Azure-NetworkSecurityGroups-Default-Security-Group
Severity : Critical
Description: This control ensures that the default network security group's access rule for Storage accounts is set to deny. The default security group is often used for resources launched without a defined security group.
Remediation Steps:
Perform the following to remove all non-required guest users:
Log in to the Azure Portal at https://portal.azure.com.
Navigate to the Network Security groups service.
For each account/resource group, select the security group.
Add a default rule in the group to deny all access.
Important:
Since the deny rule will drop all unmatched traffic, make sure to add specific network rules to allow traffic from all required resources. Otherwise, adding a deny rule may disrupt the service.
Reference:
Azure Foundations Benchmark v1.3.0 - 02-01-2021 : Recommendation #3.6
Blue Hexagon Proprietary