Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix: Updated Deny-MgmtPorts-From-Internet.json to recognize 0.0.0.0/0 as being equivalent to * to represent all remote IP addresses #1768

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
+87 −39
Open

Fix: Updated Deny-MgmtPorts-From-Internet.json to recognize 0.0.0.0/0 as being equivalent to * to represent all remote IP addresses #1768

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
2b69406
fix: add 0.0.0.0/0 to Deny-MgmtPorts-From-Internet
Sep 12, 2024
ea5c274
fix: updated test to include 0.0.0.0
Sep 16, 2024
c1e3a42
updated whats new + version
Sep 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions docs/wiki/Whats-new.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,8 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
- [Guidance](https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz/UpdateToNewReleases/Update_from_release_2024-06-05/) for updating and implementing these changes in existing environments is available on the AMBA website.
- Updated the Azure Monitoring Baseline Alerts (AMBA) integration section in the portal accelerator to include new features exposed by the AMBA solution. To read more on the changes https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz/Whats-New/

#### Policy
- Updated Deny-MgmtPorts-From-Internet.json to recognize 0.0.0.0/0 as being equivalent to * to represent all remote IP addresses.

### August 2024

Expand Down
22 changes: 21 additions & 1 deletion src/resources/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
"displayName": "Management port access from the Internet should be blocked",
"description": "This policy denies any network security rule that allows management port access from the Internet, by default blocking SSH/RDP ports.",
"metadata": {
"version": "2.1.1",
"version": "3.0.0",
"category": "Network",
"source": "https://github.com/Azure/Enterprise-Scale/",
"replacesPolicy": "Deny-RDP-From-Internet",
Expand Down Expand Up @@ -125,6 +125,10 @@
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
"equals": "Internet"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
"equals": "0.0.0.0/0"
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
Expand All @@ -136,6 +140,12 @@
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
"notEquals": "Internet"
}
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
"notEquals": "0.0.0.0/0"
}
}
]
}
Expand Down Expand Up @@ -224,6 +234,10 @@
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
"equals": "Internet"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
"equals": "0.0.0.0/0"
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]",
Expand All @@ -235,6 +249,12 @@
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]",
"notEquals": "Internet"
}
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]",
"notEquals": "0.0.0.0/0"
}
}
]
}
Expand Down
102 changes: 64 additions & 38 deletions tests/policy/Deny-MgmtPorts-From-Internet.Tests.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,33 @@ Describe "Testing policy 'Deny-MgmtPorts-From-Internet'" -Tag "deny-mgmtports-fr

# Create or update NSG is actually the same PUT request, hence testing create covers update as well.
Context "Test open ports NSG is created or updated" -Tag "deny-mgmtports-from-internet-nsg-port" {

It "Should deny non-compliant port '3389' with 0.0.0.0/0 as the source ip" -Tag "deny-noncompliant-nsg-port" {
AzTest -ResourceGroup {
param($ResourceGroup)

$networkSecurityGroup = New-AzNetworkSecurityGroup `
-Name "nsg-test" `
-ResourceGroupName $$res.ResourceGroupName `
-Location $ResourceGroup.Location

# Should be disallowed by policy, so exception should be thrown.
{
$networkSecurityGroup | Add-AzNetworkSecurityRuleConfig `
-Name RDP-rule `
-Description "Allow RDP" `
-Access Allow `
-Protocol Tcp `
-Direction Inbound `
-Priority 200 `
-SourceAddressPrefix '0.0.0.0/0' ` # Incompliant.
-SourcePortRange `
-DestinationAddressPrefix `
-DestinationPortRange 3389 # Incompliant.
| Set-AzNetworkSecurityGroup
} | Should -Throw "disallowed by policy"
}
}

It "Should deny non-compliant port '3389'" -Tag "deny-noncompliant-nsg-port" {
AzTest -ResourceGroup {
param($ResourceGroup)
Expand All @@ -55,12 +81,12 @@ Describe "Testing policy 'Deny-MgmtPorts-From-Internet'" -Tag "deny-mgmtports-fr
-Protocol Tcp `
-Direction Inbound `
-Priority 200 `
-SourceAddressPrefix * `
-SourcePortRange * `
-DestinationAddressPrefix * `
-SourceAddressPrefix `
-SourcePortRange `
-DestinationAddressPrefix `
-DestinationPortRange 3389 # Incompliant.
| Set-AzNetworkSecurityGroup
} | Should -Throw "*disallowed by policy*"
} | Should -Throw "disallowed by policy"
}
}

Expand All @@ -80,12 +106,12 @@ Describe "Testing policy 'Deny-MgmtPorts-From-Internet'" -Tag "deny-mgmtports-fr
-Protocol Tcp `
-Direction Inbound `
-Priority 200 `
-SourceAddressPrefix * `
-SourcePortRange * `
-DestinationAddressPrefix * `
-SourceAddressPrefix `
-SourcePortRange `
-DestinationAddressPrefix `
-DestinationPortRange 3389 # Incompliant.
| Set-AzNetworkSecurityGroup
} | Should -Throw "*disallowed by policy*"
} | Should -Throw "disallowed by policy"
}
}

Expand All @@ -107,12 +133,12 @@ Describe "Testing policy 'Deny-MgmtPorts-From-Internet'" -Tag "deny-mgmtports-fr
-Protocol Tcp `
-Direction Inbound `
-Priority 200 `
-SourceAddressPrefix * `
-SourcePortRange * `
-DestinationAddressPrefix * `
-SourceAddressPrefix `
-SourcePortRange `
-DestinationAddressPrefix `
-DestinationPortRange "21-23" # Incompliant.
| Set-AzNetworkSecurityGroup
} | Should -Throw "*disallowed by policy*"
} | Should -Throw "disallowed by policy"
}
}

Expand All @@ -134,9 +160,9 @@ Describe "Testing policy 'Deny-MgmtPorts-From-Internet'" -Tag "deny-mgmtports-fr
-Protocol Tcp `
-Direction Inbound `
-Priority 200 `
-SourceAddressPrefix * `
-SourcePortRange * `
-DestinationAddressPrefix * `
-SourceAddressPrefix `
-SourcePortRange `
-DestinationAddressPrefix `
-DestinationPortRange 443 # Compliant.
| Set-AzNetworkSecurityGroup
} | Should -Not -Throw
Expand All @@ -161,9 +187,9 @@ Describe "Testing policy 'Deny-MgmtPorts-From-Internet'" -Tag "deny-mgmtports-fr
-Protocol Tcp `
-Direction Inbound `
-Priority 300 `
-SourceAddressPrefix * `
-SourcePortRange * `
-DestinationAddressPrefix * `
-SourceAddressPrefix `
-SourcePortRange `
-DestinationAddressPrefix `
-DestinationPortRange 443
| Add-AzNetworkSecurityRuleConfig `
-Name SSH-rule `
Expand All @@ -172,16 +198,16 @@ Describe "Testing policy 'Deny-MgmtPorts-From-Internet'" -Tag "deny-mgmtports-fr
-Protocol Tcp `
-Direction Inbound `
-Priority 310 `
-SourceAddressPrefix * `
-SourcePortRange * `
-DestinationAddressPrefix * `
-SourceAddressPrefix `
-SourcePortRange `
-DestinationAddressPrefix `
-DestinationPortRange "21-23" # Incompliant.
| Set-AzNetworkSecurityGroup
} | Should -Throw "*disallowed by policy*"
} | Should -Throw "disallowed by policy"
}
}

It "Should deny non-compliant port ranges* - API" -Tag "deny-noncompliant-nsg-port" {
It "Should deny non-compliant port ranges - API" -Tag "deny-noncompliant-nsg-port" {
AzTest -ResourceGroup {
param($ResourceGroup)

Expand All @@ -194,10 +220,10 @@ Describe "Testing policy 'Deny-MgmtPorts-From-Internet'" -Tag "deny-mgmtports-fr
properties = @{
description = "Allow Web"
protocol = "Tcp"
sourcePortRange = "*"
sourcePortRange = ""
destinationPortRange = "443"
sourceAddressPrefix = "*"
destinationAddressPrefix = "*"
sourceAddressPrefix = ""
destinationAddressPrefix = ""
access = "Allow"
priority = 300
direction = "Inbound"
Expand All @@ -208,10 +234,10 @@ Describe "Testing policy 'Deny-MgmtPorts-From-Internet'" -Tag "deny-mgmtports-fr
properties = @{
description = "Allow Mgmt"
protocol = "Tcp"
sourcePortRange = "*"
sourcePortRange = ""
destinationPortRanges = $portRanges
sourceAddressPrefix = "*"
destinationAddressPrefix = "*"
sourceAddressPrefix = ""
destinationAddressPrefix = ""
access = "Allow"
priority = 310
direction = "Inbound"
Expand Down Expand Up @@ -246,11 +272,11 @@ Describe "Testing policy 'Deny-MgmtPorts-From-Internet'" -Tag "deny-mgmtports-fr
else {
throw "Operation failed with message: '$($httpResponse.Content)'"
}
} | Should -Throw "*disallowed by policy*"
} | Should -Throw "disallowed by policy"
}
}

It "Should allow compliant port ranges* - API" -Tag "allow-compliant-nsg-port" {
It "Should allow compliant port ranges - API" -Tag "allow-compliant-nsg-port" {
AzTest -ResourceGroup {
param($ResourceGroup)

Expand All @@ -264,10 +290,10 @@ Describe "Testing policy 'Deny-MgmtPorts-From-Internet'" -Tag "deny-mgmtports-fr
properties = @{
description = "Allow Web2"
protocol = "Tcp"
sourcePortRange = "*"
sourcePortRange = ""
destinationPortRange = "443"
sourceAddressPrefix = "*"
destinationAddressPrefix = "*"
sourceAddressPrefix = ""
destinationAddressPrefix = ""
access = "Allow"
priority = 300
direction = "Inbound"
Expand All @@ -278,10 +304,10 @@ Describe "Testing policy 'Deny-MgmtPorts-From-Internet'" -Tag "deny-mgmtports-fr
properties = @{
description = "Allow Mgmt3"
protocol = "Tcp"
sourcePortRange = "*"
sourcePortRange = ""
destinationPortRanges = $portRanges
sourceAddressPrefix = "*"
destinationAddressPrefix = "*"
sourceAddressPrefix = ""
destinationAddressPrefix = ""
access = "Allow"
priority = 310
direction = "Inbound"
Expand Down