Azure-NetworkSecurityGroups-Default-Security-Group

Severity: Critical

Description: This control ensures that the default network security group's access rule for Storage accounts is set to deny. The default security group is often used for resources launched without a defined security group.

Remediation Steps:

Perform the following to remove all non-required guest users:

  1. Log in to the Azure Portal at https://portal.azure.com.

  2. Navigate to the Network security groups service.

  3. For each account/resource group, select the security group.

  4. Add a default rule in the group to deny all access.

Important:

  • Since the deny rule will drop all unmatched traffic, make sure to add specific network rules that allow traffic from all required resources. Otherwise, adding a deny rule may disrupt the service.
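
The check below is an added example, not part of the original control or any vendor tooling. It audits an NSG's custom rules for a catch-all deny rule and lists the allow rules that would never match because they sit after it. The sample NSG, the rule names and the choice of the inbound direction are assumptions; the field names follow the JSON printed by `az network nsg show`.

```python
import json

# Constructed sample, trimmed to the fields used here, in the shape that
# `az network nsg show` prints for an NSG's custom rules.
SAMPLE_NSG = json.loads("""
{"name": "example-nsg", "securityRules": [
  {"name": "AllowHttpsFromApp", "priority": 200, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24", "sourcePortRange": "*",
   "destinationAddressPrefix": "*", "destinationPortRange": "443"},
  {"name": "DenyAll", "priority": 4000, "direction": "Inbound", "access": "Deny",
   "protocol": "*", "sourceAddressPrefix": "*", "sourcePortRange": "*",
   "destinationAddressPrefix": "*", "destinationPortRange": "*"},
  {"name": "AllowSshFromBastion", "priority": 4050, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "10.0.9.4", "sourcePortRange": "*",
   "destinationAddressPrefix": "*", "destinationPortRange": "22"}
]}
""")

WILDCARD_FIELDS = ("protocol", "sourceAddressPrefix", "sourcePortRange",
                   "destinationAddressPrefix", "destinationPortRange")

def is_catch_all(rule):
    """True when the rule matches every protocol, address and port."""
    return all(rule.get(field) == "*" for field in WILDCARD_FIELDS)

def audit_nsg(nsg, direction="Inbound"):
    """Report the deny-all rule for one direction and which allow rules survive it."""
    # NSG rules are evaluated in ascending priority number; the first match wins.
    rules = sorted((r for r in nsg.get("securityRules", [])
                    if r.get("direction") == direction),
                   key=lambda r: r["priority"])
    allows = [r for r in rules if r.get("access") == "Allow"]
    deny = next((r for r in rules
                 if r.get("access") == "Deny" and is_catch_all(r)), None)
    if deny is None:
        return {"compliant": False, "deny_rule": None,
                "effective_allows": [r["name"] for r in allows], "shadowed_allows": []}
    return {"compliant": True, "deny_rule": deny["name"],
            "effective_allows": [r["name"] for r in allows if r["priority"] < deny["priority"]],
            "shadowed_allows": [r["name"] for r in allows if r["priority"] > deny["priority"]]}

if __name__ == "__main__":
    print(json.dumps(audit_nsg(SAMPLE_NSG), indent=2))
```

Any name reported under `shadowed_allows` is an allow rule placed after the deny rule, which is the service-disruption case the note above describes.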


Blue Hexagon Proprietary