AlgoSec Best Practices for Microsoft Azure provide a baseline for your cloud network configuration and security policy across all your Azure subscriptions, assets, and security controls.
To read more about AlgoSec Best Practices, please visit the AlgoSec home page.

AlgoSec Best Practices requirements (170)
ID | Severity | Requirement | Title | Description | Remediation
O01-I-NSG | Critical | AlgoSec O01-I-NSG | Outbound "To Any allow Any service" rules to Public IPs | Outbound rules of the form "to Any with service Any" are usually more open than is necessary. Allowing all services allows many services that are known to be risky, most of which you probably do not use in your business. Allowing access to all destinations may allow exfiltration of information. | Restrict the rules to refer to the destination IPs you really use, and to the services your applications rely on, by deploying a stateful firewall for outbound traffic.
O02-I-NSG | Critical | AlgoSec O02-I-NSG | Outbound "To Any allow all TCP" rules to Public IPs | Outbound rules of the form "to Any with all TCP" are usually more open than is necessary. Allowing all TCP allows many services that are known to be risky, most of which you probably do not use in your business. Allowing access to all destinations may allow exfiltration of information. | Restrict the rules to refer to the destination IPs you really use, and to the services your applications rely on, by deploying a stateful firewall for outbound traffic.
O03-I-NSG | Critical | AlgoSec O03-I-NSG | Outbound "To Any allow all UDP" rules to Public IPs | Outbound rules of the form "to Any with all UDP" are usually more open than is necessary. Allowing all UDP allows many services that are known to be risky, most of which you probably do not use in your business. Allowing access to all destinations may allow exfiltration of information. | Restrict the rules to refer to the destination IPs you really use, and to the services your applications rely on, by deploying a stateful firewall for outbound traffic.
O04-I-NSG | High | AlgoSec O04-I-NSG | TCP on all ports can exit your network to Public IPs | Allowing TCP on all ports to exit your network is extremely risky since this includes many vulnerable services. The largest threat is that of Trojan horses contacting their controllers, followed by unintended information leakage, and spreading of malicious code like viruses and worms. | Review all the rules that allow outbound traffic with TCP on all ports, and limit them to those services you actually require by deploying a stateful firewall for outbound traffic.
O05-I-NSG | High | AlgoSec O05-I-NSG | "Any" service can exit your network to Public IPs | Allowing the "Any" service to exit your network is extremely risky since the "Any" service includes many vulnerable services. The largest threat is that of Trojan horses contacting their controllers, followed by unintended information leakage, and spreading of malicious code like viruses and worms. | Review all the rules that allow outbound traffic with the "Any" service, and limit them to those services you actually require.
O06-I-NSG | High | AlgoSec O06-I-NSG | UDP on all ports can exit your network to Public IPs | Allowing UDP on all ports to exit your network is extremely risky since this includes many vulnerable services. The largest threat is that of Trojan horses contacting their controllers, followed by unintended information leakage, and spreading of malicious code like viruses and worms. | Review all the rules that allow outbound traffic with UDP on all ports, and limit them to those services you actually require by deploying a stateful firewall for outbound traffic.
O07-I-NSG | High | AlgoSec O07-I-NSG | FTP can exit your network to Public IPs | Letting FTP (File Transfer Protocol) exit your network is risky as it is not encrypted. It is only authenticated by simple passwords, which are transmitted in the clear. Serious vulnerabilities have been found in many versions of FTP server software. You may have many FTP servers on your internal networks and it is difficult to ensure that they are all properly hardened. A compromised or infected machine could access or damage the data on these servers. | Eliminate rules which allow access to this port to Public IPs. For file upload, use secure alternatives such as SFTP.
O08-I-NSG | Medium | AlgoSec O08-I-NSG | Risky TCP Microsoft services can exit your network to Public IPs | Allowing Microsoft's NetBIOS services (TCP/135, TCP/139, TCP/445, TCP/593) to exit your network is risky. These services provide file and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. | Eliminate rules which allow access to these ports to public IPs.
O09-I-NSG | Medium | AlgoSec O09-I-NSG | Risky UDP Microsoft services can exit your network to Public IPs | Allowing Microsoft's NetBIOS services (UDP/137, UDP/138) to exit your network is risky. These services provide file and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. | Eliminate rules which allow access to these ports to public IPs.
O10-I-NSG | Medium | AlgoSec O10-I-NSG | SMTP can exit your network to more than 256 Public IPs | Allowing outbound SMTP access on TCP port 25/465/587 from many internal machines is risky. Outbound SMTP (e-mail) should only originate from your public mail servers. E-mail is a vector for many viruses and worms. Computers that can send e-mail directly (not through your organization's designated mail servers) can bypass your network's e-mail filters, and spread viruses and worms to other networks. Therefore, outbound SMTP access should be limited to your properly hardened public mail servers. | Restrict the rules to refer to only the destination IPs you really use, and limit the number of public IP addresses that can be reached on this port.
O11-I-NSG | Critical | AlgoSec O11-I-NSG | Outbound "To Internet allow Any service" rules | Allowing any service to the Internet is risky. Allowing access to all destinations in the Internet may allow exfiltration of information. | Eliminate rules which allow such access and restrict the access to the specific protocols and ports which are needed.
O12-I-NSG | Critical | AlgoSec O12-I-NSG | Outbound "To Internet allow All TCP" rules | Allowing all TCP services to the Internet is risky. Allowing access to all destinations in the Internet may allow exfiltration of information. | Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
O13-I-NSG | Critical | AlgoSec O13-I-NSG | Outbound "To Internet allow All UDP" rules | Allowing all UDP services to the Internet is risky. Allowing access to all destinations in the Internet may allow exfiltration of information. | Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
O14-I-NSG | High | AlgoSec O14-I-NSG | Any service can exit your network to VirtualNetwork | Allowing any service to the whole VirtualNetwork is risky, as VirtualNetwork includes many types of your resources, such as your Azure Virtual Machines (VMs). Allowing such access may allow exfiltration of information. | Eliminate rules which allow such access and restrict the access to the specific protocols and ports which are needed.
O15-I-NSG | High | AlgoSec O15-I-NSG | TCP on all ports can exit your network to VirtualNetwork | Allowing all TCP services to the whole VirtualNetwork is risky, as VirtualNetwork includes many types of your resources, such as your Azure Virtual Machines (VMs). Allowing such access may allow exfiltration of information. | Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
O16-I-NSG | High | AlgoSec O16-I-NSG | UDP on all ports can exit your network to VirtualNetwork | Allowing all UDP services to the whole VirtualNetwork is risky, as VirtualNetwork includes many types of your resources, such as your Azure Virtual Machines (VMs). Allowing such access may allow exfiltration of information. | Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
O17-I-NSG | High | AlgoSec O17-I-NSG | Any service can exit your network to AzureActiveDirectory | AzureActiveDirectory is used to sign in and access public resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications. Allowing any service to AzureActiveDirectory from your network is risky and redundant. | Eliminate rules which allow such access and restrict the access to the specific protocols and ports which are needed.
O18-I-NSG | High | AlgoSec O18-I-NSG | TCP on all ports can exit your network to AzureActiveDirectory | AzureActiveDirectory is used to sign in and access public resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications. Allowing all TCP services to AzureActiveDirectory from your network is risky and redundant. | Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
O19-I-NSG | High | AlgoSec O19-I-NSG | UDP on all ports can exit your network to AzureActiveDirectory | AzureActiveDirectory is used to sign in and access public resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications. Allowing all UDP services to AzureActiveDirectory from your network is risky and redundant. | Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
O20-I-NSG | High | AlgoSec O20-I-NSG | Any service can exit your network to Sql | Allowing any service to the Azure SQL Database service from your network is risky. Azure SQL Database is a fully managed service that has built-in high availability, backups, and other common maintenance operations. | Eliminate rules which allow such access and restrict the access to the specific protocols and ports which are needed.
O21-I-NSG | High | AlgoSec O21-I-NSG | TCP on all ports can exit your network to Sql | Allowing all TCP services to the Azure SQL Database service from your network is risky. Azure SQL Database is a fully managed service that has built-in high availability, backups, and other common maintenance operations. | Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
O22-I-NSG | High | AlgoSec O22-I-NSG | UDP on all ports can exit your network to Sql | Allowing all UDP services to the Azure SQL Database service from your network is risky. Azure SQL Database is a fully managed service that has built-in high availability, backups, and other common maintenance operations. | Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
O23-I-NSG | High | AlgoSec O23-I-NSG | Any service can exit your network to Storage | Allowing any service to the Azure Storage service from your network is risky. Azure Storage offers a massively scalable object store for data objects, a file system service for the cloud, a messaging store for reliable messaging, and a NoSQL store. | Eliminate rules which allow such access and restrict the access to the specific protocols and ports which are needed.
O24-I-NSG | High | AlgoSec O24-I-NSG | TCP on all ports can exit your network to Storage | Allowing all TCP services to the Azure Storage service from your network is risky. Azure Storage offers a massively scalable object store for data objects, a file system service for the cloud, a messaging store for reliable messaging, and a NoSQL store. | Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
O25-I-NSG | High | AlgoSec O25-I-NSG | UDP on all ports can exit your network to Storage | Allowing all UDP services to the Azure Storage service from your network is risky. Azure Storage offers a massively scalable object store for data objects, a file system service for the cloud, a messaging store for reliable messaging, and a NoSQL store. | Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
O26-I-NSG | High | AlgoSec O26-I-NSG | Any service can exit your network to AzureCosmosDB | Allowing any service to the AzureCosmosDB service from your network is risky. Azure Cosmos DB is Microsoft's globally distributed, multi-model database service, which enables you to elastically and independently scale throughput and storage across any number of Azure regions worldwide. | Eliminate rules which allow such access and restrict the access to the specific protocols and ports which are needed.
O27-I-NSG | High | AlgoSec O27-I-NSG | TCP on all ports can exit your network to AzureCosmosDB | Allowing all TCP services to the AzureCosmosDB service from your network is risky. Azure Cosmos DB is Microsoft's globally distributed, multi-model database service, which enables you to elastically and independently scale throughput and storage across any number of Azure regions worldwide. | Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
O28-I-NSG | High | AlgoSec O28-I-NSG | UDP on all ports can exit your network to AzureCosmosDB | Allowing all UDP services to the AzureCosmosDB service from your network is risky. Azure Cosmos DB is Microsoft's globally distributed, multi-model database service, which enables you to elastically and independently scale throughput and storage across any number of Azure regions worldwide. | Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
O29-I-NSG | Critical | AlgoSec O29-I-NSG | Any service can exit your network to AzureKeyVault | Allowing any service to the AzureKeyVault service from your network is very risky. Azure Key Vault is a tool for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. A vault is a logical group of secrets. | Eliminate rules which allow such access and restrict the access to the specific protocols and ports which are needed.
O30-I-NSG | Critical | AlgoSec O30-I-NSG | TCP on all ports can exit your network to AzureKeyVault | Allowing all TCP services to the AzureKeyVault service from your network is very risky. Azure Key Vault is a tool for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. A vault is a logical group of secrets. | Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
O31-I-NSG | Critical | AlgoSec O31-I-NSG | UDP on all ports can exit your network to AzureKeyVault | Allowing all UDP services to the AzureKeyVault service from your network is very risky. Azure Key Vault is a tool for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. A vault is a logical group of secrets. | Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
O32-I-NSG | High | AlgoSec O32-I-NSG | Any service can exit your network to AzureDataLake | Allowing any service to the AzureDataLake service from your network is risky. Azure Data Lake includes all the capabilities required to make it easy for developers, data scientists and analysts to store data of any size, shape and speed, and do all types of processing and analytics across platforms and languages. | Eliminate rules which allow such access and restrict the access to the specific protocols and ports which are needed.
O33-I-NSG | High | AlgoSec O33-I-NSG | TCP on all ports can exit your network to AzureDataLake | Allowing all TCP services to the AzureDataLake service from your network is risky. Azure Data Lake includes all the capabilities required to make it easy for developers, data scientists and analysts to store data of any size, shape and speed, and do all types of processing and analytics across platforms and languages. | Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
O34-I-NSG | High | AlgoSec O34-I-NSG | UDP on all ports can exit your network to AzureDataLake | Allowing all UDP services to the AzureDataLake service from your network is risky. Azure Data Lake includes all the capabilities required to make it easy for developers, data scientists and analysts to store data of any size, shape and speed, and do all types of processing and analytics across platforms and languages. | Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
O35-I-NSG | High | AlgoSec O35-I-NSG | Any service can exit your network to SqlManagement | Allowing any service to the AzureDataLake service from your network is risky. Azure Data Lake includes all the capabilities required to make it easy for developers, data scientists and analysts to store data of any size, shape and speed, and do all types of processing and analytics across platforms and languages. | Eliminate rules which allow such access and restrict the access to the specific protocols and ports which are needed.
O36-I-NSG | High | AlgoSec O36-I-NSG | TCP on all ports can exit your network to SqlManagement | Allowing all TCP services to the AzureDataLake service from your network is risky. Azure Data Lake includes all the capabilities required to make it easy for developers, data scientists and analysts to store data of any size, shape and speed, and do all types of processing and analytics across platforms and languages. | Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
O37-I-NSG | High | AlgoSec O37-I-NSG | UDP on all ports can exit your network to SqlManagement | Allowing all UDP services to the AzureDataLake service from your network is risky. Azure Data Lake includes all the capabilities required to make it easy for developers, data scientists and analysts to store data of any size, shape and speed, and do all types of processing and analytics across platforms and languages. | Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
I01-I-NSG Critical AlgoSec I01-I-NSG Inbound "From Any allow Any service" rules from Public IPs Inbound rules of the form "From Any with service Any : PASS" are usually more open than is necessary. Allowing all services allows many services that are known to be risky, most of which you probably do not use in your business. Allowing access from all sources may allow access to from risky locations. This subnet is connected from internet, elevating the level of risk. Restrict the rules to refer to only the source IPs and services you really use.
I02-I-NSG Critical AlgoSec I02-I-NSG Inbound "From Any allow all TCP" rules from Public IPs Inbound rules of the form "From Any with all TCP : PASS" are usually more open than is necessary. Allowing all TCP allows many services that are known to be risky, most of which you probably do not use in your business. Allowing access from all sources may allow access to from risky locations. This subnet is connected to the Internet, elevating the level of risk. Restrict the rules to refer to only the source IPs and services you really use.
I03-I-NSG Critical AlgoSec I03-I-NSG Inbound "From Any allow all UDP" rules from Public IPs Inbound rules of the form "From Any with all UDP : PASS" are usually more open than is necessary. Allowing all UDP allows many services that are known to be risky, most of which you probably do not use in your business. Allowing access from all sources may allow access to from risky locations. This subnet is connected to the Internet, elevating the level of risk. Restrict the rules to refer to only the source IPs and services you really use.
I04-I-NSG High AlgoSec I04-I-NSG "Any" service can enter your network from Public IPs Allowing the "Any" service to enter your network is extremely risky since the "Any" service includes many vulnerable services. This is risky even if the traffic is only allowed from business partners or through VPNs. Review all the rules that allow inbound traffic with "Any" service, and limit them to those services you actually require.
I05-I-NSG High AlgoSec I05-I-NSG TCP on all ports can enter your network from Public IPs Allowing TCP on all ports to enter your network is extremely riskysince this includes many vulnerable services. This is risky even if the traffic is only allowed from business partners or through VPNs: a remote laptop connecting through a VPN could easily infect your network with a worm or virus. Review all the rules that allow inbound traffic with TCP on all ports, and limit them to those services you actually require.
I06-I-NSG High AlgoSec I06-I-NSG UDP on all ports can enter your network from Public IPs Allowing UDP on all ports to enter your network is extremely risky since this includes many vulnerable services. This is risky even if the traffic is only allowed from business partners or through VPNs: a remote laptop connecting through a VPN could easily infect your network with a worm or virus. Review all the rules that allow inbound traffic with UDP on all ports, and limit them to those services you actually require.
I07-I-NSG High AlgoSec I07-I-NSG LDAP Port TCP/389, UDP/389 open from Public IPs Your cloud LDAP server is accessible using the LDAP port (UDP/389, TCP/389). LDAP (Lightweight Directory Access Protocol) is a directory service for controling access to network capable devices. Allowing access to these ports from public IP addresses is risky. Eliminate rules which allow access to this port from the Internet.
I08-I-NSG High AlgoSec I08-I-NSG Port 3020 can enter your network from Public IPs Your cloud estate is accessible using file sharing Protocol CIFS over port 3020. Allowing file sharing access from public IP addresses is risky. Eliminate rules which allow access to this port from the Internet.
I09-I-NSG High AlgoSec I09-I-NSG Database port TCP/9000 can enter your network from Public IPs Your cloud Hadoop database is accessible using administrative port TCP/9000. Hadoop is a framework for distributed data processing that allows access to the data and may act as database. Opening Hadoop port for public IPs is risky Eliminate rules which allow access to this port from the Internet.
I10-I-NSG High AlgoSec I10-I-NSG Administrative port TCP/1434 can enter your network from Public IPs Your cloud database managment system is accessible using the MSSQL administrative port TCP/1434. MSSQL is a Microsoft SQL server database managment system. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from the Internet.
I11-I-NSG High AlgoSec I11-I-NSG MSSQL(UDP/1434) can enter your network from Public IPs Your cloud database managment system is accessible using the MSSQL port UDP/1434. MSSQL is a Microsoft SQL server database managment system. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from the Internet.
I12-I-NSG High AlgoSec I12-I-NSG Database port TCP/27017-27019 can enter your network from Public IPs Your cloud database managment system is accessible using the Mongo Web Portal port with TCP/27018. Mongo Web Portal is a "mongodb" named protocol that allows access to MongoDB API. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from the Internet.
I13-I-NSG High AlgoSec I13-I-NSG Database port TCP/3306 can enter your network from Public IPs Your cloud database managment system is accessible using the MySQL debug port TCP/3306. MySQL is a database managment system (RDBMS). Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from the Internet.
I14-I-NSG High AlgoSec I14-I-NSG Administrative port UDP/161 can enter your network from Public IPs Your cloud estate is accessible using the SNMP service (UDP/161). SNMP (Simple Network Management Protocol) is a protocol used to manage networking and edge devices. Allowing SNMP from public IP addresses is risky. Eliminate rules which allow access to this port from the Internet.
I15-I-NSG High AlgoSec I15-I-NSG Telnet can enter your network from Public IPs Telnet is a remote-login service that is not encrypted. It is only authenticated by simple passwords, that are transmitted in the clear. Eliminate rules which allow access to this port from the Internet.
I16-I-NSG High AlgoSec I16-I-NSG Risky TCP Microsoft services can enter your network from Public IPs Allowing Microsoft's NetBIOS services (TCP/135, TCP/139, TCP/445, TCP/593) to cross into your network is extremely risky. These services provide file sharing Protocol SMB and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. Eliminate rules which allow access to this port from the Internet.
I17-I-NSG High AlgoSec I17-I-NSG Database port TCP/1433 can enter your network from Public IPs Your cloud database managment system is accessible using the MSSQL port TCP/1433. MSSQL is a Microsoft SQL server database managment system. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from the Internet.
I18-I-NSG High AlgoSec I18-I-NSG Database port TCP/5432 can enter your network from Public IPs Allowing inbound access using database-access protocol PostgreSQL (TCP/5432) may expose your most critical databases to attack. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from the Internet.
I19-I-NSG High AlgoSec I19-I-NSG Database port TCP/523 can enter your network from Public IPs Allowing inbound access using database-access protocol IBM DB2 (TCP/523) may expose your most critical databases to attack. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from the Internet.
I20-I-NSG High AlgoSec I20-I-NSG Database port TCP/1521 can enter your network from Public IPs Allowing inbound access using database-access protocol Oracle's sqlnet (TCP/1521) may expose your most critical databases to attack. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from the Internet.
I21-I-NSG Medium AlgoSec I21-I-NSG RPC can enter your network from Public IPs The Sunrpc service(TCP/UDP port 111) is used by the Unix "portmapper" daemon to support services like NFS. Allowing such traffic in could expose your data if you have Unix file servers. Eliminate rules which allow access to this port from the Internet.
I22-I-NSG High AlgoSec I22-I-NSG FTP can enter your network from Public IPs Letting FTP (File Transfer Protocol) reach internal servers is risky as it is not encrypted. It is only authenticated by simple passwords, that are transmitted in the clear. Serious vulnerabilities have been found in many versions of FTP server software. You may have many FTP servers on your internal networks and it is difficult to ensure that they are all properly hardened. A compromised or infected machine could access or damage the data on these servers. Eliminate rules which allow access to this port from the Internet. For file upload from the Internet - use secure alternatives such as SFTP.
I23-I-NSG Low AlgoSec I23-I-NSG Version control services can enter your network from Public IPs Allowing inbound access to version control systems like CVS (TCP/2401) or Subversion (TCP/3690) may be risky if you use these systems. Version control systems provide tools to manage different versions of documents or source code and facilitate multiple users to concurrently work on the same set of files. These systems have serious known vulnerabilities. If you use either the CVS or the Subversion version control systems, eliminate rules which allow access to this port from the Internet.
I24-I-NSG High AlgoSec I24-I-NSG Administrative port 22 (ssh) can enter your network from more than 256 Public IPs Allowing access from more than 256 Public IP addresses using the SSH service (TCP/22) is risky. SSH is a remote-login service that allows command-line access to Linux/Unix-based servers and is generally used for server administration. Allowing administrative access from too many public IP addresses is risky. Restrict the rules to refer to only the source IPs you really use, and limit the number of public IP addresses that have this administrative access.
I25-I-NSG High AlgoSec I25-I-NSG Administrative port 3389 (RDP) can enter your network from more than 256 Public IPs Allowing access from more than 256 Public IP addresses using the Microsoft RDP protocol over port 3389 is risky. RDP stands for Remote Desktop and is a Windows service that allows remote login to Windows machines. RDP is used for Windows-based server administration. Allowing administrative access from too many public IP addresses is risky. Restrict the rules to refer to only the source IPs you really use, and limit the number of public IP addresses that have this administrative access.
I26-I-NSG High AlgoSec I26-I-NSG Risky UDP Microsoft services can enter your network from Public IPs Allowing Microsoft's NetBIOS services (UDP/137, UDP/138) to cross into your network is extremely risky. These services provide SMB file sharing and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. Eliminate rules which allow access to these ports from the Internet.
I27-I-NSG Critical AlgoSec I27-I-NSG Inbound "From Internet allow Any service" rules Allowing any service from the Internet is risky. Allowing access to all destinations in the Internet may allow exfiltration of information. Eliminate rules which allow such access and restrict the access to the specific protocols and ports which are needed.
I28-I-NSG Critical AlgoSec I28-I-NSG Inbound "From Internet allow All TCP" rules Allowing All TCP services from the Internet is risky. Allowing access to all destinations in the Internet may allow exfiltration of information. Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
I29-I-NSG Critical AlgoSec I29-I-NSG Inbound "From Internet allow ALL UDP" rules Allowing All UDP services from the Internet is risky. Allowing access to all destinations in the Internet may allow exfiltration of information. Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
I30-I-NSG High AlgoSec I30-I-NSG Any service can enter your network from VirtualNetwork Allowing any service from the whole VirtualNetwork is risky as VirtualNetwork includes many types of your resources, such as your Azure Virtual Machines (VM). Allowing such access may allow exfiltration of information. Eliminate rules which allow such access and restrict the access to the specific protocols and ports which are needed.
I31-I-NSG High AlgoSec I31-I-NSG TCP on all ports can enter your network from VirtualNetwork Allowing All TCP services from the whole VirtualNetwork is risky as VirtualNetwork includes many types of your resources, such as your Azure Virtual Machines (VM). Allowing such access may allow exfiltration of information. Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
I32-I-NSG High AlgoSec I32-I-NSG UDP on all ports can enter your network from VirtualNetwork Allowing All UDP services from the whole VirtualNetwork is risky as VirtualNetwork includes many types of your resources, such as your Azure Virtual Machines (VM). Allowing such access may allow exfiltration of information. Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
I33-I-NSG High AlgoSec I33-I-NSG Any service can enter your network from AzureTrafficManager Allowing any service from the AzureTrafficManager service is risky. Azure Traffic Manager enables you to control the distribution of traffic across your application endpoints. An endpoint is any Internet-facing service hosted inside or outside of Azure. Eliminate rules which allow such access and restrict the access to the specific protocols and ports which are needed.
I34-I-NSG High AlgoSec I34-I-NSG TCP on all ports can enter your network from AzureTrafficManager Allowing All TCP services from the AzureTrafficManager service is risky. Azure Traffic Manager enables you to control the distribution of traffic across your application endpoints. An endpoint is any Internet-facing service hosted inside or outside of Azure. Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
I35-I-NSG High AlgoSec I35-I-NSG UDP on all ports can enter your network from AzureTrafficManager Allowing All UDP services from the AzureTrafficManager service is risky. Azure Traffic Manager enables you to control the distribution of traffic across your application endpoints. An endpoint is any Internet-facing service hosted inside or outside of Azure. Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
I36-I-NSG High AlgoSec I36-I-NSG Any service can enter your network from GatewayManager Allowing any service from the GatewayManager service is risky. Azure GatewayManager manages the management traffic for deployments dedicated to Azure VPN Gateway and Application Gateway. Eliminate rules which allow such access and restrict the access to the specific protocols and ports which are needed.
I37-I-NSG High AlgoSec I37-I-NSG TCP on all ports can enter your network from GatewayManager Allowing All TCP services from the GatewayManager service is risky. Azure GatewayManager manages the management traffic for deployments dedicated to Azure VPN Gateway and Application Gateway. Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
I38-I-NSG High AlgoSec I38-I-NSG UDP on all ports can enter your network from GatewayManager Allowing All UDP services from the GatewayManager service is risky. Azure GatewayManager manages the management traffic for deployments dedicated to Azure VPN Gateway and Application Gateway. Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
I39-I-NSG High AlgoSec I39-I-NSG Any service can enter your network from SqlManagement Allowing any service from the SqlManagement service is risky. Azure SqlManagement manages the management traffic for SQL-dedicated deployments. Eliminate rules which allow such access and restrict the access to the specific protocols and ports which are needed.
I40-I-NSG High AlgoSec I40-I-NSG TCP on all ports can enter your network from SqlManagement Allowing All TCP services from the SqlManagement service is risky. Azure SqlManagement manages the management traffic for SQL-dedicated deployments. Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
I41-I-NSG High AlgoSec I41-I-NSG UDP on all ports can enter your network from SqlManagement Allowing All UDP services from the SqlManagement service is risky. Azure SqlManagement manages the management traffic for SQL-dedicated deployments. Eliminate rules which allow such access and restrict the access to the specific ports which are needed.
I42-I-NSG High AlgoSec I42-I-NSG Inbound "From Any allow HTTP" rules from Public IPs HTTP traffic is unencrypted and therefore insecure. All inbound web traffic should use HTTPS. Restrict the rules to refer to only the source IPs you really use and change the application to use HTTPS.
I43-I-NSG Medium AlgoSec I43-I-NSG Inbound "From Any allow HTTPS" rules from Public IPs Allowing HTTPS from anywhere is risky unless it is to a public-facing website. Restrict the rules to refer to only the source IPs that need access to the protected site.
O01-NI-NSG Medium AlgoSec O01-NI-NSG TCP on all ports can exit your network to Private IPs Allowing TCP on all ports to exit your network is extremely risky since this includes many vulnerable services. The largest threat is that of Trojan horses contacting their controllers, followed by unintended information leakage, and spreading of malicious code like viruses and worms. Review all the rules that allow outbound traffic with TCP on all ports, and limit them to those services you actually require by deploying a stateful firewall for outbound traffic.
O02-NI-NSG Medium AlgoSec O02-NI-NSG "Any" service can exit your network to Private IPs Allowing the "Any" service to exit your network is extremely risky since the "Any" service includes many vulnerable services. The largest threat is that of Trojan horses contacting their controllers, followed by unintended information leakage, and spreading of malicious code like viruses and worms. Review all the rules that allow outbound traffic with the "Any" service, and limit them to those services you actually require by deploying a stateful firewall for outbound traffic.
O03-NI-NSG Medium AlgoSec O03-NI-NSG UDP on all ports can exit your network to Private IPs Allowing UDP on all ports to exit your network is extremely risky since this includes many vulnerable services. The largest threat is that of Trojan horses contacting their controllers, followed by unintended information leakage, and spreading of malicious code like viruses and worms. Review all the rules that allow outbound traffic with UDP on all ports, and limit them to those services you actually require by deploying a stateful firewall for outbound traffic.
O04-NI-NSG Medium AlgoSec O04-NI-NSG Risky TCP Microsoft services can exit your network to Private IPs Allowing Microsoft's NetBIOS services (TCP/135, TCP/139, TCP/445, TCP/593) to exit your network is risky. These services provide file and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. Eliminate rules which allow access to these ports to Private IPs.
O05-NI-NSG Medium AlgoSec O05-NI-NSG FTP can exit your network to Private IPs Letting FTP (File Transfer Protocol) exit your network is risky as it is not encrypted. It is only authenticated by simple passwords that are transmitted in the clear. Serious vulnerabilities have been found in many versions of FTP server software. You may have many FTP servers on your internal networks and it is difficult to ensure that they are all properly hardened. A compromised or infected machine could access or damage the data on these servers. Eliminate rules which allow access to this port to Private IPs. For file upload, use secure alternatives such as SFTP.
O06-NI-NSG Low AlgoSec O06-NI-NSG SMTP can exit your network to more than 256 Private IPs Allowing outbound SMTP access on TCP ports 25, 465 and 587 from many internal machines is risky. Outbound SMTP (E-mail) should only originate from your public mail servers. E-mail is a vector for many viruses and worms. Computers that can send E-mail directly (not through your organization's designated mail servers) can bypass your network's E-mail filters, and spread viruses and worms to other networks. Therefore, outbound SMTP access should be limited to your properly hardened public mail servers. Restrict the rules to refer to only the destination IPs you really use, and limit the number of destination IP addresses that can be reached on these ports.
O07-NI-NSG Medium AlgoSec O07-NI-NSG Risky UDP Microsoft services can exit your network to Private IPs Allowing Microsoft's NetBIOS services (UDP/137, UDP/138) to exit your network is risky. These services provide file and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. Eliminate rules which allow access to these ports to Private IPs.
I01-NI-NSG Medium AlgoSec I01-NI-NSG "Any" service can enter your network from Private IPs Allowing the "Any" service to enter your network is extremely risky since the "Any" service includes many vulnerable services. This is risky even if the traffic is only allowed from business partners or through VPNs. Review all the rules that allow inbound traffic with "Any" service, and limit them to those services you actually require.
I02-NI-NSG Medium AlgoSec I02-NI-NSG TCP on all ports can enter your network from Private IPs Allowing TCP on all ports to enter your network is extremely risky since this includes many vulnerable services. This is risky even if the traffic is only allowed from business partners or through VPNs: a remote laptop connecting through a VPN could easily infect your network with a worm or virus. Review all the rules that allow inbound traffic with TCP on all ports, and limit them to those services you actually require.
I03-NI-NSG Medium AlgoSec I03-NI-NSG UDP on all ports can enter your network from Private IPs Allowing UDP on all ports to enter your network is extremely risky since this includes many vulnerable services. This is risky even if the traffic is only allowed from business partners or through VPNs: a remote laptop connecting through a VPN could easily infect your network with a worm or virus. Review all the rules that allow inbound traffic with UDP on all ports, and limit them to those services you actually require.
I04-NI-NSG Medium AlgoSec I04-NI-NSG LDAP Port TCP/389, UDP/389 open from Private IPs Your cloud LDAP server is accessible using the LDAP port (UDP/389, TCP/389). LDAP (Lightweight Directory Access Protocol) is a directory service for controlling access to network-capable devices. Allowing access to these ports is risky. Eliminate rules which allow access to these ports from private IPs.
I05-NI-NSG Medium AlgoSec I05-NI-NSG Port 3020 can enter your network from Private IPs Your cloud estate is accessible using the CIFS file sharing protocol over port 3020. Allowing file sharing access on this port is risky. Eliminate rules which allow access to this port from private IPs.
I06-NI-NSG Medium AlgoSec I06-NI-NSG Database port TCP/9000 can enter your network from Private IPs Your cloud Hadoop database is accessible using administrative port TCP/9000. Hadoop is a framework for distributed data processing that allows access to the data and may act as a database. Opening the Hadoop port is risky. Eliminate rules which allow access to this port from private IPs.
I07-NI-NSG Medium AlgoSec I07-NI-NSG Administrative port TCP/1434 can enter your network from Private IPs Your cloud database management system is accessible using the MSSQL administrative port TCP/1434. MSSQL is a Microsoft SQL Server database management system. Databases are the core elements of electronic business, financial, banking and Enterprise Resource Planning (ERP) systems, and include critical information from partners, customers, and employees. Databases are extremely complex applications and are often difficult to correctly configure and secure. As a result, serious security vulnerabilities and misconfigurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from private IPs.
I08-NI-NSG Medium AlgoSec I08-NI-NSG MSSQL (UDP/1434) can enter your network from Private IPs Your cloud database management system is accessible using the MSSQL port UDP/1434. MSSQL is a Microsoft SQL Server database management system. Databases are the core elements of electronic business, financial, banking and Enterprise Resource Planning (ERP) systems, and include critical information from partners, customers, and employees. Databases are extremely complex applications and are often difficult to correctly configure and secure. As a result, serious security vulnerabilities and misconfigurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from private IPs.
I09-NI-NSG Medium AlgoSec I09-NI-NSG Database port TCP/27017-27019 can enter your network from Private IPs Your cloud database management system is accessible using the Mongo Web Portal port with TCP/27018. Mongo Web Portal is a protocol named "mongodb" that allows access to the MongoDB API. Databases are the core elements of electronic business, financial, banking and Enterprise Resource Planning (ERP) systems, and include critical information from partners, customers, and employees. Databases are extremely complex applications and are often difficult to correctly configure and secure. As a result, serious security vulnerabilities and misconfigurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to these ports from private IPs.
I10-NI-NSG Medium AlgoSec I10-NI-NSG Database port TCP/3306 can enter your network from Private IPs Your cloud database management system is accessible using the MySQL debug port TCP/3306. MySQL is a relational database management system (RDBMS). Databases are the core elements of electronic business, financial, banking and Enterprise Resource Planning (ERP) systems, and include critical information from partners, customers, and employees. Databases are extremely complex applications and are often difficult to correctly configure and secure. As a result, serious security vulnerabilities and misconfigurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from private IPs.
I11-NI-NSG Medium AlgoSec I11-NI-NSG Administrative port UDP/161 can enter your network from Private IPs Your cloud estate is accessible using the SNMP service (UDP/161). SNMP (Simple Network Management Protocol) is a protocol used to manage networking and edge devices. Allowing SNMP port UDP/161 is risky. Eliminate rules which allow access to this port from private IPs.
I12-NI-NSG Medium AlgoSec I12-NI-NSG Telnet can enter your network from Private IPs Telnet is a remote-login service that is not encrypted. It is only authenticated by simple passwords that are transmitted in the clear. Eliminate rules which allow access to this port from private IPs.
I13-NI-NSG Medium AlgoSec I13-NI-NSG Risky TCP Microsoft services can enter your network from Private IPs Allowing Microsoft's NetBIOS services (TCP/135, TCP/139, TCP/445, TCP/593) to cross into your network is extremely risky. These services provide file and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. Eliminate rules which allow access to these ports from private IPs.
I14-NI-NSG Medium AlgoSec I14-NI-NSG Database port TCP/1433 can enter your network from Private IPs Your cloud database management system is accessible using the MSSQL port TCP/1433. MSSQL is a Microsoft SQL Server database management system. Databases are the core elements of electronic business, financial, banking and Enterprise Resource Planning (ERP) systems, and include critical information from partners, customers, and employees. Databases are extremely complex applications and are often difficult to correctly configure and secure. As a result, serious security vulnerabilities and misconfigurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from private IPs.
I15-NI-NSG Medium AlgoSec I15-NI-NSG Database port TCP/5432 can enter your network from Private IPs Allowing inbound access using the PostgreSQL database-access protocol (TCP/5432) may expose your most critical databases to attack. Databases are the core elements of electronic business, financial, banking and Enterprise Resource Planning (ERP) systems, and include critical information from partners, customers, and employees. Databases are extremely complex applications and are often difficult to correctly configure and secure. As a result, serious security vulnerabilities and misconfigurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from private IPs.
I16-NI-NSG Medium AlgoSec I16-NI-NSG Database port TCP/523 can enter your network from Private IPs Allowing inbound access using the IBM DB2 database-access protocol (TCP/523) may expose your most critical databases to attack. Databases are the core elements of electronic business, financial, banking and Enterprise Resource Planning (ERP) systems, and include critical information from partners, customers, and employees. Databases are extremely complex applications and are often difficult to correctly configure and secure. As a result, serious security vulnerabilities and misconfigurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from private IPs.
I17-NI-NSG Medium AlgoSec I17-NI-NSG Database port TCP/1521 can enter your network from Private IPs Allowing inbound access using Oracle's sqlnet database-access protocol (TCP/1521) may expose your most critical databases to attack. Databases are the core elements of electronic business, financial, banking and Enterprise Resource Planning (ERP) systems, and include critical information from partners, customers, and employees. Databases are extremely complex applications and are often difficult to correctly configure and secure. As a result, serious security vulnerabilities and misconfigurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from private IPs.
I18-NI-NSG Low AlgoSec I18-NI-NSG RPC can enter your network from Private IPs The Sunrpc service (TCP/UDP port 111) is used by the Unix "portmapper" daemon to support services like NFS. Allowing such traffic in could expose your data if you have Unix file servers. Eliminate rules which allow access to this port from private IPs.
I19-NI-NSG Medium AlgoSec I19-NI-NSG FTP can enter your network from Private IPs Letting FTP (File Transfer Protocol) reach internal servers is risky as it is not encrypted. It is only authenticated by simple passwords that are transmitted in the clear. Serious vulnerabilities have been found in many versions of FTP server software. You may have many FTP servers on your internal networks and it is difficult to ensure that they are all properly hardened. A compromised or infected machine could access or damage the data on these servers. Eliminate rules which allow access to this port from private IPs. For file upload, use secure alternatives such as SFTP.
I20-NI-NSG Low AlgoSec I20-NI-NSG Version control services can enter your network from Private IPs Allowing inbound access to Unix version control systems like CVS (TCP/2401) or Subversion (TCP/3690) may be risky if you use these systems. Version control systems provide tools to manage different versions of documents or source code and allow multiple users to work concurrently on the same set of files. These systems have serious known vulnerabilities. If you use either the CVS or the Subversion version control system, eliminate rules which allow access to these ports from private IPs.
I21-NI-NSG Medium AlgoSec I21-NI-NSG Administrative port 22 (ssh) can enter your network from more than 256 Private IPs Allowing access from more than 256 Private IP addresses using the SSH service (TCP/22) is risky. SSH is a remote-login service that allows command-line access to Linux/Unix-based servers and is generally used for server administration. Allowing administrative access from too many IP addresses is risky. Restrict the rules to refer to only the source IPs you really use, and limit the number of private IP addresses that have this administrative access.
I22-NI-NSG Medium AlgoSec I22-NI-NSG Administrative port 3389 (RDP) can enter your network from more than 256 Private IPs Allowing access from more than 256 Private IP addresses using the Microsoft RDP protocol over port 3389 is risky. RDP stands for Remote Desktop and is a Windows service that allows remote login to Windows machines. RDP is used for Windows-based server administration. Allowing administrative access from too many IP addresses is risky. Restrict the rules to refer to only the source IPs you really use, and limit the number of private IP addresses that have this administrative access.
I23-NI-NSG Medium AlgoSec I23-NI-NSG Risky UDP Microsoft services can enter your network from Private IPs Allowing Microsoft's NetBIOS services (UDP/137, UDP/138) to cross into your network is extremely risky. These services provide file and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. Eliminate rules which allow access to these ports from private IPs.
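The inbound NSG requirements above are mechanical enough to be checked directly against an NSG's rule list. The following is an added example, not AlgoSec's own code: it evaluates a subset of them (the Internet catch-all rules I27/I28/I29-I-NSG, the SSH/RDP source-count thresholds I24/I25-I-NSG, the NetBIOS ports I26-I-NSG, I13-NI-NSG and I23-NI-NSG, and Sun RPC I21-I-NSG / I18-NI-NSG) over rule dictionaries that use the field names of Azure NSG securityRules properties. The sample rules, the treatment of RFC 1918 ranges and the VirtualNetwork tag as "private", and the decision to judge each rule on its own without modelling priority-ordered Deny rules are assumptions of the example.

```python
"""Evaluate Azure NSG inbound rules against a subset of the NSG checks above.
Added example (not AlgoSec code). Rule dicts use the field names of the Azure
NSG securityRules properties; the sample rules are constructed. Each rule is
judged on its own (Deny rules overriding an Allow by priority are not modelled)."""
import ipaddress

NETBIOS_TCP = {135, 139, 445, 593}        # "Risky TCP Microsoft services"
NETBIOS_UDP = {137, 138}                  # "Risky UDP Microsoft services"
SUNRPC_PORT = 111                         # Sun RPC / portmapper
ADMIN_PORTS = {22: "I24-I-NSG", 3389: "I25-I-NSG"}
MAX_ADMIN_SOURCES = 256                   # "more than 256 Public IPs"
UNBOUNDED = 2 ** 32                       # "*" or Internet: beyond any threshold
CATCH_ALL = {"*": "I27-I-NSG", "tcp": "I28-I-NSG", "udp": "I29-I-NSG"}
RFC1918 = [ipaddress.ip_network(n)        # assumption: "private" = RFC 1918
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _listed(rule, single, plural):
    """Azure accepts either the singular field or the plural list; merge them."""
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.append(rule[single])
    return values


def port_ranges(rule):
    """Destination ports as (lo, hi) tuples; "*" means every port."""
    ranges = []
    for item in _listed(rule, "destinationPortRange", "destinationPortRanges"):
        lo, _, hi = ("0-65535" if item == "*" else item).partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def covers_port(rule, port):
    return any(lo <= port <= hi for lo, hi in port_ranges(rule))


def classify_sources(rule):
    """Return (public address count, has_private_source); "*"/Internet are unbounded."""
    public, private, unbounded = 0, False, False
    for prefix in _listed(rule, "sourceAddressPrefix", "sourceAddressPrefixes"):
        if prefix in ("*", "Internet"):
            unbounded = True
        elif prefix == "VirtualNetwork":
            private = True
        else:
            try:
                net = ipaddress.ip_network(prefix, strict=False)
            except ValueError:
                continue   # other service tags (GatewayManager, ...) carry no addresses
            if any(net.version == p.version and net.subnet_of(p) for p in RFC1918):
                private = True
            else:
                public += net.num_addresses
    return (UNBOUNDED if unbounded else public), private


def proto_matches(rule, proto):
    return (rule.get("protocol") or "*").lower() in ("*", proto)


def evaluate_rule(rule):
    """Return the requirement IDs from the list above that this rule violates."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return []                      # outbound and Deny rules are out of scope here
    public, private = classify_sources(rule)
    proto = (rule.get("protocol") or "*").lower()
    if public == UNBOUNDED and (0, 65535) in port_ranges(rule) and proto in CATCH_ALL:
        return [CATCH_ALL[proto]]      # the catch-all finding subsumes the port checks
    findings = []
    for port, req in ADMIN_PORTS.items():
        if proto_matches(rule, "tcp") and covers_port(rule, port) and public > MAX_ADMIN_SOURCES:
            findings.append(req)
    if proto_matches(rule, "udp") and any(covers_port(rule, p) for p in NETBIOS_UDP):
        findings += ["I26-I-NSG"] * bool(public) + ["I23-NI-NSG"] * private
    if proto_matches(rule, "tcp") and private and any(covers_port(rule, p) for p in NETBIOS_TCP):
        findings.append("I13-NI-NSG")
    if proto in CATCH_ALL and covers_port(rule, SUNRPC_PORT):
        findings += ["I21-I-NSG"] * bool(public) + ["I18-NI-NSG"] * private
    return findings


def evaluate_nsg(rules):
    return {rule["name"]: evaluate_rule(rule) for rule in rules}


SAMPLE_RULES = [   # constructed for this example, not from a real subscription
    {"name": "allow-all-in", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "*"},
    {"name": "ssh-from-branch", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "rdp-from-partners", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["203.0.113.0/24", "198.51.100.0/24"],
     "destinationPortRange": "3389"},
    {"name": "smb-from-vnet", "priority": 130, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "VirtualNetwork",
     "destinationPortRanges": ["139", "445"]},
    {"name": "portmap-from-lan", "priority": 140, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "100-120"},
    {"name": "https-in", "priority": 150, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "deny-all-in", "priority": 4096, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    for name, ids in evaluate_nsg(SAMPLE_RULES).items():
        print(f"{name:18} {', '.join(ids) or 'no finding'}")
```

Note that a /24 of exactly 256 public sources on port 22 passes the "more than 256" threshold while two /24s on port 3389 do not, and that an all-ports rule from Internet reports only the catch-all requirement rather than every port-specific one.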
R01-AZFW Medium AlgoSec R01-AZFW "From somewhere to Any allow Any service" rules Rules of the form "From <My Source> to Any with service Any : PASS" are usually more open than is necessary. Allowing all services allows many services that are known to be risky, most of which you probably do not use in your business. Allowing access to all destinations gives access to all the hosts within your perimeter, including the device itself (in addition to all Internet hosts). Review these rules, determine which destinations are necessary, which services are actually required, and modify the rules according to the narrowest actual security needs.
R08-AZFW Medium AlgoSec R08-AZFW "Allow Any service" rules Rules of the form "From <My Source> to <My Destination> with service Any : PASS" are usually more open than is necessary. Allowing all services allows many services that are known to be risky, most of which you probably do not use in your business. Review these rules, determine which services are actually required, and modify the rules according to the narrowest actual security needs.
R09-AZFW Medium AlgoSec R09-AZFW "Any destination" rules Rules of the form "From <My Source> to Any with service <My Service> : PASS" are usually more open than is necessary. Allowing access to all destinations gives access to all the hosts within your perimeter, including the device itself (in addition to all Internet hosts). Review these rules, determine which destinations are necessary, and modify the rules according to the narrowest actual security needs.
R10-AZFW Low AlgoSec R10-AZFW "From Any source" rules Rules of the form "From Any to <My Destination> with service <My Service> : PASS" may be more open than is necessary. Allowing access from all sources gives access from all the hosts on the Internet in addition to all the hosts within your perimeter. Review these rules, determine which sources are necessary, and modify the rules according to the narrowest actual security needs.
D01-AZFW High AlgoSec D01-AZFW "Any" service between internal networks Allowing the "Any" service to cross between different network segments is risky since the "Any" service includes many vulnerable services. It means that the different network segments are not properly separated from each other. The risk is highest if the "Any" service is allowed from a DMZ network into other network segments: if a DMZ server becomes infected with a worm or virus, the infection may spread into other parts of your network. Review all the rules that allow traffic with the "Any" ("*") service, and limit them to those services you actually require. Pay extra attention to traffic leaving DMZ network segments.
D02-AZFW Medium AlgoSec D02-AZFW TCP on all ports between internal networks Allowing TCP on all ports to cross between different network segments is risky since this includes many vulnerable services. It means that the different network segments are not properly separated from each other. The risk is highest if TCP on all ports is allowed from a DMZ network into other network segments: If a DMZ server becomes infected with a worm or virus, the infection may spread into other parts of your network. Review all the rules that allow traffic with TCP on all ports, and limit them to those services you actually require. Pay extra attention to traffic leaving DMZ network segments.
D03-AZFW Medium AlgoSec D03-AZFW UDP on all ports between internal networks Allowing UDP on all ports to cross between different network segments is risky since this includes many vulnerable services. It means that the different network segments are not properly separated from each other. The risk is highest if UDP on all ports is allowed from a DMZ network into other network segments: If a DMZ server becomes infected with a worm or virus, the infection may spread into other parts of your network. Review all the rules that allow traffic with UDP on all ports, and limit them to those services you actually require. Pay extra attention to traffic leaving DMZ network segments.
D04-AZFW Medium AlgoSec D04-AZFW Risky Microsoft services between internal networks Allowing Microsoft's NetBIOS services (UDP/137, UDP/138, TCP/135, TCP/139, TCP/445, TCP/593) to cross between different network segments is risky. These services provide file and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. Add the following rule as one of the first rules: "From Any to Any with service "NBT" : DROP". The "NBT" service should be pre-defined on a Check Point firewall. If it is not, or on a different brand of firewall, define NBT to include all these ports: udp/137, udp/138, tcp/135, tcp/139, tcp/445, tcp/593.
D32-AZFW Medium AlgoSec D32-AZFW UPnP between internal networks Universal Plug and Play (UPnP) is an architecture that supports peer-to-peer Plug and Play functionality for network devices. UPnP discovery is a service that runs by default on WinXP, and creates an immediately exploitable security vulnerability for any network-connected system. Filtering this port proactively prevents XP systems from being remotely compromised by malicious worms or intruders. Review all the rules that allow traffic between your internal network segments with the "upnp" service, and modify or remove them.
D37-AZFW Medium AlgoSec D37-AZFW DHCP traffic between internal networks The Bootstrap Protocol (BOOTP) is a computer networking protocol used in Internet Protocol networks to automatically assign an IP address to network devices from a configuration server. Parts of BOOTP are used to provide service to the DHCP protocol. DHCP should not be allowed across the device, as it provides a service that is exposed to DoS attacks and hands out IP addresses to devices that join the network. Review all the rules that allow traffic between your internal network segments with the "bootp" services, and modify or remove them.
I01-AZFW Critical AlgoSec I01-AZFW "Any" service can enter your network Allowing the "Any" service to enter your network is extremely risky since the "Any" service includes many vulnerable services. This is risky even if the traffic is only allowed from business partners or through VPNs (like SecuRemote clients): a remote laptop connecting through a VPN could easily infect your network with a worm or virus. Review all the rules that allow inbound traffic with the "Any" ("*") service, and limit them to those services you actually require. Consider quarantining VPN traffic in a DMZ.
I02-AZFW Critical AlgoSec I02-AZFW TCP on all ports can enter your network Allowing TCP on all ports to enter your network is extremely risky since this includes many vulnerable services. This is risky even if the traffic is only allowed from business partners or through VPNs: a remote laptop connecting through a VPN could easily infect your network with a worm or virus. On Cisco firewalls, this risk is often the result of neglecting to specify a port number on an access-list or conduit statement: omitting the port number is interpreted as "all ports". Review all the rules that allow inbound traffic with TCP on all ports, and limit them to those services you actually require. Consider quarantining VPN traffic in a DMZ. On Cisco firewalls, always specify the port numbers on access-list and conduit statements.
I03-AZFW Critical AlgoSec I03-AZFW UDP on all ports can enter your network Allowing UDP on all ports to enter your network is extremely risky since this includes many vulnerable services. This is risky even if the traffic is only allowed from business partners or through VPNs: a remote laptop connecting through a VPN could easily infect your network with a worm or virus. On Cisco firewalls, this risk is often the result of neglecting to specify a port number on an access-list or conduit statement: omitting the port number is interpreted as "all ports". Review all the rules that allow inbound traffic with UDP on all ports, and limit them to those services you actually require. Consider quarantining VPN traffic in a DMZ. On Cisco firewalls, always specify the port numbers on access-list and conduit statements.
I04-AZFW High AlgoSec I04-AZFW Telnet can enter your network Telnet is a remote-login service that is not encrypted. It is only authenticated by simple passwords that are transmitted in the clear. Anyone snooping the traffic can read all the transmitted information, including user names and passwords. Much better remote-login alternatives exist: either use SSH (Secure Shell), which offers the same functionality but is also encrypted, or use a VPN. Once you switch to either an "ssh" solution or a VPN, review all the rules that allow inbound traffic with the "telnet" service, and modify or remove them.
I05-AZFW Medium AlgoSec I05-AZFW RPC can enter your network The Sunrpc service is used by the Unix "portmapper" daemon to support services like NFS. Allowing such traffic in could expose your data if you have Unix file servers. Define a new service called, e.g., BAD_SRV, to include TCP and UDP port 111, and any other service you want to block entirely. Add the following rule as one of the first rules: "From * to * with service BAD_SRV : DROP".
I06-AZFW Medium AlgoSec I06-AZFW SNMP can enter your network SNMP is the Simple Network Management Protocol, which allows scanning and identifying your network infrastructure. It is only authenticated by a simple password, called the "community string". The community string is often left at its default setting of "public", and transmitted in the clear. Several serious vulnerabilities have been reported in SNMP. You should only allow SNMP inside your perimeter, and preferably only from dedicated network management machines. Modify your rules so "snmp" is not allowed to enter your network from the "Outside".
I07-AZFW Critical AlgoSec I07-AZFW Risky Microsoft services can enter your network Allowing Microsoft's NetBIOS services (UDP/137, UDP/138, TCP/135, TCP/139, TCP/445, TCP/593) to cross into your network is extremely risky. These services provide file and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. Add the following rule as one of the first rules: "From Any to Any with service NBT : DROP". The "NBT" service should be pre-defined on a Check Point firewall. If it is not, or on a different brand of firewall, define NBT to include all of these ports: udp/137, udp/138, tcp/135, tcp/139, tcp/445, tcp/593.
I25-AZFW High AlgoSec I25-AZFW HTTP/HTTPS can enter your network Letting the HTTP or HTTPS services reach machines that are not hardened web servers is risky. Many sensitive machines provide a web interface: These include e-mail servers, printers, phone switches, routers, and firewalls. Furthermore, many vulnerabilities have been found in web server software. Therefore, HTTP/HTTPS access, from the outside, should be eliminated. Review the rules that allow "http" or "https" access from the "Outside" and eliminate them. If you need to transfer information from the internal network segments to servers in the outside, consider using a "push"-based solution (e.g., via "ssh" or "ftp"), which is initiated by the internal machines.
I09-AZFW High AlgoSec I09-AZFW Over 256 IP addresses can be reached by SMTP Letting the SMTP (E-mail) service reach many machines is risky. E-mail is a vector for many viruses and worms. Furthermore, many vulnerabilities have been found in mail server software. Therefore, SMTP access, from the Outside, should be limited to your properly hardened public mail servers. Review the rules that allow "smtp" access from the "Outside" and limit their destinations to your public mail servers.
I10-AZFW High AlgoSec I10-AZFW Over 256 IP addresses can be reached by DNS/UDP Letting DNS reach many machines is risky. DNS is the Domain Name Service on UDP port 53 or on TCP port 53. DNS is one of the most attacked services in use. Therefore, DNS access from the Outside should be limited to your hardened public DNS servers. Review the rules that allow "dns_udp" access from the "Outside" and limit their destinations to your public DNS servers.
I26-AZFW Medium AlgoSec I26-AZFW FTP can enter your network Letting FTP (File Transfer Protocol) reach internal servers is risky. Serious vulnerabilities have been found in many versions of FTP server software. You may have many FTP servers on your internal networks and it is difficult to ensure that they are all properly hardened. A compromised or infected machine could access or damage the data on these servers. Review the rules that allow "ftp_control" access from the "Outside" into your internal networks and eliminate them. If you need to transfer information from the internal network segments to outside servers, consider using a "push"-based solution which is initiated by the internal machines.
I12-AZFW Medium AlgoSec I12-AZFW Over 256 IP addresses can be scanned by ICMP Letting ICMP reach many internal machines is risky. Full ICMP access allows outsiders to scan your network, lets worm-generated traffic cross your perimeter, and can be used to mount denial-of-service attacks. Therefore, inbound ICMP should only be allowed for the specific ICMP types you need (e.g., so that outbound ping and traceroute still work). Review the rules that allow ICMP access from the "Outside" and limit their destinations to your external servers.
I13-AZFW Medium AlgoSec I13-AZFW X11 can enter your network X11 is a popular graphical window system developed at MIT and implemented on UNIX systems to allow UNIX-based applications to be run from multiple types of terminals, PCs, and workstations. X11 is not encrypted and uses weak authentication. Anyone snooping the traffic can see your screen contents and what you type, including user names and passwords. If you need to use X11 from Outside your perimeter, you should tunnel it securely through SSH (Secure Shell), or use a VPN. Once you switch to either an "ssh" solution or a VPN, review all the rules that allow inbound traffic with the "x11" service, and modify or remove them.
I14-AZFW High AlgoSec I14-AZFW TCP on over 2000 ports can enter your network Allowing TCP on very many ports to enter your network is risky since, in all likelihood, these ports include many vulnerable services. This is risky even if the traffic is only allowed from business partners or through VPNs: a remote laptop connecting through a VPN could easily infect your network with a worm or virus. On Cisco firewalls, this risk is often the result of neglecting to specify a port number on an access-list or conduit statement: omitting the port number is interpreted as "all ports". Review all the rules that allow inbound traffic with TCP on very many ports, and limit them to those services you actually require. Consider quarantining VPN traffic in a DMZ. On Cisco firewalls, always specify the port numbers on access-list and conduit statements.
I15-AZFW Medium AlgoSec I15-AZFW TFTP can enter your network Your network is accessible from the Outside using the tftp service. tftp is the Trivial File Transfer Protocol. It is not encrypted and not authenticated in any way. Anyone who can reach your network with tftp can upload any file onto any device that responds to tftp, such as your routers, firewalls, and other communication equipment. tftp is commonly used by attackers to download and install trojan backdoors. You should drop tftp traffic in all directions on your device. If tftp is not defined on your system, then define it to include UDP port 69. Add the following rule as one of the first rules: "From * to * with service tftp : DROP".
I16-AZFW High AlgoSec I16-AZFW Over 256 IP addresses can be reached by DNS/TCP Letting DNS reach many machines is risky. DNS is the Domain Name Service on UDP port 53 or on TCP port 53. DNS is one of the most attacked services in use. Very few organizations actually need this service: normal DNS queries use UDP. You would only need DNS-TCP if you have a split DNS server and need to do "zone transfers" across the firewall. Therefore, DNS access from the Outside should be limited to your hardened public DNS servers. Review the rules that allow "dns_tcp" access from the "Outside" and limit their destinations to your public DNS servers.
I17-AZFW High AlgoSec I17-AZFW MSSQL can enter your network Your network is accessible from the Outside using the MSSQL service. The Microsoft SQL Server (MSSQL) contains several serious vulnerabilities that allow remote attackers to obtain sensitive information, alter database content, compromise SQL servers, and, in some configurations, compromise server hosts. You should drop MSSQL traffic in all directions on your device. If ms_sql is not defined on your system, then define it to include UDP port 1434. Add the following rule as one of the first rules: "From * to * with service ms_sql : DROP".
I18-AZFW Medium AlgoSec I18-AZFW P2P file-sharing services can enter your network Allowing P2P services into your network is risky. These services are used to download and distribute many types of data (e.g., music, video, graphics, text, source code, and proprietary information, to name a few). A number of vulnerabilities exist when using P2P software: technical, social, and legal. Review the rules that allow P2P access from the "Outside" and limit them to those services you actually require. A partial list of ports to block is given under the "p2p" service group definition.
I19-AZFW Medium AlgoSec I19-AZFW Obsolete Instant-Messaging services can enter your network Allowing obsolete Instant-Messaging services into your network is risky. The basic functionality of these services is text-based chat. However, the capabilities that these programs bring to the desktop are wide ranging, and let users check remote web-based email, do voice chat, perform video communication, and send and share data files. Attack scenarios for Instant-Messaging vulnerabilities are widely varied, and can come in the form of remotely executed buffer overflows (RPC based, packet malformation), URI/malicious link based attacks, file transfer vulnerabilities, and ActiveX exploits. Review the rules that allow obsolete Instant-Messaging access from the "Outside" and limit them to those services you actually require. A partial list of ports to block is given under the "instant_messaging" service group definition.
I20-AZFW High AlgoSec I20-AZFW Database access services can enter your network Allowing inbound access using database-access protocols like MySQL (TCP/3306), PostgreSQL (TCP/5432), IBM DB2 (TCP/523), or Oracle's sqlnet (TCP/1521) may expose your most critical databases to attack. Databases are core elements of e-business, financial, banking, and Enterprise Resource Planning (ERP) systems, and include critical information from partners, customers and employees. Databases are extremely complex applications and are often difficult to correctly configure and secure. As a result, serious security vulnerabilities and misconfigurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Review the rules that allow database access from the "Outside", and consider blocking the ports listed in the "database_access" service group. If you need to provide external access to your corporate database, consider putting the applications that require database access on a server in a DMZ, and only allow inbound database access from those servers.
I21-AZFW Low AlgoSec I21-AZFW Version control services can enter your network Allowing inbound access to Unix version control systems like CVS (TCP/2401) or Subversion (TCP/3690) may be risky if you use these systems. Version control systems provide tools to manage different versions of documents or source code, and facilitate multiple users to concurrently work on the same set of files. These systems have serious known vulnerabilities. If you use either the CVS or the Subversion version control systems, you should review the rules that allow access to these systems from the "Outside", and block such external access.
I22-AZFW Medium AlgoSec I22-AZFW r_services can enter your network The Unix r-services (tcp/512, tcp/513, tcp/514) are services that allow remote login and remote execution of code on machines running many versions of Unix or Linux. These are not encrypted and are very poorly authenticated, often not even requiring a password. Much better remote-login alternatives exist: either use SSH (Secure Shell), which offers the same functionality but is also encrypted, or use a VPN. Modify your rules so "r_services" are not allowed to enter your network from the "Outside".
I23-AZFW High AlgoSec I23-AZFW NFS can enter your network NFS is the Network File System, a protocol originally developed by Sun Microsystems in 1984, and later defined in a sequence of RFCs, as a distributed file system. Using the NFS service, a user on a client computer can access files over a network as easily as if the files were on its local disks. NFS was not designed with security in mind, though now it is widely used and quite popular. It has poor authentication mechanisms and no encryption. Scripts to exploit NFS exist on the web, and have been in use. Allowing NFS through your firewall is risky. Modify your rules so "nfs" is not allowed to enter your network from the "Outside".
I24-AZFW High AlgoSec I24-AZFW LDAP can enter your network The Lightweight Directory Access Protocol, or "ldap", is a networking protocol for querying and modifying directory services running over tcp/389. LDAP directories may contain sensitive data about the organization's users and infrastructure. Allowing access to the organization's LDAP directories is risky. Modify your rules so "ldap" is not allowed to enter your network from the "Outside".
I28-AZFW Medium AlgoSec I28-AZFW Finger can enter your network The Finger protocol is used for the exchange of user information. Remote users wishing to obtain information about the user of a specific computer can do so by querying that machine's finger server, listening on port 79. This information typically includes the user's full name, address, telephone number, title, job name, office location, telephone extension, and so on. Finger information has frequently been used by hackers as a way to initiate a social engineering attack on a company's computer security system. Review all the rules that allow inbound traffic with the "finger" service, and modify or remove them.
I29-AZFW Medium AlgoSec I29-AZFW Ident can enter your network The Ident Protocol (Identification Protocol) is an Internet protocol that helps identify the user of a particular TCP connection. The user's "ident" server is tasked with looking up and returning the connection's "USER ID" and perhaps additional information, such as an e-mail address, full name, etc. The ident protocol is considered dangerous because it allows hackers to gain a list of usernames on a computer system which can later be used for attacks. Review all the rules that allow inbound traffic with the "ident" service, and modify or remove them.
I30-AZFW Medium AlgoSec I30-AZFW NNTP can enter your network The Network News Transfer Protocol (NNTP) is an application protocol used for transporting Usenet news articles. NNTP servers push and pull news articles to and from other NNTP servers over port 119, and news-reading (and posting) clients talk to news servers over the same port. Review all the rules that allow inbound traffic with the "nntp" service, and modify or remove them.
I31-AZFW Medium AlgoSec I31-AZFW H.323 can enter your network Port 1720 is used by the H.323 teleconferencing protocol (most commonly encountered in Microsoft NetMeeting) during call setup negotiation. NAT implementation in some Cisco devices allows remote attackers to cause a denial of service (device reload) by sending crafted H.323 packets to TCP port 1720. Unless you have a business reason for allowing "h323", review all the rules that allow inbound traffic with this service, and modify or remove them.
I32-AZFW High AlgoSec I32-AZFW UPnP can enter your network Universal Plug and Play (UPnP) is an architecture that supports peer-to-peer Plug and Play functionality for network devices. UPnP discovery is a service that runs by default on Windows XP and creates an immediately exploitable security vulnerability for any network-connected system. Filtering this port proactively prevents XP systems from being remotely compromised by malicious worms or intruders. Review all the rules that allow inbound traffic with the "upnp" service, and modify or remove them.
I33-AZFW Medium AlgoSec I33-AZFW VMware can enter your network VMware Server Management User Interface should not be allowed access from the outside. Review all the rules that allow inbound traffic with the "vmware" service, and modify or remove them.
I34-AZFW High AlgoSec I34-AZFW RADIUS can enter your network Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users that connect and use a network service. User-specific attributes such as tunnel-group IDs or VLAN memberships are passed over RADIUS in an unprotected manner, allowing attackers to take advantage of sensitive information. Review all the rules that allow inbound traffic with the "radius" service, and modify or remove them.
I35-AZFW Medium AlgoSec I35-AZFW TACACS can enter your network Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks. Information handled by the TACACS protocol, such as the username, authorization, and accounting data, is transmitted in clear text, so it is vulnerable to different types of attacks. Review all the rules that allow inbound traffic with the "tacacs" service, and modify or remove them.
I36-AZFW Medium AlgoSec I36-AZFW MSMQ can enter your network Microsoft Message Queuing (MSMQ) is a message queue implementation developed by Microsoft and deployed in its Windows Server operating systems. According to CVE-2007-3039, stack-based buffer overflow in the MSMQ service in Microsoft Windows 2000 Server SP4, Windows 2000 Professional SP4, and Windows XP SP2 allows attackers to execute arbitrary code via a long string in an opnum 0x06 RPC call to port 2103. Review all the rules that allow inbound traffic with the "msmq" service, and modify or remove them.
I37-AZFW High AlgoSec I37-AZFW DHCP traffic can enter your network The Bootstrap Protocol (BOOTP) is a computer networking protocol used in Internet Protocol networks to automatically assign an IP address to network devices from a configuration server. Parts of BOOTP are used to provide service to the DHCP protocol. DHCP should not be allowed across the device, as it is a service exposed to DoS attacks and hands out IP addresses to any device that joins the network. Review all the rules that allow inbound traffic with the "bootp" services, and modify or remove them.
I38-AZFW High AlgoSec I38-AZFW WINS can enter your network Windows Internet Name Service (WINS) is Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names. Effectively, WINS is to NetBIOS names what DNS is to domain names: a central mapping of host names to network addresses. According to CVE-2004-1080, the WINS service on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer. Unless you have a business reason for allowing "WINS", review all the rules that allow inbound traffic with this service, and modify or remove them.
I39-AZFW High AlgoSec I39-AZFW ICS protocols can enter your network Protocols supporting Industrial Control Systems (ICS) are risky in environments that rely on them. These protocols don't provide much security against unauthorized commands or interception of data, enabling remote attackers to take over control or cause denial of service attacks. Review all the rules that allow inbound traffic with the "ics" services, and modify or remove them.
O01-AZFW Medium AlgoSec O01-AZFW POP3 can exit your network The POP3 service is used to download E-mail from mail servers to desktop computers. Since E-mail is a vector for viruses and worms, many organizations only allow POP3 to reach their internal E-mail servers, and forbid any access to external E-mail servers. Review all the rules that allow outbound "pop3" access, and ensure that they comply with your organization's policy.
O02-AZFW Medium AlgoSec O02-AZFW Over 256 IP addresses can send SMTP Allowing outbound SMTP access from many internal machines is risky. Outbound SMTP (E-mail) should only originate from your public mail servers. E-mail is a vector for many viruses and worms. Computers that can send E-mail directly (not through your organization's designated mail servers) can bypass your network's E-mail filters, and spread viruses and worms to other networks. Therefore, outbound SMTP access should be limited to your properly hardened public mail servers. Review the rules that allow outbound "smtp" access and limit their sources to your external servers.
O03-AZFW High AlgoSec O03-AZFW Inside clients can connect to external IRC servers Allowing outbound Internet Relay Chat (IRC) access from internal machines is very risky. Many worms and Trojans use IRC as an outbound communications vector to allow an attacker access back into your network. IRC is rarely necessary for business operations. Therefore, IRC access should be limited to machines which definitely need to communicate using this protocol. Unless you have a business reason for allowing "irc", you should block this service in all directions. Check Point firewalls usually have the "irc" service pre-defined, so you can add a rule "From Any to Any with service irc : DROP". Cisco firewalls have an irc service pre-defined as TCP port 194, but that port is almost never used. Instead, Cisco users should define a new service object-group called BAD-IRC to include TCP on ports 6660-6670, and port 7000. Add the following access-list command to all your access groups (on all interfaces, and especially in the outbound direction): "access-list yourlist deny tcp any any object-group BAD-IRC".
O04-AZFW High AlgoSec O04-AZFW "Any" service can exit your network Allowing "Any" service to exit your network is extremely risky since the "Any" service includes many vulnerable services. The largest threat is that of Trojan horses contacting their controllers, followed by unintended information leakage, and spreading of malicious code like viruses and worms. Review all the rules that allow outbound traffic with the "*" service, and limit them to those services you actually require.
O05-AZFW High AlgoSec O05-AZFW TCP on all ports can exit your network Allowing TCP on all ports to exit your network is extremely risky since this includes many vulnerable services. The largest threat is that of Trojan horses contacting their controllers, followed by unintended information leakage, and spreading of malicious code like viruses and worms. On Cisco firewalls, this risk is often the result of neglecting to specify a port number on an access-list or conduit statement: omitting the port number is interpreted as "all ports". Review all the rules that allow outbound traffic with TCP on all ports, and limit them to those services you actually require. On Cisco firewalls, always specify the port numbers on access-list and conduit statements.
O06-AZFW High AlgoSec O06-AZFW UDP on all ports can exit your network Allowing UDP on all ports to exit your network is extremely risky since this includes many vulnerable services. The largest threat is that of Trojan horses contacting their controllers, followed by unintended information leakage, and spreading of malicious code like viruses and worms. On Cisco firewalls, this risk is often the result of neglecting to specify a port number on an access-list or conduit statement: omitting the port number is interpreted as "all ports". Review all the rules that allow outbound traffic with UDP on all ports, and limit them to those services you actually require. On Cisco firewalls, always specify the port numbers on access-list and conduit statements.
O10-AZFW Medium AlgoSec O10-AZFW Risky Microsoft services can exit your network Allowing Microsoft's NetBIOS services (UDP/137, UDP/138, TCP/135, TCP/139, TCP/445, TCP/593) to exit your network is risky. These services provide file and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. Add the following rule as one of the first rules: "From Any to Any with service NBT : DROP". The "NBT" service should be pre-defined on a Check Point firewall. If it is not, or on a different brand of firewall, define NBT to include all of these ports: udp/137, udp/138, tcp/135, tcp/139, tcp/445, tcp/593.
O07-AZFW High AlgoSec O07-AZFW TCP on over 2000 ports can exit your network Allowing TCP on very many ports to exit your network is risky since, in all likelihood, these ports include many vulnerable services. The largest threat is that of Trojan horses contacting their controllers, followed by unintended information leakage, and spreading of malicious code like viruses and worms. On Cisco firewalls, this risk is often the result of neglecting to specify a port number on an access-list or conduit statement: omitting the port number is interpreted as "all ports". Review all the rules that allow outbound traffic with TCP on very many ports, and limit them to those services you actually require. On Cisco firewalls, always specify the port numbers on access-list and conduit statements.
O08-AZFW Medium AlgoSec O08-AZFW P2P file-sharing services can exit your network Allowing P2P services to exit your network is risky. These services are used to download and distribute many types of data (e.g., music, video, graphics, text, source code, and proprietary information, to name a few). A number of vulnerabilities exist when using P2P software: technical, social, and legal. Review the rules that allow outbound P2P access and limit them to those services you actually require. A partial list of ports to block is given under the "p2p" service group definition.
O09-AZFW Medium AlgoSec O09-AZFW Obsolete Instant-Messaging services can exit your network Allowing obsolete Instant-Messaging services to exit your network is risky. The basic functionality of these services is text-based chat. However, the capabilities that these programs bring to the desktop are wide ranging, and let users check remote web-based email, do voice chat, perform video communication, and send and share data files. Attack scenarios for Instant-Messaging vulnerabilities are widely varied, and can come in the form of remotely executed buffer overflows (RPC based, packet malformation), URI/malicious link based attacks, file transfer vulnerabilities, and ActiveX exploits. Review the rules that allow outbound obsolete Instant-Messaging access and limit them to those services you actually require. A partial list of ports to block is given under the "instant_messaging" service group definition.
O11-AZFW Medium AlgoSec O11-AZFW IMAP can exit your network The IMAP service is used to download E-mail from mail servers to desktop computers. Since E-mail is a vector for viruses and worms, many organizations only allow IMAP to reach their internal E-mail servers, and forbid any access to external E-mail servers. Review all the rules that allow outbound "imap" access, and ensure that they comply with your organization's policy.
O32-AZFW Medium AlgoSec O32-AZFW UPnP can exit your network Universal Plug and Play (UPnP) is an architecture that supports peer-to-peer Plug and Play functionality for network devices. UPnP discovery is a service that runs by default on Windows XP and creates an immediately exploitable security vulnerability for any network-connected system. Filtering this port proactively prevents XP systems from being remotely compromised by malicious worms or intruders. Review all the rules that allow outbound "upnp" access, and modify or remove them.
O33-AZFW Medium AlgoSec O33-AZFW VMware can exit your network VMware Server Management User Interface should not be allowed access from the outside. Review all the rules that allow outbound "vmware" access, and modify or remove them.
O37-AZFW Medium AlgoSec O37-AZFW DHCP traffic can exit your network The Bootstrap Protocol (BOOTP) is a computer networking protocol used in Internet Protocol networks to automatically assign an IP address to network devices from a configuration server. Parts of BOOTP are used to provide service to the DHCP protocol. DHCP should not be allowed across the device, as it is a service exposed to DoS attacks and hands out IP addresses to any device that joins the network. Review all the rules that allow outbound "bootp" access, and modify or remove them.

The Center for Internet Security (CIS) is a nonprofit that publishes a benchmark — a set of security configuration best practices for Microsoft Azure.
To read more about the CIS Microsoft Azure Foundations Benchmark, please visit the CIS Microsoft Azure home page.

CIS Azure v1.5.0 requirements (107)
Requirement Title Description
CIS_AZURE_MANAGEMENT_CUSTOM_SUBSCRIPTION_OWNER_ROLE CIS 1.23 1.23 Ensure That No Custom Subscription Owner Roles Are Created Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.
CIS_AZURE_MANAGEMENT_NO_CUSTOM_ROLE_RESOURCE_LOCKING CIS 1.24 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration.
CIS_AZURE_DEFENDER_PLAN_SERVERS CIS 2.1.1 2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On' Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
CIS_AZURE_DEFENDER_PLAN_SERVICES CIS 2.1.2 2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On' Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
CIS_AZURE_DEFENDER_PLAN_DATABASES CIS 2.1.3 2.1.3 Ensure That Microsoft Defender for Databases Is Set To 'On' Turning on Microsoft Defender for Databases enables threat detection for the instances running your database software.
CIS_AZURE_DEFENDER_PLAN_SQL_DATABASES CIS 2.1.4 2.1.4 Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
CIS_AZURE_DEFENDER_PLAN_SQL_SERVERS_MACHINES CIS 2.1.5 2.1.5 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
CIS_AZURE_DEFENDER_PLAN_OS_RELATIONAL_DATABASES CIS 2.1.6 2.1.6 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
CIS_AZURE_DEFENDER_PLAN_STORAGE CIS 2.1.7 2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On' Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
CIS_AZURE_DEFENDER_PLAN_CONTAINERS CIS 2.1.8 2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On' Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
CIS_AZURE_DEFENDER_PLAN_COSMOS_DB CIS 2.1.9 2.1.9 Ensure That Microsoft Defender for Cosmos DB Is Set To 'On' Microsoft Defender for Cosmos DB scans all incoming network requests for changes to your virtual machine.
CIS_AZURE_DEFENDER_PLAN_KEY_VAULT CIS 2.1.10 2.1.10 Ensure That Microsoft Defender for Key Vault Is Set To 'On' Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.
CIS_AZURE_DEFENDER_PLAN_DNS CIS 2.1.11 2.1.11 Ensure That Microsoft Defender for DNS Is Set To 'On' Microsoft Defender for DNS scans all network traffic exiting from within a subscription.
CIS_AZURE_DEFENDER_PLAN_RESOURCE_MANAGER CIS 2.1.13 2.1.13 Ensure That Microsoft Defender for Resource Manager Is Set To 'On' Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal.
CIS_AZURE_SECURITY_AUTO_PROVISIONING CIS 2.2 2.2 Auto provisioning Microsoft Defender for Cloud ingests data from agents, extensions, and integrations. Automatic provisioning assists with the deployment and maintenance of agents and extensions required on endpoints such as Azure Virtual Machines.
CIS_AZURE_SECURITY_AUTO_PROVISIONING_LOG_ANALYTICS_AGENT CIS 2.2.1 2.2.1 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On' Enable automatic provisioning of the monitoring agent to collect security data.
CIS_AZURE_SECURITY_CONTACT_NO_EMAIL CIS 2.3 2.3 Email notifications Email notifications are used by Microsoft Defender for Cloud to communicate information and alerts.
CIS_AZURE_SECURITY_CONTACT_NO_ALERT_ADMINS CIS 2.3.1 2.3.1 Ensure That 'All users with the following roles' is set to 'Owner' Enable security alert emails to subscription owners.
CIS_AZURE_SECURITY_CONTACT_NO_ADDITIONAL_EMAIL CIS 2.3.2 2.3.2 Ensure 'Additional email addresses' is Configured with a Security Contact Email Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.
CIS_AZURE_SECURITY_CONTACT_HIGH_SEVERITY_ALERTS CIS 2.3.3 2.3.3 Ensure That 'Notify about alerts with the following severity' is Set to 'High' Enables emailing security alerts to the subscription owner or other designated security contact.
CIS_AZURE_SECURITY_INTEGRATION CIS 2.4 2.4 Integrations Integration allows other Azure products to send and receive data with Microsoft Defender for Cloud.
CIS_AZURE_SECURITY_MCAS_INTEGRATION CIS 2.4.1 2.4.1 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.
CIS_AZURE_SECURITY_WDATP_INTEGRATION CIS 2.4.2 2.4.2 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud.
CIS_AZURE_DEFENDER_AUTO_UPDATES CIS 2.5 2.5 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed' Ensure that the latest OS patches for all virtual machines are applied.
CIS_AZURE_ASC_POLICY_SETTINGS CIS 2.6 2.6 Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled' None of the settings offered by ASC Default policy should be set to effect Disabled.
CIS_AZURE_STORAGE_ACCOUNT_ALLOWS_HTTP CIS 3.1 3.1 Ensure that 'Secure transfer required' is set to 'Enabled' Enable data encryption in transit.
CIS_AZURE_INFRASTRUCTURE_ENCRYPTION_IS_DISABLED CIS 3.2 3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' Enabling double encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions.
CIS_AZURE_STORAGE_ACCOUNT_NO_KEY_ROTATION_REMINDER CIS 3.3 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential. The 'Rotation Reminder' is an automatic reminder feature for a manual procedure.
CIS_AZURE_STORAGE_ACCOUNT_OLD_ACCESS_KEY CIS 3.4 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated For increased security, regenerate storage account access keys periodically.
CIS_AZURE_STORAGE_QUEUE_LOGGING_REQUESTS CIS 3.5 3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests The Storage Queue service stores messages that may be read by any client who has access to the storage account.
CIS_AZURE_STORAGE_BLOB_CONTAINER_PUBLIC_ACCESS CIS 3.7 3.7 Ensure that 'Public access level' is disabled for storage accounts with blob containers Disallowing public access for a storage account overrides the public access settings for individual containers in that storage account.
CIS_AZURE_STORAGE_ACCOUNT_DEFAULT_ACTION_ALLOW CIS 3.8 3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.
CIS_AZURE_STORAGE_ACCOUNT_NOT_ALLOWED_TRUSTED_SERVICES CIS 3.9 3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Azure services exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor, and Azure SQL Data Warehouse (when registered in the subscription).
CIS_AZURE_STORAGE_PRIVATE_ENDPOINTS_UNAPPROVED_CONNECTION CIS 3.10 3.10 Ensure Private Endpoints are used to access Storage Accounts Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link.
CIS_AZURE_STORAGE_SOFT_DELETE CIS 3.11 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage It is recommended that both Azure Containers with attached Blob Storage and standalone containers with Blob Storage be made recoverable by enabling the soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted.
CIS_AZURE_STORAGE_ACCOUNT_NO_BYOK_ENCRYPTION CIS 3.12 3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.
CIS_AZURE_STORAGE_ACCOUNT_LOW_TLS_VERSION CIS 3.15 3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2' In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2.
CIS_AZURE_SQL_SERVER_AUDITING CIS 4.1 4.1 SQL Server - Auditing Auditing for Azure SQL Servers and SQL Databases tracks database events and writes them to an audit log Azure storage account, Log Analytics workspace or Event Hubs. Auditing helps to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations. Auditing enables and facilitates adherence to compliance standards, although it doesn't guarantee compliance.
CIS_AZURE_SQL_SERVER_AUDITING_SETTINGS CIS 4.1.1 4.1.1 Ensure that 'Auditing' is set to 'On' Enable auditing on SQL Servers.
CIS_AZURE_SQL_SERVER_PRIVATE CIS 4.1.2 4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).
CIS_AZURE_SQL_SERVER_BYOK_TDE CIS 4.1.3 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.
CIS_AZURE_SQL_SERVER_ADMIN_CONF CIS 4.1.4 4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers Use Azure Active Directory Authentication for authentication with SQL Database to manage credentials in a single place.
CIS_AZURE_SQL_SERVER_TDE CIS 4.1.5 4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database Enable Transparent Data Encryption on every SQL server.
CIS_AZURE_SQL_SERVER_AUDITING_RETENTION CIS 4.1.6 4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days' SQL Server Audit Retention should be configured to be greater than 90 days.
CIS_AZURE_SQL_SERVER_NO_MICROSOFT_DEFENDER CIS 4.2 4.2 SQL Server - Microsoft Defender for SQL Microsoft Defender for SQL provides a layer of security which enables customers to detect and respond to potential threats as they occur through security alerts on anomalous activities. Users will receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. SQL Server Threat Detection alerts provide details of suspicious activity and recommend action on how to investigate and mitigate the threat.
CIS_AZURE_SQL_SERVER_VULNERABILITY_ASSESSMENT CIS 4.2.2 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.
CIS_AZURE_SQL_SERVER_VA_RECURRING_SCANS_DISABLED CIS 4.2.3 4.2.3 Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases.
CIS_AZURE_SQL_SERVER_VA_SCAN_REPORTS_NO_EMAIL_ADDRESSES CIS 4.2.4 4.2.4 Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server Configure 'Send scan reports to' with the email addresses of the concerned data owners/stakeholders for critical SQL servers.
CIS_AZURE_SQL_SERVER_VA_NO_EMAIL_ACCOUNT_ADMIN CIS 4.2.5 4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'.
CIS_AZURE_DBFORPOSTGRESQL_SERVER_SSL CIS 4.3.1 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server Enable SSL connection on PostgreSQL Servers.
CIS_AZURE_DBFORPOSTGRESQL_SERVER_PARAM_LOG_CHECKPOINTS CIS 4.3.2 4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server Enable log_checkpoints on PostgreSQL Servers.
CIS_AZURE_DBFORPOSTGRESQL_SERVER_PARAM_LOG_CONNECTIONS CIS 4.3.3 4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server Enable log_connections on PostgreSQL Servers.
CIS_AZURE_DBFORPOSTGRESQL_SERVER_PARAM_LOG_DISCONNECTIONS CIS 4.3.4 4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server Enable log_disconnections on PostgreSQL Servers.
CIS_AZURE_DBFORPOSTGRESQL_SERVER_PARAM_CONNECTION_THROTTLING CIS 4.3.5 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server Enable connection_throttling on PostgreSQL Servers.
CIS_AZURE_DBFORPOSTGRESQL_SERVER_PARAM_LOG_RETENTION CIS 4.3.6 4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server Enable log_retention_days on PostgreSQL Servers.
CIS_AZURE_DBFORPOSTGRESQL_SERVER_NO_INFRA_ENCRYPTION CIS 4.3.8 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' Enable encryption at rest for PostgreSQL Databases.
CIS_AZURE_MYSQL_SERVER_SSL CIS 4.4.1 4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server Enable SSL connection on MYSQL Servers.
CIS_AZURE_MYSQL_SERVER_TLS_VERSION CIS 4.4.2 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server Ensure TLS version on MySQL flexible servers is set to the default value.
CIS_AZURE_MYSQL_SERVER_AUDIT_LOG_ENABLED_PARAM CIS 4.4.3 4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server Enable audit_log_enabled on MySQL Servers.
CIS_AZURE_MYSQL_SERVER_CONNECTION_PARAM CIS 4.4.4 4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server Set audit_log_events to include CONNECTION on MySQL Servers.
CIS_AZURE_DOCUMENTDB_ACCOUNT_PUBLIC_ACCESS CIS 4.5.1 4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint.
CIS_AZURE_SQL_SERVER_PRIVATE_ENDPOINTS CIS 4.5.2 4.5.2 Ensure That Private Endpoints Are Used Where Possible Private endpoints limit network traffic to approved sources.
CIS_AZURE_RESOURCE_MONITOR_DIAGNOSTIC_LOGS_DISABLED CIS 5.1.1 5.1.1 Ensure that a 'Diagnostic Setting' exists Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Settings should be configured for all appropriate resources for your environment.
CIS_AZURE_SUBSCRIPTION_DIAGNOSTIC_SETTINGS CIS 5.1.2 5.1.2 Ensure Diagnostic Setting captures appropriate categories The diagnostic setting should be configured to log the appropriate activities from the control/management plane.
CIS_AZURE_STORAGE_ACTIVITY_LOG_CONTAINER_PUBLIC_ACCESS CIS 5.1.3 5.1.3 Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible The storage account container containing the activity log export should not be publicly accessible.
CIS_AZURE_STORAGE_ACTIVITY_LOGS_NO_BYOK_ENCRYPTION CIS 5.1.4 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK).
CIS_AZURE_SECURITY_KEYVAULT_DIAGNOSTIC_LOGS CIS 5.1.5 5.1.5 Ensure that logging for Azure Key Vault is 'Enabled' Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.
CIS_AZURE_NETWORK_SG_NO_FLOWLOGS CIS 5.1.6 5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics Ensure that network flow logs are captured and fed into a central log analytics workspace.
CIS_AZURE_WEB_APP_SERVICE_HTTP_LOGS_DIAGNOSTIC_LOG_DISABLED CIS 5.1.7 5.1.7 Ensure that logging for Azure AppService 'AppServiceHTTPLogs' is enabled Enable the AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all HTTP requests are captured and centrally logged.
CIS_AZURE_MONITORING_ACT_LOG_ALERTS_CREATE_POLICY_ASSIGNMENT CIS 5.2.1 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment Create an activity log alert for the Create Policy Assignment event.
CIS_AZURE_MONITORING_ACT_LOG_ALERTS_DELETE_POLICY_ASSIGNMENT CIS 5.2.2 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment Create an activity log alert for the Delete Policy Assignment event.
CIS_AZURE_MONITORING_ACT_LOG_ALERTS_CREATE_UPDATE_NSG CIS 5.2.3 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group Create an Activity Log Alert for the Create or Update Network Security Group event.
CIS_AZURE_MONITORING_ACT_LOG_ALERTS_DELETE_NSG CIS 5.2.4 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group Create an activity log alert for the Delete Network Security Group event.
CIS_AZURE_MONITORING_ACT_LOG_ALERTS_CREATE_UPDATE_SECURITY CIS 5.2.5 5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution Create an activity log alert for the Create or Update Security Solution event.
CIS_AZURE_MONITORING_ACT_LOG_ALERTS_DELETE_SECURITY CIS 5.2.6 5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution Create an activity log alert for the Delete Security Solution event.
CIS_AZURE_MONITORING_ACT_LOG_ALERTS_CREATE_UPDATE_SQL_SERVER CIS 5.2.7 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule Create an activity log alert for the Create or Update SQL Server Firewall Rule event.
CIS_AZURE_MONITORING_ACT_LOG_ALERTS_DELETE_SQL_SERVER CIS 5.2.8 5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule Create an activity log alert for the Delete SQL Server Firewall Rule event.
CIS_AZURE_MONITORING_ACT_LOG_ALERTS_CREATE_UPDATE_PUBLIC_IP_ADDRESS CIS 5.2.9 5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule Create an activity log alert for the Create or Update Public IP Address rule.
CIS_AZURE_MONITORING_ACT_LOG_ALERTS_DELETE_PUBLIC_IP_ADDRESS CIS 5.2.10 5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule Create an activity log alert for the Delete Public IP Address rule.
CIS_AZURE_RESOURCE_HAS_NO_DIAGNOSTIC_LOGS CIS 5.3 5.3 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault. Currently, 95 Azure resources support Azure Monitoring (See the more information section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps, and CosmosDB. The content of these logs varies by resource type.
CIS_AZURE_NETWORK_SG_OPEN_PORT_RDP_SERVER CIS 6.1 6.1 Ensure that RDP access from the Internet is evaluated and restricted Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.
CIS_AZURE_NETWORK_SG_OPEN_PORT_SSH_SERVER CIS 6.2 6.2 Ensure that SSH access from the Internet is evaluated and restricted Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.
CIS_AZURE_NETWORK_SG_OPEN_PORT_UDP CIS 6.3 6.3 Ensure that UDP access from the Internet is evaluated and restricted Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.
CIS_AZURE_NETWORK_SG_OPEN_PORT_HTTP CIS 6.4 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.
CIS_AZURE_NETWORK_LOG_RETENTION CIS 6.5 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days.
CIS_AZURE_NETWORK_WATCHER CIS 6.6 6.6 Ensure that Network Watcher is 'Enabled' Enable Network Watcher for Azure subscriptions.
CIS_AZURE_VM_DISK_NON_MANAGED CIS 7.1 7.1 Ensure Virtual Machines are utilizing Managed Disks Migrate blob-based VHDs to Managed Disks on Virtual Machines to take advantage of the default features of this configuration. The features include: default disk encryption; resilience, as Microsoft manages the disk storage and relocates it if the underlying hardware fails; and reduced costs compared with storage accounts.
CIS_AZURE_OS_DATA_DISK_NOT_ENCRYPTED_WITH_CMK CIS 7.2 7.2 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption (SSE).
CIS_AZURE_UNATTACHED_DISK_NOT_ENCRYPTED_WITH_CMK CIS 7.3 7.3 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK).
CIS_AZURE_MANAGEMENT_ASSIGNMENT_ENDPOINT_PROTECTION_DISABLED_POLICY CIS 7.5 7.5 Ensure that Endpoint Protection for all Virtual Machines is installed Install endpoint protection for all virtual machines.
CIS_AZURE_SECURITY_RBAC_KEY_NO_EXPR_DATE CIS 8.1 8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set.
CIS_AZURE_SECURITY_NON_RBAC_KEY_NO_EXPR_DATE CIS 8.2 8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set.
CIS_AZURE_SECURITY_RBAC_SECRET_NO_EXPR_DATE CIS 8.3 8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set.
CIS_AZURE_SECURITY_NO_RBAC_SECRET_NO_EXPR_DATE CIS 8.4 8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set.
CIS_AZURE_SECURITY_KEYVAULT_PURGE_PROTECTION CIS 8.5 8.5 Ensure the Key Vault is Recoverable The Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects. It is recommended the Key Vault be made recoverable by enabling the 'Do Not Purge' and 'Soft Delete' functions.
CIS_AZURE_WEB_APP_SERVICE_AUTH CIS 9.1 9.1 Ensure App Service Authentication is set up for apps in Azure App Service Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.
CIS_AZURE_WEB_APP_SERVICE_HTTPS_ONLY CIS 9.2 9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.
CIS_AZURE_WEB_APP_SERVICE_TLS_VERSION CIS 9.3 9.3 Ensure Web App is using the latest version of TLS encryption The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS.
CIS_AZURE_WEB_APP_SERVICE_CLIENT_CERT CIS 9.4 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.
CIS_AZURE_WEB_APP_SERVICE_NO_IDENTITY CIS 9.5 9.5 Ensure that Register with Azure Active Directory is enabled on App Service Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in App Service, the app will connect to other Azure services securely without the need for usernames and passwords.
CIS_AZURE_WEB_APP_SERVICE_PHP_VERSION CIS 9.6 9.6 Ensure That 'PHP version' is the Latest, If Used to Run the Web App Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.
CIS_AZURE_WEB_APP_SERVICE_PYTHON_VERSION CIS 9.7 9.7 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.
CIS_AZURE_WEB_APP_SERVICE_JAVA_VERSION CIS 9.8 9.8 Ensure that 'Java version' is the latest, if used to run the Web App Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.
CIS_AZURE_WEB_APP_SERVICE_NO_HTTP_2 CIS 9.9 9.9 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.
CIS_AZURE_WEB_APP_SERVICE_FTP_NOT_DISABLED CIS 9.10 9.10 Ensure FTP deployments are Disabled By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.
CIS_AZURE_SECRETS_NOT_STORED_BY_KEY_VAULT CIS 9.11 9.11 Ensure Azure Key Vaults are Used to Store Secrets Azure Key Vault will store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. Access to these 'Secrets' can be controlled through granular permissions.
CIS_AZURE_NO_LOCK CIS 10.1 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion.

The Payment Card Industry Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designed to protect account data.
To read more about PCI DSS Requirements, please visit the PCI home page.

PCI DSS v4.0 requirements (12)
Requirement Title Description
PCI_ENCR_AT_REST PCI DSS 3.5 3.5 Primary account number (PAN) is secured wherever it is stored. If an intruder circumvents other security controls and gains access to encrypted account data, the data is unreadable without the proper cryptographic keys and is unusable to that intruder. This requirement applies to PANs stored in primary storage (databases, or flat files such as text files and spreadsheets) as well as in non-primary storage (backups, audit logs, exception or troubleshooting logs); all of these must be protected.
PCI_PASS_ROTATE PCI DSS 3.7.4 3.7.4 Key management policies and procedures are implemented for cryptographic key changes for keys that have reached the end of their cryptoperiod. Changing encryption keys when they reach the end of their cryptoperiod is imperative to minimize the risk of someone obtaining the encryption keys and using them to decrypt data.
PCI_ENCR_IN_TRANSIT PCI DSS 4.2 4.2 Primary account number (PAN) is protected with strong cryptography during transmission. Sensitive information must be encrypted during transmission over public networks because it is easy and common for a malicious individual to intercept and/or divert data while in transit. It is considered a good practice for entities to also encrypt PAN over their internal networks, and for entities to establish any new network implementations with encrypted communications.
PCI_CERT_EXPIRY PCI DSS 4.2.1 4.2.1 Certificates used to safeguard primary account number (PAN) during transmission over open, public networks are confirmed as valid and are not expired or revoked. Confirming that certificates used to safeguard PAN during transmission over open, public networks are valid and are not expired or revoked is a best practice until 31 March 2025, after which it will be required as part of Requirement 4.2.1 and must be fully considered during a PCI DSS assessment.
PCI_INACTIVE_ACCOUNT PCI DSS 8.2.6 8.2.6 Inactive user accounts are removed or disabled within 90 days of inactivity. Examine user accounts and last logon information, and interview personnel to verify that any inactive user accounts are removed or disabled within 90 days of inactivity.
PCI_PASS_COMPLEX PCI DSS 8.3.6 8.3.6 Passwords/passphrases used as authentication factors must meet the following minimum level of complexity: a minimum length of 12 characters (if the system does not support 12 characters, a minimum length of eight characters), and contain both numeric and alphabetic characters. Examine system configuration settings to verify that user password/passphrase complexity parameters are set in accordance with all elements specified in this requirement.
PCI_PASS_CHANGE PCI DSS 8.3.9 8.3.9 If passwords/passphrases are used as the only authentication factor for user access, then passwords/passphrases are changed at least once every 90 days. If passwords/passphrases are used as the only authentication factor for user access, inspect system configuration settings to verify that passwords/passphrases are managed in accordance with the specified requirement.
PCI_PASS_NOREUSE PCI DSS 8.3.7 8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. Examine system configuration settings to verify that password parameters are set to require that new passwords/passphrases cannot be the same as the four previously used passwords/passphrases.
PCI_MFA PCI DSS 8.4 8.4 Multi-factor authentication (MFA) is implemented to secure access into the cardholder data environment (CDE). Examine network and/or system configurations to verify MFA is implemented for all access into the CDE.
PCI_AUDIT_LOGS PCI DSS 10.2 10.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. Audit logs must exist for all system components. Audit logs send alerts the system administrator, provides data to other monitoring mechanisms, such as intrusion-detection systems (IDS) and security information and event monitoring systems (SIEM) tools, and provide a history trail for post-incident investigation. Logging and analyzing security-relevant events enable an organization to identify and trace potentially malicious activities.
PCI_NET_SEGMENT PCI DSS (Networking) Guidance for PCI DSS Scoping and Network Segmentation. Segmentation (or isolation) of the cardholder data environment (CDE) from the remainder of an entity's network is strongly recommended as a method that may reduce the risk to an organization relative to payment card account data.
PCI_NO_TLS1 PCI DSS (Old Protocols) Guidance on PCI DSS Requirement 4.2: SSL and TLS 1.0 are not permitted. Some protocol implementations (such as SSL, SSH v1.0, and TLS 1.0) have known vulnerabilities that an attacker can use to gain access to the cleartext data. It is critical that entities maintain awareness of industry-defined deprecation dates for the cipher suites they are using and are prepared to migrate to newer versions or protocols when older ones are no longer deemed secure.

The HIPAA Security Rule ensures that patients and their electronic Protected Health Information (ePHI), as well as healthcare facilities and health insurance providers, are protected.
To read more about the HIPAA Security Rule, please visit the HIPAA home page.

HIPAA requirements (4)
ID | Requirement | Title | Description
--- | --- | --- | ---
HIPAA_ENCRYPT | HIPAA (Encryption) | Access Control (§ 164.312(a)(1)(iv)) — Encryption of Data In Transit or At Rest | The HIPAA Security Rule requires encryption of electronic Protected Health Information (ePHI) of patients when the data is in transit or at rest. 'At rest' includes the cloud storage service where ePHI has been saved (storage bucket, database, file system), and 'in transit' relates to any electronic communication of that information. The security of ePHI in transit or at rest should be established by the use of data encryption. ePHI should be rendered 'unreadable, undecipherable or unusable' so that any 'acquired' healthcare or payment information is of no use to an unauthorized third party.
HIPAA_NETWORK | HIPAA (Networking) | Access Control (§ 164.312(a)(1)) — Network Segmentation | Firewalls, network segmentation, and network access control solutions can be effective means of limiting access to electronic information systems containing electronic Protected Health Information (ePHI). Properly implemented, network-based solutions can limit the ability of a hacker to gain access to an organization's network or impede the ability of a hacker already in the network from accessing other information systems, especially systems containing sensitive data. By building and implementing a network segmentation strategy, networks can be broken down into multiple segments and made safer against potential breaches by dangerous cybercriminals and hackers.
HIPAA_AUDIT | HIPAA (Audit) | Audit Controls (§ 164.312(b)) | Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic Protected Health Information (ePHI). Audit logs and trails assist companies with reducing risk associated with reviewing inappropriate access, tracking unauthorized disclosures of ePHI, detecting performance problems and flaws in applications, detecting potential intrusions and other malicious activity, and providing forensic evidence during investigation of security incidents and breaches.
HIPAA_BACKUP | HIPAA (Backup) | Contingency Plan (§ 164.308(a)(7)) — Data Backup Plan | A contingency plan is the only way to protect the availability, integrity, and security of data during unexpected negative events. Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. The data backup plan should define exactly what information needs to be retrievable to allow the entity to continue business 'as usual' in the face of damage or destruction of data, hardware, or software.