Security Control: Secure Management Ports (2023)

As part of our recent Microsoft Defender for Cloud blog series, we are diving into the different controls within Defender for Cloud’s Secure Score. In this post we discuss the control “Secure management ports”. This control is worth 8 points and is made up of 3 recommendations. More information on Secure Score can be found here. From an Azure network security standpoint, this is a great starting point for improving your overall security posture. The full list of Defender for Cloud’s network recommendations is here.

The Control - Secure management ports 

Management ports are a requirement for system admins to access and control their machines. The common ones are 3389 (RDP) and 22 (SSH); WinRM on 5985/5986 belongs in the same category. While extremely useful for management, these ports are also common targets for attackers. Your goal should be to reduce exposure and limit the availability of open ports. Bottom line: management ports don’t always need to be open and accessible. They only need to be open when you need them, for example to perform management or maintenance tasks.

[Screenshot 1: the “Secure management ports” control and its three recommendations in Defender for Cloud]


The “Secure management ports” control consists of 3 different network related recommendations:

  • Internet-facing virtual machines should be protected with Network Security Groups
  • Management ports should be closed on your virtual machines
  • Management ports of virtual machines should be protected with just-in-time network access control

Like the rest of the Secure Score controls, all three recommendations must be addressed to get the full points and drive up your Secure Score (you can review all of the recommendations here). For example, if no management ports are open, you are compliant with this control and do not need to enable JIT. If you do have management ports open, you should ensure they are protected by JIT and that those VMs are attached to NSGs. Also, you will notice above that one of the recommendations has a “Quick Fix!” No excuses not to remediate that one: just click the button and you are done.

Recommendation #1 - Virtual machines should be protected with Network Security Groups

This one comes up a lot. I am a strong believer in not having any VM face the internet directly (with the exception of NVAs). I prefer to use Azure Policy to deny the deployment of a VM with a NIC that carries a public IP address. Needless to say, there are still legitimate reasons to have public-facing VMs, and that’s where this recommendation comes into play. Whether it is a dev environment or someone used a GitHub template, it happens. Those VMs are now prime targets for RDP and SSH brute-force attacks because management ports are typically left open. More on this in Recommendation #2.

Protect your VM from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain access-control lists (ACLs) and can be assigned to the VM's NIC or to its subnet. The ACL rules allow or deny network traffic to the assigned resource, evaluated in priority order (lowest number first) with the first match deciding. To learn more about controlling traffic with NSGs, see the NSG overview.

If you are looking for a more programmatic way to manage NSGs, you can use PowerShell, REST or the Azure CLI; more information on managing NSGs is here. You can always use Microsoft Defender for Cloud's Just-in-time (JIT) VM access to lock down inbound traffic to your Azure VMs on demand; we cover that in Recommendation #3.
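The check this recommendation performs, as an added Python example (not code from the blog post): it replays an Internet-sourced TCP packet against an NSG's inbound rules the way Azure does, lowest priority number first, first match wins, and reports which management ports end up reachable through an Allow rule. The rule list is constructed sample data in the shape of az network nsg rule list output; the rule names, the test source 203.0.113.10 and the corporate range 198.51.100.0/24 are made up for the example.

```python
"""Audit an NSG's inbound rules: which management ports can an Internet host reach?
Added example, not the blog post's own code."""
import ipaddress

# Ports the "Secure management ports" control cares about.
MGMT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}
# Source prefixes that admit any Internet host.
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}

# Constructed sample, shaped like `az network nsg rule list --include-default -o json`.
# The names and the 198.51.100.0/24 "corporate" range are made up.
SAMPLE_RULES = [
    {"name": "Allow-RDP", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "Allow-SSH-Corp", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "198.51.100.0/24", "destinationPortRange": "22"},
    {"name": "Deny-WinRM", "priority": 320, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["5985", "5986"]},
    {"name": "Allow-Web", "priority": 400, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
    {"name": "Allow-All-High", "priority": 410, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "5000-6000"},
    # Azure's default inbound rules, present in every NSG.
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def _port_matches(port, spec):
    """Does a destinationPortRange entry ("*", "22" or "5000-6000") cover port?"""
    spec = str(spec).strip()
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port


def _rule_ports(rule):
    return rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]


def _rule_sources(rule):
    return rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]


def _admits_source(rule, src_ip):
    """True if the rule's source covers src_ip. Service tags other than Internet
    (VirtualNetwork, AzureLoadBalancer, ...) never cover an Internet host."""
    ip = ipaddress.ip_address(src_ip)
    for prefix in _rule_sources(rule):
        if prefix in INTERNET_SOURCES:
            return True
        try:
            if ip in ipaddress.ip_network(prefix, strict=False):
                return True
        except ValueError:
            continue  # a service tag, not a CIDR
    return False


def first_matching_rule(rules, port, src_ip="203.0.113.10", protocol="Tcp"):
    """The rule that decides a packet from src_ip to port: lowest priority number wins."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"].lower() != "inbound":
            continue
        if rule["protocol"].lower() not in ("*", protocol.lower()):
            continue
        if not any(_port_matches(port, spec) for spec in _rule_ports(rule)):
            continue
        if not _admits_source(rule, src_ip):
            continue
        return rule
    return None  # no match at all: Azure's implicit deny


def exposed_management_ports(rules, ports=MGMT_PORTS):
    """Map each management port an Internet host can reach to the rule that lets it in."""
    findings = {}
    for port in ports:
        rule = first_matching_rule(rules, port)
        if rule is not None and rule["access"].lower() == "allow":
            findings[port] = rule["name"]
    return findings


if __name__ == "__main__":
    for port, rule_name in exposed_management_ports(SAMPLE_RULES).items():
        print(f"{MGMT_PORTS[port]} ({port}) is reachable from the Internet via rule {rule_name}")
```

On the sample, only RDP is exposed: the SSH rule is limited to the corporate range, and the Deny at priority 320 shadows the wide 5000-6000 Allow at 410 for WinRM. Remove that Deny and both WinRM ports show up as exposed, which is exactly the kind of shadowing mistake the portal view makes easy to miss.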


Recommendation #2 - Management ports should be closed on your virtual machines

This recommendation addresses one of the biggest default risks of the cloud: most templates and marketplace VMs ship with management ports open. Management ports are the ports you use to connect to your Azure virtual machines, i.e. Remote Desktop Protocol (RDP) and the Secure Shell (SSH) protocol. These protocols enable admins to manage VMs from remote locations. The security problem with exposing them to the internet is that attackers can use brute-force techniques to gain access to the VM. Once in, they can use your VM as a launch point for compromising other machines on your virtual network, or even attack networked devices outside of Azure.

This is such an important part of your security that we added it to the VM creation wizard. As you see below, a basic NSG allowing only RDP (this is a Windows VM; it would be SSH for a Linux VM) is selected by default, so even the default deployment leaves a management port open unless you change it.

[Screenshot 2: the VM creation wizard with the basic NSG (RDP allowed) selected by default]

We recommend that you disable direct RDP and SSH access to your Azure virtual machines from the internet or even better do not allow VMs to have NICs with Public IP addresses.

For customers desiring a more comprehensive solution to internet exposed services, a rethinking of network design may be appropriate. It is often more secure to allocate only private IP addresses for VMs rather than allowing each to have its own Public IP Address. While NSGs can be used in combination with JIT to control access to public resources, the management of inbound VM access can be centralized using other strategies such as:


  • DNAT rules on Azure Firewall – allow centralized management of inbound access to any resource on an internal VNet. For example, RDP, SSH and other custom management ports can be forwarded to resources on your private networks, and all activity is logged centrally via Azure diagnostic logs. Azure Firewall also integrates with JIT, so ports do not have to be permanently open.
  • Azure Bastion – Centralized management of RDP and SSH to private networks via a virtual bastion host. All activity is logged centrally via Azure Diagnostic Logs.

To read more about network designs, please visit the Azure Architecture Center.

This recommendation requires a moderate level of effort and has a moderate impact on users. If users or administrators have always accessed their VMs over the internet, this will require a change in how they connect. Use the following steps to manually remediate and restrict access to your virtual machines:

  1. Select a VM to restrict access to.
  2. In the 'Networking' blade, click each rule that allows a management port (e.g. RDP-3389, WinRM-5985, WinRM-5986, SSH-22).
  3. Either change the 'Action' property to 'Deny', or tighten the rule by restricting its source to the specific IP ranges your administrators connect from.
  4. Click 'Save'.
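Step 3 above as data rather than portal clicks, in an added Python example (not the post's own code): given one offending rule in az network nsg rule list shape, either narrow its source to named admin ranges or flip it to Deny, then emit the equivalent az network nsg rule update command. The rule, the resource names and the "no wider than a /24" limit on admin ranges are assumptions made for the example.

```python
"""Plan the remediation of one over-permissive NSG rule and emit the az command.
Added example, not the blog post's own code."""
import ipaddress
import shlex

CATCH_ALL_SOURCES = {"*", "Internet", "0.0.0.0/0"}
# Assumed organisation rule for this example: an admin source range must be a
# valid IP network and no wider than a /24.
MIN_ADMIN_PREFIXLEN = 24

# Constructed sample: the rule Defender flags, in `az network nsg rule list` shape.
OPEN_RDP_RULE = {"name": "RDP-3389", "priority": 300, "direction": "Inbound",
                 "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
                 "destinationPortRange": "3389"}


def validate_admin_sources(sources):
    """Normalise the admin ranges and refuse anything that is not a real restriction."""
    clean = []
    for src in sources:
        if src in CATCH_ALL_SOURCES:
            raise ValueError(f"{src!r} would leave the port open to the Internet")
        net = ipaddress.ip_network(src, strict=False)  # ValueError on garbage input
        if net.prefixlen < MIN_ADMIN_PREFIXLEN:
            raise ValueError(f"{src} is wider than /{MIN_ADMIN_PREFIXLEN}")
        clean.append(str(net))
    return clean


def harden_rule(rule, admin_sources=None):
    """With admin_sources the rule stays Allow but only for those ranges;
    without them its action becomes Deny (the two options in step 3)."""
    new = dict(rule)
    if admin_sources:
        new.pop("sourceAddressPrefix", None)
        new["sourceAddressPrefixes"] = validate_admin_sources(admin_sources)
        new["access"] = "Allow"
    else:
        new["access"] = "Deny"
    return new


def az_update_command(resource_group, nsg_name, rule):
    """The `az network nsg rule update` call that applies the hardened rule."""
    sources = rule.get("sourceAddressPrefixes") or [rule["sourceAddressPrefix"]]
    cmd = ["az", "network", "nsg", "rule", "update",
           "--resource-group", resource_group, "--nsg-name", nsg_name,
           "--name", rule["name"], "--access", rule["access"],
           "--source-address-prefixes", *sources]
    return shlex.join(cmd)


if __name__ == "__main__":
    narrowed = harden_rule(OPEN_RDP_RULE, ["198.51.100.0/24", "203.0.113.5"])
    print(az_update_command("rg-prod", "nsg-web", narrowed))
    print(az_update_command("rg-prod", "nsg-web", harden_rule(OPEN_RDP_RULE)))
```

The validation is the part worth keeping: a "restriction" of 0.0.0.0/0 or a /8 is the usual way a remediation ticket gets closed without closing the exposure.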

Recommendation #3 - Management ports of virtual machines should be protected with just-in-time network access control

This is one of my favorite recommendations, and it requires the Standard tier (now sold as a Defender for Servers plan) to be enabled. Just-in-time (JIT) VM access lets you lock down the management ports and open them, on request, only for a designated amount of time. This reduces exposure to attacks while still giving easy access to VMs when needed.

The description of this recommendation is: “Defender for Cloud has identified some overly-permissive inbound rules for management ports in your Network Security Group. Enable just-in-time access control to protect your VM from internet-based brute-force attacks”. It is a low impact to users and requires a low level of effort to implement as it comes with a “Quick fix” option. You will notice that resources are flagged as “Unhealthy”, “Healthy” or “Not Applicable”.
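What "a specific amount of time" and "overly-permissive" mean in JIT terms, as an added Python example (not the post's code): a JIT policy per VM names the ports, the allowed source prefix and the maximum duration, and an access request must fit inside all three. The policy and request bodies are modelled on the Microsoft.Security jitNetworkAccessPolicies REST API; the field names, the VM resource ID and the 198.51.100.0/24 admin range are assumptions, and refusing '*' as a request source is an extra rule this example enforces rather than Azure behaviour.

```python
"""Check a JIT access request against a JIT policy before submitting it.
Added example, not the blog post's own code; body shapes are assumptions
modelled on the jitNetworkAccessPolicies REST API."""
import ipaddress
import re
from datetime import timedelta

# Constructed VM resource ID.
VM_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
         "/providers/Microsoft.Compute/virtualMachines/vm-web01")

# Policy: SSH may be opened from anywhere for up to 3 h, RDP only from the
# (made-up) admin range for up to 1 h.
JIT_POLICY = {"kind": "Basic", "properties": {"virtualMachines": [{"id": VM_ID, "ports": [
    {"number": 22, "protocol": "TCP", "allowedSourceAddressPrefix": "*",
     "maxRequestAccessDuration": "PT3H"},
    {"number": 3389, "protocol": "TCP", "allowedSourceAddressPrefix": "198.51.100.0/24",
     "maxRequestAccessDuration": "PT1H"},
]}]}}

_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def parse_duration(text):
    """ISO 8601 'PT1H30M'-style duration, the form JIT policies use."""
    match = _DURATION.match(text)
    if not match or text == "PT":
        raise ValueError(f"bad duration: {text}")
    hours, minutes = (int(g) if g else 0 for g in match.groups())
    return timedelta(hours=hours, minutes=minutes)


def build_request(vm_id, port, source, duration, justification):
    """Body of a JIT 'initiate' request for one port (assumed shape)."""
    return {"virtualMachines": [{"id": vm_id, "ports": [
        {"number": port, "allowedSourceAddressPrefix": source, "duration": duration}]}],
        "justification": justification}


def _policy_ports(policy, vm_id):
    for vm in policy["properties"]["virtualMachines"]:
        if vm["id"].lower() == vm_id.lower():
            return {p["number"]: p for p in vm["ports"]}
    return None


def validate_request(policy, request):
    """Return the list of problems; an empty list means the request fits the policy."""
    problems = []
    if not request.get("justification", "").strip():
        problems.append("justification is empty")
    for vm in request["virtualMachines"]:
        allowed = _policy_ports(policy, vm["id"])
        if allowed is None:
            problems.append(f"{vm['id']} is not covered by the JIT policy")
            continue
        for p in vm["ports"]:
            pol = allowed.get(p["number"])
            if pol is None:
                problems.append(f"port {p['number']} is not in the policy")
                continue
            if parse_duration(p["duration"]) > parse_duration(pol["maxRequestAccessDuration"]):
                problems.append(f"port {p['number']}: {p['duration']} exceeds the policy "
                                f"maximum {pol['maxRequestAccessDuration']}")
            src = p["allowedSourceAddressPrefix"]
            if src == "*":
                # Example-only rule: never open a port to every source, even if the policy allows it.
                problems.append(f"port {p['number']}: source '*' is refused by this check")
            elif pol["allowedSourceAddressPrefix"] != "*":
                allowed_net = ipaddress.ip_network(pol["allowedSourceAddressPrefix"], strict=False)
                if not ipaddress.ip_network(src, strict=False).subnet_of(allowed_net):
                    problems.append(f"port {p['number']}: source {src} is outside {allowed_net}")
    return problems


if __name__ == "__main__":
    req = build_request(VM_ID, 3389, "203.0.113.9", "PT2H", "")
    for problem in validate_request(JIT_POLICY, req):
        print("rejected:", problem)
```

Three of the four things the check refuses (wrong source, too long, no justification) are exactly what turns a JIT window back into a standing open port; the fourth, a port the policy does not list, is what Defender means by a management port without JIT protection.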

[Screenshot 3: the JIT recommendation with resources flagged Unhealthy, Healthy or Not applicable, and the Quick fix button]


For more information on Just-in-time (JIT) VM access, and how to enable it for your virtual machines, please see the Microsoft Defender for Cloud documentation here.

Next Steps 

Wrapping up this blog post, I’d like you to keep in mind that this is a small fraction of what Defender for Cloud and the enhanced Secure Score can offer you to strengthen your security posture and increase your secure score. This post details some robust steps you can take to raise your own comfort level in protecting your environments and assets.

I hope you enjoyed this article and learned something that will assist you on your continued cybersecurity journey. Please continue to enjoy our Defender for Cloud Secure Score blog series, and I look forward to virtually seeing you in the next one. If you would like more information on how to protect network resources in Microsoft Defender for Cloud, visit our docs or our full list of network recommendations.

Continue to remediate based on Defender for Cloud’s recommendations, and don’t hesitate to use workflow automation to do so. If you need assistance integrating workflow automation with your ITSM, take a look at this blog on how to integrate ServiceNow with Defender for Cloud.

Reviewer and Acknowledgements


Yuri Diogenes, Principal Program Manager – CxE Defender for Cloud Team

Thank you to @Anthony Roman, for assisting in the Azure Network security options.

FAQs

What are management ports in Azure? ›

Management ports usually consist of the ports that you used to connect to your Azure virtual machines i.e. Remote Desktop Protocol (RDP) and the Secure Shell (SSH) protocol. These protocols enable admins to manage VMs from remote locations and are common management ports.

How do I enable JIT access? ›

From the Azure portal, search for and select Virtual machines. Select the virtual machine you want to protect with JIT. In the menu, select Configuration. Under Just-in-time access, select Enable just-in-time.

What is the benefit to using just-in-time access control for network ports? ›

With JIT, you can lock down the inbound traffic to your VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

What are the default ports recommended for the JIT VM access policy by Azure Security Center? ›

The JIT VM access page opens listing the ports that Defender for Cloud recommends protecting: 22 (SSH), 3389 (RDP), 5985 (WinRM over HTTP) and 5986 (WinRM over HTTPS).

How do I secure my VM in Azure? ›

Best practices
  1. Use Azure Secure Score in Azure Security Center as your guide. ...
  2. Isolate management ports on virtual machines from the Internet and open them only when required. ...
  3. Use complexity for passwords and user account names. ...
  4. Keep the operating system patched. ...
  5. Keep third-party applications current and patched.

How do you check which ports are open in Azure? ›

To check for a specific open port on a Windows VM, pipe netstat through find. For example, netstat -an | find /i "560" shows whether anything is listening on port 560. A service that must accept remote connections should be listening on 0.0.0.0 (all interfaces), not only on 127.0.0.1.

What is JIT security? ›

Just-in-Time (JIT) access is a fundamental security practice where the privilege granted to access applications or systems is limited to predetermined periods of time, on an as-needed basis. This helps to minimize the risk of standing privileges that attackers or malicious insiders can readily exploit.

What is time bound access? ›

In the EHR (electronic health record) systems this definition comes from, time-bound access means that each user is granted a validity period based on his or her role and may only read the records of authorized nodes during that period. Once the period has expired, the user can no longer access the data. JIT VM access applies the same idea to network ports.

What is JIT virtual machine? ›

One of those instruments is Just-in-Time (JIT) access to virtual machines. The JIT access feature lets you lock down your virtual machines at the network level by blocking inbound traffic to management ports such as 22 (SSH) and 3389 (RDP) until an approved request opens them for a limited time.

Do not leave management ports open on virtual machines? ›

Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine.

What is JIT elevation? ›

JIT elevation takes two common forms. One-time-use accounts are created on the fly and immediately deprovisioned or deleted after use. Temporary elevation raises a user's privileges on request for a limited time, letting them use privileged accounts or run privileged commands on a by-request, timed basis.

What is privileged identity management in Azure? ›

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.

What is Azure firewall? ›

Azure Firewall is a cloud-native and intelligent network firewall security service that provides the best of breed threat protection for your cloud workloads running in Azure. It's a fully stateful, firewall as a service with built-in high availability and unrestricted cloud scalability.

How do I enable Azure security Center? ›

To enable enhanced security on multiple subscriptions or workspaces:
  1. Sign in to the Azure portal.
  2. Search for and select Microsoft Defender for Cloud.
  3. From Defender for Cloud's menu, select Getting started. ...
  4. Select the desired subscriptions and workspace from the list.
  5. Select Upgrade.


How do I make a VM secure? ›

  1. General virtual machine protection.
  2. Use templates to deploy virtual machines.
  3. Minimize use of the virtual machine console.
  4. Prevent virtual machines from taking over resources.
  5. Disable unnecessary functions inside virtual machines, and remove unnecessary hardware devices.

How do you secure your data in VM? ›

Security
  1. Azure Bastion. Private and fully managed RDP and SSH access to your virtual machines.
  2. Web Application Firewall. A cloud-native web application firewall (WAF) service that provides powerful protection for web apps.
  3. Azure Firewall. ...
  4. Azure Firewall Manager.

How do I access Azure VM without public IP? ›

With a VPN gateway from the Azure network to the on premises network Azure VMs can be RDP'ed using a private IP address – protected from the prying eyes of the public internet. The public IP address can be removed all together if you don't need it.

How can I check to see if a port is open online? ›

Run telnet followed by the IP address or hostname and the port number (e.g. telnet www.example.com 1723 or telnet 10.17.xxx.xxx 5000) in Command Prompt to test the TCP port status. If the port is open, only a cursor will show.

How do I know if a port is open on Azure VM? ›

Two things have to be true: the NSG must let the traffic in, and something on the VM must be listening. For the first, open the VM's Networking blade and review the effective security rules for its NIC (or run az network nic list-effective-nsg --name <nic> --resource-group <rg>), or test one specific flow with Network Watcher's IP flow verify. For the second, run netstat on the VM itself, as described below.

How do I know if a port is open on my virtual machine? ›

To check the listening ports and applications with netstat:
  1. Open a shell prompt. For more information, see Opening a command or shell prompt (1003892).
  2. In the shell prompt window, run netstat -pan (Linux; -p shows the owning process and needs root). The output begins with "Active Internet connections (servers and established)" and lists each local address and port with its state and program.

What is inbound and outbound Azure? ›

Inbound is data moving to your VM/service also known as ingress and is free on Azure. Outbound is data moving away from your machine and is priced in tiers with the 5GB being free of charge.

What are inbound and outbound rules in Azure? ›

A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.


Which Azure service can you use as a security information and event management solution? ›

Azure Sentinel (now Microsoft Sentinel) is a powerful Security Information and Event Management (SIEM) solution from Microsoft, one that's cloud-powered and cost-effective.

What is the difference between inbound and outbound ports? ›

Inbound traffic originates from outside the network, while outbound traffic originates inside the network. Sometimes, a dedicated firewall appliance or an off-site cloud service, such as a secure web gateway, is used for outbound traffic because of the specialized filtering technologies necessary.

What is inbound port and outbound port? ›

Inbound refers to connections coming-in to a specific device (host/server) from a remote location. e.g. A Web Browser connecting to your Web Server is an inbound connection (to your Web Server) Outbound refers to connections going-out to a specific device from a device/host.

What outbound ports should I block? ›

For example, the SANS Institute recommends blocking outbound traffic that uses the following ports: MS RPC - TCP & UDP port 135. NetBIOS/IP - TCP & UDP ports 137-139. SMB/IP - TCP port 445.

What are default NSG rules? ›

The default rules allow and disallow traffic as follows. Virtual network (AllowVnetInBound, AllowVnetOutBound): traffic originating and ending in a virtual network is allowed in both directions. Azure load balancer (AllowAzureLoadBalancerInBound): health-probe traffic is allowed in. Internet: outbound traffic is allowed (AllowInternetOutBound), but inbound traffic is blocked by DenyAllInBound at priority 65500. Default rules cannot be deleted, only overridden by rules with a lower priority number.

Can I attach NSG to VNET? ›

You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.

What are security groups called in Azure? ›

A network security group (NSG) in Azure is the way to activate a rule or access control list (ACL), which will allow or deny network traffic to your virtual machine instances in a virtual network. NSGs can be associated with subnets or individual virtual machine instances within that subnet.

How do I block an Azure port? ›

Besides editing the NSG rule directly, you can block a port across many virtual networks with Azure Virtual Network Manager security admin rules, which are evaluated before NSG rules. The steps from the Microsoft documentation article are:
  1. Prerequisites.
  2. Create a SecurityAdmin configuration.
  3. Add a rule collection.
  4. Add a security rule.
  5. Deploy the security admin configuration.
  6. Update the existing security admin configuration.
  7. Verify the security admin rules.


How do I allow TCP 8080 on a new created virtual machine? ›

After you create a virtual machine, you need to modify the network security group (NSG) to allow connections to TCP port 8080 on the virtual machine: add an inbound Allow rule for destination port 8080, restricted to the source ranges that need it.

What is the difference between Azure Security Center and Azure Sentinel? ›

Azure Security Center plays a vital role in “Collect” and “Detect” roles. While Azure Sentinel in addition to the first two roles also designed to perform “Investigate” and “Respond” roles.

Which two types of resources can be protected by using Azure Firewall? ›

Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.

Article information

Author: Rob Wisoky

Last Updated: 01/10/2023
