More Info:

By default, Azure Web App allows both HTTP and HTTPS. That means the web apps can be accessed over non-secure HTTP too.

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, GDPR, ISO27001, HIPAA, CISAZURE, CBP, HITRUST, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the HTTPS Traffic Only misconfiguration in Azure using the Azure console, follow these steps:
  1. Log in to your Azure portal and navigate to the virtual machine that you want to remediate.
  2. Click on the “Networking” tab, and then click on the “Add inbound port rule” button.
  3. In the “Add inbound security rule” window, specify the following details:
  • Name: A descriptive name for the rule
  • Priority: A unique number to prioritize the rule
  • Protocol: Select “TCP”
  • Port range: Specify “443”
  • Action: Select “Allow”
  • Source: Select “Any” or specify the specific IP addresses or ranges that you want to allow
  1. Click on the “Add” button to create the rule.
  2. Repeat steps 2-4 for all the virtual machines in your Azure environment that require HTTPS traffic.
  3. Verify that HTTPS traffic is now allowed by accessing the virtual machine using HTTPS.
By following these steps, you can remediate the HTTPS Traffic Only misconfiguration in Azure and ensure that HTTPS traffic is allowed to your virtual machines.

To remediate the misconfiguration of allowing only HTTPS traffic in Azure using Azure CLI, follow these steps:
  1. Open the Azure CLI in your terminal or command prompt.
  2. Run the following command to get the name of the network security group (NSG) associated with the virtual machine (VM) that needs to be configured: 
    az vm show -d -g <resource-group-name> -n <vm-name> --query "networkProfile.networkInterfaces[].id" -o tsv | awk -F'/' '{print $9}'
    Note: Replace <resource-group-name> and <vm-name> with the actual names of your resource group and VM respectively.
  3. Run the following command to get the name of the NSG rule that allows HTTP traffic: 
    az network nsg rule list -g <resource-group-name> --nsg-name <nsg-name> --query "[?contains(properties.destinationPortRange, '80')].name" -o tsv
    Note: Replace <resource-group-name> and <nsg-name> with the actual names of your resource group and NSG respectively.
  4. Run the following command to delete the NSG rule that allows HTTP traffic: 
    az network nsg rule delete -g <resource-group-name> --nsg-name <nsg-name> -n <nsg-rule-name>
    Note: Replace <resource-group-name>, <nsg-name> and <nsg-rule-name> with the actual names of your resource group, NSG and NSG rule respectively.
  5. Run the following command to add a new NSG rule that allows only HTTPS traffic: 
    az network nsg rule create -g <resource-group-name> --nsg-name <nsg-name> -n Allow-HTTPS --priority 100 --source-address-prefixes '*' --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 443 --access Allow --protocol Tcp --description "Allow HTTPS traffic only"
    Note: Replace <resource-group-name> and <nsg-name> with the actual names of your resource group and NSG respectively.
  6. Verify that the NSG rule has been added successfully by running the following command: 
    az network nsg rule list -g <resource-group-name> --nsg-name <nsg-name> --query "[?name=='Allow-HTTPS']"
    Note: Replace <resource-group-name> and <nsg-name> with the actual names of your resource group and NSG respectively.
  7. Verify that the VM is now accessible only over HTTPS by trying to access it over HTTP. If the remediation was successful, the connection should be refused.
To remediate the HTTPS traffic only misconfiguration in Azure using Python, you can follow these steps:
  1. Import the necessary libraries:
from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.network.v2019_11_01.models import SecurityRule, SecurityRuleAccess, SecurityRuleDirection, SecurityRuleProtocol, SecurityRuleDestinationAddressPrefix, SecurityRuleSourceAddressPrefix
from azure.common.credentials import ServicePrincipalCredentials
  1. Set up the credentials to authenticate with Azure:
subscription_id = '<subscription_id>'
credentials = ServicePrincipalCredentials(
    client_id='<client_id>',
    secret='<client_secret>',
    tenant='<tenant_id>'
)
  1. Instantiate the NetworkManagementClient:
network_client = NetworkManagementClient(
    credentials=credentials,
    subscription_id=subscription_id
)
  1. Get the network security group (NSG) that needs to be modified:
nsg_name = '<nsg_name>'
nsg_resource_group = '<nsg_resource_group>'

nsg = network_client.network_security_groups.get(
    resource_group_name=nsg_resource_group,
    network_security_group_name=nsg_name
)
  1. Create a new security rule to allow HTTPS traffic only:
https_rule = SecurityRule(
    access=SecurityRuleAccess.allow,
    description='Allow HTTPS traffic only',
    destination_address_prefix=SecurityRuleDestinationAddressPrefix('*'),
    destination_port_range='443',
    direction=SecurityRuleDirection.inbound,
    priority=100,
    protocol=SecurityRuleProtocol.tcp,
    source_address_prefix=SecurityRuleSourceAddressPrefix('*'),
    source_port_range='*'
)

nsg.security_rules.append(https_rule)
  1. Update the NSG with the new security rule:
network_client.network_security_groups.create_or_update(
    resource_group_name=nsg_resource_group,
    network_security_group_name=nsg_name,
    parameters=nsg
)
  1. Verify that the NSG has been updated with the new security rule:
updated_nsg = network_client.network_security_groups.get(
    resource_group_name=nsg_resource_group,
    network_security_group_name=nsg_name
)

https_rule = next((rule for rule in updated_nsg.security_rules if rule.destination_port_range == '443'), None)

if https_rule:
    print('HTTPS traffic only rule added successfully')
else:
    print('Failed to add HTTPS traffic only rule')
Note: Make sure to replace the placeholders (<subscription_id>, <client_id>, <client_secret>, <tenant_id>, <nsg_name>, and <nsg_resource_group>) with the actual values for your Azure environment.

Additional Reading: