
Limit lateral traversal within subnets

Security · Network Security Group · Azure.NSG.LateralTraversal

Deny outbound management connections from non-management hosts.

Description

Network Security Groups (NSGs) are basic stateful firewalls that provide network isolation and security. NSGs allow or deny traffic between virtual machines (VMs) and other supported services on a virtual network, so traffic between VMs on the same or different subnets can be restricted. NSGs do this by enforcing ordered access rules for all traffic into and out of services attached to a subnet.

This micro-segmentation approach provides a control to reduce lateral movement between services.

Typically, a subset of trusted hosts such as privileged access workstations (PAWs), bastion hosts, or jump boxes will be used for management. Management protocols originating from application workload hosts should be blocked.

For example:

  • An SQL Server should not be used as a management host to manage other SQL Servers, or File Servers.
  • Configure dedicated management hosts to manage other hosts.

This helps improve security in two ways:

  1. Reduces the attack surface that can be used in lateral traversal attacks.
  2. Limits the likelihood that privileged credentials will be exposed for outbound management.

Recommendation

Consider configuring NSG rules to block common outbound management traffic from non-management hosts.

Notes

Specifically, this rule checks whether outbound traffic to either port 3389 (RDP) or port 22 (SSH) has been blocked.
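As an added illustration (not PSRule's own implementation), the following Python evaluates an NSG resource definition the way the note describes, honouring Azure's priority ordering so that an Allow rule with a lower priority number shadows a later Deny; it assumes address prefixes can be ignored and that the `_rule` helper and sample NSGs are constructed for the example.

```python
from typing import Optional

MANAGEMENT_PORTS = (3389, 22)  # RDP, SSH: the ports this rule looks at

def _port_in_spec(port: int, spec: str) -> bool:
    """Match a port against an NSG port spec: '*', '22' or '1000-4000'."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port

def _dest_ports(props: dict) -> list:
    """A rule carries either destinationPortRange or destinationPortRanges."""
    return props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]

def first_matching_outbound_rule(nsg: dict, port: int) -> Optional[dict]:
    """Return the outbound rule with the lowest priority number that covers TCP
    `port` (Azure evaluates rules in ascending priority; the first match wins).
    Assumption: source/destination address prefixes are ignored here."""
    matches = []
    for rule in nsg["properties"].get("securityRules", []):
        p = rule["properties"]
        if p.get("direction") != "Outbound" or p.get("protocol", "*") not in ("*", "Tcp"):
            continue
        if any(_port_in_spec(port, s) for s in _dest_ports(p)):
            matches.append(p)
    return min(matches, key=lambda p: p["priority"], default=None)

def blocks_outbound_management(nsg: dict) -> bool:
    """True when outbound RDP or SSH hits a Deny rule first. With no matching
    custom rule, Azure's default AllowVnetOutBound/AllowInternetOutBound rules
    apply, so the port counts as open."""
    for port in MANAGEMENT_PORTS:
        rule = first_matching_outbound_rule(nsg, port)
        if rule is not None and rule["access"] == "Deny":
            return True
    return False

def _rule(name: str, priority: int, access: str, ports: list, protocol: str = "*") -> dict:
    # Helper for the constructed samples: a minimal securityRules entry.
    return {"name": name, "properties": {"priority": priority, "access": access,
            "protocol": protocol, "direction": "Outbound", "destinationPortRanges": ports}}

# Constructed samples: the page's deny rule on its own passes ...
PASSING_NSG = {"properties": {"securityRules": [
    _rule("deny-hop-outbound", 200, "Deny", ["3389", "22"])]}}
# ... but an Allow with a lower priority number shadows it for every port and fails.
SHADOWED_NSG = {"properties": {"securityRules": [
    _rule("deny-hop-outbound", 200, "Deny", ["3389", "22"]),
    _rule("allow-all-tcp", 100, "Allow", ["1-65535"], "Tcp")]}}
```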

Examples

Configure with Azure template

To deploy NSGs that pass this rule:

  • Add an outbound security rule that denies TCP port 3389 and/or 22.

For example:

{
    "type": "Microsoft.Network/networkSecurityGroups",
    "name": "[parameters('nsgName')]",
    "apiVersion": "2019-04-01",
    "location": "[resourceGroup().location]",
    "properties": {
        "securityRules": [
            {
                "name": "deny-hop-outbound",
                "properties": {
                    "protocol": "*",
                    "sourcePortRange": "*",
                    "destinationPortRanges": [
                        "3389",
                        "22"
                    ],
                    "access": "Deny",
                    "priority": 200,
                    "direction": "Outbound",
                    "sourceAddressPrefix": "VirtualNetwork",
                    "destinationAddressPrefix": "*"
                }
            }
        ]
    }
}

Configure with Bicep

To deploy NSGs that pass this rule:

  • Add an outbound security rule that denies TCP port 3389 and/or 22.

For example:

resource nsg 'Microsoft.Network/networkSecurityGroups@2021-02-01' = {
  name: 'nsg-001'
  properties: {
    securityRules: [
      {
        name: 'deny-hop-outbound'
        properties: {
          priority: 200
          access: 'Deny'
          protocol: 'Tcp'
          direction: 'Outbound'
          sourceAddressPrefix: 'VirtualNetwork'
          destinationAddressPrefix: '*'
          destinationPortRanges: [
            '3389'
            '22'
          ]
        }
      }
    ]
  }
}

Last update: 2021-09-24