Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Check for Network Security Groups with Port Ranges

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Network-011

Ensure that your Azure network security groups (NSGs) don't have range of ports configured to allow inbound traffic in order to protect associated virtual machine instances against Denial-of-Service (DoS) attacks or brute-force attacks. To follow cloud security best practices, it is strongly recommended to open only specific ports within your NSGs, based on your application requirements.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Microsoft Azure network security groups are used to filter network traffic to and from virtual machine instances running inside a virtual network. A network security group (NSG) contains security rules that allow or deny inbound network traffic to your VM resources. For each NSG rule, you can specify source, destination, port, and network protocol. Opening range of ports within your Azure network security groups is not a good practice because it can allow attackers to use port scanners and other probing techniques to identify services running on your instances and exploit their vulnerabilities.

Audit

To determine if your network security groups (NSGs) are using range of ports to allow inbound traffic, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Subscription filter box, select the Azure account subscription that you want to examine.

04 From the Type filter box, select Network security group to list only the security groups available in the selected Azure subscription.

05 Click on the name of the network security group that you want to examine.

06 In the navigation panel, under Settings, select Inbound security rules to access the list with the inbound rules defined for the selected security group.

07 On the Inbound security rules page, verify the value available in the Port column for each inbound/ingress rule defined. If one or more rules have the Port attribute set to range or ports (e.g. 0 – 65535, 80 – 8080, 111 – 32800), the selected Azure network security group (NSG) is using range of ports to allow traffic, therefore the inbound access to the associated Microsoft Azure virtual machine(s) is not secured.

08 Repeat steps no. 5 – 7 for each network security group available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) using custom query filters to list the IDs of the subscriptions available in your Azure account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers: 

[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd",
]

03 Run network nsg list command (Windows/macOS/Linux) using custom query filters to list the names of all network security groups (and the name of their associated resource groups) available in the selected Azure subscription: 

az network nsg list
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

04 The command output should return a table with requested information: 

Name                       ResourceGroup
---------------------   ------------------------------
cc-prod-endpoint-nsg    cloud-shell-storage-westeurope
cc-dev-web-server-nsg   cloud-shell-storage-westeurope

05 Run az network nsg rule list command (Windows/macOS/Linux) using the name of the Azure network security group (NSG) that you want to examine and its associated resource group as identifier parameters, to describe the NSG rules that allow inbound/ingress traffic to the virtual machines associated with the selected network security group: 

az network nsg rule list
	--nsg-name cc-prod-endpoint-nsg
	--resource-group cloud-shell-storage-westeurope
	--query "[?direction=='Inbound' && access=='Allow']"

06 The command output should return the requested network security group rule(s) metadata: 

[
  {
    "access": "Allow",
    "description": null,
    "destinationAddressPrefix": "*",
    "destinationAddressPrefixes": [],
    "destinationApplicationSecurityGroups": null,
    "destinationPortRange": "0-65535",
    "destinationPortRanges": [],
    "direction": "Inbound",
    "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-prod-endpoint-nsg/securityRules/cc-web-inbound-access",
    "name": "cc-web-inbound-access",
    "priority": 100,
    "protocol": "TCP",
    "provisioningState": "Succeeded",
    "resourceGroup": "cloud-shell-storage-westeurope",
    "sourceAddressPrefix": "*",
    "sourceAddressPrefixes": [],
    "sourceApplicationSecurityGroups": null,
    "sourcePortRange": "*",
    "sourcePortRanges": [],
    "type": "Microsoft.Network/networkSecurityGroups/securityRules"
  }
]
If the "destinationPortRange" and/or "destinationPortRanges" attributes value is set to range or ports such as 0 – 65535, 80 – 8080 and 111 – 32800, the selected Azure network security group (NSG) is using range of ports to allow traffic, therefore the inbound/ingress access to the associated Microsoft Azure virtual machine(s) is not secured.

07 Repeat step no. 5 and 6 for each Azure network security group created within the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To update your Microsoft Azure NSG rule(s) configuration in order to restrict inbound access to specific ports only rather than range of ports, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Subscription filter box, select the Azure account subscription that you want to access.

04 From the Type filter box, select Network security group to list only the security groups available in the selected Azure subscription.

05 Click on the name of the network security group that you want to reconfigure.

06 In the navigation panel, under Settings, select Inbound security rules to access the list with the inbound rules defined for the selected security group.

07 On the Inbound security rules page, click on the non-compliant rule that you want to reconfigure (see Audit section part I to identify the right rule).

08 On the selected security group rule configuration panel, perform the following:

  1. For Destination port ranges, provide a single port such as 443 (HTTPS) or a comma-separated list of single ports such as 80 (HTTP) and 443 (HTTPS). This specifies on which port(s) the inbound traffic will be allowed or denied by the selected NSG rule.
  2. From Protocol, select the appropriate network protocol (e.g. TCP).
  3. Make sure that Action is set to Allow and leave the rest of the NSG configuration settings unchanged.
  4. Click Save to apply the changes.

09 Repeat step no. 7 and 8 for each NSG rule that allows inbound traffic using wide range of ports, created for the selected security group.

10 Repeat steps no. 5 – 9 for each non-compliant network security group available in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run network nsg rule update command (Windows/macOS/Linux) using the name of the network security group (NSG) rule that you want to reconfigure as identifier parameter (see Audit section part II to identify the right rule) to restrict inbound access to specific ports only by setting the --destination-port-ranges parameter to those ports on which inbound traffic will be allowed by the selected NSG rule. You can specify a single value or a space-separated list of multiple values, as shown in the example below: 

az network nsg rule update
	--name cc-web-inbound-access
	--nsg-name cc-prod-endpoint-nsg
	--resource-group cloud-shell-storage-westeurope
	--access Allow
	--protocol Tcp
	--destination-port-ranges 80 443
	--description "Allow traffic on specific ports only, i.e. TCP port 80 (HTTP) and TCP port 443 (HTTPS)"

02 The command output should return the metadata for the reconfigured Azure NSG rule: 

{
  "access": "Allow",
  "description": "Allow traffic on specific ports only, i.e. TCP port 80 (HTTP) and TCP port 443 (HTTPS)",
  "destinationAddressPrefix": "*",
  "destinationAddressPrefixes": [],
  "destinationApplicationSecurityGroups": null,
  "destinationPortRange": null,
  "destinationPortRanges": [
    "80",
    "443"
  ],
  "direction": "Inbound",
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-prod-endpoint-nsg/securityRules/cc-web-inbound-access",
  "name": "cc-web-inbound-access",
  "priority": 100,
  "protocol": "Tcp",
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "sourceAddressPrefix": "*",
  "sourceAddressPrefixes": [],
  "sourceApplicationSecurityGroups": null,
  "sourcePortRange": "*",
  "sourcePortRanges": [],
  "type": "Microsoft.Network/networkSecurityGroups/securityRules"
}

03 Repeat step no. 1 and 2 for each NSG rule that allows inbound traffic using wide range of ports, defined for the selected security group.

04 Repeat steps no. 1 – 3 for each non-compliant network security group (NSG) available in the selected Azure subscription.

05 Repeat steps no. 1 – 4 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Jul 8, 2020

Related Network rules