module/ConfigurationProvider/ControlConfigurations/Services/NSG.json

{
    "FeatureName": "NSG",
    "Reference": "aka.ms/azsktcp/nsg",
    "IsMaintenanceMode": false,
    "Controls": [
        {
            "ControlID": "Azure_NSG_NetSec_Dont_Open_Restricted_Ports",
            "Description": "Do not leave restricted ports open on NSG",
            "Id": "NSG100",
            "DisplayName": "Do not use risky ports on firewall and NSGs",
            "Category": "Deploy controls to restrict network traffic",
            "ControlRequirements": "Restrict network traffic flows",
            "ControlSeverity": "Critical",
            "Automated": "Yes",
            "MethodName": "CheckRestrictedPortsOnNSG",
            "Rationale": "Open restricted ports expose an NSG to a high level of risk from internet-based attacks that attempt to brute-force credentials to gain admin access to the machine.",
            "Recommendation": "Go to Azure Portal --> NSG Settings --> Inbound security rules --> Select security rule which allows management ports (e.g. RDP-3389, WINRM-5985, SSH-22, SMB-445) --> Click 'Deny' under Action --> Click Save.",
            "Tags": [
                "NetSec",
                "Baseline",
                "Weekly"
            ],
            "Enabled": true,
            "ControlSettings": {
                "RestrictedPorts": "445,3389,5985,22",
                "ExclusionTags": [
                    {
                        "Description": "VM is part of an ADB (Azure Databricks) cluster.",
                        "TagName": "databricks-environment",
                        "TagValue": "true"
                    },
                    {
                        "Description": "VM is part of an ADB (Azure Databricks) cluster.",
                        "TagName": "application",
                        "TagValue": "databricks"
                    }
                ]
            },
            "CustomTags": [
                "Windows",
                "Linux",
                "P0",
                "SN:Risky_ports"
            ]
        },
        {
            "ControlID": "Azure_NSG_NetSec_Dont_Open_Restricted_Ports_Trial",
            "Description": "[Trial] Do not leave restricted ports open on NSG",
            "Id": "NSG110",
            "DisplayName": "[Trial] Do not use risky ports on firewall and NSGs",
            "Category": "Deploy controls to restrict network traffic",
            "ControlRequirements": "Restrict network traffic flows",
            "ControlSeverity": "Critical",
            "Automated": "No",
            "MethodName": "CheckRestrictedPortsOnNSGTrial",
            "Rationale": "Open restricted ports expose an NSG to a high level of risk from internet-based attacks that attempt to brute-force credentials to gain admin access to the machine.",
            "Recommendation": "Go to Azure Portal --> NSG Settings --> Inbound security rules --> Select security rule which allows management ports (e.g. RDP-3389, WINRM-5985, SSH-22, SMB-445) --> Click 'Deny' under Action --> Click Save.",
            "Tags": [
                "Baseline",
                "Daily",
                "ExtScanned",
                "NetSec",
                "Trial"
            ],
            "Enabled": true,
            "CustomTags": []
        },
        {
            "ControlID": "Azure_NSG_NetSec_Dont_Open_InBound_Any_Any",
            "Description": "Do not leave NSG inbound rules open to unrestricted (any-any) traffic",
            "Id": "NSG200",
            "DisplayName": "Firewall/NSG rules must not allow unrestricted traffic (any-any rule)",
            "Category": "Deploy controls to restrict network traffic",
            "ControlRequirements": "Restrict network traffic flows",
            "ControlSeverity": "Critical",
            "Automated": "Yes",
            "MethodName": "CheckAnyAnyRuleOnNSG",
            "Rationale": "Open restricted ports expose an NSG to a high level of risk from internet-based attacks that attempt to brute-force credentials to gain admin access to the machine.",
            "Recommendation": "Go to Azure Portal --> NSG Settings --> Inbound security rules --> Select security rule which allows Any-Any inbound port --> Click 'Deny' under Action --> Click Save.",
            "Tags": [
              "NetSec",
              "VirtualMachine",
              "Baseline",
              "Weekly"
            ],
            "Enabled": true,
            "ControlSettings": {
              "ExclusionTags": [
                {
                  "Description": "VM is part of an ADB (Azure Databricks) cluster.",
                  "TagName": "databricks-environment",
                  "TagValue": "true"
                },
                {
                  "Description": "VM is part of an ADB (Azure Databricks) cluster.",
                  "TagName": "application",
                  "TagValue": "databricks"
                }
              ],
              "UniversalPortRange": [
                "*",
                "0-65535"
              ],
              "ValidRules": [
                {
                  "Protocol": "ICMP",
                  "NonCompliantSourceAddressPrefixes": [ "*", "Internet" ]
                }
              ]
            },
            "CustomTags": [
              "Windows",
              "Linux"
            ]
        }
    ]
}