Azure Network
About
Monitor your AZURE VPC and Network configuration.
Security
Network Watchers Not Enabled
Ensure that Network Watcher service is enabled within your Azure account subscriptions to help you monitor and diagnose various conditions at the network level. Microsoft Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources within a virtual network.
Network Watchers Not Provisioned
Ensure that Network Watcher service is enabled & Network Watchers are provisioned within your Azure account subscriptions to help you monitor and diagnose various conditions at the network level. Microsoft Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources within a virtual network.
Unrestricted FTP Access
Ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access on TCP ports 20 and 21 in order to protect against attackers that use brute force methods to gain access to Azure virtual machines associated with these NSGs. TCP ports 20 and 21 are used for data transfer and communication by the File Transfer Protocol (FTP) client-server applications.
Unrestricted MSSQL Server Access
Ensure that all your Microsoft Azure network security groups (NSGs) restrict inbound/ingress access on TCP port 1433 to trusted IP addresses only in order to implement the principle of least privilege and significantly reduce the attack surface. TCP port 1433 is used by Microsoft Azure SQL Server, the relational database management system developed by Microsoft.
Unrestricted MySQL Database Access
Ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 3306 in order to protect against malicious actors and significantly reduce the attack surface. TCP port 3306 is used by the MySQL Database Server, a popular open-source Relational Database Management System (RDBMS) server.
Unrestricted Oracle Database Access
Ensure that your Microsoft Azure network security groups (NSGs) restrict inbound/ingress access on TCP port 1521 to trusted entities only (i.e. IP addresses) in order to implement the principle of least privilege and vastly reduce the attack surface. TCP port 1521 is used by Oracle Database Server, which is an object-relational database management system (RDBMS) server developed by Oracle Corporation.
Unrestricted PostgreSQL Database Access
Ensure that your Microsoft Azure network security groups (NSGs) allow inbound/ingress access on TCP port 5432 to trusted IP addresses only, in order to implement the principle of least privilege and greatly reduce the attack surface. TCP port 5432 is used by the PostgreSQL Database Server, an object-relational database management system (RDBMS) server developed by PostgreSQL Global Development Group.
Unrestricted RDP Access
Ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 3389 in order to protect against attackers that use brute force techniques to gain access to the Azure virtual machines associated with the NSGs. TCP port 3389 is used for secure remote GUI login to Microsoft VMs by connecting a Remote Desktop Protocol (RDP) client application with an RDP server.
Unrestricted RPC Access
Ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 135 in order to implement the principle of least privilege and effectively reduce the attack surface. Remote Procedure Call (RPC) TCP port 135 is used for client-server communications by Microsoft Message Queuing (MSMQ) as well as other Microsoft Windows/Windows Server software.
Unrestricted SSH Access
Check your Microsoft Azure network security groups (NSGs) for inbound rules that allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 22 and restrain access to only those IP addresses that require it in order to implement the principle of least privilege and reduce the possibility of a breach. TCP port 22 is used for secure remote login by connecting an SSH client application with an SSH server.
Reliability
Security Group Flow Logs should be retained for Longer duration
Ensure that your Microsoft Azure Network Security Groups (NSGs) have a sufficient flow log retention period, i.e. greater than or equal to 90 days, configured for reliability and compliance purposes. The retention period represents the number of days to retain flow log data recorded for your network security groups. Azure Network Security Group (NSG) flow log is a feature of the Network Watcher service, that allows you to view information about inbound and outbound IP traffic through an NSG.
Sources
https://www.cloudanix.com/recipelist/azure/azurenetworkaudit
Help Us Improve!
If you have any suggestions to improve this checklist, please let us know by filling out
this form.