VM NSG Attached

Management Summary

This security control ensures the correct configuration and protects against security risks.

Recommendation: IMPLEMENT NSG ON ALL VMS
Risk without: High
Risk Score: 8/10
Implementation: 3h (tech: 2h)
Applies to: ✓ Azure VMs

This setting is essential for maintaining a secure environment and prevents known attack vectors by enforcing security best practices.

PowerShell Modules Required
Primary API: Azure API
Connection: Connect-AzAccount
Required Modules: Az.Accounts, Az.Network (the script's #Requires line also lists Az.Compute, which Get-AzVM needs)

Implementation

Validate that all VMs have NSG protection (at NIC or subnet level).

Requirements

NSGs configured

Monitoring

Use the PowerShell script vm-nsg-attached.ps1 (function Invoke-Monitoring) to check.

Checks NIC and subnet NSG associations.

Compliance and Auditing

  1. CIS 7.2
  2. BIO 13.01
  3. ISO 27001:2022 A.8.20

Remediation

Use the PowerShell script vm-nsg-attached.ps1 (function Invoke-Remediation) to remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
================================================================================
AZURE POWERSHELL SCRIPT - Nederlandse Baseline voor Veilige Cloud
================================================================================
.SYNOPSIS
    VM NSG Attached
.DESCRIPTION
    CIS Azure Foundations Benchmark - Control 7.12
    Checks whether Network Security Groups are attached to VMs.
.NOTES
    Filename:    vm-nsg-attached.ps1
    Author:      Nederlandse Baseline voor Veilige Cloud
    Version:     1.0
    CIS Control: 7.12
#>
#Requires -Version 5.1
#Requires -Modules Az.Accounts, Az.Compute, Az.Network
[CmdletBinding()]
param(
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation
)
$ErrorActionPreference = 'Stop'
$PolicyName = "VM NSG Attached"

function Connect-RequiredServices {
    if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }
}

function Test-SubnetHasNsg {
    # The Subnet object on a NIC IP configuration is only a reference (Id), so the
    # NSG binding of the subnet is not populated there; fetch the subnet via its VNet.
    param([string]$SubnetId)
    if (-not $SubnetId) { return $false }
    # Id layout: /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}
    $parts  = $SubnetId -split '/'
    $vnet   = Get-AzVirtualNetwork -ResourceGroupName $parts[4] -Name $parts[8] -ErrorAction SilentlyContinue
    $subnet = $vnet.Subnets | Where-Object { $_.Name -eq $parts[10] }
    return ($null -ne $subnet.NetworkSecurityGroup)
}

function Test-Compliance {
    # Wrap in @() so .Count is correct for zero or one VM
    $vms = @(Get-AzVM -ErrorAction SilentlyContinue)
    $result = @{ TotalVMs = $vms.Count; WithNSG = 0; WithoutNSG = @() }
    foreach ($vm in $vms) {
        # A VM only counts as protected when every NIC is filtered, at NIC or subnet level
        $protected = $true
        foreach ($nic in $vm.NetworkProfile.NetworkInterfaces) {
            $nicResource = Get-AzNetworkInterface -ResourceId $nic.Id -ErrorAction SilentlyContinue
            $nicHasNsg    = $null -ne $nicResource.NetworkSecurityGroup
            $subnetHasNsg = Test-SubnetHasNsg $nicResource.IpConfigurations[0].Subnet.Id
            if (-not ($nicHasNsg -or $subnetHasNsg)) { $protected = $false; break }
        }
        if ($protected) { $result.WithNSG++ } else { $result.WithoutNSG += $vm.Name }
    }
    return $result
}

# ================================================================================
# Standard Invoke-* functions
# ================================================================================
function Invoke-Monitoring {
    <# .SYNOPSIS Checks the current configuration status #>
    [CmdletBinding()]
    param()
    Connect-RequiredServices
    $r = Test-Compliance
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total VMs: $($r.TotalVMs)" -ForegroundColor White
    $color = if ($r.WithNSG -eq $r.TotalVMs) { 'Green' } else { 'Yellow' }
    Write-Host "With NSG: $($r.WithNSG)" -ForegroundColor $color
    foreach ($name in $r.WithoutNSG) { Write-Host "  [WARN] No NSG: $name" -ForegroundColor Yellow }
    return $r
}

function Invoke-Remediation {
    <#
    .SYNOPSIS Restores the configuration to the desired state
    .DESCRIPTION This is a monitoring-only control; remediation delegates to monitoring
    #>
    [CmdletBinding()]
    param()
    Write-Host "[INFO] This is a monitoring-only control" -ForegroundColor Yellow
    Write-Host "[INFO] Running monitoring check..." -ForegroundColor Cyan
    Invoke-Monitoring
}

function Invoke-Implementation {
    <# .SYNOPSIS Implements the configuration #>
    [CmdletBinding()]
    param()
    Invoke-Remediation
}

# Main: runs only when the script is executed directly, not when dot-sourced for its functions
if ($MyInvocation.InvocationName -ne '.') {
    try {
        if ($Remediation)    { Invoke-Remediation | Out-Null }
        elseif ($Monitoring) { Invoke-Monitoring | Out-Null }
        else {
            Connect-RequiredServices
            $r = Test-Compliance
            Write-Host "`nNSG Attached: $($r.WithNSG)/$($r.TotalVMs) VMs"
        }
    } catch { Write-Error $_; exit 1 }
}

Risk without implementation

High: VMs without an NSG = unfiltered network traffic. No firewall protection. Lateral movement is easy. Compliance: CIS 7.2, BIO 13.01. The risk is HIGH: network exposure.

Management Summary

VM NSG Attached: EVERY VM must have a Network Security Group (subnet-level or NIC-level). Filters inbound/outbound traffic. Deny-by-default rules. Activation: Create NSGs → Attach to VM subnets/NICs. Free. Mandatory under CIS 7.2, BIO 13.01. Implementation: 2-3 hours. Fundamental VM network security.
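The attachment step in the summary above (create NSGs, attach to VM subnets or NICs), as an added example that is not part of the baseline's own vm-nsg-attached.ps1: it resolves the subnet behind a VM's primary NIC and binds an existing NSG at subnet level (covering every NIC in that subnet) or, with -Scope NIC, at NIC level. The resource group, VM and NSG names are constructed placeholders.

```powershell
# Added example, not from vm-nsg-attached.ps1. Attaches an existing NSG to the subnet
# of a VM's primary NIC, or to the NIC itself. All names below are placeholders.
#Requires -Modules Az.Accounts, Az.Compute, Az.Network
param(
    [string]$ResourceGroup = 'rg-example',   # placeholder
    [string]$VmName        = 'vm-example',   # placeholder
    [string]$NsgName       = 'nsg-example',  # placeholder; must already exist in $ResourceGroup
    [ValidateSet('Subnet', 'NIC')][string]$Scope = 'Subnet'
)
$ErrorActionPreference = 'Stop'
if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

# A freshly created NSG already denies inbound traffic from the internet through its
# default rules (DenyAllInBound), so attaching it is what gives the VM deny-by-default filtering.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName
$vm  = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

# Primary NIC of the VM; the VM object only holds a reference, so fetch the NIC resource
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id

# The NIC's IP configuration carries only the subnet Id; split it to reach the VNet and subnet
# Id layout: /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}
$parts  = $nic.IpConfigurations[0].Subnet.Id -split '/'
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $parts[4] -Name $parts[8]
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $parts[10]

if ($nic.NetworkSecurityGroup -or $subnet.NetworkSecurityGroup) {
    Write-Host "$VmName is already filtered by an NSG (NIC or subnet level); nothing to do"
    return
}

if ($Scope -eq 'Subnet') {
    # Subnet-level binding: AddressPrefix is mandatory for Set-AzVirtualNetworkSubnetConfig,
    # so reuse the subnet's existing prefix and then push the VNet back to Azure
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet.Name `
        -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
    $vnet | Set-AzVirtualNetwork | Out-Null
    Write-Host "Attached $NsgName to subnet $($subnet.Name) (covers $VmName and its neighbours)"
}
else {
    # NIC-level binding: only this VM's NIC is filtered
    $nic.NetworkSecurityGroup = $nsg
    $nic | Set-AzNetworkInterface | Out-Null
    Write-Host "Attached $NsgName to NIC $($nic.Name) of $VmName"
}
```

Re-run vm-nsg-attached.ps1 -Monitoring afterwards; the VM should now be counted under "With NSG".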