Framework/Configurations/SVT/Services/VirtualNetwork.json
{
"FeatureName": "VirtualNetwork", "Reference": "aka.ms/azsktcp/virtualnetwork", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "Azure_VNet_NetSec_Justify_PublicIPs", "Description": "Minimize the number of Public IPs (i.e. NICs with PublicIP) on a virtual network", "Id": "VirtualNetwork110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPublicIps", "Rationale": "Public IPs provide direct access over the internet exposing the resource(s) to all type of attacks over the public network.", "Recommendation": "Unutilized Public IP address must be removed from virtual network. For more information visit: https://docs.microsoft.com/en-us/powershell/module/az.network/remove-azpublicipaddress", "Tags": [ "SDL", "TCP", "Automated", "NetSec" ], "Enabled": true, "DataObjectProperties": [ "NICName", "VMName", "PrimaryStatus", "NetworkSecurityGroupName", "PublicIpAddress", "PrivateIpAddress" ] }, { "ControlID": "Azure_VNet_NetSec_Justify_IPForwarding_for_NICs", "Description": "Use of IP Forwarding on any NIC in a virtual network should be scrutinized", "Id": "VirtualNetwork120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckIPForwardingforNICs", "Rationale": "Enabling IP Forwarding on a VM NIC allows the VM to receive traffic addressed to other destinations. IP forwarding is required only in rare scenarios (e.g., using the VM as a network virtual appliance) and those should be reviewed with the network security team.", "Recommendation": "Disable IP Forwarding unless it has been reviewed and approved by network security team. Go to Azure Portal --> Navigate to VM NIC (where IP Forwarding is enabled) --> IP Configurations --> IP Forwarding settings --> Click on 'Disabled'.", "Tags": [ "SDL", "Best Practice", "Automated", "NetSec" ], "Enabled": true, "DataObjectProperties": [ "NICName", "EnableIPForwarding" ] }, { "ControlID": "Azure_VNet_NetSec_Dont_Use_NSGs_on_GatewaySubnet", "Description": "There must not be any NSGs on the gateway subnet of a virtual network", "Id": "VirtualNetwork130", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckNSGUseonGatewaySubnet", "Rationale": "Applying NSG to the gateway subnet is not recommended since it may disrupt broader network connectivity for the vNet.", "Recommendation": "If there is an NSG on the gateway subnet, remove it. Refer: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-nsg-arm-ps#delete-an-nsg", "Tags": [ "SDL", "TCP", "Automated", "NetSec" ], "Enabled": false, "DataObjectProperties": [ "Name", "NetworkSecurityGroup" ] }, { "ControlID": "Azure_VNet_NetSec_Configure_NSG", "Description": "NSG should be used for subnets in a virtual network to permit traffic only on required inbound/outbound ports. NSGs should not have a rule to allow any-to-any traffic", "Id": "VirtualNetwork140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckNSGConfigured", "Rationale": "Restricting inbound and outbound traffic via NSGs limits the network exposure of the subnets within a virtual network and limits the attack surface.", "Recommendation": "Configure NSG rules to be as restrictive as possible via: (a) Azure Portal -> Network security groups -> <Your NSG> -> Inbound security rules -> Edit 'Allow' action rules. (b) Azure Portal -> Network security groups. -> <Your NSG> -> Outbound security rules -> Edit 'Allow' action rules.", "Tags": [ "SDL", "Best Practice", "Automated", "NetSec" ], "Enabled": true, "DataObjectProperties": [ "Name", "Properties" ] }, { "ControlID": "Azure_VNet_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "VirtualNetwork150", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Remove any excessive privileges granted on the Virtual Network. Run command: Remove-AzRoleAssignment -SignInName '<SignInName>' -Scope '<Scope>' RoleDefinitionName '<RoleDefinitionName>'. Run 'Get-Help Remove-AzRoleAssignment -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_VNet_NetSec_Justify_Gateways", "Description": "Presence of any virtual network gateways (GatewayType = VPN/ExpressRoute) in the virtual network must be justified", "Id": "VirtualNetwork160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckGatewayUsed", "Rationale": "Virtual network gateways enable network traffic between a virtual network and other networks. All such connectivity must be carefully scrutinized to ensure that corporate data is not subject to exposure on untrusted networks.", "Recommendation": "You can remove virtual network gateways using the Remove-AzVirtualNetworkGateway command (unless their presence has been approved by network security team). Run 'Get-Help Remove-AzVirtualNetworkGateway -full' for more help.", "Tags": [ "SDL", "Best Practice", "Automated", "NetSec" ], "Enabled": true }, { "ControlID": "Azure_VNet_NetSec_Justify_Peering", "Description": "Use of any virtual network peerings should be justified", "Id": "VirtualNetwork170", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckVnetPeering", "Rationale": "Resources in the peered virtual networks can communicate with each other directly. If the two peered networks are on different sides of a security boundary (e.g., corpnet v. private vNet), this can lead to exposure of corporate data. Hence any VNet peerings should be closely scrutinized and approved by the network security team", "Recommendation": "You can remove any virtual network peerings using the Remove-AzVirtualNetworkPeering command (unless their presence has been approved by network security team). Run 'Get-Help Remove-AzVirtualNetworkPeering -full' for more help.", "Tags": [ "SDL", "Best Practice", "Automated", "NetSec" ], "Enabled": true } ] } |