Network Security Group

Open All Ports

Risk Level: High

Description: 

This plugin checks Network Security Groups for inbound rules that allow traffic on all ports from any source. While some ports, such as HTTP (80) and HTTPS (443), must be exposed to the public in order to function, nearly all other services should be limited to known IP addresses and to the specific ports they need.

PingSafe strongly recommends restricting ports to known IP addresses.


About the Service :

In an Azure virtual network, a network security group (NSG) is used to filter network traffic to and from Azure resources. A network security group is a collection of security rules that allow or deny inbound and outbound network traffic to and from Azure resources. Each rule specifies a source, a destination, port ranges and a protocol, together with a priority and an Allow or Deny action; rules are evaluated in priority order, and the first match wins.

Impact : 

A rule that allows all ports from any source exposes every service listening on the attached subnet or network interfaces to the public internet, including management services such as SSH, RDP and database listeners that are routinely scanned and brute-forced. Because rules are evaluated by priority, such an Allow rule also overrides any Deny rule with a lower priority. Hence, nearly all services should be limited to known IP addresses and to the ports they actually need.

Steps to reproduce :

  1. Sign in to your Azure portal with your Azure account.
    https://portal.azure.com/#home 
  2. Navigate to Azure’s Network Security Groups.
  3. Click on the Security Group that you want to examine. Next, click on the inbound security rules.
  4. Check whether any rule with Action set to Allow has its Source set to Any (shown as *, 0.0.0.0/0 or the Internet service tag) and its Destination port ranges set to * (or 0-65535). Such a rule allows traffic on every port from the public internet, regardless of what the Destination address column shows.
  5. Follow the same steps for other security groups as well.

Steps for remediation :

  1. Sign in to your Azure portal with your Azure account.
    https://portal.azure.com/#home 
  2. Navigate to Azure’s Network Security Groups.
  3. Click on the Security Group that you want to examine. Next, click on the inbound security rules.
  4. Note any Allow rule whose Destination port ranges is set to * (or 0-65535), indicating that traffic is allowed on all ports. If its Source is also Any (*, 0.0.0.0/0 or the Internet service tag), the rule exposes every port to the public.
  5. Next, click on that security rule and change the Source from Any to the specific IP addresses or CIDR ranges that need access (or select an Application security group), and restrict the Destination port ranges to only the ports the service needs.
  6. Click on the Save button.
  7. Now the network security group is not open to all ports.
  8. Follow the same steps for other security groups as well.
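The portal steps above can be automated. The script below is an added example, not PingSafe's plugin code: it applies the same check (Allow, Inbound, public source, all ports) to the JSON that `az network nsg rule list --nsg-name <nsg> -g <rg> -o json` returns, and for each finding prints the `az network nsg rule update` command that narrows the rule to known sources and ports. The sample rules are constructed for the example, and the resource group, NSG and allowed source/port values are assumptions to be replaced with your own.

```python
"""Flag NSG inbound rules that allow all ports from any source.

Added example, not PingSafe's plugin code. Operates on the JSON shape
returned by `az network nsg rule list --nsg-name <nsg> -g <rg> -o json`
(camelCase field names such as sourceAddressPrefix / destinationPortRange
are the Azure CLI's output format). The sample rules below are constructed
for this example; the resource group and NSG names are assumptions.
"""
import ipaddress
import json

# Source prefixes that mean "anyone on the internet".
PUBLIC_SOURCES = {"*", "any", "internet", "0.0.0.0/0", "::/0"}


def _values(rule, single, plural):
    # The CLI emits either the singular field or the plural list.
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return [str(v) for v in vals]


def is_public_source(prefix):
    """True for Any/Internet/0.0.0.0/0 and any prefix of length 0."""
    p = prefix.strip().lower()
    if p in PUBLIC_SOURCES:
        return True
    try:
        net = ipaddress.ip_network(p, strict=False)
    except ValueError:
        return False  # a service tag such as VirtualNetwork or AzureLoadBalancer
    return net.prefixlen == 0


def is_all_ports(port_range):
    """True for '*' or the full 0-65535 range."""
    r = port_range.strip()
    if r == "*":
        return True
    if "-" in r:
        lo, hi = r.split("-", 1)
        return lo.strip() == "0" and hi.strip() == "65535"
    return False


def open_all_ports_rules(rules):
    """Return names of Allow/Inbound rules that expose every port to the public."""
    findings = []
    for rule in rules:
        if rule.get("access", "").lower() != "allow":
            continue
        if rule.get("direction", "").lower() != "inbound":
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        if any(is_public_source(s) for s in sources) and any(is_all_ports(p) for p in ports):
            findings.append(rule["name"])
    return findings


def remediation_command(rg, nsg, rule_name, allowed_sources, allowed_ports):
    """Azure CLI command that narrows a rule to known sources and required ports."""
    return (
        f"az network nsg rule update -g {rg} --nsg-name {nsg} -n {rule_name} "
        f"--source-address-prefixes {' '.join(allowed_sources)} "
        f"--destination-port-ranges {' '.join(allowed_ports)}"
    )


# Constructed sample: one offending rule, one web rule open only on 80/443,
# one all-ports rule limited to a known office range, and a trailing Deny.
SAMPLE_RULES = json.loads("""[
  {"name": "AllowAnyInbound", "access": "Allow", "direction": "Inbound",
   "priority": 100, "protocol": "*",
   "sourceAddressPrefix": "*", "destinationPortRange": "*"},
  {"name": "AllowWeb", "access": "Allow", "direction": "Inbound",
   "priority": 110, "protocol": "Tcp",
   "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
  {"name": "AllowOfficeAll", "access": "Allow", "direction": "Inbound",
   "priority": 120, "protocol": "*",
   "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "0-65535"},
  {"name": "DenyAllInbound", "access": "Deny", "direction": "Inbound",
   "priority": 4096, "protocol": "*",
   "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]""")

if __name__ == "__main__":
    for name in open_all_ports_rules(SAMPLE_RULES):
        print("FINDING:", name)
        # Assumed values: replace with your resource group, NSG, trusted CIDRs and ports.
        print(remediation_command("example-rg", "example-nsg", name,
                                  ["203.0.113.0/24"], ["22", "443"]))
```

Only AllowAnyInbound is reported: AllowWeb is reachable from the internet but on two ports only, and AllowOfficeAll opens every port but only to a known CIDR, which matches the guidance above. The trailing Deny is ignored, since a higher-priority Allow already matches first.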

References :

Please feel free to reach out to support@pingsafe.com with any questions that you may have.

Thanks

PingSafe Support