Limit access to services over network
Info
ID: MS-M9008
MITRE mitigation: M1035
Avoid exposing sensitive interfaces insecurely to the Internet, or limit access to them. Sensitive interfaces include management tools and applications that allow creation of new containers in the cluster. Some of those services do not use authentication by default and are not intended to be exposed. Examples of services that have been exploited this way include Weave Scope and Apache NiFi, among others.
If services need to be exposed to the Internet and are exposed using a LoadBalancer service, use IP restriction (loadBalancerSourceRanges) when possible. This reduces the attack surface of the application and can prevent attackers from being able to reach the sensitive interfaces.
Techniques Addressed by Mitigation
ID | Name | Use |
---|---|---|
MS-TA9005 | Exposed sensitive interfaces | Limit access to sensitive interfaces over the Internet |