.list(resource_group_name)
Replace resource_group_name
with the name of your resource group.
- Iterate through each network security group and get the list of security rules using the following code:
for nsg in nsg_list:
rule_list = network_client.security_rules.list(resource_group_name, nsg.name)
Replace <resource_group_name>
with the name of your resource group.
- Iterate through each security rule and check if it allows unrestricted inbound TCP or UDP access on selected ports using the following code:
for rule in rule_list:
if rule.destination_port_range == '*' and rule.protocol in ['Tcp', 'Udp'] and rule.source_address_prefix == '*':
# Delete the security rule
network_client.security_rules.delete(resource_group_name, nsg.name, rule.name)
- If the security rule allows unrestricted inbound TCP or UDP access on selected ports, delete the security rule using the following code:
network_client.security_rules.delete(resource_group_name, nsg.name, rule.name)
Replace <resource_group_name>
with the name of your resource group and <nsg.name>
with the name of the network security group.
- Save the Python script and run it using the following command:
python <script_name>.py
Replace <script_name>
with the name of your Python script.
By following these steps, you can remediate the misconfiguration of unrestricted inbound TCP or UDP access on selected ports in Azure using Python.