Benchmark: 7 Networking Services
Networking Services
To better understand the relationship between the Foundations Benchmark and Services Benchmarks, please read the "Introduction" section of this document.
This section covers security recommendations to follow in order to set networking policies on an Azure subscription.
Azure Product Directory Reference: https://azure.microsoft.com/en-us/products#networking
FEEDBACK REQUEST: Is there a specific service or recommendation in this section that you'd like to see addressed or improved? Let us know by making a ticket or starting a discussion in the CIS Microsoft Azure Community (https://workbench.cisecurity.org/communities/72).
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 7 Networking Services.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.cis_v500_7
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.cis_v500_7 --share
Controls
- 7.1 Ensure that RDP access from the Internet is evaluated and restricted
- 7.2 Ensure that SSH access from the Internet is evaluated and restricted
- 7.3 Ensure that UDP access from the Internet is evaluated and restricted
- 7.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted
- 7.5 Ensure that network security group flow log retention days is set to greater than or equal to 90
- 7.6 Ensure that Network Watcher is 'Enabled' for Azure Regions that are in use
- 7.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis
- 7.8 Ensure that virtual network flow log retention days is set to greater than or equal to 90
- 7.9 Ensure 'Authentication type' is set to 'Azure Active Directory' only for Azure VPN Gateway point-to-site configuration
- 7.10 Ensure Azure Web Application Firewall (WAF) is enabled on Azure Application Gateway
- 7.11 Ensure subnets are associated with network security groups
- 7.12 Ensure the SSL policy's 'Min protocol version' is set to 'TLSv1_2' or higher on Azure Application Gateway
- 7.13 Ensure 'HTTP2' is set to 'Enabled' on Azure Application Gateway
- 7.14 Ensure request body inspection is enabled in Azure Web Application Firewall policy on Azure Application Gateway
- 7.15 Ensure bot protection is enabled in Azure Web Application Firewall policy on Azure Application Gateway
- 7.16 Ensure Azure Network Security Perimeter is used to secure Azure platform-as-a-service resources
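Controls 7.1 through 7.4 all come down to the same question: does an NSG's inbound rule set let an Internet-wide source reach a given protocol/port? The mod answers it with Steampipe SQL over the Azure NSG tables; the following is an added example, not the mod's own code, that shows the logic offline in Python and goes one step further than a per-rule scan by honouring NSG priority order (a lower-numbered Deny shadows a later Allow, and Azure's implicit DenyAllInBound at 65500 closes whatever no rule decided). Field names mirror the Azure securityRules properties (priority, direction, access, protocol, sourceAddressPrefix(es), destinationPortRange(s)); the rule names and rule set are constructed for illustration.

```python
"""Priority-aware evaluation of Azure NSG inbound rules against the CIS
7.1-7.4 "access from the Internet is evaluated and restricted" checks.
Added example, not part of steampipe-mod-azure-compliance; sample rules
are constructed."""
from dataclasses import dataclass

# Source prefixes Azure treats as "anywhere": wildcards and the Internet service tag.
INTERNET_SOURCES = {"*", "internet", "any", "0.0.0.0/0", "/0", "0.0.0.0"}
PORT_MAX = 65535


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    sources: tuple     # sourceAddressPrefix / sourceAddressPrefixes
    dest_ports: tuple  # destinationPortRange(s): "22", "3000-4000" or "*"


def parse_ports(spec):
    """'22' -> (22, 22); '3000-4000' -> (3000, 4000); '*' -> (0, 65535)."""
    spec = spec.strip()
    if spec == "*":
        return (0, PORT_MAX)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def subtract(interval, decided):
    """Parts of `interval` not already covered by any interval in `decided`."""
    pieces = [interval]
    for dlo, dhi in decided:
        nxt = []
        for lo, hi in pieces:
            if dhi < lo or dlo > hi:      # no overlap, keep as-is
                nxt.append((lo, hi))
                continue
            if lo < dlo:                  # keep the part below the decided range
                nxt.append((lo, dlo - 1))
            if hi > dhi:                  # keep the part above it
                nxt.append((dhi + 1, hi))
        pieces = nxt
    return pieces


def internet_allowed_ports(rules, protocol):
    """Port intervals on `protocol` reachable from an Internet-wide source.
    Evaluated like the NSG does: ascending priority, first matching rule wins
    per port. Ports no rule decides fall to the implicit DenyAllInBound."""
    decided, allowed = [], []
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction.lower() != "inbound":
            continue
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if not any(s.strip().lower() in INTERNET_SOURCES for s in r.sources):
            continue  # rules scoped to specific prefixes do not decide Internet reachability
        for spec in r.dest_ports:
            for piece in subtract(parse_ports(spec), decided):
                decided.append(piece)
                if r.access.lower() == "allow":
                    allowed.append((piece, r.name))
    return allowed


def port_exposed(allowed, port):
    """Name of the rule that opens `port` to the Internet, or None."""
    return next((name for (lo, hi), name in allowed if lo <= port <= hi), None)


def cis_7_1_to_7_4(rules):
    """Map each control to the offending rule name (None means the check passes)."""
    tcp = internet_allowed_ports(rules, "Tcp")
    udp = internet_allowed_ports(rules, "Udp")
    return {
        "7.1 RDP": port_exposed(tcp, 3389),
        "7.2 SSH": port_exposed(tcp, 22),
        "7.3 UDP": udp[0][1] if udp else None,   # any UDP port open to the Internet
        "7.4 HTTP(S)": port_exposed(tcp, 80) or port_exposed(tcp, 443),
    }


# Constructed sample: the Deny at 100 shadows the broad Allow at 200 for 3389 only,
# the SSH rule is scoped to a corporate prefix, and DNS over UDP is wide open.
SAMPLE_RULES = (
    Rule("DenyRdpFromInternet", 100, "Inbound", "Deny", "Tcp", ("Internet",), ("3389",)),
    Rule("AllowMgmtFromInternet", 200, "Inbound", "Allow", "Tcp", ("*",), ("3000-4000",)),
    Rule("AllowSshFromCorp", 300, "Inbound", "Allow", "Tcp", ("203.0.113.0/24",), ("22",)),
    Rule("AllowDnsUdp", 400, "Inbound", "Allow", "Udp", ("0.0.0.0/0",), ("53",)),
    Rule("AllowWebOutbound", 500, "Outbound", "Allow", "Tcp", ("*",), ("443",)),
)

if __name__ == "__main__":
    for control, offender in cis_7_1_to_7_4(SAMPLE_RULES).items():
        print(f"{control}: {'FAIL (' + offender + ')' if offender else 'ok'}")
```

With the sample set only 7.3 fails (AllowDnsUdp); a naive per-rule scan that ignores priority would also flag 7.1, because the 3000-4000 Allow covers 3389, even though the higher-priority Deny wins at runtime. The reverse ordering is the dangerous one for a reviewer: an Allow at a lower priority number beats any Deny added later with a higher number.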