Audit Azure Firewall Rules with PowerShell
If your organisation has multiple Azure administrators who can add subscriptions, network security groups (NSGs), firewall rules and ACLs, it is prudent to audit those rules periodically. Imagine an admin opening 3389/tcp on a VM to everyone on the internet: that is not going to end well, especially if the VM has weak login passwords. The Azure web portal is not terrible by any means, but rule auditing is not its strongest point. The easiest solution is to use PowerShell from the comfort of your own workstation.
This script returns a list of Azure subscriptions, network security groups and, of course, the firewall rules. To make life easier, I have included a hashing function at the end of the script as a sort of checksum, so you can compare the hashes from two different runs: if the hashes differ, something has changed in the network and you can investigate further.
Please note that you will need to install the Azure PowerShell module first. This is easily done via NuGet: Install-Module -Name AzureRM
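The 3389-open-to-the-world case above is exactly the kind of thing an audit should flag automatically rather than leave to eyeballing. The function below is an added example, not part of the original post: it takes rule objects shaped like the SecurityRules that Get-AzureRmNetworkSecurityGroup returns and reports any inbound Allow rule whose source is effectively "everyone" and whose destination port range covers a management port. The port list, the "any source" prefixes and the sample rules are assumptions constructed for an offline dry run.

```powershell
# Added example (not part of the original post): flag NSG rules that allow
# inbound traffic from any source to management ports. Rule objects are shaped
# like the SecurityRules returned by Get-AzureRmNetworkSecurityGroup; the
# sample rules at the bottom are constructed so the function can be tried offline.

# Ports that should never be reachable from the whole internet (assumed list).
$ManagementPorts = @(22, 3389, 5985, 5986, 1433, 3306)

# Source prefixes that effectively mean "everyone" (assumed list).
$AnySource = @('*', '0.0.0.0/0', 'Internet')

function Test-PortRangeContains {
    param([string]$Range, [int]$Port)
    # Port ranges arrive as '*', a single port '3389', a span '1000-2000',
    # or a comma-separated list of those.
    foreach ($part in ($Range -split ',')) {
        $part = $part.Trim()
        if ($part -eq '*') { return $true }
        if ($part -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ([int]$part -eq $Port) {
            return $true
        }
    }
    return $false
}

function Find-RiskyNsgRule {
    param([Parameter(ValueFromPipeline)]$Rule, [string]$NsgName = '')
    process {
        # Only inbound Allow rules can expose a service.
        if ($Rule.Access -ne 'Allow' -or $Rule.Direction -ne 'Inbound') { return }
        # Only care about rules that admit traffic from anywhere.
        if ($AnySource -notcontains $Rule.SourceAddressPrefix) { return }
        $hits = $ManagementPorts | Where-Object { Test-PortRangeContains $Rule.DestinationPortRange $_ }
        if ($hits) {
            [pscustomobject]@{
                Nsg      = $NsgName
                Rule     = $Rule.Name
                Priority = $Rule.Priority
                Source   = $Rule.SourceAddressPrefix
                Ports    = ($hits -join ',')
                Protocol = $Rule.Protocol
            }
        }
    }
}

# Constructed sample rules: only the first one should be reported.
$sampleRules = @(
    [pscustomobject]@{ Name='allow-rdp-world';  Access='Allow'; Direction='Inbound'; Priority=100; Protocol='Tcp'; SourceAddressPrefix='*';              SourcePortRange='*'; DestinationAddressPrefix='*'; DestinationPortRange='3389' }
    [pscustomobject]@{ Name='allow-https';      Access='Allow'; Direction='Inbound'; Priority=110; Protocol='Tcp'; SourceAddressPrefix='Internet';       SourcePortRange='*'; DestinationAddressPrefix='*'; DestinationPortRange='443' }
    [pscustomobject]@{ Name='allow-ssh-office'; Access='Allow'; Direction='Inbound'; Priority=120; Protocol='Tcp'; SourceAddressPrefix='203.0.113.0/24'; SourcePortRange='*'; DestinationAddressPrefix='*'; DestinationPortRange='22' }
)
$sampleRules | Find-RiskyNsgRule -NsgName 'sample-nsg' | Format-Table -AutoSize

# Against a real tenant (after Connect-AzureRmAccount and Select-AzureRmSubscription),
# the same check runs over every NSG in the current subscription:
# foreach ($nsg in Get-AzureRmNetworkSecurityGroup) { $nsg.SecurityRules | Find-RiskyNsgRule -NsgName $nsg.Name }
```

The check is deliberately conservative: it ignores Deny rules and rules with a specific source prefix, so an allow from a known office range to port 22 is not reported. Rules using DestinationPortRanges (the list-valued property on newer NSG objects) would need the same treatment applied to each entry.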
Hope this helps 🙂
```powershell
function get-hash([string]$textToHash) {
    # MD5 is used here purely as a change-detection checksum, not for anything security-sensitive.
    $hasher = new-object System.Security.Cryptography.MD5CryptoServiceProvider
    $toHash = [System.Text.Encoding]::UTF8.GetBytes($textToHash)
    $hashByteArray = $hasher.ComputeHash($toHash)
    $result = ""
    foreach($byte in $hashByteArray) {
        $result += "{0:X2}" -f $byte
    }
    return $result;
}

Import-Module AzureRM
Connect-AzureRmAccount

$subs = Get-AzureRmSubscription

# Strings that accumulate everything seen in this run; hashed at the end.
$subscriptionStringToHash = ""
$nsgStringToHash = ""
$nsgRulesStringToHash = ""

write-host " "
write-host " "

foreach($sub in $subs) {
    write-host " "
    write-host "----------------------------------------" -foregroundcolor red
    write-host "SUBSCRIPTION" $sub.Name -foregroundcolor red
    write-host "----------------------------------------" -foregroundcolor red
    write-host " "

    Select-AzureRmSubscription -SubscriptionName $sub.Name
    $subscriptionStringToHash += $sub.Name

    # -erroraction 'silentlycontinue' so if the sub is AzureAD, it won't have any NSGs and it won't throw an error
    $nsg = Get-AzureRmNetworkSecurityGroup -erroraction 'silentlycontinue'

    foreach($i in $nsg) {
        write-host $i.Name -foregroundcolor cyan
        write-host "-------------------------" -foregroundcolor cyan
        write-host " "
        $nsgStringToHash += $i.Name

        foreach($secRule in $i.SecurityRules) {
            Write-Host $secRule.Name -foregroundcolor green
            Write-Host "Src"$secRule.SourceAddressPrefix":"$secRule.SourcePortRange " --> Dst"$secRule.DestinationAddressPrefix":"$secRule.DestinationPortRange " (Proto:" $secRule.Protocol") (Access:" $secRule.Access") (Direction:" $secRule.Direction") (Priority:" $secRule.Priority")"
            write-host " "
            # Tab-separated so each rule is one unit in the hashed string.
            $nsgRulesStringToHash += "`t`t" + $secRule.SourceAddressPrefix + $secRule.SourcePortRange + $secRule.DestinationAddressPrefix + $secRule.DestinationPortRange + $secRule.Protocol + $secRule.Access + $secRule.Direction
        }
        write-host " "
        write-host " "
    }
}

write-host " "
write-host "----------------------------------------" -foregroundcolor red
write-host "HASHES" -foregroundcolor red
write-host "----------------------------------------" -foregroundcolor red
write-host " "

$subscriptionHash = get-hash($subscriptionStringToHash)
Write-Host "Azure Subscriptions"
Write-Host $subscriptionHash
Write-Host ""

$nsgHash = get-hash($nsgStringToHash)
Write-Host "Network Security Groups"
Write-Host $nsgHash
Write-Host ""

$nsgRulesHash = get-hash($nsgRulesStringToHash)
Write-Host "NSG Rules"
Write-Host $nsgRulesHash
Write-Host ""
```
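A single hash per run tells you that something changed but not what. The following is an added example, not part of the original post, that keeps one canonical line per rule in a snapshot file and diffs two snapshots, so a changed hash can be traced to the exact rule that was added, removed or modified. Rule objects are shaped like the SecurityRules in the script above; the two snapshots are constructed here so the comparison can be run offline, and the subscription and NSG names are placeholders.

```powershell
# Added example (not part of the original post): snapshot every rule as one
# canonical line and diff two snapshots to see which rule changed between runs.

function ConvertTo-RuleRecord {
    # One tab-separated line per rule, so Compare-Object treats a rule as a single unit.
    param([string]$Subscription, [string]$Nsg, $Rule)
    @($Subscription, $Nsg, $Rule.Name, $Rule.Priority, $Rule.Direction, $Rule.Access,
      $Rule.Protocol, $Rule.SourceAddressPrefix, $Rule.SourcePortRange,
      $Rule.DestinationAddressPrefix, $Rule.DestinationPortRange) -join "`t"
}

function Save-RuleSnapshot {
    param([string[]]$Records, [string]$Path)
    # Sorted so the file content (and any hash of it) does not depend on enumeration order.
    $Records | Sort-Object | Set-Content -Path $Path -Encoding UTF8
}

function Compare-RuleSnapshot {
    param([string]$OldPath, [string]$NewPath)
    $old = @(Get-Content $OldPath)
    $new = @(Get-Content $NewPath)
    # A modified rule shows up as one Removed line (old form) plus one Added line (new form).
    Compare-Object -ReferenceObject $old -DifferenceObject $new | ForEach-Object {
        $kind = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
        [pscustomobject]@{ Change = $kind; Rule = $_.InputObject }
    }
}

# Constructed sample data: run B widens the RDP rule from an office /24 to '*'.
$newRule = {
    param($name, $src, $port)
    [pscustomobject]@{ Name=$name; Priority=100; Direction='Inbound'; Access='Allow'; Protocol='Tcp';
                       SourceAddressPrefix=$src; SourcePortRange='*'; DestinationAddressPrefix='*'; DestinationPortRange=$port }
}
$runA = @(
    ConvertTo-RuleRecord 'prod-sub' 'web-nsg' (& $newRule 'allow-rdp'   '203.0.113.0/24' '3389')
    ConvertTo-RuleRecord 'prod-sub' 'web-nsg' (& $newRule 'allow-https' 'Internet'       '443')
)
$runB = @(
    ConvertTo-RuleRecord 'prod-sub' 'web-nsg' (& $newRule 'allow-rdp'   '*'        '3389')
    ConvertTo-RuleRecord 'prod-sub' 'web-nsg' (& $newRule 'allow-https' 'Internet' '443')
)

$dir = [System.IO.Path]::GetTempPath()
$pathA = Join-Path $dir 'nsg-snapshot-runA.txt'
$pathB = Join-Path $dir 'nsg-snapshot-runB.txt'
Save-RuleSnapshot $runA $pathA
Save-RuleSnapshot $runB $pathB
Compare-RuleSnapshot $pathA $pathB | Format-Table -AutoSize

# In the real script, build the records inside the rule loop instead of the sample data, e.g.:
# $records += ConvertTo-RuleRecord $sub.Name $i.Name $secRule
# and call Save-RuleSnapshot once per run with a dated file name.
```

Keeping the snapshot files alongside the hashes costs nothing and turns "the NSG rules hash changed" into "allow-rdp on web-nsg went from 203.0.113.0/24 to *", which is the line you actually want in an incident ticket.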
1 Response
I was searching all over the internet for a script like this. Thanks for your diligence in creating it and then making it available for public consumption!