Risk Level: High
Cloud Entity: Virtual Machine
CloudGuard Rule ID: D9.AZU.NET.VirtualMachine.5986
Covered by Spectral: No
Category: Compute

GSL LOGIC

VirtualMachine where isPublic=true should have nics contain [networkSecurityGroup.inboundSecurityRules isPortPrivate(5986)]

REMEDIATION

From Portal:

Go to 'Virtual machines' and choose the relevant VM.
Select 'Networking' under 'Settings' in the navigation menu.
Under 'Inbound port rules' examine for overly permissive rules.
Modify the rules accordingly to prevent public access to port 5986.

Note: Network security group default rules deny all external traffic (Priority 65500) and allowing all traffic within the virtual network by default (Priority 65000).

From TF:
Please find additional information under references.

From Command Line:
Inspect virtual machine NSG rules:

az network nsg show --name NETWORK SECURITY GROUP --resource-group RESOURCE GROUP

Additional command line methods for rule update or creation can be found under the references.

References:

Virtual Machine

Azure Virtual Machines (VM) is one of several types of on-demand, scalable computing resources that Azure offers. Typically, you choose a VM when you need more control over the computing environment than the other choices offer. This article gives you information about what you should consider before you create a VM, how you create it, and how you manage it.

Compliance Frameworks

Azure CloudGuard Best Practices
Azure CloudGuard Network Security Alerts
Azure LGPD regulation
Azure Security Risk Management