VM No Public IP Addresses

💼 Management Summary

This security control ensures that Azure VMs carry no public IP addresses, so they are not directly reachable from the internet, and that administrative access goes through Azure Bastion, a VPN or a jump box instead.

Recommendation
IMPLEMENT NO PUBLIC IPS
Risk without
High
Risk Score
8/10
Implementation
5 h (technical: 3 h)
Applies to:
✓ Azure VMs

Removing public IPs from VMs eliminates the most direct attack vector against them: RDP/SSH exposed to the internet. It is a core Zero Trust control and a prerequisite for the Bastion/VPN-based access model described below.

PowerShell Modules Required
Primary API: Azure API
Connection: Connect-AzAccount
Required Modules: Az.Accounts, Az.Compute, Az.Network

Implementation

Access VMs via Azure Bastion, a VPN, or a jump box instead of public IPs.

Requirements

Bastion or VPN configured (before any public IP is removed, so administrators are not locked out)

Monitoring

Use the PowerShell script vm-no-public-ip-addresses.ps1 (function Invoke-Monitoring) to check.

Lists VMs that have a public IP attached to one of their NICs.

Compliance en Auditing

  1. CIS 7.3
  2. BIO 13.01
  3. ISO 27001:2022 A.8.20

Remediation

Use the PowerShell script vm-no-public-ip-addresses.ps1 (function Invoke-Remediation) to remediate. Note that this control is monitoring-only: the script reports non-compliant VMs but does not detach public IPs itself.

Automation

Use the PowerShell script below to monitor and implement this security control. The script provides functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell

<#
================================================================================
 AZURE POWERSHELL SCRIPT - Nederlandse Baseline voor Veilige Cloud
================================================================================
.SYNOPSIS
    VM No Public IP Addresses
.DESCRIPTION
    CIS Azure Foundations Benchmark - Control 7.11
    Checks whether VMs have public IP addresses attached to their NICs.
.NOTES
    Filename:    vm-no-public-ip-addresses.ps1
    Author:      Nederlandse Baseline voor Veilige Cloud
    Version:     1.0
    CIS Control: 7.11
#>
#Requires -Version 5.1
#Requires -Modules Az.Accounts, Az.Compute, Az.Network

[CmdletBinding()]
param(
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation
)

$ErrorActionPreference = 'Stop'
$PolicyName = "VM No Public IP Addresses"

function Connect-RequiredServices {
    # Reuse an existing Az context; only prompt for login when there is none.
    if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }
}

function Test-Compliance {
    # Counts VMs in the current subscription that have at least one NIC
    # ipConfiguration with a public IP attached, and records their names.
    $vms = @(Get-AzVM -ErrorAction SilentlyContinue)
    $result = @{ TotalVMs = $vms.Count; WithPublicIP = 0; NonCompliant = @() }
    foreach ($vm in $vms) {
        foreach ($nic in $vm.NetworkProfile.NetworkInterfaces) {
            $nicResource = Get-AzNetworkInterface -ResourceId $nic.Id -ErrorAction SilentlyContinue
            if ($nicResource.IpConfigurations.PublicIpAddress) {
                $result.WithPublicIP++
                $result.NonCompliant += $vm.Name
                break   # count each VM once, even if several NICs have public IPs
            }
        }
    }
    return $result
}

# ================================================================================
# Standard Invoke-* functions
# ================================================================================
function Invoke-Monitoring {
    <# .SYNOPSIS Checks the current configuration status #>
    [CmdletBinding()]
    param()
    Connect-RequiredServices
    $r = Test-Compliance
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total VMs: $($r.TotalVMs)" -ForegroundColor White
    Write-Host "With Public IP: $($r.WithPublicIP)" -ForegroundColor $(if ($r.WithPublicIP -eq 0) { 'Green' } else { 'Yellow' })
    if ($r.WithPublicIP -gt 0) {
        Write-Host "`n⚠️ VMs with public IPs found - consider Azure Bastion" -ForegroundColor Yellow
        $r.NonCompliant | ForEach-Object { Write-Host "  - $_" -ForegroundColor Yellow }
    }
    return $r
}

function Invoke-Remediation {
    <#
    .SYNOPSIS Restores the configuration to the desired state
    .DESCRIPTION This is a monitoring-only control; remediation delegates to monitoring
    #>
    [CmdletBinding()]
    param()
    Write-Host "[INFO] This is a monitoring-only control" -ForegroundColor Yellow
    Write-Host "[INFO] Running monitoring check..." -ForegroundColor Cyan
    Invoke-Monitoring
}

function Invoke-Implementation {
    <# .SYNOPSIS Implements the configuration #>
    [CmdletBinding()]
    param()
    Invoke-Remediation
}

# Entry point: -Monitoring prints the full report, -Remediation runs the
# (monitoring-only) remediation path, no switch prints a one-line summary.
try {
    Connect-RequiredServices
    if ($Monitoring) {
        Invoke-Monitoring | Out-Null
    } elseif ($Remediation) {
        Invoke-Remediation | Out-Null
    } else {
        $r = Test-Compliance
        Write-Host "`nPublic IPs: $($r.WithPublicIP)/$($r.TotalVMs) VMs"
    }
} catch {
    Write-Error $_
    exit 1
}

Risk without implementation

High: a VM with a public IP is directly exposed to the internet: RDP/SSH brute force (one of the most common ransomware entry points), port scanning, and DDoS targeting. Compliance: CIS 7.3, Zero Trust, BIO 13.01. The risk is CRITICAL because it is internet-facing attack surface.

Management Summary

VM No Public IP Addresses: all VMs use private (RFC 1918) addresses only, e.g. 10.x.x.x. Admin access via Azure Bastion (approx. €140/month) or VPN. Block public IP assignment with Azure Policy. Rollout: deploy Bastion or VPN → remove existing public IPs → assign a deny policy. Free (Bastion is charged separately). Required by CIS 7.3, Zero Trust, BIO 13.01. Implementation: 3-5 hours. Eliminates direct internet exposure.
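The rollout described in the summary above (and under Implementation), as an added example; this is not part of the baseline's own vm-no-public-ip-addresses.ps1, which only reports. It assumes the Az.Accounts, Az.Compute, Az.Network and Az.Resources modules, an existing Connect-AzAccount session, and that Azure Bastion is already deployed. The resource group name rg-hub-network, the Bastion name bas-hub and the policy name deny-nic-public-ip are placeholders; the policy rule mirrors the built-in "Network interfaces should not have public IPs" definition.

```powershell
# Added example (not the baseline's own script): deploy-Bastion check,
# detach public IPs from every VM NIC, then deny new ones via Azure Policy.
# Assumes Az.Accounts, Az.Compute, Az.Network, Az.Resources and an active
# Az context. All names below are placeholders for your environment.
#Requires -Modules Az.Accounts, Az.Compute, Az.Network, Az.Resources
$ErrorActionPreference = 'Stop'

$BastionResourceGroup = 'rg-hub-network'     # assumption: where Bastion lives
$BastionName          = 'bas-hub'             # assumption
$PolicyName           = 'deny-nic-public-ip'  # assumption: custom definition name
$Scope                = "/subscriptions/$((Get-AzContext).Subscription.Id)"

# Step 0: refuse to cut the last management path. Removing public IPs before
# Bastion (or a VPN) exists locks administrators out of the VMs.
if (-not (Get-AzBastion -ResourceGroupName $BastionResourceGroup -Name $BastionName -ErrorAction SilentlyContinue)) {
    throw "Azure Bastion '$BastionName' not found in '$BastionResourceGroup'; deploy Bastion or VPN first."
}

# Step 1: detach the public IP from every NIC ipConfiguration that has one.
# The public IP resource itself is kept and logged so it can be inspected or
# reused (e.g. for a NAT Gateway); delete it separately once nothing refers to it.
$detached = @()
foreach ($vm in Get-AzVM) {
    foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
        $nic = Get-AzNetworkInterface -ResourceId $nicRef.Id
        $changed = $false
        foreach ($cfg in $nic.IpConfigurations) {
            if ($cfg.PublicIpAddress) {
                $detached += [pscustomobject]@{
                    VM = $vm.Name; NIC = $nic.Name; PublicIp = $cfg.PublicIpAddress.Id
                }
                $cfg.PublicIpAddress = $null
                $changed = $true
            }
        }
        if ($changed) { Set-AzNetworkInterface -NetworkInterface $nic | Out-Null }
    }
}
$detached | Format-Table -AutoSize

# Step 2: deny future public IPs on NICs. The rule denies any network
# interface where some ipConfiguration has a publicIpAddress.id set.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Network/networkInterfaces" },
      { "not": {
          "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id",
          "notLike": "*"
      } }
    ]
  },
  "then": { "effect": "deny" }
}
'@
$def = Get-AzPolicyDefinition -Name $PolicyName -ErrorAction SilentlyContinue
if (-not $def) {
    $def = New-AzPolicyDefinition -Name $PolicyName `
        -DisplayName 'Network interfaces should not have public IPs (custom)' `
        -Mode All -Policy $rule
}
New-AzPolicyAssignment -Name "$PolicyName-assignment" -PolicyDefinition $def -Scope $Scope | Out-Null

# Step 3: re-check. A deny effect only blocks new or updated NICs; anything
# missed in step 1 would otherwise just show up as non-compliant, not be fixed.
$remaining = @(Get-AzNetworkInterface | Where-Object { $_.IpConfigurations.PublicIpAddress })
Write-Host "NICs still carrying a public IP: $($remaining.Count)"
```

Two caveats before running this in production: detaching a public IP also removes that VM's explicit outbound path, so VMs that need to reach the internet (updates, package mirrors) should get a NAT Gateway or a route through a firewall, since Azure's implicit "default outbound access" is being retired for new virtual networks; and the deny policy applies only at write time, so run the baseline's monitoring function afterwards to confirm the existing estate is clean.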