How Securely Configured Is Your Azure Cloud Environment?
Microsoft Azure adoption is growing rapidly as companies move production workloads to the cloud. With so many organisations arriving on the platform, there is a corresponding need for clear guidance on configuring Azure resources securely.
In this article we’re going to talk about some of the more important best practices to keep in mind when setting up, configuring, and maintaining an Azure cloud environment. We’ll stick to the basics for this one, intended mostly for Azure newcomers.
Six Critical Best Practices For Secure Azure Configuration
1 – Turn on system monitors and data collection with automatic provisioning.
With ‘data collection’ set to On, Azure Security Center automatically provisions the Microsoft Monitoring Agent on all of your Azure virtual machines. The agent streams security events and configuration data back to Security Center, which is what produces alerts for suspicious activity, notices about missing system updates, and the raw data you need when you’re hunting for problems in your configuration. Without the agent, a VM is effectively invisible to most of the recommendations that follow.
While you’re at it, also turn on the ‘system updates’ and ‘OS vulnerabilities’ recommendations. These report missing patches and flag misconfigurations in the operating system of your VMs that could be opening up security holes.
2 – Turn on endpoint protection and the firewall recommendations
‘Endpoint protection’ checks that your Windows VMs are running anti-malware, while the ‘web application firewall’ recommendation protects HTTP applications against common attacks such as SQL injection and cross-site scripting. You should have a WAF in front of anything you expose on port 80/443; note that a WAF only inspects HTTP traffic and is not a substitute for restricting other ports in your network security groups. Also consider the ‘next generation firewall’ recommendation, which deploys a partner firewall as a network virtual appliance to add inspection beyond what network security groups alone can do.
3 – Turn on data encryption
Make sure you fully understand encryption in Azure. The settings you’re looking for here are ‘disk encryption,’ ‘storage encryption,’ and ‘SQL encryption.’ There’s very little reason to ever not have encryption enabled. Disk encryption (Azure Disk Encryption, using BitLocker or dm-crypt with keys held in Azure Key Vault) protects the OS and data disks of virtual machines at rest, while storage encryption protects stored data such as Azure Blobs; storage service encryption is now on by default for every storage account, so the main thing to verify is who controls the keys. SQL encryption (Transparent Data Encryption) doesn’t only protect the main database, it also covers backups and transaction logs, which are the copies most likely to leak. Keep in mind that all three are at-rest controls: they stop someone who obtains the underlying disks, snapshots or backup files, not someone who logs in with a valid account.
4 – Enable multi-factor authentication for everyone, and don’t allow it to be bypassed
As we discussed in a previous article about the Gentoo Linux hack, multi-factor authentication is a must-have for any mission-critical systems. Consider two factors to be the minimum, and you might even think about requiring a third for the highest-level admin access. This should also extend to requiring a second factor for password changes, for obvious reasons: otherwise a phished password is all an attacker needs to rotate the password and lock the legitimate owner out.
Accordingly, be careful with ‘allow users to remember multi-factor authentication on devices they trust’. It suppresses the MFA prompt on that device for a configurable number of days, so a stolen or unlocked device carries the second factor with it, which largely defeats the purpose of MFA. If you need to balance security with usability, do it with risk-based (conditional access) decisions that consider the location, the device and the user, rather than with a blanket exemption.
Finally, on the subject, double-check that ‘number of days before users are asked to reconfirm their authentication information’ is set to a number greater than zero. If it’s zero, users are never asked to re-confirm, and stale phone numbers or e-mail addresses will silently break self-service password reset or, worse, route reset codes to a number someone else now owns.
5 – Disable the following user permissions
There’s a laundry list of permissions that regular users and/or guests can hold, many of them enabled by default, which should be reserved for higher-level admins. These include:
‘Users can consent to apps accessing company data on their behalf’
‘Users can add gallery apps to their Access Panel’
‘Users can register applications’
‘Members can invite’
‘Guests can invite’ (Seriously, why is this even an option?)
‘Self service group management’
‘Users can create security groups’
‘Users can create Office 365 groups’
‘Users can manage Office 365 groups’
‘Users who can manage security groups’
All of these should be set to ‘no’, ‘none’ or zero as appropriate. Expect some friction: disabling application registration and self-service consent means developers must go through an admin, which is exactly the point, but plan the approval path before you flip the switch.
6 – Network functions you should disable unless you have a really good reason
Finally, there are some network functions that should be disabled unless you know what you’re doing and have a very clear reason for it.
Don’t expose RDP to the Internet. Remote Desktop Protocol on port 3389 is a constant target for password brute-forcing, and once an attacker is on one VM, the rest of your cloud network is within reach. SSH on port 22 should be kept off the Internet for the same reason. If administrators need interactive access, reach the VMs through a VPN or jump host, use Security Center’s just-in-time VM access to open the port only for a limited time and source address, or at minimum restrict the rule’s source to specific admin IPs. Also, globally deny Telnet (port 23) in your network security groups; Telnet sends credentials in cleartext, so only enable it on a case-by-case, per-IP basis if a specific device genuinely cannot use anything else. Remember that an NSG rule whose source is ‘*’, ‘Internet’ or 0.0.0.0/0 means exactly that: anyone.
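To make the network points from items 2 and 6 concrete, here is an added example (written for this page; it is not AuditWolf’s code and not an Azure SDK call) that audits a network security group offline. It takes the NSG in the shape the Azure Resource Manager API returns (properties.securityRules with priority, direction, access, protocol, sourceAddressPrefix(es) and destinationPortRange(s)), simulates how Azure evaluates inbound rules for a packet arriving from an arbitrary Internet address, and reports which management ports (RDP, SSH, Telnet) and web ports (80/443, which should sit behind the WAF) are reachable. The sample NSG is constructed for the demonstration, and the function names are the example’s own; only the ARM property names are real.

```python
"""Audit an Azure NSG, given in ARM JSON shape, for management and web ports
reachable from the Internet. Added example; the sample NSG is constructed."""
import copy

MGMT_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}   # never Internet-facing
WEB_PORTS = {80: "HTTP", 443: "HTTPS"}               # acceptable only behind a WAF
# Source specs that match any public address ("Internet" is the Azure service tag).
ANY_INTERNET = {"*", "internet", "0.0.0.0/0", "any"}


def _port_ranges(specs):
    """Parse NSG port specs ("*", "3389", "3000-4000") into (lo, hi) tuples."""
    ranges = []
    for spec in specs:
        spec = spec.strip()
        if spec == "*":
            ranges.append((0, 65535))
        elif "-" in spec:
            lo, hi = spec.split("-", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(spec), int(spec)))
    return ranges


def _rule_fields(rule):
    """Return (properties, port specs, source prefixes) for an ARM-style rule."""
    props = rule["properties"]
    ports = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    srcs = props.get("sourceAddressPrefixes") or [props.get("sourceAddressPrefix", "*")]
    return props, ports, srcs


def effective_access(nsg, port, protocol="Tcp"):
    """Simulate Azure's evaluation of an inbound packet from an arbitrary Internet
    address to `port`: rules run in ascending priority and the first match wins.
    A rule limited to a specific source prefix does not match an arbitrary host,
    so it is skipped. With no match the platform's DenyAllInBound (65500) applies.
    Returns (access, rule_name)."""
    rules = sorted(nsg["properties"]["securityRules"],
                   key=lambda r: r["properties"]["priority"])
    for rule in rules:
        props, ports, srcs = _rule_fields(rule)
        if props["direction"] != "Inbound" or props["protocol"] not in ("*", protocol):
            continue
        if not any(s.strip().lower() in ANY_INTERNET for s in srcs):
            continue
        if not any(lo <= port <= hi for lo, hi in _port_ranges(ports)):
            continue
        return props["access"], rule["name"]
    return "Deny", "DenyAllInBound"


def audit_nsg(nsg):
    """Return a finding for every watched port that any Internet host can reach."""
    findings = []
    for port, service in {**MGMT_PORTS, **WEB_PORTS}.items():
        access, rule = effective_access(nsg, port)
        if access != "Allow":
            continue
        mgmt = port in MGMT_PORTS
        findings.append({
            "port": port, "service": service, "rule": rule,
            "severity": "high" if mgmt else "medium",
            "advice": ("remove the rule or restrict its source to known admin addresses"
                       if mgmt else "put a web application firewall in front of it"),
        })
    return findings


def restrict_source(nsg, rule_name, allowed_prefixes):
    """Copy of `nsg` with `rule_name` narrowed to `allowed_prefixes`: the
    case-by-case, per-IP access the article recommends instead of '*'."""
    hardened = copy.deepcopy(nsg)
    for rule in hardened["properties"]["securityRules"]:
        if rule["name"] == rule_name:
            rule["properties"].pop("sourceAddressPrefix", None)
            rule["properties"]["sourceAddressPrefixes"] = list(allowed_prefixes)
    return hardened


def _rule(name, priority, access, protocol, source, ports):
    """Build a constructed ARM-style inbound rule for the sample below."""
    props = {"priority": priority, "direction": "Inbound", "access": access,
             "protocol": protocol, "sourceAddressPrefix": source,
             "sourcePortRange": "*", "destinationAddressPrefix": "*"}
    props["destinationPortRanges" if isinstance(ports, list) else "destinationPortRange"] = ports
    return {"name": name, "properties": props}


# Constructed sample: one sensible rule, several dangerous ones.
SAMPLE_NSG = {"name": "web-tier-nsg", "properties": {"securityRules": [
    _rule("allow-rdp-anywhere", 100, "Allow", "Tcp", "*", "3389"),
    _rule("allow-ssh-office", 110, "Allow", "Tcp", "203.0.113.0/24", "22"),
    _rule("allow-web", 120, "Allow", "Tcp", "Internet", ["80", "443"]),
    _rule("deny-telnet", 130, "Deny", "Tcp", "*", "23"),
    _rule("allow-legacy-range", 200, "Allow", "*", "Internet", "20-30"),  # hides SSH
]}}

if __name__ == "__main__":
    for f in audit_nsg(SAMPLE_NSG):
        print(f"[{f['severity']}] {f['service']}/{f['port']} open to the Internet "
              f"via rule '{f['rule']}': {f['advice']}")
    fixed = restrict_source(SAMPLE_NSG, "allow-rdp-anywhere", ["203.0.113.10/32"])
    print("RDP after restricting the source:", effective_access(fixed, 3389))
```

Two things in the sample are worth noticing. The office-only SSH rule looks fine on its own, but the lower-priority ‘allow-legacy-range’ rule with a 20-30 port range and an Internet source still exposes port 22, which is why the audit simulates the whole rule chain instead of grepping for ‘22’. The explicit Telnet deny at priority 130 beats that same range rule, which is the pattern the article recommends: a global deny, with any per-IP exception added as a narrower, higher-priority allow. The `restrict_source` call shows the fix for the RDP rule; the same audit run on the hardened copy no longer reports 3389.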
AuditWolf Can Streamline Your Azure Security Configuration And Oversight
AuditWolf is here to help your business easily adopt Azure services, while remaining entirely confident in your Azure security and configuration setup. Our platform makes cloud configuration management easier to adjust to and is designed with non-experts in mind, allowing anyone to make the most of Azure without compromising themselves or their partners.