Tag Archives: Azure Security Center

Step-by-Step guide to Azure Policy (Preview)

Every business has regulations and compliance frameworks it must satisfy, and these differ from one industry to another. For example, a financial institution will need to comply with PCI DSS (Payment Card Industry Data Security Standard), and a healthcare provider with HIPAA (Health Insurance Portability and Accountability Act). Some of these are mandatory; others, such as ISO certifications, mainly add value to the business. Several of these regulations apply directly to computer infrastructure as well, especially where data protection and data governance are concerned.

Apart from that, most businesses have their own internal "policies" to protect the data and workloads in their infrastructure. Most of the time the end goal of these policies is to prove that the IT department has done its part to support the business compliance requirements. Microsoft offers two tools that make it easier for enterprises to meet their corporate compliance requirements within Azure environments.

1. Compliance Manager – This service helps you assess and track your compliance posture against the most common industry standards such as GDPR and ISO 27001, showing which controls Microsoft covers and which remain the customer's responsibility. I already wrote a detailed article about it: http://www.rebeladmin.com/2017/11/microsoft-compliance-manager-makes-easy-deal-compliance-challenges/

2. Azure Policy – This is for continuous compliance with the organisation's own infrastructure policies. For example, a company may require that all of its Azure resources are deployed in the West US region. With Azure Policy we can continuously evaluate resources against that rule; a non-compliant resource is flagged and, depending on the effect chosen, a non-compliant deployment is refused.

In this post we are going to look into Azure Policy and how it can help.

Azure Policy has 34 built-in policy definitions (at the time of writing). These cover the most common infrastructure management, audit and security requirements. Users can use these built-in policies or build their own.

Azure Policy definitions are JSON based. Each policy has the following elements:

mode
parameters
display name
description
policy rule
               – logical evaluation
               – effect

Mode

This defines which resource types the policy considers. There are two modes:

All – resource groups and all resource types. This is the recommended mode for policies.

Indexed – only resource types that support tags and location, so that resources which cannot be tagged or placed in a region do not show up as non-compliant under tag or location policies.

Parameters 

If you have worked with a programming language or PowerShell you already know what a parameter is, and it has the same meaning here: a named value that is supplied when the policy is assigned rather than hard-coded in the definition. One definition can therefore be reused with different values (for example a different list of allowed regions per subscription), which keeps the JSON short. The following is extracted from a policy to show parameter usage; inside the policy rule the value is referenced as [parameters('publisher')].

"parameters": {
    "publisher": {
        "type": "String",
        "metadata": {
            "description": "The publisher of the extension",
            "strongType": "type",
            "displayName": "Extension Publisher"
        }
    }
}

Display name & Description

These identify the policy. The display name is what appears in the portal; the description can be used to add more meaning, for example what the policy enforces and why.

{
    "type": "Microsoft.Authorization/policyDefinitions",
    "name": "allowed-custom-images",
    "properties": {
        "displayName": "Approved VM images",
        "description": "This policy governs the approved VM images",
        "parameters": {
            "imageIds": {
                "type": "array",
                "metadata": {
                    "description": "The list of approved VM images",
                    "displayName": "Approved VM images"
                }
            }
        }
    }
}

In the example above, "Approved VM images" is the policy display name and "This policy governs the approved VM images" is the policy description. The excerpt stops after the parameters; the policyRule element of this same definition is shown under Policy Rule below.

Policy Rule

It is the heart of the policy: an if block describes the condition using logical operators and field conditions, and a then block names the effect that is applied when the condition is true.

Under the policy rule the following logical operators are supported:

"not"
"allOf"
"anyOf"

It also accepts the following condition types:

"equals"
"notEquals"
"like"
"notLike"
"match"
"notMatch"
"contains"
"notContains"
"in"
"notIn"
"containsKey"
"notContainsKey"
"exists"

Under a policy rule, the following effects can be used:

Deny – Generates an event in the activity log and fails the request.

Audit – Generates a warning event in the activity log but does not fail the request, so non-compliant resources are reported rather than blocked.

Append – Adds the specified fields to the request (for example a required tag).

AuditIfNotExists – Audits the resource if a related resource (such as an extension or a diagnostic setting) does not exist.

DeployIfNotExists – Deploys the related resource if it does not exist (at the time of writing this is only supported in built-in policies).

Note that Deny only stops new deployments and updates. Resources that already exist when the assignment is created are reported as non-compliant but are not removed.

"policyRule": {
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
            },
            {
                "not": {
                    "field": "Microsoft.Compute/imageId",
                    "in": "[parameters('imageIds')]"
                }
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}

In the example above the if, allOf, not and then blocks are used. The rule matches any resource of type Microsoft.Compute/virtualMachines whose image id is not in the imageIds parameter list, and the then block denies the request.
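As an added example (not code from the original post or from Microsoft), here is a small Python evaluator for the rule language described above. It embeds the page's Approved VM images definition plus a constructed equivalent of the built-in Allowed Locations policy (the parameter name listOfAllowedLocations is an assumption), resolves [parameters('…')] references from an assignment, implements the logical operators and every condition type listed above with Azure's case-insensitive string comparison, honours mode indexed, and returns the effect a resource would receive. The sample resources and the convention of carrying the Microsoft.Compute/imageId alias as a flat key are constructed for the example; real Azure resolves aliases against the resource's properties itself.

```python
"""Evaluator for the Azure Policy rule language (not/allOf/anyOf plus the field conditions
listed above), run against constructed sample resources. Added example; not Microsoft's code."""
import fnmatch
import json
import re

# Constructed definitions: the image policy mirrors the page's "Approved VM images" sample; the
# location policy approximates the built-in "Allowed locations" (parameter name assumed). The
# "Microsoft.Compute/imageId" alias is kept as a flat key on the sample resources (Azure resolves it).
APPROVED_IMAGES_POLICY = json.loads('''{
 "type": "Microsoft.Authorization/policyDefinitions", "name": "allowed-custom-images",
 "properties": {"displayName": "Approved VM images", "mode": "all",
  "description": "This policy governs the approved VM images",
  "parameters": {"imageIds": {"type": "array", "metadata": {
   "description": "The list of approved VM images", "displayName": "Approved VM images"}}},
  "policyRule": {"if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    {"not": {"field": "Microsoft.Compute/imageId", "in": "[parameters('imageIds')]"}}]},
   "then": {"effect": "deny"}}}}''')
ALLOWED_LOCATIONS_POLICY = json.loads('''{
 "type": "Microsoft.Authorization/policyDefinitions", "name": "allowed-locations",
 "properties": {"displayName": "Allowed locations", "mode": "indexed",
  "parameters": {"listOfAllowedLocations": {"type": "array"}},
  "policyRule": {"if": {"allOf": [
    {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
    {"field": "location", "notEquals": "global"}]},
   "then": {"effect": "deny"}}}}''')
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
NEGATED = {"notEquals", "notLike", "notMatch", "notContains", "notIn", "notContainsKey"}

def _fold(v):  # string comparisons are case-insensitive (match/notMatch excepted)
    return v.lower() if isinstance(v, str) else v

def _match_re(p):  # match: '#' = one digit, '?' = one letter, '.' = any single character
    return re.compile("^" + "".join({"#": r"\d", "?": "[A-Za-z]", ".": "."}.get(c, re.escape(c)) for c in p) + "$")

def _contains(a, e):  # substring for strings, membership for arrays
    return _fold(e) in map(_fold, a) if isinstance(a, list) else _fold(str(e)) in _fold(str(a))

CONDITIONS = {
    "equals": lambda a, e: _fold(a) == _fold(e),
    "notEquals": lambda a, e: _fold(a) != _fold(e),
    "like": lambda a, e: fnmatch.fnmatchcase(_fold(str(a)), _fold(e)),  # '*' wildcard
    "notLike": lambda a, e: not fnmatch.fnmatchcase(_fold(str(a)), _fold(e)),
    "match": lambda a, e: _match_re(e).match(str(a)) is not None,
    "notMatch": lambda a, e: _match_re(e).match(str(a)) is None,
    "contains": _contains, "notContains": lambda a, e: not _contains(a, e),
    "in": lambda a, e: _fold(a) in map(_fold, e),
    "notIn": lambda a, e: _fold(a) not in map(_fold, e),
    "containsKey": lambda a, e: isinstance(a, dict) and _fold(e) in map(_fold, a),
    "notContainsKey": lambda a, e: not (isinstance(a, dict) and _fold(e) in map(_fold, a)),
}

def _resolve(value, params):  # "[parameters('x')]" -> the assignment's value for x
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def _lookup(resource, field):  # -> (present, value); 'tags.<name>' reaches into the tag map
    if field.startswith("tags."):
        tags = resource.get("tags") or {}
        return field[5:] in tags, tags.get(field[5:])
    return field in resource, resource.get(field)

def evaluate_condition(cond, resource, params):
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, params)
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, params) for c in cond["anyOf"])
    present, actual = _lookup(resource, cond["field"])
    if "exists" in cond:
        return present == (str(cond["exists"]).lower() == "true")
    op = next(o for o in CONDITIONS if o in cond)  # StopIteration for an unsupported condition
    if not present:  # modelled: an absent field satisfies only the negated conditions
        return op in NEGATED
    return CONDITIONS[op](actual, _resolve(cond[op], params))

def missing_parameters(policy, params):
    """Parameters declared without a defaultValue that the assignment does not supply."""
    declared = policy["properties"].get("parameters", {})
    return [p for p, s in declared.items() if p not in params and "defaultValue" not in s]

def evaluate(policy, resource, params):
    """Effect (lower-case) applied to `resource`, or None when the 'if' block does not match."""
    if missing_parameters(policy, params):
        raise ValueError(f"assignment lacks parameter(s): {missing_parameters(policy, params)}")
    props = policy["properties"]
    if props.get("mode", "all").lower() == "indexed" and "location" not in resource:
        return None  # indexed mode skips resource types without location/tags
    rule = props["policyRule"]
    return rule["then"]["effect"].lower() if evaluate_condition(rule["if"], resource, params) else None

# Constructed sample resources (every identifier is made up).
GOLDEN = "/subscriptions/s1/resourceGroups/images/providers/Microsoft.Compute/images/golden-2017-11"
VM_APPROVED = {"type": "Microsoft.Compute/virtualMachines", "name": "web01", "location": "CanadaCentral", "Microsoft.Compute/imageId": GOLDEN}
VM_ROGUE = {**VM_APPROVED, "name": "web02", "Microsoft.Compute/imageId": GOLDEN + "-hand-built"}
STORAGE_WESTUS = {"type": "Microsoft.Storage/storageAccounts", "name": "rebelsa01", "location": "westus", "tags": {"env": "prod"}}
TRAFFIC_MANAGER = {"type": "Microsoft.Network/trafficManagerProfiles", "name": "tm01", "location": "global"}

if __name__ == "__main__":  # expected: deny deny None
    print(evaluate(APPROVED_IMAGES_POLICY, VM_ROGUE, {"imageIds": [GOLDEN]}),
          evaluate(ALLOWED_LOCATIONS_POLICY, STORAGE_WESTUS, {"listOfAllowedLocations": ["canadacentral"]}),
          evaluate(ALLOWED_LOCATIONS_POLICY, TRAFFIC_MANAGER, {"listOfAllowedLocations": ["canadacentral"]}))
```

Running it shows web02 (unapproved image) and rebelsa01 (West US) being denied, while tm01 passes because the location rule excludes "global" resources; without that exception a real Allowed Locations assignment would make DNS zones and Traffic Manager profiles undeployable. evaluate also refuses an assignment that omits a parameter without a defaultValue, which is the same gap the portal's Parameters step forces you to fill in.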

More information about policy definitions and sample templates can be found at:

https://docs.microsoft.com/en-us/azure/azure-policy/policy-definition

https://docs.microsoft.com/en-us/azure/azure-policy/json-samples

Policy Initiatives 

Azure Policy also allows policies to be grouped together and applied to one scope as a unit. This is called a Policy Initiative, and it reduces the complexity of policy assignment. For example, we can create an initiative called "Infrastructure Security" and include all infrastructure-security-related policies in it, then assign and report on it as one item.

Using Azure Policy

Let's see how we can use the Azure Policy feature.

1. Log in to the Azure Portal with an account that has Owner (or Resource Policy Contributor) rights on the target subscription. The Azure AD Global Administrator role by itself does not grant permission to manage Azure resources or policy assignments.

2. Go to All Services, type Policy and click on the Policy tile.

3. This opens the Policy blade.

4. In this demo I am going to assign a built-in policy to restrict the resource region. To assign a policy, click on Assignments.

5. Then click on Assign Policy.

6. This opens the Assign Policy wizard. Click on Policy to list the available definitions and select the relevant one. In this demo I am using the built-in policy called "Allowed Locations". Select it from the list and click Select to complete the action.

7. Under Name and Description, give the assignment a name and a description that explain what it enforces.

8. Under Pricing Tier, select the pricing tier used for evaluation.

9. Scope defines where the assignment applies; here it is the subscription in use.

10. Using Exclusions we can exclude resource groups that should not be covered by the assignment. In this demo I am not excluding any.

11. Then, under Parameters, select the region(s) allowed for your resources (in this demo I am using Canada Central).

12. Finally click Assign to complete the policy assignment.

13. Now it is time for testing. In this demo I try to create a storage account in the West US region. The deployment fails with the error "There were validation errors. Click here to view details".

When I click on it, it says the deployment was not done because of a policy violation (hopefully more detail will be shown once the feature is GA).

Cool, huh? It is doing the job it is supposed to do. Since the policy effect is "deny", the request to create a resource in any other region is refused. Keep in mind that the check happens at deployment time: resources that were already in other regions before the assignment are reported as non-compliant rather than removed, and a new assignment can take some time to be picked up by the resource manager, so allow for that before testing.

Initiative Assignment

Assigning an initiative follows the same process as a policy assignment, but the initiative needs to exist first. There is only one built-in initiative at the moment.

To create an initiative:

1. Log in to the Azure Portal with the same rights as above.

2. Go to All Services, type Policy and click on the Policy tile.

3. In the Policy blade, click on Definitions.

4. Then click on Initiative definition.

5. In the new window, first select the Definition location. This is the subscription the initiative definition is stored in; the initiative can later be assigned at that scope or below it.

6. Under Name, give the initiative a name.

7. Under Category, either create a new category or select an existing one.

8. Then click on the available policies in the left-hand panel and click Add to add each one to the initiative.

9. Once that is done, click Save to complete the process.

10. The initiative can now be assigned using the Assignments | Assign Initiative option.

Create New Policy

Creating a new policy definition is similar to creating an initiative. It is done through the Definitions | Policy definition option, where the definition is supplied as JSON in the format described earlier in this post.

Apart from that, the Compliance option shows the overall compliance state of assigned policies and initiatives, and also allows policies and initiatives to be assigned from there.

This marks the end of this blog post. Hope it was useful for you. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Step-by-Step Guide to setup Just-in-Time VM Access in Azure

In most common scenarios attackers target open ports on servers to gain access: web server ports, RDP, SQL and so on. If legitimate users use the same ports to access the system, it is hard to keep those ports closed. Firewalls can restrict who reaches them, but the ports still stay open. In a public cloud the public-facing part of your infrastructure grows, because clients and administrators mostly access services over the internet, which gives attackers more time and room to target open ports.

Azure Just-in-Time VM Access is a great option to control this. For example, engineers mostly RDP into their VMs to do their work. Let's assume they work 1 hour per day on a server; keeping the port open for 24 hours then adds risk without any benefit. Using Just-in-Time VM Access we can limit the time the RDP port stays open.

When Just-in-Time VM Access is enabled, we define which VMs and which ports are controlled. In most scenarios you do not need to control access to the ports used by your applications or services; it is more for ports related to management tasks (RDP, SSH, WinRM). This is all done with Azure network security group (NSG) rules. You can find more about NSGs at https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-nsg

When a user requests access to a protected port on such a VM, Security Center first checks, using Azure Role-Based Access Control (RBAC), whether the user has permission to request access to that VM. If so, it automatically adds an NSG rule that allows traffic from the requested source to the requested port for the requested time. Once the time limit is reached, the NSG is reverted to its original state. Note that this only closes the door to new connections; it does not make the VM any less vulnerable while the port is open, so patching and strong authentication on the management service still matter.

This feature is still in preview, but it is not too early to check its capabilities. Also, it can only be used with VMs created through Azure Resource Manager (ARM), not classic VMs.
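The request flow just described, as an added example in Python (not Security Center's code): a per-VM JIT policy, an RBAC check on the caller, validation of the request against the policy (port covered, duration within Max request time, source within the allowed range), the temporary NSG allow rule that an approval creates, NSG evaluation in priority order, and the revert when the window expires. All names, timestamps, IP ranges, the RBAC action string used for initiating JIT access and the rule priority scheme are assumptions made for the example.

```python
"""Model of the Just-in-Time VM access flow: a per-VM JIT policy, a request checked
against RBAC and that policy, the time-bound NSG allow rule an approval creates, and NSG
evaluation of inbound traffic at a point in time. Added example, not Security Center's
code; names, the rule priority scheme and the 'initiate' RBAC action are assumptions."""
import fnmatch
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional

INITIATE_ACTION = "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action"
T0 = datetime(2017, 12, 1, 9, 0, tzinfo=timezone.utc)  # constructed request time

@dataclass
class JitPort:
    number: int
    protocol: str = "*"               # "TCP", "UDP" or "*" (Any)
    allowed_sources: tuple = ("*",)   # "*" = per request (the caller's IP), else CIDRs
    max_request_hours: int = 3        # the portal's default, as on the page

@dataclass
class NsgRule:
    name: str
    priority: int              # lower number evaluates first; first match decides
    access: str                # "Allow" or "Deny"
    protocol: str              # "TCP", "UDP" or "*"
    port: Optional[int]        # None = any destination port
    source: str                # CIDR or "*"
    expires: Optional[datetime] = None

    def matches(self, src_ip, port, protocol):
        return ((self.protocol == "*" or self.protocol.upper() == protocol.upper())
                and (self.port is None or self.port == port)
                and (self.source == "*" or ip_address(src_ip) in ip_network(self.source)))

@dataclass
class Nsg:
    rules: List[NsgRule] = field(default_factory=lambda: [  # Azure's final catch-all deny
        NsgRule("DenyAllInBound", 65500, "Deny", "*", None, "*")])

    def allows(self, src_ip, port, protocol="TCP"):
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.matches(src_ip, port, protocol):
                return rule.access == "Allow"
        return False

    def revert_expired(self, now):
        """What Security Center does when the window ends: remove the JIT rules."""
        self.rules = [r for r in self.rules if r.expires is None or r.expires > now]

def has_permission(granted_actions, wanted):
    """Azure RBAC style check: a granted action may contain '*' wildcards."""
    return any(fnmatch.fnmatchcase(wanted, a) for a in granted_actions)

def request_access(policy, nsg, granted_actions, port, src_ip, hours, now, protocol="TCP"):
    """Validate a JIT request; on success add the time-bound allow rule and return it."""
    if not has_permission(granted_actions, INITIATE_ACTION):
        raise PermissionError("caller may not request JIT access to this VM")
    port_policy = next((p for p in policy if p.number == port), None)
    if port_policy is None:
        raise ValueError(f"port {port} is not covered by the JIT policy")
    if not 0 < hours <= port_policy.max_request_hours:
        raise ValueError(f"{hours}h exceeds the {port_policy.max_request_hours}h maximum")
    if "*" not in port_policy.allowed_sources and not any(
            ip_address(src_ip) in ip_network(c) for c in port_policy.allowed_sources):
        raise ValueError(f"{src_ip} is outside the allowed source ranges")
    # Placed ahead of every existing rule so it wins over a standing deny, and pinned to
    # the requester's address: opening the port to 0.0.0.0/0 would defeat the point of JIT.
    rule = NsgRule(f"SecurityCenter-JITRule_{port}", min(100, min(r.priority for r in nsg.rules) - 1),
                   "Allow", protocol, port, f"{src_ip}/32", expires=now + timedelta(hours=hours))
    nsg.rules.append(rule)
    return rule

def try_request(*args, **kwargs):
    """Return the new rule, or the exception class name when the request is refused."""
    try:
        return request_access(*args, **kwargs)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__

# Constructed scenario from the page: RDP limited to 1 hour, plus a custom port 8080 that
# only a management range may open; the role action lists are made up.
POLICY = [JitPort(3389, "TCP", ("*",), max_request_hours=1),
          JitPort(8080, "TCP", ("198.51.100.0/24",), max_request_hours=2)]
ADMIN = ["Microsoft.Compute/virtualMachines/read", "Microsoft.Security/*"]

def demo():
    """One RDP window: (closed before, open during, closed for other IPs, closed after)."""
    nsg = Nsg()
    before = nsg.allows("203.0.113.10", 3389)
    request_access(POLICY, nsg, ADMIN, 3389, "203.0.113.10", 1, T0)
    during = nsg.allows("203.0.113.10", 3389)
    other_ip = nsg.allows("203.0.113.99", 3389)
    nsg.revert_expired(T0 + timedelta(hours=1, minutes=1))
    after = nsg.allows("203.0.113.10", 3389)
    return before, during, other_ip, after

if __name__ == "__main__":
    print(demo())  # (False, True, False, False)
```

demo() walks the page's scenario with RDP limited to 1 hour: the port is closed before the request, open only for the requesting address during the window, and closed again once revert_expired runs at the end of the hour. The source address is pinned to the requester deliberately; a JIT rule that allowed any source would simply reopen the port on a timer, and the same goes for a request that asks for more hours than the policy's Max request time, which request_access refuses.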

Configuration

1. Log in to the Azure Portal with an account that has Security Admin or Owner rights on the subscription. The Azure AD Global Administrator role by itself does not grant access to Azure resources.

2. Go to Security Center > Just-In-Time VM Access.

3. This loads the default page.

4. Click on the Recommended tab. It lists the VMs that are not yet protected.

5. To enable JIT access, tick the VM you want to protect and click Enable JIT on selected VMs. You can do this for multiple VMs at the same time.

6. The default set of ports protected by JIT is then listed; these are management ports such as 22, 3389, 5985 and 5986.

7. These settings can be adjusted. For example, I need to limit the Max request time for port 3389 (RDP) to 1 hour; by default it is 3 hours. To do that, click on the rule for 3389, change the Max request time value to 1 hour and click OK to apply the change.

8. In the next window we can see the new value; click Save to save the configuration.

9. We can also add our own ports to the protection. Let's assume we need to protect access to port 8080. To do that, click Add in the access configuration page.

10. Then type the port details in the window. Under Protocol select TCP, UDP or Any as required. Under Allowed source IPs, access can be limited to the IP of each request or to a specific IP range. Max request time limits the hours; the minimum we can select is 1 hour. Click OK once the changes are done.

11. Then click Save to save the configuration.

12. Back on the feature home page, the protected VM now appears under the Configured tab.

13. The current configuration can be changed later using the Edit option.

14. Configuration is done; let's test it. According to my configuration the RDP port is protected. To request access, tick the VM and click Request access.

15. In the next window I only request access to the RDP port. Select the correct rule, set its toggle to On, then click Open Ports.

16. The feature home page then shows 1 approved request.

17. Yes, I can now access the server via RDP for 1 hour.

18. After one hour I can no longer initiate a new RDP connection. Past requests can be reviewed in the Activity log, which is also where to look when investigating who opened a port, from where and when.

This marks the end of this blog post. Hope you now have a better understanding of what JIT VM access is and how to use it. If you have any questions feel free to contact me on rebeladm@live.com and follow me on twitter @rebeladm to get updates about new blog posts.

Get Started with Azure Security Center

Whenever we talk about cloud, one of the main questions customers still ask is "what about security?". The Azure cloud is built using the SDL (Security Development Lifecycle), from initial planning to product launch, and Microsoft continuously applies measures and safeguards to protect the infrastructure and customer data. You can find details about Azure security at https://www.microsoft.com/en-us/TrustCenter/Security/AzureSecurity

Microsoft released Azure Security Center to let you prevent, detect and respond to threats against your Azure resources with more visibility. Depending on your requirements, different policies can be applied to different resource groups.

Azure Security Center capabilities focus on three areas (https://azure.microsoft.com/en-us/documentation/articles/security-center-intro/):

Prevent

·  Monitors the security state of your Azure resources
·  Defines policies for your Azure subscriptions and resource groups based on your company’s security requirements, the types of applications that you use, and the sensitivity of your data
·  Uses policy-driven security recommendations to guide service owners through the process of implementing needed controls
·  Rapidly deploys security services and appliances from Microsoft and partners

Detect

·  Automatically collects and analyzes security data from your Azure resources, the network, and partner solutions like antimalware programs and firewalls
·  Leverages global threat intelligence from Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC), and external feeds
·  Applies advanced analytics, including machine learning and behavioral analysis

Respond

·  Provides prioritized security incidents/alerts
·  Offers insights into the source of the attack and impacted resources
·  Suggests ways to stop the current attack and help prevent future attacks

Azure Security Center is currently in preview, but it is still worth trying to see its capabilities.
Let's see how we can enable it and start using it.

1)    You need a valid Azure subscription and an account with Owner or Security Admin rights on it (the Azure AD Global Administrator role by itself does not grant access to Azure resources).
2)    Go to Browse and type "security"; Security Center appears in the list. Click on it to start.

3)    The main window is shown.

4)    If something is red, it is not right :) To start with, let's click on Virtual machines.

5)    As we can see, data collection is off. We need data collected from the VMs to detect problems, so let's enable data collection.
6)    Click on the Policy tile to load the policy page. As we can see, data collection is off. Click on the policy.

7)    Click On, then click Save.

8)    After that we can see recommendations based on the collected data and the security policy. Follow each recommendation to fix the issue it reports.


How to apply custom policy for the different resources?

1)    By default the default prevention policy is inherited by all resource groups, but we can apply a custom policy where a group needs different settings. To start, click on the Policy tile again and click the arrow next to the policy to list the resource groups; as we can see, the security policy is inherited.

2)    To change this, click on the resource group to select it and, in the next blade, set Inherit policy to "Unique" and click Save.

3)    After saving, click on Prevention policy.

4)    There you can change the policy settings; click OK to apply them.

5)    These settings are now unique to that resource group.

Enable Email Notifications

You can enable notifications in Azure Security Center so that you are notified when issues are detected. This currently runs with limited features:
it can only be enabled on the default prevention policy.

sec14

Hope this article helps, and if you have any questions feel free to contact me on rebeladm@live.com