Check for Unrestricted Inbound TCP or UDP Access on Selected Ports

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Network-025

Check your Microsoft Azure network security groups (NSGs) for inbound rules that allow unrestricted access (i.e. from 0.0.0.0/0) via TCP or UDP to a selected range of ports, and restrict that access to only the IP addresses that require it. Restricting the access implements the principle of least privilege and reduces the possibility of a breach.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Exposing administrative or otherwise sensitive ports to the entire Internet increases the opportunities for malicious activity, such as port scanning, brute-force login attempts and exploitation of vulnerable services listening on those ports. Cloud Conformity strongly recommends that you configure your Microsoft Azure NSGs to limit inbound traffic on the selected TCP and UDP ports to known IP addresses only.


Audit

To determine if your Azure network security groups (NSGs) allow unrestricted access on certain selected ports, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Subscription filter box, select the Azure account subscription that you want to examine.

04 From the Type filter box, select Network security group to list only the security groups available in the selected Azure subscription.

05 Click on the name of the network security group that you want to examine.

06 In the navigation panel, under Settings, select Inbound security rules to access the list with the inbound rules defined for the selected security group.

07 On the Inbound security rules page, verify the value available in the SOURCE column for any inbound rule with ACTION set to Allow, the PORT set to a port of concern (a port range, a port list or Any that includes the port also counts) and the PROTOCOL set to either TCP, UDP or Any. If one or more such rules have the SOURCE set to Any (i.e. 0.0.0.0/0) or to the Internet service tag, the selected network security group allows unrestricted traffic on the relevant port, and access to the associated resources is not secured.

08 Repeat steps no. 5 – 7 for each network security group available in the current Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run az network nsg list command (Windows/macOS/Linux) with a custom query filter to list the names of all network security groups, and their associated resource groups, available in the current Azure subscription:

az network nsg list \
    --output table \
    --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return a table with requested resource information:

Name                         ResourceGroup
---------------------------  ------------------------------
cc-production-vm-nsg         cloud-shell-storage-westeurope
cc-project5-server-nsg       cloud-shell-storage-westeurope

03 Run az network nsg rule list command (Windows/macOS/Linux) using the name of the Azure network security group that you want to examine and its associated resource group as identifier parameters, together with a custom query filter, to describe the inbound rules that allow traffic on the chosen protocol and port. In the example below the chosen protocol is 'TCP' and the chosen port is '22', but you can substitute another protocol and port. Note that the JMESPath comparison is case-sensitive (recent versions of the Azure CLI return the protocol as 'Tcp' or 'Udp') and that it only matches rules whose destinationPortRange is exactly '22'; rules that open a port range (e.g. '20-30'), a list of ports under destinationPortRanges, all ports ('*') or all protocols ('*') also cover the port and must be reviewed as well:

az network nsg rule list \
  --nsg-name cc-production-vm-nsg \
  --resource-group cloud-shell-storage-westeurope \
  --query "[?direction=='Inbound' && access=='Allow' && protocol=='TCP' && destinationPortRange=='22']"

04 The command output should return the metadata of the matching security group rule(s), or an empty array ([]) if no matching rule for the chosen TCP port 22 is defined:

[
  {
    "access": "Allow",
    "description": null,
    "destinationAddressPrefix": "*",
    "destinationAddressPrefixes": [],
    "destinationApplicationSecurityGroups": null,
    "destinationPortRange": "22",
    "destinationPortRanges": [],
    "direction": "Inbound",
    "etag": "W/\"abcdabcd-1234-abcd-1234-abcdabcdabcd\"",
    "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-production-vm-nsg/securityRules/SSH",
    "name": "SSH",
    "priority": 300,
    "protocol": "TCP",
    "provisioningState": "Succeeded",
    "resourceGroup": "cloud-shell-storage-westeurope",
    "sourceAddressPrefix": "*",
    "sourceAddressPrefixes": [],
    "sourceApplicationSecurityGroups": null,
    "sourcePortRange": "*",
    "sourcePortRanges": [],
    "type": "Microsoft.Network/networkSecurityGroups/securityRules"
  }
]

If the "sourceAddressPrefix" attribute value (or any entry in the "sourceAddressPrefixes" list) is set to "*", "Internet", "0.0.0.0/0" or "::/0", as shown in the output example above, the selected network security group allows unrestricted traffic via the chosen port. Because NSG rules are evaluated in priority order (lowest number first), also confirm that no higher-priority Deny rule already blocks that traffic before treating the rule as effective.

05 Repeat steps no. 3 and 4 for each Azure network security group created in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription available within your Microsoft Azure cloud account.
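The JMESPath filter in step 3 has to be rerun for every port, protocol spelling and port-range form. The following script is an added example (it is not Conformity's or Microsoft's code) that performs the same audit offline on the JSON printed by az network nsg rule list: it treats "*", "Internet", "0.0.0.0/0" and "::/0" as unrestricted sources, matches port ranges, port lists, "*" ports and "*" protocols, compares protocols case-insensitively, and walks rules in priority order so that an unrestricted Deny rule with a higher priority suppresses findings for the lower-priority Allow rules it shadows. The rule names, ports and addresses in SAMPLE_RULES are constructed for the example, and destination address prefixes are deliberately ignored (a simplifying assumption).

```python
"""Offline check of Azure NSG inbound rules for unrestricted access on selected ports.

Feed it the JSON printed by
    az network nsg rule list --nsg-name <name> --resource-group <rg> -o json
A constructed sample is embedded below so the script also runs without the CLI.
"""
import json
import sys

# Source values Azure uses for "anyone on the Internet" (compared case-insensitively).
UNRESTRICTED_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}


def port_covered(port, port_spec):
    """True if an NSG port spec ('22', '20-30' or '*') includes the given port."""
    spec = str(port_spec).strip()
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port


def rule_port_specs(rule):
    """Destination port specs of a rule: Azure fills either the single
    destinationPortRange or the destinationPortRanges list, not both."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    return specs


def rule_source_specs(rule):
    """Source prefixes of a rule, from the single or the list attribute."""
    specs = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        specs.append(rule["sourceAddressPrefix"])
    return specs


def has_unrestricted_source(rule):
    return any(s.lower() in UNRESTRICTED_SOURCES for s in rule_source_specs(rule))


def protocol_matches(rule, protocols):
    """Case-insensitive match; a rule with protocol '*' applies to every protocol."""
    proto = (rule.get("protocol") or "").lower()
    return proto == "*" or proto in {p.lower() for p in protocols}


def find_unrestricted_rules(rules, ports, protocols=("Tcp", "Udp")):
    """Return {port: [rule names]} for inbound Allow rules exposing one of
    `ports` to the Internet on one of `protocols`. Rules are walked in the
    order the NSG evaluates them (lowest priority number first); an
    unrestricted-source Deny rule covering the port ends the walk for that
    port because lower-priority Allow rules are then never reached.
    Destination address prefixes are ignored (simplifying assumption)."""
    findings = {}
    inbound = sorted((r for r in rules if r.get("direction") == "Inbound"),
                     key=lambda r: r["priority"])
    for port in ports:
        for rule in inbound:
            if not protocol_matches(rule, protocols):
                continue
            if not any(port_covered(port, spec) for spec in rule_port_specs(rule)):
                continue
            if not has_unrestricted_source(rule):
                continue
            if rule.get("access") == "Deny":
                break  # everyone is already denied this port at a higher priority
            findings.setdefault(port, []).append(rule["name"])
    return findings


# Constructed sample in the shape of `az network nsg rule list -o json` output
# (only the attributes the check reads are included).
SAMPLE_RULES = [
    {"name": "SSH", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "TCP", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "22", "destinationPortRanges": []},
    {"name": "MgmtPorts", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
     "destinationPortRange": None, "destinationPortRanges": ["3389", "5985-5986"]},
    {"name": "OfficeRDP", "priority": 320, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": None,
     "sourceAddressPrefixes": ["203.0.113.0/24"],
     "destinationPortRange": "3389", "destinationPortRanges": []},
    {"name": "DenyDNS", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "Udp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "53", "destinationPortRanges": []},
    {"name": "DNS", "priority": 400, "direction": "Inbound", "access": "Allow",
     "protocol": "Udp", "sourceAddressPrefix": "0.0.0.0/0", "sourceAddressPrefixes": [],
     "destinationPortRange": "53", "destinationPortRanges": []},
    {"name": "AllowInternetOut", "priority": 100, "direction": "Outbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "*", "destinationPortRanges": []},
]

if __name__ == "__main__":
    # `python3 nsg_check.py -` reads real CLI output from stdin; no argument runs the sample.
    rules = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_RULES
    ports_of_concern = [22, 3389, 5986, 53]
    for port, names in sorted(find_unrestricted_rules(rules, ports_of_concern).items()):
        print(f"port {port}: unrestricted inbound access via rule(s) {', '.join(names)}")
```

Run against a real NSG with az network nsg rule list --nsg-name cc-production-vm-nsg --resource-group cloud-shell-storage-westeurope -o json | python3 nsg_check.py -, looping over the NSG list from step 1. On the sample, SSH (source "*", port 22) and MgmtPorts (source "Internet", protocol "*", port list covering 3389 and 5986) are reported, OfficeRDP is not because its source is a specific /24, and the DNS rule is not because DenyDNS already blocks UDP/53 from everyone at a higher priority.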

Remediation / Resolution

To update your Azure network security group security rules in order to restrict access to specific, authorized entities only (such as IP addresses or IP ranges), perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Subscription filter box, select the Azure account subscription that you want to access.

04 From the Type filter box, select Network security group to list only the security groups available in the selected Azure subscription.

05 Click on the name of the network security group that you want to reconfigure.

06 In the navigation panel, under Settings, select Inbound security rules to access the list with the inbound rules defined for the selected security group.

07 On the Inbound security rules page, click on the noncompliant security group rule that you want to reconfigure (see Audit section part I to identify the right NSG rule).

08 On the selected security group rule configuration panel, perform the following:

  1. Select IP Addresses from the Source dropdown list to allow inbound traffic on the chosen port from specified IP addresses only.
  2. For Source IP addresses/CIDR ranges, provide the source IP address, IP addresses or IP address ranges that will be allowed to access the virtual machines associated with the selected network security group (NSG). You can specify a single value or comma-separated list of multiple values. An example of multiple values is 10.0.1.5/32, 10.0.1.6/32.
  3. Click Save to apply the configuration changes.

09 Repeat steps no. 5 – 8 for each network security group that allows unrestricted inbound access on the chosen port, available in the current Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run az network nsg rule update command (Windows/macOS/Linux) using the name of the network security group rule that you want to reconfigure as identifier parameter (see Audit section part II to identify the right rule) to restrict access on the chosen TCP or UDP port to specific IP address(es), by setting the --source-address-prefixes parameter to the IP address, IP addresses or IP address ranges that are allowed to access the virtual machines associated with the selected network security group. You can specify a single value (e.g. 10.0.1.6/32) or a space-separated list of multiple values (e.g. 10.0.1.5/32 10.0.1.6/32); the new value replaces the previous unrestricted source:

az network nsg rule update \
  --name SSH \
  --nsg-name cc-production-vm-nsg \
  --resource-group cloud-shell-storage-westeurope \
  --source-address-prefixes 10.0.1.6/32

02 The command output should return the metadata for the reconfigured Azure NSG rule:

{
  "access": "Allow",
  "description": null,
  "destinationAddressPrefix": "*",
  "destinationAddressPrefixes": [],
  "destinationApplicationSecurityGroups": null,
  "destinationPortRange": "22",
  "destinationPortRanges": [],
  "direction": "Inbound",

  ...

  "name": "SSH",
  "priority": 300,
  "protocol": "TCP",
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "sourceAddressPrefix": "10.0.1.6/32",
  "sourceAddressPrefixes": [],
  "sourceApplicationSecurityGroups": null,
  "sourcePortRange": "*",
  "sourcePortRanges": [],
  "type": "Microsoft.Network/networkSecurityGroups/securityRules"
}

03 Repeat steps no. 1 and 2 for each network security group that allows unrestricted inbound access on the chosen TCP or UDP port, available in the current Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

Publication date Feb 15, 2022