Control: 7.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted
Description
Network security groups should be periodically evaluated for port misconfigurations. Where HTTP(S) is not explicitly required and narrowly configured for resources attached to a network security group, Internet-level access to Azure resources should be restricted or eliminated.
The potential security problem with using HTTP(S) over the Internet is that attackers can use various brute force techniques to gain access to Azure resources. Once the attackers gain access, they can use the resource as a launch point for compromising other resources within the Azure tenant.
Remediation
Remediate from Azure Portal
- Go to
Network security groups. - Click the name of a network security group.
- Under
Settings, clickInbound security rules. - Check the box next to any inbound security rule matching:
- Port:
80,443, or range including80or443 - Protocol:
TCPorAny - Source:
0.0.0.0/0,Internet, orAny - Action:
Allow
- Port:
- Click
Delete. - Click
Yes. - Repeat steps 1-6 for each network security group requiring remediation.
Remediate from Azure CLI
For each network security group rule requiring remediation, run the following command to delete the rule:
az network nsg rule delete --resource-group <resource-group> --nsg-name <network-security-group> --name <rule>
Default Value
By default, HTTP(S) access from internet is not enabled.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v500_7_4Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v500_7_4 --shareSQL
This control uses a named query:
with network_sg as ( select distinct name sg_name from azure_network_security_group nsg, jsonb_array_elements(security_rules) sg, jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) dport, jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) sip where sg -> 'properties' ->> 'access' = 'Allow' and sg -> 'properties' ->> 'direction' = 'Inbound' and sg -> 'properties' ->> 'protocol' ilike 'TCP' and sip in ( '*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '<nw>/0', '/0' ) and ( dport in ( '80', '443', '*' ) or ( dport like '%-%' and split_part(dport, '-', 1) :: integer <= 80 and split_part(dport, '-', 2) :: integer >= 80 and split_part(dport, '-', 1) :: integer <= 443 and split_part(dport, '-', 2) :: integer >= 443 ) ))select sg.id resource, case when nsg.sg_name is null then 'ok' else 'alarm' end as status, case when nsg.sg_name is null then sg.title || ' restricts HTTPS access from internet.' else sg.title || ' allows HTTPS access from internet.' end as reason , sg.resource_group as resource_group , sub.display_name as subscriptionfrom azure_network_security_group sg left join network_sg nsg on nsg.sg_name = sg.name left join azure_subscription sub on sub.subscription_id = sg.subscription_id;