GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
NetBIOS Port Should Not Be Open
More Info:
Determines if UDP port 137 or 138 for NetBIOS is open to the public
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, GDPR, ISO27001, HIPAA, HITRUST, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
To remediate the NetBIOS port being open misconfiguration in GCP using GCP console, follow these steps:
- Login to your GCP console.
- Select the project where the misconfiguration exists.
- Navigate to the Compute Engine section.
- Select the VM instance where the misconfiguration exists.
- Click on the “Edit” button at the top of the VM instance details page.
- Scroll down to the “Firewall” section.
- Click on “Add firewall rule”.
- Enter a name for the firewall rule.
- Set the “Action on match” to “Deny”.
- Set the “Targets” to “All instances in the network”.
- In the “Source filter” section, select “IP ranges”.
- Enter the IP range that you want to block.
- In the “Protocols and ports” section, select “Specified protocols and ports”.
- In the “Protocols and ports” field, enter “udp:137; udp:138; tcp:139; tcp:445” to block NetBIOS traffic.
- Click on the “Create” button to save the firewall rule.
After completing these steps, the NetBIOS port will be blocked for the specified IP range on the selected VM instance.
To remediate the NetBIOS Port Should Not Be Open misconfiguration in GCP using GCP CLI, follow these steps:
-
Open the Cloud Shell in the GCP console.
-
Run the following command to list all the firewall rules in your project:
gcloud compute firewall-rules list -
Look for the firewall rule that allows traffic on port 139 or 445, which are the ports used by NetBIOS. Note the name of the firewall rule.
-
Run the following command to delete the firewall rule:
gcloud compute firewall-rules delete [FIREWALL_RULE_NAME]Replace
[FIREWALL_RULE_NAME]with the name of the firewall rule that you noted in step 3. -
Confirm that the firewall rule has been deleted by running the command in step 2 again.
-
Verify that the NetBIOS port is no longer open by running a port scan on your GCP instance from an external network.
By following these steps, you have successfully remediated the NetBIOS Port Should Not Be Open misconfiguration in GCP using GCP CLI.
To remediate the NetBIOS Port Should Not Be Open misconfiguration in GCP using Python, you can follow these steps:
- Use the
google-cloud-securitycenterlibrary to retrieve the list of assets that have open NetBIOS ports. You can use the following code snippet to achieve this:
from google.cloud import securitycenter
client = securitycenter.SecurityCenterClient()
# The organization ID to retrieve findings for
org_id = 'YOUR_ORGANIZATION_ID'
# The filter expression to find assets with open NetBIOS ports
filter_exp = (
"security_marks.marks.netbios_open : true AND "
f"resource_properties.project_id = {org_id}"
)
# Call the API to retrieve the findings
findings = client.list_findings(
request={
"parent": f"organizations/{org_id}",
"filter": filter_exp,
}
)
- For each asset with an open NetBIOS port, use the
google-cloud-computelibrary to update the firewall rule and close the port. You can use the following code snippet to achieve this:
from google.cloud import compute_v1
client = compute_v1.FirewallsClient()
# The name of the firewall rule to update
firewall_name = 'YOUR_FIREWALL_RULE_NAME'
# The name of the network to update the firewall rule for
network_name = 'YOUR_NETWORK_NAME'
# The name of the project that contains the network and firewall rule
project_name = 'YOUR_PROJECT_NAME'
# The IP range to close the NetBIOS port for
ip_range = '0.0.0.0/0'
# Call the API to update the firewall rule
firewall = client.get(f'projects/{project_name}/global/firewalls/{firewall_name}')
updated_firewall = compute_v1.Firewall(
allowed=[rule for rule in firewall.allowed if rule.IPProtocol != 'udp' or rule.ports != ['137']],
target_tags=firewall.target_tags,
source_ranges=[range for range in firewall.source_ranges if range != ip_range],
network=f'projects/{project_name}/global/networks/{network_name}'
)
operation = client.update(request={
"firewall": updated_firewall,
"updateMask": "allowed,targetTags,sourceRanges,network",
"firewall": f"projects/{project_name}/global/firewalls/{firewall_name}"
})
Note that you may need to adjust the code snippets to fit your specific use case, such as changing the filter expression or updating the firewall rule with different parameters.