Azure AD Connect Overview #CloudScribblings

The Azure AD Connect synchronization service is used to synchronize identity data between your on-premise environment and Azure Active Directory.
There are two components for this service

• Azure AD Connect sync component – This is installed on the on-premise environment, recommended to be installed on a domain joined separate server and not on AD server directly.
• Azure AD Connect sync service – This service runs in Azure AD.

Prerequisites for Configuring the Azure AD connect.

• An Azure AD tenant
• You need to add and verify your domain in Azure AD
• The Azure AD Connect sync component must be installed on a Windows Server 2012 Standard or later (On-Premises). The server must have the full GUI installed. The server must be domain joined.Recommended no to install in the AD DC server directly.

The Azure AD Connect sync component requires a SQL Server database for storing identity data. By default , the installation of Azure AD Connect will install SQL Server 2012 Express LocalDB.During the configuration of the Azure AD Connect sync component, you need to use the following accounts and permissions.

• Azure AD Global Administrator account for the Azure AD tenant. The account should be a school or organization account and cannot be a Microsoft account
• An Enterprise Administrator account for the on-premise Active Directory
• The Azure AD Connect server needs DNS resolution for both intranet and internet. The DNS server must be able to resolve names both to your on-premises Active Directory and the Azure AD endpoints. When a user try to authenticate, the sign in page will be redirected to the On-Premises URL, based on your configuration.

There are two methods to connect your on-premise AD with the Azure AD.
Password Hash Synchronization
Here Azure AD Connect synchronizes a hash, of the hash, of a users password from an on-premises Active Directory instance to a cloud-based Azure AD instance.
The advantage is that you only need to maintain one password for both authentication in your on-premise environments and in the cloud.If a user change his/her password on the On-premise AD, the password will be synced onto Azure AD. But the reverse will not happen.
Pass-through Authentication
This is kind of similar to password hash synchronization, but here the users’ passwords is directly validated against the on-premise Active Directory. Means, when a user try to authenticate, the authentication request will be sent to the on-premise Active directory.
Password Write-Back
Password write-back is a feature enabled with Azure AD Connect that allows password changes in the cloud to be written back to an existing on-premises directory in real time. In this configuration, as users change or reset their passwords using Self Service Password Reset (SSPR) in the cloud, the updated passwords also written back to the on-premises AD DS environment. This can be configured along with Password Hash Synchronization & Pass-through Authentication if required.

Read More

Azure Active Directory Identity Protection #CloudScribblings

Azure Active Directory Identity Protection is used to ,

1. Automate the detection of any identity-based risks.
   
2. It can also be used to investigate any risks to using reports data in the portal
3. It can be used to expose risk detection data to third-party utilities for further analysis.
4. Also possible to auto remediate the risks
   

To use this feature fully fledged, Azure AD Premium P2 license is required.
The tool can detect the following risk factors,
Leaked credentials - If a user's credentials are leaked , AD Identity protection can get the intelligence and block the access.
Sign-ins from anonymous IP addresses - These are user sign-ins that are originated from an IP address that has been identified as an anonymous proxy IP address or VPN.
Logins from atypical locations - User sign-in occurs from geographically distant locations, where at least one of the locations may also be atypical for the user. For example, the user is login from New York and in the next hour another login request from New Delhi (Which is impossible to travel in one hour) for the same user.
Sign-in from unfamiliar locations - This processes uses the prior sign-ins of the user to detect unusual locations for new sign-ins from the user.
Sign-ins from infected devices/IP - Identifies any sign-ins that happens from devices infected with malware or Malware related IP Addresses.
Sign-ins from IP addresses with suspicious activity - Identifies the IP addresses from which a high number of failed sign-in attempts happens across multiple user accounts over a short period of time.

Read More

Application Registration in Azure Active Directory #CloudScribblings

When you register an application in Azure AD , you need to specify the application details and the permission details that the application should have when it access the Azure Services.
The application can authenticate through the Microsoft Identity platform. The Microsoft Identity platform uses OAuth 2.0 authorization service that enables a third-party application to access web-hosted resources. Once the application object is registered in Azure AD, it is called as a service principle.
When you register an application in Azure AD, you need to keep note of two things.
1) Application or Client Identity.
2) Directory or Tenant ID.

These ID's are automatically generated during the application registration. Normally, these two information are required to be specified at the application end.
After the registration, you may required to generate a client secret and that can be done from the AD -> Certificates & Secrets section. Note that once the secret is generated, you must copy the code somewhere secure (for example, your key vault). The moment you leaves the Certificates & Secrets page, you won't be able to see the generated secret again.
The final things that you may need to perform during the application registration process is, Configuring the API permission. (Under AD-> API permissions)
The Microsoft Identity platform supports the following permission types
Delegated permissions - Use this option when the applications have a signed-in user. The application is then delegated permissions to act on behalf of the signed-in user to make calls to a target resource.
Application permissions - These are applications that run without a signed-in user.

Finally, Grant Admin consent after creating the permission.

These are the major tasks that's needs to be performed in the Azure cloud, for registering an application in Azure Active Directory.

Read More

Azure Active Directory User Source of Authority (SoA) #cloudscribblings

Source of Authority (SoA) describes where the user is primarily defined. This can be classified in to four categories. A user can be defined in,

1) Azure Active Directory
This is a native cloud user account also known a member.
2) External Azure Active Directory
Invited user from another azure tenant. If you invite a user from another tenant to your tenant, the user's SoA will be External Azure Active Directory.
3) Microsoft Account
A person who creates the subscription (Subscription owner) with a Microsoft account (live, hotmail etc) will have the SoA of Microsoft Account.
4) Local Active Directory
Synchronized user accounts with an on-premises Active directory will have the SoA of Local Active Directory.

Read More

Azure Active Directory User Types #cloudscribblings

Azure Active Directory has two types of Users.

1) Member
A member is a normal cloud user. An Active Directory member can read all directory information and can invite external users. They can also manage their own profile information and can register applications in the AD.
2) Guest
Restricted user  who can manage only their own profile data. Cannot browse the directory and cannot register applications in the AD.

Read More

ESXi 6.x Custom Firewall Ruleset Creation

As you may all know, the ESXi host comes with an inbuild firewall similar to firewalld in Linux or Windows inbuilt Firewall and the ESXi firewall is enabled by default.

You can configure incoming and outgoing firewall connections for a service or a management agent from the vSphere Client or at the command line. But to define a custom firewall port for a service needs to be performed at the command line.

This article will help you to create a custom firewall ruleset in ESXi 6.x for any service. Here we take an Example of Syslog. You can refer the below article to know how to configure the syslog in ESXi which leverage the default syslog ports (TCP/UDP 514, 1514) as seen below.

https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.esxi.upgrade.doc/GUID-9F67DB52-F469-451F-B6C8-DAE8D95976E7.html

-- Important point to remember that once you specify a custom port number in the above config, the logs will not be sent via the port until you create the ESXi custom firewall rule set.

 Syslog Service

Default Firewall Rule set for Syslog

Note- Each ESXi Service is tied to a firewall rule-set and when the service is started the rule-set gets enabled by default and there is no option in GUI to change the default Ports in the firewall rule set.

Why would you want to configure custom port?? It depends on several factors such as Security requirements or Syslog Log Collection Server requirements etc.

 

Set the syslog details in ESXi before creating the customer rule-set for it.

We can set the syslog details either via GUI (syslog.global.loghost) or command line as below:

In the above example, we use the port UDP 22222 as the custom port for syslog and syslog server IP as 192.168.5.5

Note: *The Port has to be configured & listening in the destination server *The Port has to be Allowed in the Network Firewall (if any)

To Set a Custom firewall Rule Set

Few important ESXi firewall commands can be found in the reference link listed at the last.

1.      Login to and browse to the ESXi firewall configuration location and perform a backup of the config.

$ cd /etc/vmware/firewall/

$ cp service.xml service.xml.bak        

      -- service.xml is the firewall config file

2.      No changes are allowed to the “service.xml” file by default only Read access. To enable access permissions, perform the below commands.

$ chmod 644 /etc/vmware/firewall/service.xml    -- To enable write Access

$ chmod +t /etc/vmware/firewall/service.xml       -- To toggle the sticky bit flag (This ensures only the file owner (root) user can modify the file permissions)

Above shows “Operation not permitted” Error, because by default the Firewall is Enabled and Loaded. Hence, disable and unload the firewall first as per Step 3 and perform step 2 again.

3.      To Disable the Firewall & Unload, run below

            $ esxcli network firewall set --enabled false

$ esxcli network firewall unload

4.      Perform Step 2 again to enable write permission to the file.

5.      Open the File in VI Editor to add the custom Rule set. Press “i” to insert and scroll to the bottom to add the new rule set.

6.      Add the below at the bottom of the configuration and save the file.

  <service id="increment the service id by 1 of the last entry">                

    <id>CustomSyslog</id>     

    <rule id='0000'>          

      <direction>outbound</direction>

      <protocol>udp</protocol>

      <porttype>dst</porttype>

      <port>22222</port>      

    </rule> 

    <enabled>true</enabled>

    <required>true</required>

  </service>          

Once saved, change back the permissions for the file to read only

$ chmod 444 /etc/vmware/firewall/service.xml

$ chmod -t /etc/vmware/firewall/service.xml

8.      Then Load the firewall and enable it.

$ esxcli network firewall load

$ esxcli network firewall set --enabled true

$ esxcli network firewall refresh

9.      You can view the new custom RuleSet created in the Firewall list in Gui and command-line as below:

 $ esxcli network firewall get

       $ esxcli network firewall ruleset list | grep -I “syslog”

You will see the new Custom Rule set named “CustomSyslog” is added with outgoing port set to UDP 22222

 Note: This article is written based on ESXi version 6.x

Reference

https://kb.vmware.com/s/article/2008226  

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.esxi.upgrade.doc/GUID-9F67DB52-F469-451F-B6C8-DAE8D95976E7.html

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-8912DD42-C6EA-4299-9B10-5F3AEA52C605.html

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-7A8BEFC8-BF86-49B5-AE2D-E400AAD81BA3.html#GUID-7A8BEFC8-BF86-49B5-AE2D-E400AAD81BA3

https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.troubleshooting.doc%2FGUID-54AFB94B-75DE-4895-B1BF-EE498F92B717.html

 

Read More

Mizrosoft Azure Services #Index

Microsoft Azure Services and Resources #Index

Compute - Virtual machines, virtual machine scale sets, app services

Networking - virtual networks, load balancer, VPN gateway, application gateway, content delivery network
Storage - Blog, disk, file, archive storage and Azure Files
Databases - Cosmos DB, SQL Database, database migration service, SQL Data Warehouse
IoT - IoT Central, IoT Hub
Big Data - HDInsight, Data Lake Analytics
AI - Azure Machine Learning Service, Azure Machine Learning Studio
Serverless - Azure Functions, Logic Apps
Identity services - identity concepts, Azure Active Directory, Multi Factor Authentication concepts
Security products - including both the Azure Security Center, Information Protection, Advanced Threat Protection and security features in the product groups above, like Network Security Groups
Governance - including Policy and Role Based Access Control, but also compliance and privacy concepts.
Monitoring - Azure Monitor and Service Health
Azure tools - like Azure Resource Manager, Azure CLI, Cloud Shell and PowerShell

Azure Blueprints
    This is a service that allows you to define a repeatable set of Azure resources.The definition of the Azure resources can adhere to an organization’s standards, patterns and requirements.Using blueprints , you can orchestrate the deployment of resources such as role assignments, policy assignments, Azure resource manager templates and resource groups.You can use blueprints to upgrade several subscriptions at once .
    
Azure Security Center

•     This is an infrastructure security management system.
•     You can use this tool to improve the security of your Azure based resources and on-premise resources as well.
•     Azure Security Center has in-built support for services such as Azure virtual machines , Function Apps, Azure SQL Server databases.
•     You can also allow Azure Security Center to give recommendations on what to do for on-premise Windows and Linux servers.
•     On these servers, you need to ensure you install the Microsoft Monitoring agent.
•     This service also helps detect and prevent threats at an Infrastructure layer

Azure AD Identity Protection
This is a service that can help detect suspicious actions related to user identities and add more security to the sign-ins to your Azure AD Account.

It can help in detecting the following,

•     Users with leaked credentials
•     Sign-ins from anonymous IP addresses
•     Sign-ins from infected devices
•     Sign-ins from IP addresses with suspicious activity
•     Sign-ins from unfamiliar locations
•     Impossible travel to atypical locations

Azure AD Privileged Identity Management
This is a service that can help manage, control and monitor access to important resources in your organization. With this service, you can provide just-in-time privileged access to Azure AD and Azure resources.

•     Provide time-bound access to resources using start and end dates.
•     Enforce multi-factor authentication to activate any role.
•     Get notifications when privileged roles are activated.
•     Conduct access reviews to ensure users still require the roles.

Read More

Difference between GibiBytes (GiB) and Gigabytes (GB)

GibiBytes is a unit of data. One GiB is approximately 1.074 GB. [One gibibyte is equal to 1073741824bytes = 1024 mebibytes]. Azure virtual disk sizes are measured in Gibibytes (GiB), which are not the same as Gigabytes (GB). Therefore, to obtain an approximate equivalent of your virtual disk size in GB, multiply the size in GiB by 1.074, and that will return a size in GB. For example, 32,767 GiB would be approximately 35,183 GB.

Whereas a Gigabyte is an another unit of data storage capacity, is approximately 1024 Mega Bytes (MB). Normal storage disks uses Gigabyte (GB) terminology to represent the storage capacity.

Read More

Difference between Azure management groups, Subscriptions and Resource groups

image courtesy : https://docs.microsoft.com

Azure management groups help you manage your Azure subscriptions by grouping them together. If your organization has many subscriptions, you might need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions.

Azure subscriptions help you organize access to Azure resources and determine how resource usage is reported, billed, and paid for. Each subscription can have a different billing and payment setup, so you can have different subscriptions and plans by office, department, project, and so on.

Resource groups are containers that hold related resources for an Azure solution. A resource group includes those resources that you want to manage as a group. You decide which resources belong in a resource group based on what makes the most sense for your organization.

reference : https://docs.microsoft.com

Read More

Hardening your Azure cloud platform and best practices.

A quick reference on Azure Cloud platform security baseline based on CIS.

Baseline security checklist for commonly used Azure services. Please fast forward towards the end of this post, if you are looking for the CIS Microsoft Azure Foundations Security Benchmark

• Turn on Azure Security Center - it's free - Upgrade your Azure subscription to Azure Security Center Standard. Security Center's Standard tier helps you find and fix security vulnerabilities, apply access and application controls to block malicious activity, detect threats using analytics and intelligence, and respond quickly when under attack.
• Adopt CIS Benchmarks - Apply them to existing tenants.
• Use CIS VMs for new workloads - from Azure Marketplace.
• Store your keys and secrets in Azure Key Vault (and not in your source code) - Key Vault is designed to support any type of secret: passwords, database credentials, API keys and, certificates.
• Install a web application firewall - Web application firewall (WAF) is a feature of Application Gateway that provides centralized protection of your web applications from common exploits and vulnerabilities.
• Enforce multi-factor verification for users, especially your administrator accounts- Azure Multi-Factor Authentication (Azure MFA) helps administrators protect their organizations and users with additional authentication methods.
• Encrypt your virtual hard disk files - This will help protect your boot volume and data volumes at rest in storage, along with your encryption keys and secrets.
• Connect Azure virtual machines and appliances to other networked devices by placing them on Azure virtual networks - Virtual machines connected to an Azure virtual network can connect to devices on the same virtual network, different virtual networks, the Internet, or your own on-premises networks.

Related : Azure Cloud Security Documentation Glossary.

Operational Security best practices includes,

• Manage your VM updates - Azure VMs, like all on-premises VMs, are meant to be user managed. Azure doesn't push Windows updates to them. Ensure you have solid processes in place for important operations such as patch management and backup.
• Enable password management and use appropriate security policies to prevent abuse.
• Review your Security Center dashboard regularly to get a central view of the security state of all of your Azure resources and take action on the recommendations.

A variety of security standards can help cloud service customers to achieve workload security when using cloud services. The following recommendations are based on CIS and should not be considered an exhaustive list of all possible security configurations and architectures but just as a starting point.
CIS has two implementation levels, and several categories of recommendations.
Level 1:
Recommended minimum security settings
These should be configured on all systems.
These should cause little or no interruption of services nor reduced functionality.
Level 2:
Recommendations for highly secure environments:
These might result in reduced functionality.

Categories of recommendations

1) Recommendations related to IAM policies
    -Restrict access to the Azure AD administration portal - Level 1
    -Enable Azure Multi-Factor Authentication (MFA) - Level 2
    -Block remembering MFA on trusted devices - Level 2
    -About guests - Level 1
        Ensure that no guest users exist, or alternatively if the business requires guest users, ensure to limit their permissions.
    -Password options
        -Notify users on password resets - Level 1
        -Notify all admins when other admins reset passwords - Level 2
        -Require two methods to reset passwords - Level 1
    -Establish an interval for reconfirming user authentication methods - Level 1
    -Members and guests can invite - Level 2
    -Users to create and manage security groups - Level 2
    -Self-service group management enabled - Level 2
    -Application options - Allow users to register apps - Level 2
2) Azure Security Center baseline
    Azure Security Center (ASC) provides unified security management and advanced threat protection for workloads running in Azure, on-premises, and in other clouds.
    -Enable the Standard pricing tier - Level 2
    -Enable the automatic provision of a monitoring agent - Level 1
        -When automatic provisioning is enabled, Security Center installs the Microsoft Monitoring Agent on all supported Azure VMs and any new ones that are created. Automatic provisioning is strongly recommended.
    -Enable System Updates - Level 1
    -Enable Security Configurations - Level 1
    -Enable Endpoint Protection (*) - Level 1
    -Enable Disk Encryption (*) - Level 1
    -Enable Network Security Groups (*) - Level 1
    -Enable Web Application Firewall (*) - Level 1
    -Enable Vulnerability Assessment (*) - Level 1
    -Enable Storage Encryption (*) - Level 1
    -Enable JIT Network Access (*) - Level 1
    -Enable Adaptive Application Controls (*) - Level 1
    -Enable SQL Auditing & Threat Detection (*) - Level 1
    -Enable SQL Encryption (*) - Level 1
    -Set Security Contact Email and Phone Number - Level 1
    -Enable Send me emails about alerts - Level 1
    -Enable Send email also to subscription owners - Level 1
3) Azure storage accounts baseline
    -Require security-enhanced transfers - Level 1
        Another step you should take to ensure the security of your Azure Storage data is to encrypt the data between the client and Azure Storage. The first recommendation is to always use the HTTPS protocol, which ensures secure communication over the public Internet. You can enforce the use of HTTPS when calling the REST APIs to access objects in storage accounts by enabling Secure transfer required for the storage account. Connections using HTTP will be refused once this is enabled.
    -Enable binary large object (blob) encryption - Level 1
    -Periodically regenerate access keys - Level 1
    -Require Shared Access Signature (SAS) tokens to expire within an hour - Level 1
    -Require SAS tokens to be shared only via HTTPS - Level 1
    -Enable Azure Files encryption - Level 1
    -Require only private access to blob containers - Level 1
        When you grant public access to a container, then anonymous users can read blobs within a publicly accessible container without authorizing the request.
4) Azure SQL Database baseline
    Azure SQL Server is a cloud-based relational database server that supports many of the same features as Microsoft SQL Server. It provides an easy transition from an on-premises database into a cloud-based one with built-in diagnostics, redundancy, security and scalability.
    -Enable auditing - Level 1
    -Enable all threat detection types - Level 1
    -Enable the option to send security alerts - Level 1
    -Enable the email service and co-administrators - Level 1
    -Configure audit retention for more than 90 days - Level 1
    -Configure threat detection retention for more than 90 days - Level 1
5) Logging and monitoring baseline
    Logging and monitoring are a critical requirement when trying to identify, detect, and mitigate security threats. Having a proper logging policy can ensure you can determine when a security violation has occurred, but also potentially identify the culprit responsible. Azure Activity logs provide data about both external access to a resources and diagnostic logs, which provide information about the operation of that specific resource.
    -Ensure that a log profile exists - Level 1
    -Ensure that activity log retention is set to 365 days or more - Level 1
    -Create an activity log alert for "Creating a policy assignment" - Level 1
    -Create an activity log alert for "Creating, updating, or deleting a Network Security Group" - Level 1
    -Create an activity log alerts for "Creating or updating an SQL Server firewall rule" - Level 1
6) Networking baseline
    Azure networking services maximize flexibility, availability, resiliency, security, and integrity by design. Network connectivity is possible between resources located in Azure, between on-premises and Azure-hosted resources, and to and from the Internet and Azure.
    -Restrict RDP and SSH access from the Internet - Level 1
        To enable access, use any of the following secure access offerings.
            -Point-to-site VPN
            -Site-to-site VPN
            -Azure ExpressRoute
            -Azure Bastion Host
    -Restrict SQL Server access from the Internet - Level 1
    -Configure the NSG flow log retention period for more than 90 days - Level 2
    -Enable Network Watcher - Level 1
7) Azure VM baseline
    Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies.
    -A VM agent must be installed and enabled for data collection for Azure Security Center - Level 1
    -Ensure that OS disk are encrypted - Level 1
    -Ensure only approved extensions are installed - Level 1
    -Ensure that the OS patches for the VMs are applied - Level 1
    -Ensure that VMs have an installed and running endpoint protection solution - Level 1
8) Other baseline security considerations
    -Set an expiration date on all keys in Azure Key Vault - Level 1
    -Set an expiration date on all secrets in Azure Key Vault - Level 1
    -Set resource locks for mission-critical Azure resources - Level 2

Azure doesn't monitor security or respond to security incidents within the customer's area of responsibility. However, Azure does provide many tools (such as Azure Security Center, Azure Sentinel) that are used for this purpose.
 Link : CIS Microsoft Azure Foundations Security Benchmark.
 
 #Reference : docs.microsoft.com

Read More