Cloudflare Zero Trust Network In a Cloudflare Zero Trust Network account there are some settings and services that can be configured. In this page we are going to analyze the security related settings of each section:
Analytics
Useful to get to know the environment
Gateway
In Policies restrict by DNS , network or HTTP request who can access applications.
If used, policies could be created to restrict the access to malicious sites.
This is only relevant if a gateway is being used , if not, there is no reason to create defensive policies.
Access
Applications
On each application:
Check who can access to the application in the Policies and check that only the users that need access to the application can access.
To allow access Access Groups additional rules can be set also)
Check the available identity providers and make sure they aren't too open
In Settings
Check CORS isn't enabled (if it's enabled, check it's secure and it isn't allowing everything)
Cookies should have Strict Same-Site attribute, HTTP Only and binding cookie should be enabled if the application is HTTP.
Access Groups
Check that the access groups generated are correctly restricted to the users they should allow.
It's specially important to check that the default access group isn't very open (it's not allowing too many people ) as by default anyone in that group is going to be able to access applications .
Note that it's possible to give access to EVERYONE and other very open policies that aren't recommended unless 100% necessary.
Service Auth
Check that all service tokens expires in 1 year or less
Tunnels
TODO
My Team
TODO
Logs
You could search for unexpected actions from users
Settings
It's possible to see the credits card owner name , last 4 digits , expiration date and address
It's recommended to add a User Seat Expiration to remove users that doesn't really use this service
