Virtual machine administrative OMI/OMS service port (5986) is publicly accessible
Port 5986 is the HTTPS listener used for WinRM and the OMI/OMS management agent; exposing it to the internet gives anyone an administrative management channel to the instance. Administrative access to instances is an attack vector that should be restricted to prevent common exploits.
Risk Level: High
Cloud Entity: Virtual Machine
CloudGuard Rule ID: D9.AZU.NET.VirtualMachine.5986
Covered by Spectral: No
Category: Compute
GSL LOGIC
VirtualMachine where isPublic=true should have nics contain [networkSecurityGroup.inboundSecurityRules isPortPrivate(5986)]
REMEDIATION
From Portal:
- Go to 'Virtual machines' and choose the relevant VM.
- Select 'Networking' under 'Settings' in the navigation menu.
- Under 'Inbound port rules' examine for overly permissive rules.
- Modify the rules accordingly to prevent public access to port 5986.
Note: Network security group default rules deny all inbound traffic from outside the virtual network (priority 65500) and allow all traffic within the virtual network (priority 65000); a custom rule with a lower priority number that allows port 5986 from 'Internet' or '*' overrides that default deny.
From TF:
Please find additional information under references.
From Command Line:
Inspect virtual machine NSG rules:
az network nsg show --name <NSG_NAME> --resource-group <RESOURCE_GROUP> --output json
Additional command line methods for rule update or creation can be found under the references.
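The following is an added example, not CloudGuard's own implementation of the GSL `isPortPrivate(5986)` check and not part of this page. It takes the JSON produced by `az network nsg show` (here a constructed sample embedded inline, so it runs offline), evaluates inbound rules the way Azure does (ascending priority, custom rules before default rules, first match wins) and reports whether TCP 5986 is reachable from the internet and which custom Allow rules cause it. The `remediate` helper mirrors the portal/CLI fix by inserting an explicit Deny ahead of the offending Allow; the rule name and priority 300 it uses are assumptions.

```python
"""Check an Azure NSG (az network nsg show output) for public exposure of TCP 5986.

Added example; approximates the intent of the CloudGuard rule, not its code.
Azure semantics used: inbound rules are evaluated by ascending priority,
custom securityRules before defaultSecurityRules, and the first matching
rule decides Allow/Deny.
"""
import copy
import json

# Source prefixes that mean "anyone on the internet" for an inbound rule
PUBLIC_SOURCES = {"*", "0.0.0.0/0", "0.0.0.0", "internet", "any"}


def _values(rule, single_key, plural_key):
    """Azure exposes both singular and plural properties; merge them."""
    vals = list(rule.get(plural_key) or [])
    if rule.get(single_key):
        vals.append(rule[single_key])
    return vals


def port_in_range(port, spec):
    """True if `spec` ("*", "5986" or "5000-6000") covers `port`."""
    spec = str(spec).strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def rule_applies(rule, port):
    """True if the rule matches inbound TCP traffic from the internet to `port`."""
    if rule.get("direction", "").lower() != "inbound":
        return False
    if rule.get("protocol", "*").lower() not in ("*", "tcp"):
        return False
    ports = _values(rule, "destinationPortRange", "destinationPortRanges")
    if not any(port_in_range(port, p) for p in ports):
        return False
    sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    return any(s.lower() in PUBLIC_SOURCES for s in sources)


def _ordered_rules(nsg):
    custom = sorted(nsg.get("securityRules", []), key=lambda r: r["priority"])
    default = sorted(nsg.get("defaultSecurityRules", []), key=lambda r: r["priority"])
    return custom + default


def is_port_private(nsg, port):
    """Equivalent of the GSL isPortPrivate(port): no internet-reachable Allow wins."""
    for rule in _ordered_rules(nsg):
        if rule_applies(rule, port):
            return rule["access"].lower() == "deny"
    return True  # no rule matched; Azure's DenyAllInBound would apply


def offending_rules(nsg, port):
    """Names of custom Allow rules that expose `port` before any Deny is reached."""
    found = []
    for rule in sorted(nsg.get("securityRules", []), key=lambda r: r["priority"]):
        if not rule_applies(rule, port):
            continue
        if rule["access"].lower() == "deny":
            break
        found.append(rule["name"])
    return found


def remediate(nsg, port, priority=300):
    """Return a copy with an explicit internet Deny for `port` ahead of the Allow.
    Equivalent CLI (not executed here):
      az network nsg rule create --nsg-name <NSG_NAME> -g <RESOURCE_GROUP> \
        -n deny-5986-internet --priority 300 --direction Inbound --access Deny \
        --protocol Tcp --source-address-prefixes Internet --destination-port-ranges 5986
    Narrowing the Allow rule's source to a management CIDR is the other valid fix.
    """
    fixed = copy.deepcopy(nsg)
    fixed.setdefault("securityRules", []).append({
        "name": f"deny-{port}-internet", "priority": priority, "direction": "Inbound",
        "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
        "destinationPortRange": str(port)})
    return fixed


# Constructed sample in the shape of `az network nsg show --output json`
SAMPLE_NSG = json.loads("""
{
  "name": "vm-nsg",
  "securityRules": [
    {"name": "allow-winrm-https", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "5985-5986"},
    {"name": "allow-ssh-office", "priority": 320, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"}
  ],
  "defaultSecurityRules": [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
  ]
}
""")

if __name__ == "__main__":
    print("5986 private:", is_port_private(SAMPLE_NSG, 5986), offending_rules(SAMPLE_NSG, 5986))
    print("after fix:", is_port_private(remediate(SAMPLE_NSG, 5986), 5986))
```

Feed it real output with `az network nsg show ... --output json > nsg.json` and `json.load(open("nsg.json"))`; note that the check treats only internet-wide sources as public, so rules scoped to 'VirtualNetwork' or a specific CIDR do not trigger a finding, matching the rule's intent of blocking public rather than all access to 5986.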
References:
- https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule
- https://docs.microsoft.com/en-us/cli/azure/network/nsg/rule?view=azure-cli-latest
Virtual Machine
Azure Virtual Machines (VM) is one of several types of on-demand, scalable computing resources that Azure offers. Typically, you choose a VM when you need more control over the computing environment than the other choices offer. This article gives you information about what you should consider before you create a VM, how you create it, and how you manage it.
Compliance Frameworks
- Azure CloudGuard Best Practices
- Azure CloudGuard Network Security Alerts
- Azure LGPD regulation
- Azure Security Risk Management