Network Security Group
This guidance presents resiliency recommendations for Network Security Groups (NSGs) and their associated resources and settings.
Summary of Recommendations
Recommendation | Category | Impact | State | ARG Query Available |
---|---|---|---|---|
NSG-1 - Configure Diagnostic Settings for all network security groups | Monitoring | Medium | Preview | No |
NSG-2 - Monitor changes in Network Security Groups with Azure Monitor | Monitoring | Low | Preview | Yes |
NSG-3 - Configure locks for Network Security Groups to avoid accidental changes and/or deletion | Governance | Low | Preview | No |
NSG-4 - Configure NSG Flow Logs | Monitoring | Medium | Preview | Yes |
NSG-5 - The NSG only has Default Security Rules, make sure to configure the necessary rules | Access & Security | Medium | Preview | Yes |
Recommendations Details
NSG-1 - Configure Diagnostic Settings for all network security groups
Category: Monitoring
Impact: Medium
Guidance
Resource Logs are not collected or stored until you create a diagnostic setting on the NSG and route them to one or more destinations (a Log Analytics workspace, a storage account, or an Event Hub). For an NSG the available categories are NetworkSecurityGroupEvent (which rules were applied to traffic) and NetworkSecurityGroupRuleCounter (how many times each rule was matched); enable both so that rule changes can be correlated with their effect on traffic.
Resources
Resource Graph Query
// under-development
NSG-2 - Monitor changes in Network Security Groups with Azure Monitor
Category: Monitoring
Impact: Low
Guidance
Use Azure Monitor to create activity log alerts for administrative operations on Network Security Groups, such as Create or Update Network Security Group (Microsoft.Network/networkSecurityGroups/write), so that unauthorized or unintended changes to production resources are detected. Such an alert helps surface changes to the configured security posture, for example attempts to bypass filtering rules or to expose resources externally. Note that the query below only matches alerts whose scope is the NSG resource itself; an alert scoped at the subscription or resource group level also covers the NSGs beneath it but is not counted by this query.
Resources
Resource Graph Query
// Azure Resource Graph Query
// Find all Network Security Groups without alerts for modification configured.
resources
| where type =~ "Microsoft.Network/networkSecurityGroups"
| project name, id, tags, lowerCaseNsgId = tolower(id)
| join kind = leftouter (
resources
| where type =~ "Microsoft.Insights/activityLogAlerts" and properties.enabled == true
| mv-expand scope = properties.scopes
| where scope has "Microsoft.Network/networkSecurityGroups"
| project alertName = name, conditionJson = dynamic_to_json(properties.condition.allOf), scope
| where conditionJson has '"Administrative"' and (
// Create or Update Network Security Group
(conditionJson has '"Microsoft.Network/networkSecurityGroups/write"') or
// All administrative operations
(conditionJson !has '"Microsoft.Network/networkSecurityGroups/write"' and conditionJson !has '"Microsoft.Network/networkSecurityGroups/delete"' and conditionJson !has '"Microsoft.Network/networkSecurityGroups/join/action"')
)
| project lowerCaseNsgIdOfScope = tolower(scope)
)
on $left.lowerCaseNsgId == $right.lowerCaseNsgIdOfScope
| where isempty(lowerCaseNsgIdOfScope)
| project recommendationId = "nsg-2", name, id, tags, param1 = "ModificationAlert: Not configured/Disabled"
NSG-3 - Configure locks for Network Security Groups to avoid accidental changes and/or deletion
Category: Governance
Impact: Low
Guidance
As an administrator, you can lock an Azure subscription, resource group, or resource to protect it from accidental deletion or modification. A lock applies regardless of the user's permissions. You can set locks that prevent either deletion or modification; in the portal these are called Delete and Read-only (CanNotDelete and ReadOnly in the API). A Read-only lock on an NSG also blocks adding or changing its security rules, so a Delete lock is usually the right choice for NSGs that are still actively managed.
Resources
Resource Graph Query
// under-development
NSG-4 - Configure NSG Flow Logs
Category: Monitoring
Impact: Medium
Guidance
It’s vital to monitor, manage, and know your own network so that you can protect and optimize it. You need to know the current state of the network, who’s connecting, and where users are connecting from. You also need to know which ports are open to the internet, what network behavior is expected, what network behavior is irregular, and when sudden rises in traffic happen.
Flow logs are the source of truth for all network activity in your cloud environment. Whether you are a startup trying to optimize resources or a large enterprise trying to detect intrusion, flow logs can help. You can use them to optimize network flows, monitor throughput, verify compliance, detect intrusions, and more. Note that Microsoft has announced the retirement of NSG flow logs in favor of virtual network flow logs, so check the current Network Watcher documentation before creating new NSG flow logs.
Resources
Resource Graph Query
// Azure Resource Graph Query
// Find all Network Security Groups without NSG Flow logs configured or disabled.
resources
| where type =~ "Microsoft.Network/networkSecurityGroups"
| project name, id, tags, lowerCaseNsgId = tolower(id)
| join kind = leftouter (
resources
| where type =~ "microsoft.network/networkwatchers/flowlogs" and properties.enabled == true
| project flowLogName = name, lowerCaseTargetNsgId = tolower(properties.targetResourceId)
)
on $left.lowerCaseNsgId == $right.lowerCaseTargetNsgId
| where isempty(lowerCaseTargetNsgId)
| project recommendationId = "nsg-4", name, id, tags, param1 = "NSGFlowLog: Not configured/Disabled"
NSG-5 - The NSG only has Default Security Rules, make sure to configure the necessary rules
Category: Access & Security
Impact: Medium
Guidance
You can use an Azure network security group to filter network traffic between Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
Resources
Resource Graph Query
// Azure Resource Graph Query
// Find all NSGs that have no custom security rules, i.e. properties.securityRules is empty or absent.
// The built-in default rules live in properties.defaultSecurityRules and are deliberately not counted.
resources
| where type =~ "microsoft.network/networksecuritygroups"
| where isnull(properties.securityRules) or array_length(properties.securityRules) == 0
| project recommendationId = "nsg-5", name, id
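The Resource Graph queries on this page run the NSG-2, NSG-4 and NSG-5 checks in KQL against live Azure data. The following Python is an added example, not part of the original page or of the APRL project, that re-implements the same three checks offline over exported ARM resource JSON (the `id`/`name`/`properties` shape that `az resource list -o json` returns), so they can run in CI or against a snapshot. The subscription id, resource names, rules and alerts are constructed sample data with hypothetical names. The NSG-2 check also goes one step beyond the query above: an activity log alert scoped at the subscription or resource group level covers every NSG beneath it, so the check matches scope prefixes instead of only alerts scoped to the NSG resource itself.

```python
"""Offline versions of the NSG-2, NSG-4 and NSG-5 checks over ARM resource JSON.

Added example for this page, not APRL code and not one of its Resource Graph
queries. Input is the ARM resource shape (id, name, properties) that
`az resource list -o json` returns; every resource below is constructed sample
data with hypothetical names and a zeroed subscription id.
"""
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
NSG_TYPE = "Microsoft.Network/networkSecurityGroups"
WRITE_OP = "Microsoft.Network/networkSecurityGroups/write"


def _nsg_id(rg: str, name: str) -> str:
    return f"{SUB}/resourceGroups/{rg}/providers/{NSG_TYPE}/{name}"


def _admin_alert(name: str, scope: str, enabled: bool, op: str = "") -> dict:
    """Constructed activity log alert; an empty op means every administrative operation."""
    clauses = [{"field": "category", "equals": "Administrative"}]
    if op:
        clauses.append({"field": "operationName", "equals": op})
    return {"name": name, "properties": {"enabled": enabled, "scopes": [scope],
                                         "condition": {"allOf": clauses}}}


# Constructed NSGs: one with a custom rule, one with an empty rule list, one
# with no securityRules key at all (the last two are "default rules only").
NSGS = [
    {"name": "nsg-web", "id": _nsg_id("rg-prod", "nsg-web"), "properties": {
        "securityRules": [{"name": "allow-https-in", "properties": {
            "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
            "sourceAddressPrefix": "Internet", "destinationPortRange": "443"}}]}},
    {"name": "nsg-empty", "id": _nsg_id("rg-prod", "nsg-empty"),
     "properties": {"securityRules": []}},
    {"name": "nsg-null", "id": _nsg_id("rg-dev", "nsg-null"), "properties": {}},
]

# Constructed flow logs: the first targets nsg-web through a differently cased
# id (ARM ids compare case-insensitively); the second exists but is disabled.
FLOW_LOGS = [
    {"name": "fl-web", "properties": {
        "enabled": True, "targetResourceId": _nsg_id("rg-prod", "nsg-web").upper()}},
    {"name": "fl-empty", "properties": {
        "enabled": False, "targetResourceId": _nsg_id("rg-prod", "nsg-empty")}},
]

# Constructed alerts. A scope may be a subscription, a resource group or one
# resource; an alert covers every resource beneath its scope.
ALERTS = [
    _admin_alert("rg-prod-nsg-write", f"{SUB}/resourceGroups/rg-prod", True, WRITE_OP),
    _admin_alert("nsg-null-delete-only", _nsg_id("rg-dev", "nsg-null"), True,
                 "Microsoft.Network/networkSecurityGroups/delete"),
    _admin_alert("sub-all-admin-disabled", SUB, False),
]


def _in_scope(scope: str, resource_id: str) -> bool:
    """True when resource_id equals scope or sits beneath it, ignoring case."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def _leaves(node):
    """Flatten an alert condition tree (allOf / anyOf nesting) into leaf clauses."""
    if isinstance(node, list):
        for child in node:
            yield from _leaves(child)
    elif isinstance(node, dict):
        if "field" in node:
            yield node
        yield from _leaves(node.get("allOf", []) + node.get("anyOf", []))


def alert_covers_nsg_writes(alert: dict, nsg_id: str) -> bool:
    """NSG-2: enabled, in scope, category Administrative, and either the NSG write
    operation or no operationName clause at all (every administrative operation)."""
    p = alert.get("properties", {})
    if not p.get("enabled") or not any(_in_scope(s, nsg_id) for s in p.get("scopes", [])):
        return False
    leaves = list(_leaves(p.get("condition", {})))

    def vals(field: str) -> set:
        return {str(c.get("equals", "")).lower() for c in leaves
                if str(c.get("field", "")).lower() == field}
    ops = vals("operationname")
    return "administrative" in vals("category") and (not ops or WRITE_OP.lower() in ops)


def nsgs_without_change_alert(nsgs: list, alerts: list) -> list:
    return [n["name"] for n in nsgs
            if not any(alert_covers_nsg_writes(a, n["id"]) for a in alerts)]


def nsgs_without_flow_logs(nsgs: list, flow_logs: list) -> list:
    """NSG-4: only enabled flow logs count; ids are compared case-insensitively."""
    logged = {f["properties"]["targetResourceId"].lower()
              for f in flow_logs if f.get("properties", {}).get("enabled")}
    return [n["name"] for n in nsgs if n["id"].lower() not in logged]


def nsgs_with_default_rules_only(nsgs: list) -> list:
    """NSG-5: securityRules holds custom rules; defaultSecurityRules is separate."""
    return [n["name"] for n in nsgs if not n.get("properties", {}).get("securityRules")]
```

On the constructed data, `nsgs_without_change_alert` reports only `nsg-null` (its only alert is delete-only and the subscription-wide alert is disabled), while `nsgs_without_flow_logs` and `nsgs_with_default_rules_only` both report `nsg-empty` and `nsg-null`. To use it against a real environment, replace the three constants with the parsed output of `az resource list -o json` filtered by resource type.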