Framework/Configurations/SVT/Services/VirtualNetwork.json

{
  "FeatureName": "VirtualNetwork",
  "Reference": "aka.ms/azsdktcp/virtualnetwork",
  "IsManintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_VNet_NetSec_Justify_PublicIPs",
      "Description": "Minimize the number of Public IPs (i.e. NICs with PublicIP) on a Virtual Network",
      "Id": "VirtualNetwork110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPublicIps",
      "Rationale": "Public IPs provide direct access over the internet, exposing the VM to all types of attacks from the public network.",
      "Recommendation": "Unutilized Public IP addresses must be removed from the Virtual Network. For more information visit: https://docs.microsoft.com/en-us/powershell/module/azurerm.network/remove-azurermpublicipaddress",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "NICName",
        "VMName",
        "PrimaryStatus",
        "NetworkSecurityGroupName",
        "PublicIpAddress",
        "PrivateIpAddress"
      ]
    },
    {
      "ControlID": "Azure_VNet_NetSec_Justify_IPForwarding_for_NICs",
      "Description": "Use of IP Forwarding on any NIC in a Virtual Network should be scrutinized",
      "Id": "VirtualNetwork120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckIPForwardingforNICs",
      "Rationale": "Enabling IP Forwarding on a VM NIC allows the VM to receive traffic addressed to other destinations. This is only required when the VM is used as a virtual appliance; otherwise it may result in a security breach if the VM is compromised.",
      "Recommendation": "Disable IP Forwarding unless it has been reviewed and approved by network security team. Go to Azure Portal --> Navigate to VM NIC (where IP Forwarding is enabled) --> IP Configurations --> IP Forwarding settings --> Click on 'Disabled'.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "NetSec"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "NICName",
        "EnableIPForwarding"
      ]
    },
    {
      "ControlID": "Azure_VNet_NetSec_Dont_Use_NSGs_on_GatewaySubnet",
      "Description": "There must not be any NSGs on the GatewaySubnet of a Virtual Network",
      "Id": "VirtualNetwork130",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckNSGUseonGatewaySubnet",
      "Rationale": "Applying an NSG to the pre-defined 'GatewaySubnet' is not recommended since it may break Azure VNet connectivity.",
      "Recommendation": "If there is an NSG on the Gateway Subnet, remove it. Refer: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-nsg-arm-ps#delete-an-nsg",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "Name",
        "NetworkSecurityGroup"
      ]
    },
    {
      "ControlID": "Azure_VNet_NetSec_Configure_NSG",
      "Description": "NSG should be used for subnets in a Virtual Network to permit traffic only on required inbound/outbound ports. NSGs should not have a security rule that allows any-to-any traffic",
      "Id": "VirtualNetwork140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckNSGConfigured",
      "Rationale": "It is necessary to filter inbound and outbound network traffic to secure a VNet. A network security group (NSG) provides security rules to tightly control the network traffic in a VNet.",
      "Recommendation": "NSG should have security rules defined to allow only required inbound/outbound ports. To remove existing rules from an NSG: (a) Azure Portal -> Network security groups -> <Your NSG> -> Inbound security rules -> Remove unutilized 'Allow' action rules. (b) Azure Portal -> Network security groups -> <Your NSG> -> Outbound security rules -> Remove unutilized 'Allow' action rules.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "NetSec"
      ],
      "Enabled": true,
      "DataObjectProperties": [
        "Name",
        "Properties"
      ]
    },
    {
      "ControlID": "Azure_VNet_AuthZ_Grant_Min_RBAC_Access",
      "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)",
      "Id": "VirtualNetwork150",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckRBACAccess",
      "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
      "Recommendation": "Remove any excessive privileges granted on the Virtual Network. Run command: Remove-AzureRmRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' -RoleDefinitionName '<RoleDefinitionName>'. Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "RBAC"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_VNet_NetSec_Justify_Gateways",
      "Description": "Presence of any virtual network gateways (GatewayType = VPN/ExpressRoute) in the Virtual Network must be justified",
      "Id": "VirtualNetwork160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckGatewayUsed",
      "Rationale": "Virtual network gateways allow encrypted traffic between a VNet and an on-premises site. Any external connectivity with on-premises resources may result in a security breach, hence it should be justified and approved.",
      "Recommendation": "Remove virtual network gateways using Remove-AzureRmVirtualNetworkGateway command (unless their presence has been approved by network security team). Run 'Get-Help Remove-AzureRmVirtualNetworkGateway -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "NetSec"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_VNet_NetSec_Justify_Peering",
      "Description": "Use of any Virtual Network peerings should be justified",
      "Id": "VirtualNetwork170",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckVnetPeering",
      "Rationale": "Resources in the peered virtual networks can communicate with each other directly; hence, to prevent a security breach, peerings should be justified.",
      "Recommendation": "Remove Virtual Network peering using Remove-AzureRmVirtualNetworkPeering command (unless their presence has been approved by network security team). Run 'Get-Help Remove-AzureRmVirtualNetworkPeering -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "NetSec"
      ],
      "Enabled": true
    }
  ]
}