HTTPS Traffic Only

More Info:

By default, Azure Web App allows both HTTP and HTTPS. That means the web apps can be accessed over non-secure HTTP too.

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, GDPR, ISO27001, HIPAA, CISAZURE, CBP, HITRUST, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of allowing only HTTPS traffic in Azure using Azure CLI, follow these steps:

Open the Azure CLI in your terminal or command prompt.
Run the following command to get the name of the network security group (NSG) associated with the virtual machine (VM) that needs to be configured:
```
az vm show -d -g <resource-group-name> -n <vm-name> --query "networkProfile.networkInterfaces[].id" -o tsv | awk -F'/' '{print $9}'
```
Note: Replace <resource-group-name> and <vm-name> with the actual names of your resource group and VM respectively.
Run the following command to get the name of the NSG rule that allows HTTP traffic:
```
az network nsg rule list -g <resource-group-name> --nsg-name <nsg-name> --query "[?contains(properties.destinationPortRange, '80')].name" -o tsv
```
Note: Replace <resource-group-name> and <nsg-name> with the actual names of your resource group and NSG respectively.
Run the following command to delete the NSG rule that allows HTTP traffic:
```
az network nsg rule delete -g <resource-group-name> --nsg-name <nsg-name> -n <nsg-rule-name>
```
Note: Replace <resource-group-name>, <nsg-name> and <nsg-rule-name> with the actual names of your resource group, NSG and NSG rule respectively.

Run the following command to add a new NSG rule that allows only HTTPS traffic:

az network nsg rule create -g <resource-group-name> --nsg-name <nsg-name> -n Allow-HTTPS --priority 100 --source-address-prefixes '*' --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 443 --access Allow --protocol Tcp --description "Allow HTTPS traffic only"

Note: Replace <resource-group-name> and <nsg-name> with the actual names of your resource group and NSG respectively.

Verify that the NSG rule has been added successfully by running the following command:
```
az network nsg rule list -g <resource-group-name> --nsg-name <nsg-name> --query "[?name=='Allow-HTTPS']"
```
Note: Replace <resource-group-name> and <nsg-name> with the actual names of your resource group and NSG respectively.
Verify that the VM is now accessible only over HTTPS by trying to access it over HTTP. If the remediation was successful, the connection should be refused.

Using Python

To remediate the HTTPS traffic only misconfiguration in Azure using Python, you can follow these steps:

Import the necessary libraries:

from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.network.v2019_11_01.models import SecurityRule, SecurityRuleAccess, SecurityRuleDirection, SecurityRuleProtocol, SecurityRuleDestinationAddressPrefix, SecurityRuleSourceAddressPrefix
from azure.common.credentials import ServicePrincipalCredentials

Set up the credentials to authenticate with Azure:

subscription_id = '<subscription_id>'
credentials = ServicePrincipalCredentials(
    client_id='<client_id>',
    secret='<client_secret>',
    tenant='<tenant_id>'
)

Instantiate the NetworkManagementClient:

network_client = NetworkManagementClient(
    credentials=credentials,
    subscription_id=subscription_id
)

Get the network security group (NSG) that needs to be modified:

nsg_name = '<nsg_name>'
nsg_resource_group = '<nsg_resource_group>'

nsg = network_client.network_security_groups.get(
    resource_group_name=nsg_resource_group,
    network_security_group_name=nsg_name
)

Create a new security rule to allow HTTPS traffic only:

https_rule = SecurityRule(
    access=SecurityRuleAccess.allow,
    description='Allow HTTPS traffic only',
    destination_address_prefix=SecurityRuleDestinationAddressPrefix('*'),
    destination_port_range='443',
    direction=SecurityRuleDirection.inbound,
    priority=100,
    protocol=SecurityRuleProtocol.tcp,
    source_address_prefix=SecurityRuleSourceAddressPrefix('*'),
    source_port_range='*'
)

nsg.security_rules.append(https_rule)

Update the NSG with the new security rule:

network_client.network_security_groups.create_or_update(
    resource_group_name=nsg_resource_group,
    network_security_group_name=nsg_name,
    parameters=nsg
)

Verify that the NSG has been updated with the new security rule:

updated_nsg = network_client.network_security_groups.get(
    resource_group_name=nsg_resource_group,
    network_security_group_name=nsg_name
)

https_rule = next((rule for rule in updated_nsg.security_rules if rule.destination_port_range == '443'), None)

if https_rule:
    print('HTTPS traffic only rule added successfully')
else:
    print('Failed to add HTTPS traffic only rule')

Note: Make sure to replace the placeholders (<subscription_id>, <client_id>, <client_secret>, <tenant_id>, <nsg_name>, and <nsg_resource_group>) with the actual values for your Azure environment.

Additional Reading:

https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

HTTPS Traffic Only

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: