Control: Management ports should be closed on your virtual machines
Description
Open remote management ports expose your VM to a high level of risk from Internet-based attacks, which attempt to brute-force credentials to gain admin access to the machine.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.network_security_group_remote_access_restricted
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.network_security_group_remote_access_restricted --share
SQL
This control uses a named query:
with network_sg as (
  select distinct name sg_name
  from
    azure_network_security_group nsg,
    jsonb_array_elements(security_rules) sg,
    jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) dport,
    jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) sip
  where
    sg -> 'properties' ->> 'access' = 'Allow'
    and sg -> 'properties' ->> 'direction' = 'Inbound'
    and (sg -> 'properties' ->> 'protocol' ilike 'TCP' or sg -> 'properties' ->> 'protocol' = '*')
    and sip in ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '<nw>/0', '/0')
    and (
      dport in ('22', '3389', '*')
      or (
        dport like '%-%'
        and (
          (
            split_part(dport, '-', 1) :: integer <= 3389
            and split_part(dport, '-', 2) :: integer >= 3389
          )
          or (
            split_part(dport, '-', 1) :: integer <= 22
            and split_part(dport, '-', 2) :: integer >= 22
          )
        )
      )
    )
)
select
  sg.id resource,
  case
    when nsg.sg_name is null then 'ok'
    else 'alarm'
  end as status,
  case
    when nsg.sg_name is null then sg.title || ' restricts remote access from internet.'
    else sg.title || ' allows remote access from internet.'
  end as reason,
  sg.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_network_security_group as sg
  left join network_sg as nsg on nsg.sg_name = sg.name
  join azure_subscription as sub on sub.subscription_id = sg.subscription_id;
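The same predicate expressed in Python over a constructed sample of NSG security rules, as an added example that is not part of the azure_compliance mod: it applies the access/direction/protocol filters, the Internet source-prefix list and the port-range check exactly as the query does, and returns the status and reason the control would report (using the NSG name where the SQL uses sg.title). A missing destinationPortRange or sourceAddressPrefix field is treated as contributing no values; resource ids and rule names are placeholders.

```python
# Source prefixes the control treats as "anywhere on the Internet" (same list as the SQL above).
INTERNET_PREFIXES = {'*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '<nw>/0', '/0'}
MGMT_PORTS = (22, 3389)  # SSH and RDP

def _values(props: dict, plural: str, singular: str) -> list:
    """Mirror the SQL's `plural || singular` concatenation; an absent field contributes nothing."""
    values = list(props.get(plural) or [])
    if props.get(singular):
        values.append(props[singular])
    return values

def port_range_covers(dport: str, port: int) -> bool:
    """True if a destinationPortRange value ('22', '*' or '1024-65535') includes `port`."""
    if dport == '*':
        return True
    if '-' in dport:  # same as the SQL's split_part(dport, '-', 1/2) branch
        lo, hi = (int(part) for part in dport.split('-', 1))
        return lo <= port <= hi
    return dport.isdigit() and int(dport) == port

def rule_allows_internet_mgmt(rule: dict) -> bool:
    """Apply the control's predicate to one securityRules entry."""
    p = rule.get('properties', {})
    if p.get('access') != 'Allow' or p.get('direction') != 'Inbound':
        return False
    if str(p.get('protocol', '')).lower() not in ('tcp', '*'):
        return False
    if not any(s in INTERNET_PREFIXES for s in _values(p, 'sourceAddressPrefixes', 'sourceAddressPrefix')):
        return False
    dports = _values(p, 'destinationPortRanges', 'destinationPortRange')
    return any(port_range_covers(d, port) for d in dports for port in MGMT_PORTS)

def evaluate_nsg(nsg: dict) -> dict:
    """Return the status and reason the control would emit for one NSG, plus the offending rule names."""
    hits = [r['name'] for r in nsg.get('security_rules', []) if rule_allows_internet_mgmt(r)]
    verb = 'allows' if hits else 'restricts'
    return {'resource': nsg['id'], 'status': 'alarm' if hits else 'ok',
            'reason': f"{nsg['name']} {verb} remote access from internet.", 'rules': hits}

# Constructed sample NSGs (ids are placeholders, not real Azure resource ids).
SAMPLE_NSGS = [
    {'id': '/constructed/nsg-web', 'name': 'nsg-web', 'security_rules': [
        {'name': 'allow-rdp-any', 'properties': {'access': 'Allow', 'direction': 'Inbound', 'protocol': 'Tcp', 'sourceAddressPrefix': '*', 'destinationPortRange': '3389'}},
        {'name': 'allow-any-midrange', 'properties': {'access': 'Allow', 'direction': 'Inbound', 'protocol': '*', 'sourceAddressPrefix': '0.0.0.0/0', 'destinationPortRanges': ['1000-4000']}}]},
    {'id': '/constructed/nsg-bastion', 'name': 'nsg-bastion', 'security_rules': [
        {'name': 'allow-ssh-corp', 'properties': {'access': 'Allow', 'direction': 'Inbound', 'protocol': 'Tcp', 'sourceAddressPrefixes': ['203.0.113.0/24'], 'destinationPortRanges': ['22']}},
        {'name': 'allow-web', 'properties': {'access': 'Allow', 'direction': 'Inbound', 'protocol': 'Tcp', 'sourceAddressPrefix': 'Internet', 'destinationPortRanges': ['80', '443']}}]},
]
```

Calling evaluate_nsg on each entry of SAMPLE_NSGS flags nsg-web (RDP open to any source, and a 1000-4000 range that includes 3389) and passes nsg-bastion, whose SSH rule is limited to a single corporate prefix.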