module/ConfigurationProvider/ControlConfigurations/Services/VirtualNetwork.json

{
    "FeatureName": "VirtualNetwork",
    "Reference": "aka.ms/azsktcp/virtualnetwork",
    "IsMaintenanceMode": false,
    "Controls": [
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Use_PublicIPs",
      "Description": "There must not be any Public IPs (i.e., NICs with PublicIP) on ExpressRoute-connected VMs",
      "Id": "ERvNet110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckERvNetPublicIps",
      "DisplayName": "Remove public IPs on ER connected VMs",
      "ControlRequirements": "Restrict network traffic flows",
      "Category": "Deploy controls to restrict network traffic",
      "Rationale": "Public IP addresses on an ER-connected virtual network can expose the corporate network to security attacks from the internet.",
      "Recommendation": "Any Public IP addresses you added to an ER-connected virtual network must be removed. Refer: https://docs.microsoft.com/en-us/powershell/module/az.network/Remove-AzPublicIpAddress",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ERvNet",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "Prod",
        "CSEOPilot",
        "TenantBaseline",
        "P0",
        "Wave4",
        "ShadowITActiveBaseline",
        "SN:Pub_IP"
      ]
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Use_Multi_NIC_VMs",
      "Description": "There must not be multiple NICs on ExpressRoute-connected VMs",
      "Id": "ERvNet120",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckMultiNICVMUsed",
      "DisplayName": "There must not be multiple NICs on ExpressRoute-connected VMs",
      "ControlRequirements": "Restrict network traffic flows",
      "Category": "Deploy controls to restrict network traffic",
      "Rationale": "Using multiple NICs, one can route traffic between the ER-connected virtual network and another non-ER-connected virtual network. This can put the corporate network at risk. (Multi-NIC VMs on an ER-connected virtual network may be required in some advanced scenarios. You should engage the network security team for a review in such cases.)",
      "Recommendation": "Remove any additional NICs on VMs which are on an ER-connected virtual network. Refer: http://stackoverflow.com/questions/34526032/how-can-i-programmatically-detach-a-nic-from-its-vm-in-azure-arm",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ERvNet",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Enable_IPForwarding_for_NICs",
      "Description": "Set 'EnableIPForwarding' flag to false for NICs in the ExpressRoute-connected vNet",
      "Id": "ERvNet130",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckERvNetIPForwardingforNICs",
      "DisplayName": "Set 'EnableIPForwarding' flag to false for NICs in the ExpressRoute-connected vNet",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Using IP Forwarding one can change the routing of packets from an ER-connected virtual network. This can lead to bypass of network protections that are required and applicable for corpnet traffic. (IP Forwarding on an ER-connected virtual network may be required only in advanced scenarios such as Network Virtual Appliances. You should engage the network security team for a review in such cases.)",
      "Recommendation": "IP Forwarding must be disabled on ExpressRoute-connected NICs. Refer: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ERvNet",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "Prod",
        "CSEOPilot",
        "TenantBaseline",
        "P2",
        "Wave7",
        "ShadowITActiveBaseline",
        "SN:ERNetwork_IPForwarding"
      ]
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Use_NSGs_on_GatewaySubnet",
      "Description": "There must not be any NSGs on the GatewaySubnet of the ExpressRoute-connected vNet",
      "Id": "ERvNet140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckNSGUseonGatewaySubnet",
      "Rationale": "Using NSGs on the Gateway subnet of an ER-connected virtual network can cause the connection to stop functioning and may impact availability.",
      "Recommendation": "If you added any NSGs to the Gateway Subnet of the ER-connected virtual network, remove them. Refer: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#delete-a-network-security-group",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ERvNet"
      ],
      "Enabled": false,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Add_UDRs_on_Subnets",
      "Description": "There must not be a UDR on any subnet in an ExpressRoute-connected vNet",
      "Id": "ERvNet150",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckERvNetUDRAddedOnSubnet",
      "DisplayName": "There must not be a UDR on any subnet in an ExpressRoute-connected vNet",
      "ControlRequirements": "Restrict network traffic flows",
      "Category": "Deploy controls to restrict network traffic",
      "Rationale": "Using UDRs on any subnet of an ER-connected virtual network can lead to security exposure for corpnet traffic by allowing it to be routed in a way that evades inspection from network security scanners.",
      "Recommendation": "Remove the association between any UDRs you may have added and their respective subnets. Refer to https://docs.microsoft.com/en-us/azure/virtual-network/manage-route-table#dissociate-a-route-table-from-a-subnet for instructions to dissociate a route table from a subnet.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ERvNet",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ExemptedSubscriptions": [
        ],
        "ApprovedRoutes": [
          {
            "ResourceGroup": "ERNetwork-LAB",
            "AddressPrefix": "0.0.0.0/0",
            "NextHopType": "VirtualAppliance"
          },
          {
            "ResourceGroup": "ERNetwork-MVD",
            "AddressPrefix": "0.0.0.0/0",
            "NextHopType": "VirtualAppliance"
          }
        ]
      },
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "TenantBaseline",
        "Prod",
        "CSEOPilot",
        "Wave7",
        "ShadowITActiveBaseline",
        "SN:ERNetwork_UDRs"
      ]
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Add_VPN_Gateways",
      "Description": "There must not be another virtual network gateway (GatewayType = Vpn) in an ExpressRoute-connected vNet",
      "Id": "ERvNet160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckERvNetGatewayUsed",
      "DisplayName": "There must not be another virtual network gateway (GatewayType = Vpn) in an ExpressRoute-connected vNet",
      "ControlRequirements": "Restrict network traffic flows",
      "Category": "Deploy controls to restrict network traffic",
      "Rationale": "Using other gateway types on an ER-connected virtual network can lead to pathways for corpnet traffic where the traffic can get exposed to the internet or evade inspection from network security scanners. This creates a direct risk to corpnet security.",
      "Recommendation": "Remove any VPN Gateways from the ExpressRoute-connected virtual network. To delete a VPN Gateway using Azure Portal, refer https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-delete-vnet-gateway-portal. To delete a VPN Gateway using PowerShell, refer https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-delete-vnet-gateway-powershell",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ERvNet",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "TenantBaseline",
        "Prod",
        "CSEOPilot",
        "Wave7",
        "ShadowITActiveBaseline",
        "SN:ERNetwork_VPNGateways"
      ]
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Dont_Use_VNet_Peerings",
      "Description": "There must not be any virtual network peerings on an ExpressRoute-connected vNet",
      "Id": "ERvNet170",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckERvNetPeering",
      "DisplayName": "Peering must not be allowed on ExpressRoute connected Virtual Network",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "A virtual network peering on an ER-connected circuit establishes a link to another virtual network whereby traffic egress and ingress can evade inspection from network security appliances. This creates a direct risk to corpnet security.",
      "Recommendation": "Remediation of a failure for this Control requires any peerings on the virtual network to be removed. To remove a disallowed peering using Azure Portal, refer: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering. To remove a peering using PowerShell, use the 'Remove-AzVirtualNetworkPeering' command. Run 'Get-Help Remove-AzVirtualNetworkPeering -full' for more help. Refer to https://docs.microsoft.com/en-us/powershell/module/az.network/remove-azvirtualnetworkpeering?view=azps-7.2.0 for additional details.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ERvNet",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ExemptedSubscriptions": [
        ],
        "ApprovedPeerings": [
          {
            "ResourceGroup": "ERNetwork-LAB",
            "RemoteNetworkIdPrefix": ""
          },
          {
            "ResourceGroup": "ERNetwork-MVD",
            "RemoteNetworkIdPrefix": ""
          },
          {
            "ResourceGroup": "ERNetwork-PvtApp",
            "RemoteNetworkIdPrefix": ""
          },
          {
            "ResourceGroup": "ERNetwork-InetApp",
            "RemoteNetworkIdPrefix": ""
          },
          {
            "ResourceGroup": "ERNetwork-SVC",
            "RemoteNetworkIdPrefix": ""
          },
          {
            "ResourceGroup": "ERNetwork-DB",
            "RemoteNetworkIdPrefix": ""
          },
          {
            "ResourceGroup": "ERNetwork-EML",
            "RemoteNetworkIdPrefix": ""
          }
        ]
      },
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "TenantBaseline",
        "Prod",
        "CSEOPilot",
        "Wave7",
        "ShadowITActiveBaseline",
        "SN:ERNetwork_VNetPeering"
      ]
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Use_Only_Internal_Load_Balancers",
      "Description": "Only internal load balancers (ILBs) may be used inside an ExpressRoute-connected vNet",
      "Id": "ERvNet180",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckERvNetInternalLoadBalancers",
      "Rationale": "External load balancers on an ER-connected vNet can expose the corporate network to security attacks from the internet.",
      "Recommendation": "Remove any external load balancers you may have added using the 'Remove-AzLoadBalancer' PS command. Run 'Get-Help Remove-AzLoadBalancer -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ERvNet"
      ],
      "Enabled": false,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_ERvNet_SI_Add_Only_Network_Resources",
      "Description": "Add only Microsoft.Network/* resources to the ERNetwork resource group",
      "Id": "ERvNet190",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckERvNetOnlyNetworkResourceExist",
      "DisplayName": "Add only Microsoft.Network/* resources to the ERNetwork resource group",
      "ControlRequirements": "Restrict network traffic flows",
      "Category": "Deploy controls to restrict network traffic",
      "Rationale": "The ERNetwork resource group is a critical component that facilitates provisioning of an ER-connection for your subscription. This resource group is deployed and managed by the networking team and should not be used as a general purpose resource group or as a container for non-networking resources as it can impact the ER-connectivity of your subscription.",
      "Recommendation": "Move all resources other than Microsoft.Network/* to another resource group. To move a resource to another resource group, refer to https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "SI",
        "ERvNet",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ExemptedResourceTypes": "providers/microsoft.eventgrid/"
      },
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "Prod",
        "CSEOPilot",
        "TenantBaseline",
        "P1",
        "Wave7",
        "ShadowITActiveBaseline",
        "SN:ERNetwork_NetResourcesOnly"
      ]
    },
    {
      "ControlID": "Azure_ERvNet_SI_Dont_Remove_Resource_Lock",
      "Description": "Ensure that the ERNetwork resource group is protected with a resource lock",
      "Id": "ERvNet200",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckERvNetResourceLockConfigured",
      "DisplayName": "Ensure that the ERNetwork resource group is protected with a resource lock",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "The ERNetwork resource group is a critical component that facilitates provisioning of an ER-connection for your subscription. A resource lock is deployed on the ERNetwork resource group to keep you from deleting it accidentally. Removing this lock increases the chances of accidental write/delete of this resource group and that can impact ER-connectivity of your subscription.",
      "Recommendation": "Create a Read-only resource lock for every ER Network resource group using command New-AzResourceLock -LockName '{LockName}' -LockLevel 'ReadOnly' -Scope '/subscriptions/{SubscriptionId}/resourceGroups/{ERNetworkResourceGroup}'. Run 'Get-Help New-AzResourceLock -full' for more help. To create a lock via Azure Portal, refer https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json#configure-locks.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "SI",
        "ERvNet",
        "Baseline",
        "Daily",
        "CSEOPilotSub"
      ],
      "Enabled": true,
      "ControlSettings": {
        "LockLevel": ""
      },
      "CustomTags": [
        "CSEOBaseline",
        "MSD",
        "Prod",
        "CSEOPilot",
        "TenantBaseline",
        "P1",
        "Wave7",
        "ShadowITActiveBaseline",
        "SN:ERNetwork_lock"
      ]
    },
    {
      "ControlID": "Azure_ERvNet_SI_Dont_Remove_ARM_Policy",
      "Description": "Ensure that ARM policies are deployed to protect the ERNetwork setup",
      "Id": "ERvNet210",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckARMPolicyConfigured",
      "Recommendation": "Run command 'Set-AzSKARMPolicies -Tags SDO' to set ARM Policies. Run 'Get-Help Set-AzSKARMPolicies -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "SI",
        "ERvNet"
      ],
      "Enabled": false,
      "CustomTags": [
        "P1",
        "SN:ERNetwork_ARM"
      ]
    },
    {
      "ControlID": "Azure_ERvNet_NetSec_Revoke_PublicIPs_On_Sub",
      "Description": "There must not be any Public IPs on Subscription with ExpressRoute connection",
      "Id": "ERvNet111",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckERvNetPublicIpsOnSub",
      "DisplayName": "There must not be any Public IPs on Subscription with ExpressRoute connection",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Public IP addresses on an ER-connected virtual network can expose the corporate network to security attacks from the internet.",
      "Recommendation": "Any Public IP addresses you added to an ER-connected virtual network must be removed. Refer: https://docs.microsoft.com/en-us/powershell/module/az.network/Remove-AzPublicIpAddress",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "ERvNet",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_VNet_NetSec_Justify_Peering",
      "Description": "Use of any virtual network peerings should be justified",
      "Id": "VirtualNetwork170",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckVnetPeering",
      "DisplayName": "Assure virtual network peering is not allowed",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Resources in the peered virtual networks can communicate with each other directly. If the two peered networks are on different sides of a security boundary (e.g., corpnet vs. private vNet), this can lead to exposure of corporate data. Hence any VNet peerings should be closely scrutinized and approved by the network security team.",
      "Recommendation": "You can remove any virtual network peerings using the Remove-AzVirtualNetworkPeering command (unless their presence has been approved by network security team). Run 'Get-Help Remove-AzVirtualNetworkPeering -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "NetSec",
        "Baseline",
        "Daily"
      ],
      "Enabled": true,
      "ControlSettings": {
        "ExemptedSubscriptions": [
        ]
      },
      "CustomTags": [
        "TenantBaseline",
        "P0",
        "Wave4",
        "ShadowITActiveBaseline",
        "SN:Network_peering",
        "MSD",
        "Prod",
        "CSEOBaseline",
        "CSEOPilot"
      ]
    },
    {
      "ControlID": "Azure_VNet_NetSec_Configure_NSG",
      "Description": "NSG should be used for subnets in a virtual network to permit traffic only on required inbound/outbound ports. NSGs should not have a rule to allow any-to-any traffic",
      "Id": "VirtualNetwork140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckNSGConfigured",
      "ControlScanSource": "MDCandReader",
      "AssessmentProperties": {
        "AssessmentNames": [
          "eade5b56-eefd-444f-95c8-23f29e5d93cb"
        ]
      },
      "DisplayName": "Associate Subnets with a Network Security Group",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Restricting inbound and outbound traffic via NSGs limits the network exposure of the subnets within a virtual network and limits the attack surface",
      "Recommendation": "Configure NSG rules to be as restrictive as possible via: (a) Azure Portal -> Network security groups -> <Your NSG> -> Inbound security rules -> Edit 'Allow' action rules. (b) Azure Portal -> Network security groups -> <Your NSG> -> Outbound security rules -> Edit 'Allow' action rules",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "VNet",
        "Baseline",
        "Daily"
      ],
      "Enabled": true,
      "ControlSettings": {
        "AssessmentNotAvailableCausesForFallback": [
          "",
          "Exempt",
          "OffByPolicy"
        ],
        "SubnetsToExcludeFromEvaluation": [
          "azurefirewallsubnet",
          "gatewaysubnet",
          "routeserversubnet"
        ]
      },
      "CustomTags": [
        "TenantBaseline",
        "P0",
        "Wave4",
        "ShadowITActiveBaseline",
        "SN:Subnet_NSG",
        "MSD",
        "Prod",
        "CSEOBaseline",
        "CSEOPilot"
      ]
    },
    {
      "ControlID": "Azure_VNet_NetSec_Justify_PublicIPs",
      "Description": "There must not be any Public IPs (i.e. NICs with PublicIP) on a virtual network",
      "Id": "VirtualNetwork110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPublicIps",
      "ControlScanSource": "Reader",
      "DisplayName": "Minimize the number of Public IPs (i.e. NICs with PublicIP) on a virtual network",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Public IPs provide direct access over the internet, exposing the resource(s) to all types of attacks over the public network.",
      "Recommendation": "Unutilized Public IP addresses must be removed from the virtual network. For more information visit: https://docs.microsoft.com/en-us/powershell/module/az.network/remove-azpublicipaddress",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "VNet",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_VNet_NetSec_Justify_Gateways",
      "Description": "There must not be any VPN gateway in the virtual network.",
      "Id": "VirtualNetwork160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckGatewayUsed",
      "ControlScanSource": "Reader",
      "DisplayName": "Presence of any virtual network gateways (GatewayType = VPN/ExpressRoute) in the virtual network must be justified",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Virtual network gateways enable network traffic between a virtual network and other networks. All such connectivity must be carefully scrutinized to ensure that corporate data is not subject to exposure on untrusted networks.",
      "Recommendation": "You can remove virtual network gateways using the Remove-AzVirtualNetworkGateway command (unless their presence has been approved by network security team). Run 'Get-Help Remove-AzVirtualNetworkGateway -full' for more help.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "NetSec",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_VNet_NetSec_Justify_IPForwarding_for_NICs",
      "Description": "The 'EnableIPForwarding' flag must not be set to true for NICs in the vNet",
      "Id": "VirtualNetwork120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckIPForwardingforNICs",
      "ControlScanSource": "Reader",
      "DisplayName": "Use of IP Forwarding on any NIC in a virtual network should be scrutinized",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Enabling IP Forwarding on a VM NIC allows the VM to receive traffic addressed to other destinations. IP forwarding is required only in rare scenarios (e.g., using the VM as a network virtual appliance) and those should be reviewed with the network security team.",
      "Recommendation": "Disable IP Forwarding unless it has been reviewed and approved by network security team. Go to Azure Portal --> Navigate to VM NIC (where IP Forwarding is enabled) --> IP Configurations --> IP Forwarding settings --> Click on 'Disabled'.",
      "Tags": [
        "SDL",
        "Best Practice",
        "Automated",
        "NetSec",
        "Baseline",
        "Weekly"
      ],
      "Enabled": true,
      "CustomTags": []
    }
  ]
}