Device Hardening

4.3 Given a scenario, apply network security features, defense techniques, and solutions

Device Hardening

📘CompTIA Network+ (N10-009)


1. What Are Ports and Services in an IT Environment?

Ports

  • A port is a TCP or UDP port number (0-65535) that identifies the endpoint on which an application or service accepts connections; an "open" port is one with a process listening on it.
  • In Azure, ports are often controlled through:
    • Network Security Groups (NSGs)
    • Azure Firewall
    • Operating system (Windows/Linux) firewall

Common examples:

  • Port 22 – SSH (Linux remote management)
  • Port 3389 – RDP (Windows remote management)
  • Port 80 – HTTP web traffic
  • Port 443 – HTTPS secure web traffic

If a port is listening and reachable from an untrusted network, attackers will find it in a routine scan and probe the service behind it for weak credentials or unpatched vulnerabilities, whether or not anyone legitimately uses it.


Services

A service is a background process that performs a task, such as:

  • Remote desktop service
  • Database service
  • Web service
  • File sharing service

If a service is running even though the system does not need it, it becomes a possible entry point for attacks.


2. Why is Disabling Unused Ports and Services Important?

a. Reduces Attack Surface

Every listening port and running service is code an attacker can reach, and code that you must keep patched, configured and monitored. The fewer there are, the less there is for an attacker to find and the less there is for you to maintain.

b. Prevents Unauthorized Access

Exposed remote-access services such as RDP and SSH are the most common targets for password spraying and brute-force attacks. If the service is not listening, or its port is not reachable from the internet, those attacks have nothing to hit.

c. Improves System Stability

Disabling unnecessary processes reduces resource usage, such as:

  • CPU
  • Memory
  • Network traffic

d. Required for Compliance

Security policies often require that systems expose only what is necessary.


3. How to Disable Unused Ports and Services in Azure

This is especially important for the AZ-104 exam. Azure provides multiple layers where you can restrict or disable ports and services.


Layer 1: Network Layer (Azure Networking)

A. Network Security Groups (NSGs)

You can control inbound/outbound traffic by allowing only required ports.

Examples:

  • Allow only SSH (22) for Linux VMs when needed.
  • Allow only RDP (3389) for Windows VMs through restricted IP ranges.
  • Block all unnecessary ports by default.

Best practice:
Rely on the built-in DenyAllInBound default rule (priority 65500) rather than re-creating it, and add only narrowly scoped allow rules that name a specific source range and destination port. Rules are evaluated in ascending priority order and the first match wins, so a broad allow rule with a low priority number silently shadows any deny rule placed after it. Remember also that the default AllowVnetInBound rule permits all traffic from inside the virtual network, so lateral access to management ports must be denied with an explicit rule if that is the intent.
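Priority ordering is the part of NSG design that most often goes wrong, so here is an added example (not from the original page and not Microsoft's code) that simulates inbound NSG evaluation in Python. It models the three built-in default rules; the address space behind the VirtualNetwork tag (10.0.0.0/16), the rule names, the admin range 203.0.113.0/24 and the probe addresses are all assumed values for illustration. The HARDENED set shows the recommended shape, and the LEAKY set shows a deny rule that is never reached because an "allow from any" rule sits above it.

```python
import ipaddress
from dataclasses import dataclass

# Assumed address space behind the "VirtualNetwork" service tag (example value).
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]
# The AzureLoadBalancer tag resolves to Azure's fixed health-probe address.
AZURE_LB_PROBE = ipaddress.ip_network("168.63.129.16/32")


@dataclass(frozen=True)
class Rule:
    priority: int    # lower number is evaluated first; custom rules use 100-4096
    name: str
    source: str      # CIDR, "VirtualNetwork", "Internet", "AzureLoadBalancer" or "*"
    dest_port: str   # "3389", "1000-2000" or "*"
    access: str      # "Allow" or "Deny"


# Built-in default inbound rules present in every NSG (they cannot be deleted).
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "Deny"),
]


def _in_vnet(ip):
    return any(ip in net for net in VNET_PREFIXES)


def _source_matches(source, ip):
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return _in_vnet(ip)
    if source == "Internet":          # public address space outside the VNet
        return not _in_vnet(ip)
    if source == "AzureLoadBalancer":
        return ip in AZURE_LB_PROBE
    return ip in ipaddress.ip_network(source, strict=False)


def _port_matches(dest_port, port):
    if dest_port == "*":
        return True
    if "-" in dest_port:
        lo, hi = (int(p) for p in dest_port.split("-"))
        return lo <= port <= hi
    return int(dest_port) == port


def evaluate_inbound(custom_rules, src_ip, dest_port):
    """First matching rule in ascending priority order decides; returns (access, rule name)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _source_matches(rule.source, ip) and _port_matches(rule.dest_port, dest_port):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every packet")


# Constructed rule sets. HARDENED: RDP only from an admin range, HTTPS from the internet,
# and an explicit deny so the default AllowVnetInBound cannot be used for lateral RDP.
HARDENED = [
    Rule(100, "Allow-RDP-From-Admin-Range", "203.0.113.0/24", "3389", "Allow"),
    Rule(110, "Allow-HTTPS-From-Internet", "Internet", "443", "Allow"),
    Rule(4000, "Deny-RDP-From-VNet", "VirtualNetwork", "3389", "Deny"),
]
# LEAKY: an "allow RDP from any" rule at priority 100, followed by a deny that is never
# reached because the lower priority number wins.
LEAKY = [
    Rule(100, "Allow-RDP-Any", "*", "3389", "Allow"),
    Rule(200, "Deny-RDP-From-Internet", "Internet", "3389", "Deny"),
]

if __name__ == "__main__":
    probes = [("203.0.113.10", 3389), ("198.51.100.7", 3389), ("10.0.1.5", 3389),
              ("10.0.1.5", 22), ("198.51.100.7", 443)]
    for label, rules in (("HARDENED", HARDENED), ("LEAKY", LEAKY)):
        for src, port in probes:
            access, name = evaluate_inbound(rules, src, port)
            print(f"{label:8} {src:>14} -> :{port:<5} {access:5} ({name})")
```

Two results are worth noticing: in HARDENED, SSH from 10.0.1.5 is still allowed by the default AllowVnetInBound rule because no custom rule mentions port 22, and in LEAKY the internet source reaches RDP even though a deny rule exists for it.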


B. Azure Firewall / Web Application Firewall (WAF)

These are different tools:

  • Azure Firewall is a centrally managed network firewall: use it (or NSGs) to allow only the ports and destinations a workload needs and deny everything else.
  • Web Application Firewall (on Application Gateway or Azure Front Door) inspects HTTP(S) requests for attacks such as injection and cross-site scripting. It protects the web ports you must leave open; it does not close ports.

If a workload does not require certain ports, Azure Firewall should block them.


Layer 2: Operating System Layer

Windows Server

Disable unnecessary services using:

  • Services.msc
  • PowerShell (Stop-Service, Set-Service)
  • Windows Firewall

Examples:

  • Disable unused file sharing services
  • Disable telnet service if enabled
  • Disable print spooler if not required

Linux Server

Disable services using:

  • systemctl stop <service> (stop it now)
  • systemctl disable <service> (keep it from starting at boot); systemctl mask <service> additionally stops it being started as a dependency of another unit
  • Firewall tools like ufw or firewalld to block the port as well, so a service that is re-enabled later is still unreachable

Examples:

  • Disable FTP service if not used
  • Disable old/legacy protocols like rsh or rlogin

Layer 3: Application Layer

If an application is deployed on a VM or Azure service, ensure it does not expose unnecessary ports.

Examples:

  • A web server that serves only HTTPS should not also listen on port 80, unless port 80 exists solely to redirect to 443 and serves nothing else.
  • A database server should not expose its listener (for example 1433 for SQL Server) to the internet; bind it to a private address and reach it over the VNet or a private endpoint.

4. What the AZ-104 Exam Expects You to Know

For the exam, focus on:

✔ Understanding what an attack surface is

Unused ports and services increase the attack surface.

✔ Knowing why you should disable them

To reduce vulnerabilities, prevent unauthorized access, and improve security.

✔ Knowing where to do this in Azure

  • NSGs
  • Azure Firewall
  • VM OS settings
  • Application configurations

✔ Understanding secure remote management practices

  • Use Just-in-Time VM access (JIT, a Microsoft Defender for Cloud feature) to open RDP/SSH only for an approved source address and time window.
  • Avoid exposing management ports directly to the internet; reach VMs through Azure Bastion, a VPN or a private network instead.

✔ Knowing common security best practices

  • Keep only necessary services running.
  • Use “deny by default” rules.
  • Limit ports to trusted IPs or private networks.

5. Best Practices for Disabling Unused Ports/Services in Azure

1. Follow the Principle of Least Privilege

Only allow what is absolutely necessary.

2. Deny All by Default

Start with everything blocked, then allow specific required ports/services.

3. Use Just-in-Time Access

JIT adds a temporary NSG allow rule for the requesting user's source address and removes it again when the approved time window expires; between requests the management port stays closed.

4. Regularly Review Active Ports

Use:

  • NSG flow logs (which sources actually reach which ports)
  • Azure Monitor
  • VM OS tools such as ss -ltnp on Linux or Get-NetTCPConnection -State Listen on Windows, compared against the list of ports the workload is supposed to expose
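The review step above, and the Layer 3 rule that a VM should not listen on ports the application does not need, come down to comparing what is actually listening against an allowlist. The following is an added example (not code from the original page) that parses ss -ltnp style output in Python, ignores sockets bound only to loopback, and reports every network-reachable listener whose port is not on the allowlist. The sample output, the process names and the allowlist {22, 443} are constructed for illustration; the function names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `ss -ltnp` output; not captured from a real host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1201,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1201,fd=7))
LISTEN  0       5       0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1340,fd=4))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1502,fd=20))
LISTEN  0       4096    127.0.0.53%lo:53     0.0.0.0:*          users:(("systemd-resolve",pid=410,fd=13))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Cleartext/legacy services the page says to remove; used only to annotate findings.
LEGACY_PORTS = {21: "FTP", 23: "Telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


def _local_only(address):
    """True when the socket is bound to a loopback address and so is not network-reachable."""
    addr = address.split("%")[0].strip("[]")   # drop an interface scope like "%lo" and IPv6 brackets
    if addr == "*":
        return False
    return ipaddress.ip_address(addr).is_loopback


def parse_ss(text):
    listeners = []
    for line in text.splitlines()[1:]:         # first line is the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        address, port = fields[3].rsplit(":", 1)
        match = re.search(r'\(\("([^"]+)"', line)   # process name inside users:(("name",pid=...))
        listeners.append(Listener(address, int(port), match.group(1) if match else "?"))
    return listeners


def audit_listeners(text, allowed_ports):
    """Network-reachable listeners whose port is not on the allowlist, one per (port, process)."""
    findings = {}
    for lst in parse_ss(text):
        if _local_only(lst.address) or lst.port in allowed_ports:
            continue
        findings.setdefault((lst.port, lst.process), lst)   # v4 and v6 sockets of one service collapse
    return [findings[key] for key in sorted(findings)]


def describe(listener):
    tag = LEGACY_PORTS.get(listener.port)
    reason = f"legacy {tag} service" if tag else "not on allowlist"
    return f"port {listener.port}/tcp ({listener.process}) bound to {listener.address}: {reason}"


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS, allowed_ports={22, 443}):
        print(describe(finding))
```

Run periodically (for example from a scheduled job) and diff the output against the previous run: a new line means a port was opened without a change to the allowlist. The loopback-bound MySQL and systemd-resolved sockets are deliberately not reported, since they are not reachable from the network and an NSG would never see them.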

5. Remove Legacy Services

Disable outdated or insecure services such as:

  • Telnet
  • FTP
  • SMBv1

6. Restrict Access with Private Endpoints

Give PaaS resources such as storage accounts, SQL databases and key vaults a private endpoint in your virtual network and disable their public network access, so they are reachable only over private IP space rather than from the internet.


6. Impact of Not Disabling Unused Ports/Services

If unused ports/services remain active:

  • Attackers can scan them and attempt exploits.
  • Vulnerabilities in old services can lead to data breaches.
  • Remote-access services may be used for unauthorized entry.
  • Systems remain exposed even if no one is using those features.

Azure administrators are expected to proactively eliminate unnecessary entry points.


Final Summary (Exam-Ready)

Disabling unused ports and services is a core part of device hardening. In Azure:

  • Ports are controlled through NSGs, Azure Firewall and the VM's own OS firewall.
  • Services are managed inside the VM OS.
  • Only keep required ports/services active.
  • Use best practices like least privilege, JIT access, and deny by default.
  • This reduces the attack surface, prevents unauthorized access, and ensures compliance.

Mastering this topic ensures you understand how to secure Azure VMs, networks, and applications—an important skill tested in AZ-104.
