Azure NSG insecure inbound/Outbound access rules


Hello all, my Azure subscription has security groups that allow unrestricted inbound or outbound access on port and protocol combinations. Allowing unrestricted inbound/ingress or outbound/egress access can increase opportunities for malicious activity such as hacking, loss of data, and brute-force attacks or Denial of Service (DoS) attacks. How can I configure the allowed ports by assigning a policy to my subscription? Is there a built-in policy for that?

2 Replies

@UserID883312 Typically I would use specific rules for specific resources in NSG rules, rather than blanket policy.


For example your web server for "Application A" might want to accept incoming traffic from your AppGateway on port 443, and be able to talk to the database server for "Application A" on 1433. In contrast, the web server for "Application B" would have different rules because you don't want it to talk to the database server for "Application A".


The NSGs do come with default "allow all" rules, and these can be turned off by putting a "Deny All" at the bottom of your custom list of rules, on a low priority such as 4,096. For example:

[Screenshot: 2021-01-07_08-52-49.png, example NSG rule list]
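The priority-ordered, first-match evaluation the reply relies on, with a custom "Deny All" at 4,096 taking precedence over the built-in allow defaults, plus a check for the any-source, any-port allow rules the question describes. This is an added example, not code from the thread or from Microsoft; the "Application A" rules, the AppGateway subnet 10.0.1.0/24 and the database subnet 10.0.2.0/24 are constructed assumptions, and Azure's default rules are modelled in simplified form (service tags are compared by name rather than expanded to prefixes).

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class NsgRule:
    """One NSG security rule. 'remote' is the source for Inbound rules and the
    destination for Outbound rules: a CIDR, '*', or a service tag / ASG name."""
    name: str
    priority: int      # 100..4096 for custom rules, 65000+ for Azure's defaults
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    remote: str
    dest_port: str     # "443", "1000-2000" or "*"


# Azure's built-in default rules, simplified: service tags are matched by name
# only, and AllowInternetOutBound's "Internet" destination is modelled as "*".
DEFAULT_RULES: List[NsgRule] = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
    NsgRule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*"),
    NsgRule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*"),
]


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def _remote_matches(spec: str, remote: str) -> bool:
    if spec == "*":
        return True
    try:
        return ipaddress.ip_address(remote) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return spec == remote  # service tag or ASG name: literal comparison


def evaluate(custom: List[NsgRule], direction: str, remote: str, port: int, protocol: str) -> NsgRule:
    """Return the rule that decides a flow: lowest priority number wins, first match stops."""
    ordered = sorted((r for r in custom + DEFAULT_RULES if r.direction == direction),
                     key=lambda r: r.priority)
    for rule in ordered:
        if ((rule.protocol == "*" or rule.protocol.lower() == protocol.lower())
                and _port_matches(rule.dest_port, port)
                and _remote_matches(rule.remote, remote)):
            return rule
    raise AssertionError("the 65500 DenyAll defaults guarantee a match")


def find_unrestricted(custom: List[NsgRule]) -> List[NsgRule]:
    """Custom Allow rules open to any remote endpoint on every port: the
    pattern the question describes."""
    return [r for r in custom
            if r.access == "Allow" and r.remote in ("*", "Internet") and r.dest_port == "*"]


# Constructed rule set for "Application A" (subnet ranges are assumptions).
APP_A_RULES: List[NsgRule] = [
    NsgRule("AllowAppGwHttps", 100, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "443"),
    NsgRule("AllowSqlToAppADb", 110, "Outbound", "Allow", "Tcp", "10.0.2.0/24", "1433"),
    NsgRule("AllowAnyInbound", 200, "Inbound", "Allow", "*", "*", "*"),  # the unrestricted rule
    NsgRule("DenyAllOut", 4096, "Outbound", "Deny", "*", "*", "*"),     # the reply's low-priority Deny All
]

# The same set with the unrestricted rule removed.
HARDENED_RULES: List[NsgRule] = [r for r in APP_A_RULES if r.name != "AllowAnyInbound"]

if __name__ == "__main__":
    for r in find_unrestricted(APP_A_RULES):
        print(f"unrestricted: {r.name} (priority {r.priority}, {r.direction})")
    print(evaluate(HARDENED_RULES, "Inbound", "198.51.100.7", 22, "Tcp").name)   # DenyAllInBound
    print(evaluate(HARDENED_RULES, "Outbound", "203.0.113.10", 80, "Tcp").name)  # DenyAllOut
```

Without the 4,096 "DenyAllOut" rule, the same outbound flow to 203.0.113.10:80 falls through to the 65001 AllowInternetOutBound default, which is exactly the "allow all" the reply says the low-priority Deny overrides.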


@UserID883312 


Hi, you need to define a flow matrix to have a clear view of which service talks to which service through which protocol. Do we need to open port 80 while the service is a DNS? (Example.) You also need to document all your NSGs so people can see clearly what the goal is and don't create a rule on top of that. For groups of servers, create application security groups to facilitate NSG rule management.


You are exposed to some kinds of attacks only if you expose endpoints to the public. Sometimes you don't have a choice, but sometimes you don't need services publicly exposed, and in this case make them private.

One exercise you can also do is evaluate the risks according to the type of workloads and give a status of the remediation using Azure Defender. In fact, many built-in security policies are handled by Azure Defender, formerly Azure Security Center.