Check for Network Security Groups with Port Ranges

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Subscription filter box, select the Azure account subscription that you want to examine.

04 From the Type filter box, select Network security group to list only the security groups available in the selected Azure subscription.

05 Click on the name of the network security group that you want to examine.

06 In the navigation panel, under Settings, select Inbound security rules to access the list with the inbound rules defined for the selected security group.

07 On the Inbound security rules page, verify the value available in the Port column for each inbound/ingress rule defined. If one or more rules have the Port attribute set to range or ports (e.g. 0 – 65535, 80 – 8080, 111 – 32800), the selected Azure network security group (NSG) is using range of ports to allow traffic, therefore the inbound access to the associated Microsoft Azure virtual machine(s) is not secured.

08 Repeat steps no. 5 – 7 for each network security group available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

01 Run account list command (Windows/macOS/Linux) using custom query filters to list the IDs of the subscriptions available in your Azure account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers:

[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd",
]

03 Run network nsg list command (Windows/macOS/Linux) using custom query filters to list the names of all network security groups (and the name of their associated resource groups) available in the selected Azure subscription:

az network nsg list
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

04 The command output should return a table with requested information:

Name                       ResourceGroup
---------------------   ------------------------------
cc-prod-endpoint-nsg    cloud-shell-storage-westeurope
cc-dev-web-server-nsg   cloud-shell-storage-westeurope

05 Run az network nsg rule list command (Windows/macOS/Linux) using the name of the Azure network security group (NSG) that you want to examine and its associated resource group as identifier parameters, to describe the NSG rules that allow inbound/ingress traffic to the virtual machines associated with the selected network security group:

az network nsg rule list
	--nsg-name cc-prod-endpoint-nsg
	--resource-group cloud-shell-storage-westeurope
	--query "[?direction=='Inbound' && access=='Allow']"

06 The command output should return the requested network security group rule(s) metadata:

[
  {
    "access": "Allow",
    "description": null,
    "destinationAddressPrefix": "*",
    "destinationAddressPrefixes": [],
    "destinationApplicationSecurityGroups": null,
    "destinationPortRange": "0-65535",
    "destinationPortRanges": [],
    "direction": "Inbound",
    "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-prod-endpoint-nsg/securityRules/cc-web-inbound-access",
    "name": "cc-web-inbound-access",
    "priority": 100,
    "protocol": "TCP",
    "provisioningState": "Succeeded",
    "resourceGroup": "cloud-shell-storage-westeurope",
    "sourceAddressPrefix": "*",
    "sourceAddressPrefixes": [],
    "sourceApplicationSecurityGroups": null,
    "sourcePortRange": "*",
    "sourcePortRanges": [],
    "type": "Microsoft.Network/networkSecurityGroups/securityRules"
  }
]

07 Repeat step no. 5 and 6 for each Azure network security group created within the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription available in your Microsoft Azure cloud account.

01 Sign in to Azure Management Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Subscription filter box, select the Azure account subscription that you want to access.

04 From the Type filter box, select Network security group to list only the security groups available in the selected Azure subscription.

05 Click on the name of the network security group that you want to reconfigure.

06 In the navigation panel, under Settings, select Inbound security rules to access the list with the inbound rules defined for the selected security group.

07 On the Inbound security rules page, click on the non-compliant rule that you want to reconfigure (see Audit section part I to identify the right rule).

08 On the selected security group rule configuration panel, perform the following:

1. For Destination port ranges, provide a single port such as 443 (HTTPS) or a comma-separated list of single ports such as 80 (HTTP) and 443 (HTTPS). This specifies on which port(s) the inbound traffic will be allowed or denied by the selected NSG rule.
2. From Protocol, select the appropriate network protocol (e.g. TCP).
3. Make sure that Action is set to Allow and leave the rest of the NSG configuration settings unchanged.
4. Click Save to apply the changes.

09 Repeat step no. 7 and 8 for each NSG rule that allows inbound traffic using wide range of ports, created for the selected security group.

10 Repeat steps no. 5 – 9 for each non-compliant network security group available in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

01 Run network nsg rule update command (Windows/macOS/Linux) using the name of the network security group (NSG) rule that you want to reconfigure as identifier parameter (see Audit section part II to identify the right rule) to restrict inbound access to specific ports only by setting the --destination-port-ranges parameter to those ports on which inbound traffic will be allowed by the selected NSG rule. You can specify a single value or a space-separated list of multiple values, as shown in the example below:

az network nsg rule update
	--name cc-web-inbound-access
	--nsg-name cc-prod-endpoint-nsg
	--resource-group cloud-shell-storage-westeurope
	--access Allow
	--protocol Tcp
	--destination-port-ranges 80 443
	--description "Allow traffic on specific ports only, i.e. TCP port 80 (HTTP) and TCP port 443 (HTTPS)"

02 The command output should return the metadata for the reconfigured Azure NSG rule:

{
  "access": "Allow",
  "description": "Allow traffic on specific ports only, i.e. TCP port 80 (HTTP) and TCP port 443 (HTTPS)",
  "destinationAddressPrefix": "*",
  "destinationAddressPrefixes": [],
  "destinationApplicationSecurityGroups": null,
  "destinationPortRange": null,
  "destinationPortRanges": [
    "80",
    "443"
  ],
  "direction": "Inbound",
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-prod-endpoint-nsg/securityRules/cc-web-inbound-access",
  "name": "cc-web-inbound-access",
  "priority": 100,
  "protocol": "Tcp",
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "sourceAddressPrefix": "*",
  "sourceAddressPrefixes": [],
  "sourceApplicationSecurityGroups": null,
  "sourcePortRange": "*",
  "sourcePortRanges": [],
  "type": "Microsoft.Network/networkSecurityGroups/securityRules"
}

03 Repeat step no. 1 and 2 for each NSG rule that allows inbound traffic using wide range of ports, defined for the selected security group.

04 Repeat steps no. 1 – 3 for each non-compliant network security group (NSG) available in the selected Azure subscription.

05 Repeat steps no. 1 – 4 for each subscription created within your Microsoft Azure cloud account.