iCompaas Support

Description:

HTTP and HTTPS traffic coming from the Internet should be reviewed and restricted so that only required access is allowed. Only the ports and sources needed for the application should be open, and all unnecessary Internet exposure should be blocked.

Rationale:

Allowing HTTP or HTTPS from the Internet without reviewing the need may expose the application to attacks such as scanning, brute-force attempts, or malicious access. Restricting traffic reduces the attack surface and improves the overall security posture.

Impact:

If HTTP or HTTPS access is left open to the Internet, unauthorized users may reach the application or VM. This can lead to data exposure, security breaches, performance issues, or application misuse.

Default Value:

By default, Azure Network Security Groups block inbound traffic unless explicit allow rules are created. When someone manually creates an allow rule for HTTP or HTTPS, it becomes accessible from the Internet.

Pre-requisites:

• You must have permission to view or edit Network Security Groups.

•  You must know whether the application requires HTTP or HTTPS access.

Test Plan:

1. Sign in to the Azure Portal https://portal.azure.com

2. Search for Network Security Groups.

3. Open the NSG associated with the VM or application.

4. Under Settings, select Inbound security rules.

5. Review inbound rules for:

   • Port 80 (HTTP)

   • Port 443 (HTTPS)

6. Check the Source field for these rules.

7. If any HTTP or HTTPS rule allows traffic from Any / 0.0.0.0/0, follow the implementation steps.

Implementation Steps:

1. Sign in to the Azure Portal https://portal.azure.com

2. Search for Network Security Groups.

3. Select the Network Security Group associated with the virtual machine or application.

4. Under Settings, click Inbound security rules.

   1. 
      

5. Review existing inbound rules that allow:

   1. TCP port 80 (HTTP)

   2. TCP port 443 (HTTPS)

6. Identify any rule where the Source is set to Any or 0.0.0.0/0.

7. Delete the rule or edit it to restrict access:

   1. Change Source to specific trusted IP addresses or networks

   2. Keep Protocol as TCP

   3. Keep the Destination port as 80 or 443 only if required

8. Save the changes.

Backout Plan:

1. Sign in to the Azure Portal https://portal.azure.com

2. Search for Network Security Groups.

3. Open the Network Security Group where HTTP or HTTPS rules were modified.

4. Under Settings, select Inbound security rules.

5. Restore the previous HTTP or HTTPS rule if public access is required:

   • Set Source to Any or 0.0.0.0/0

   • Set Protocol to TCP

   • Set Destination port to 80 or 443

   • Set Action to Allow

   • Use the original priority and rule name if known

6. Save the rule.

References:

• https://learn.microsoft.com/azure/virtual-network/network-security-groups-overview

• https://learn.microsoft.com/azure/virtual-network/manage-network-security-group

• https://learn.microsoft.com/azure/security/fundamentals/network-best-practices

• https://learn.microsoft.com/azure/virtual-network/network-interface-effective-security-rules

• https://learn.microsoft.com/azure/virtual-network/virtual-network-service-tags-overview