The security problem with exposing SSH to the Internet is that attackers continuously scan for open port 22 and use password brute-force and credential-stuffing attacks to gain access to Azure Virtual Machines. Once an attacker has a foothold, the compromised virtual machine becomes a launch point for lateral movement against other machines on the Azure Virtual Network, or for attacks against networked devices outside of Azure.
Note: Only available for Azure.
ASSOCIATED DRATA CONTROL
This test is part of the Access to Remote Server Administration Ports Restricted control (DCF-73), which requires that network security controls be in place to restrict public access to remote server administration ports (e.g., SSH, RDP) to authorized IP addresses or address ranges only.
WHAT TO DO IF A TEST FAILS
If Drata finds that one or more of your Azure network security groups contain an inbound Allow rule that permits SSH (TCP port 22) from any public source (a source of "*", "0.0.0.0/0", "Internet", or "Any"), the test will fail. Note that a rule whose destination port is "*" or a range that includes 22 also counts as exposing SSH.
STEPS TO REMEDIATE
Unless SSH from the internet is explicitly required for the resources attached to the Network Security Group, remove the inbound rule that allows it, or restrict the rule's source to the specific IP addresses or address ranges of authorized administrators.
For internal access to the relevant resources, configure an encrypted network tunnel such as ExpressRoute, a Site-to-site VPN, or a Point-to-site VPN, and allow SSH only from the tunnel's address range.
Note: SSH access from the internet is not enabled by default. Azure's default NSG rules deny inbound traffic from the Internet, so a failing result means an inbound Allow rule was added explicitly.
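The check behind this test and the remediation above, as an added Python example that is not Drata's or Azure's own code: it evaluates NSG rules in priority order to decide whether TCP/22 from an arbitrary Internet address is allowed (an explicit Deny at a lower priority number shadows a later Allow, which a naive "any Allow rule" scan misses), and rewrites an offending rule so its source is an authorized range. The rule records use the camelCase field names of the JSON from "az network nsg rule list"; the rules themselves, the resource-group and NSG names, and the 203.0.113.0/24 admin range are constructed for the example, and the function and variable names are this example's own.

```python
"""Evaluate Azure NSG rules for SSH (TCP/22) exposed to the Internet.

Added example, not Drata's or Azure's code. Rule records are shaped like the
camelCase JSON emitted by `az network nsg rule list ... -o json`; all sample
data below is constructed for illustration.
"""
from copy import deepcopy
from typing import Iterable

# Source values that mean "anyone on the Internet": wildcard CIDRs plus the
# "Internet" service tag and the "Any" label shown in the portal.
PUBLIC_SOURCES = {"*", "0.0.0.0", "0.0.0.0/0", "/0", "::/0", "internet", "any"}
SSH_PORT = 22


def _sources(rule: dict) -> list:
    """All source prefixes on a rule (single-value or list form, never both)."""
    single = rule.get("sourceAddressPrefix")
    return [single] if single else list(rule.get("sourceAddressPrefixes") or [])


def _ports(rule: dict) -> list:
    """All destination port specs on a rule (single-value or list form)."""
    single = rule.get("destinationPortRange")
    return [single] if single else list(rule.get("destinationPortRanges") or [])


def port_range_covers(port_range: str, port: int) -> bool:
    """True if an NSG port spec ('*', '22', '20-30') includes `port`."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    return lo_i <= port <= hi_i


def rule_matches_internet_ssh(rule: dict) -> bool:
    """Does this rule apply to TCP/22 arriving from an arbitrary Internet host?

    Simplification: only a wildcard/Internet source counts as matching such a
    probe, so a rule scoped to a specific CIDR never matches here (a narrow
    Deny does not protect the rest of the Internet; a narrow Allow is not public).
    """
    if rule.get("direction", "").lower() != "inbound":
        return False
    if rule.get("protocol", "").lower() not in ("tcp", "*"):
        return False
    if not any(s.lower() in PUBLIC_SOURCES for s in _sources(rule)):
        return False
    return any(port_range_covers(p, SSH_PORT) for p in _ports(rule))


def evaluate_internet_ssh(rules: Iterable[dict]) -> dict:
    """Walk rules in priority order (lowest number first); first match decides."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches_internet_ssh(rule):
            return {"exposed": rule["access"].lower() == "allow",
                    "deciding_rule": rule["name"]}
    # Nothing matched: Azure's default DenyAllInBound (priority 65500) applies.
    return {"exposed": False, "deciding_rule": "DenyAllInBound (default)"}


def restrict_to_allowed_sources(rule: dict, allowed_cidrs: list) -> dict:
    """Copy of `rule` with its public source replaced by an allow-list.

    ARM accepts either sourceAddressPrefix or sourceAddressPrefixes, not both,
    so the single-value field is dropped when the list form is set.
    """
    fixed = deepcopy(rule)
    fixed.pop("sourceAddressPrefix", None)
    fixed["sourceAddressPrefixes"] = list(allowed_cidrs)
    return fixed


def az_update_command(rg: str, nsg: str, rule_name: str, allowed_cidrs: list) -> str:
    """The Azure CLI call that applies the same change to the live rule."""
    return (f"az network nsg rule update -g {rg} --nsg-name {nsg} -n {rule_name} "
            f"--source-address-prefixes {' '.join(allowed_cidrs)}")


# Constructed sample: one public SSH rule plus one already-restricted rule.
SAMPLE_RULES = [
    {"name": "AllowSSHFromAnywhere", "priority": 300, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "sourceAddressPrefixes": [], "destinationPortRange": "22",
     "destinationPortRanges": []},
    {"name": "AllowAdminRange", "priority": 310, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": None,
     "sourceAddressPrefixes": ["203.0.113.0/24"], "destinationPortRange": "22",
     "destinationPortRanges": []},
]

# Same NSG with an explicit Deny at a lower number, which shadows the Allow.
SHADOWED_RULES = SAMPLE_RULES + [
    {"name": "DenyInternetSSH", "priority": 200, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "Internet",
     "sourceAddressPrefixes": [], "destinationPortRange": "20-30",
     "destinationPortRanges": []},
]

ADMIN_RANGE = ["203.0.113.0/24"]  # constructed authorized admin range
FIXED_RULES = [restrict_to_allowed_sources(SAMPLE_RULES[0], ADMIN_RANGE)] + SAMPLE_RULES[1:]

if __name__ == "__main__":
    print("before:", evaluate_internet_ssh(SAMPLE_RULES))
    print("shadowed:", evaluate_internet_ssh(SHADOWED_RULES))
    print("after:", evaluate_internet_ssh(FIXED_RULES))
    print(az_update_command("rg-prod", "nsg-web", "AllowSSHFromAnywhere", ADMIN_RANGE))
```

Run the script against the output of "az network nsg rule list" for each NSG to reproduce the verdict; the default rules are not in that listing unless requested, which is why an unmatched probe falls through to the implicit DenyAllInBound.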
Center for Internet Security (CIS)
This is a test that aligns with the Center for Internet Security’s (CIS) benchmarks for Microsoft Azure, providing prescriptive guidance to establish a secure baseline configuration for Azure environments. These benchmarks are developed through a global, consensus-driven process involving cybersecurity experts to help organizations strengthen their defenses against potential threats in the cloud.