module/ConfigurationProvider/ControlConfigurations/Services/NSG.json

{
  "FeatureName": "NSG",
  "Reference": "aka.ms/azsktcp/nsg",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_NSG_NetSec_Dont_Open_Restricted_Ports",
      "Description": "Do not leave restricted ports open on NSG",
      "Id": "NSG100",
      "DisplayName": "Do not use risky ports on firewall and NSGs",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "ControlSeverity": "Critical",
      "Automated": "No",
      "MethodName": "CheckRestrictedPortsOnNSGExtScanned",
      "Rationale": "Open restricted ports expose an NSG to a high level of risk from internet-based attacks that attempt to brute-force credentials in order to gain admin access to the machine.",
      "Recommendation": "NA",
      "Tags": [
        "NetSec",
        "Baseline",
        "Daily"
      ],
      "Enabled": false,
      "CustomTags": [
        "Windows",
        "Linux",
        "Wave9",
        "P0",
        "SN:Risky_ports",
        "ShadowITActiveBaseline",
        "TenantBaseline",
        "Prod"
      ]
    },
    {
      "ControlID": "Azure_NSG_NetSec_Dont_Open_InBound_Any_Any",
      "Description": "Do not leave restricted ports on the NSG open to inbound traffic",
      "Id": "NSG200",
      "DisplayName": "Firewall/NSG rules must not allow unrestricted traffic (any-any rule)",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "ControlSeverity": "Critical",
      "Automated": "Yes",
      "MethodName": "CheckAnyAnyRuleOnNSG",
      "Rationale": "Open restricted ports expose an NSG to a high level of risk from internet-based attacks that attempt to brute-force credentials in order to gain admin access to the machine.",
      "Recommendation": "Go to Azure Portal --> NSG Settings --> Inbound security rules --> Select the security rule that allows Any-Any inbound traffic --> Click 'Deny' under Action --> Click Save.",
      "Tags": [
        "NetSec",
        "VirtualMachine",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ExclusionTags": [
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "databricks-environment",
            "TagValue": "true"
          },
          {
            "Description": "VM is part of ADB cluster.",
            "TagName": "application",
            "TagValue": "databricks"
          }
        ],
        "UniversalPortRange": [
          "*",
          "0-65535"
        ],
        "ValidRules": [
          {
            "Protocol": "ICMP",
            "NonCompliantSourceAddressPrefixes": [ "*", "Internet" ]
          }
        ]
      },
      "CustomTags": [
        "Windows",
        "Linux"
      ]
    }
  ]
}