Info Sharing Blog

Saturday, June 20, 2020

Hardening your Azure cloud platform and best practices.

June 20, 2020 Posted by jaacostan , ,
A quick reference on Azure Cloud platform security baseline based on CIS.
Baseline security checklist for commonly used Azure services. Please fast forward towards the end of this post, if you are looking for the CIS Microsoft Azure Foundations Security Benchmark
  • Turn on Azure Security Center - it's free - Upgrade your Azure subscription to Azure Security Center Standard. Security Center's Standard tier helps you find and fix security vulnerabilities, apply access and application controls to block malicious activity, detect threats using analytics and intelligence, and respond quickly when under attack.
  • Adopt CIS Benchmarks - Apply them to existing tenants.
  • Use CIS VMs for new workloads - from Azure Marketplace.
  • Store your keys and secrets in Azure Key Vault (and not in your source code) - Key Vault is designed to support any type of secret: passwords, database credentials, API keys and, certificates.
  • Install a web application firewall - Web application firewall (WAF) is a feature of Application Gateway that provides centralized protection of your web applications from common exploits and vulnerabilities.
  • Enforce multi-factor verification for users, especially your administrator accounts- Azure Multi-Factor Authentication (Azure MFA) helps administrators protect their organizations and users with additional authentication methods.
  • Encrypt your virtual hard disk files - This will help protect your boot volume and data volumes at rest in storage, along with your encryption keys and secrets.
  • Connect Azure virtual machines and appliances to other networked devices by placing them on Azure virtual networks - Virtual machines connected to an Azure virtual network can connect to devices on the same virtual network, different virtual networks, the Internet, or your own on-premises networks.
Operational Security best practices includes,
  • Manage your VM updates - Azure VMs, like all on-premises VMs, are meant to be user managed. Azure doesn't push Windows updates to them. Ensure you have solid processes in place for important operations such as patch management and backup.
  • Enable password management and use appropriate security policies to prevent abuse.
  • Review your Security Center dashboard regularly to get a central view of the security state of all of your Azure resources and take action on the recommendations.
A variety of security standards can help cloud service customers to achieve workload security when using cloud services. The following recommendations are based on CIS and should not be considered an exhaustive list of all possible security configurations and architectures but just as a starting point.
CIS has two implementation levels, and several categories of recommendations.
Level 1:
Recommended minimum security settings
These should be configured on all systems.
These should cause little or no interruption of services nor reduced functionality.
Level 2:
Recommendations for highly secure environments:
These might result in reduced functionality.
Categories of recommendations
1) Recommendations related to IAM policies
    -Restrict access to the Azure AD administration portal - Level 1
    -Enable Azure Multi-Factor Authentication (MFA) - Level 2
    -Block remembering MFA on trusted devices - Level 2
    -About guests - Level 1
        Ensure that no guest users exist, or alternatively if the business requires guest users, ensure to limit their permissions.
    -Password options
        -Notify users on password resets - Level 1
        -Notify all admins when other admins reset passwords - Level 2
        -Require two methods to reset passwords - Level 1
    -Establish an interval for reconfirming user authentication methods - Level 1
    -Members and guests can invite - Level 2
    -Users to create and manage security groups - Level 2
    -Self-service group management enabled - Level 2
    -Application options - Allow users to register apps - Level 2
2) Azure Security Center baseline
    Azure Security Center (ASC) provides unified security management and advanced threat protection for workloads running in Azure, on-premises, and in other clouds.
    -Enable the Standard pricing tier - Level 2
    -Enable the automatic provision of a monitoring agent - Level 1
        -When automatic provisioning is enabled, Security Center installs the Microsoft Monitoring Agent on all supported Azure VMs and any new ones that are created. Automatic provisioning is strongly recommended.
    -Enable System Updates - Level 1
    -Enable Security Configurations - Level 1
    -Enable Endpoint Protection (*) - Level 1
    -Enable Disk Encryption (*) - Level 1
    -Enable Network Security Groups (*) - Level 1
    -Enable Web Application Firewall (*) - Level 1
    -Enable Vulnerability Assessment (*) - Level 1
    -Enable Storage Encryption (*) - Level 1
    -Enable JIT Network Access (*) - Level 1
    -Enable Adaptive Application Controls (*) - Level 1
    -Enable SQL Auditing & Threat Detection (*) - Level 1
    -Enable SQL Encryption (*) - Level 1
    -Set Security Contact Email and Phone Number - Level 1
    -Enable Send me emails about alerts - Level 1
    -Enable Send email also to subscription owners - Level 1
3) Azure storage accounts baseline
    -Require security-enhanced transfers - Level 1
        Another step you should take to ensure the security of your Azure Storage data is to encrypt the data between the client and Azure Storage. The first recommendation is to always use the HTTPS protocol, which ensures secure communication over the public Internet. You can enforce the use of HTTPS when calling the REST APIs to access objects in storage accounts by enabling Secure transfer required for the storage account. Connections using HTTP will be refused once this is enabled.
    -Enable binary large object (blob) encryption - Level 1
    -Periodically regenerate access keys - Level 1
    -Require Shared Access Signature (SAS) tokens to expire within an hour - Level 1
    -Require SAS tokens to be shared only via HTTPS - Level 1
    -Enable Azure Files encryption - Level 1
    -Require only private access to blob containers - Level 1
        When you grant public access to a container, then anonymous users can read blobs within a publicly accessible container without authorizing the request.
4) Azure SQL Database baseline
    Azure SQL Server is a cloud-based relational database server that supports many of the same features as Microsoft SQL Server. It provides an easy transition from an on-premises database into a cloud-based one with built-in diagnostics, redundancy, security and scalability.
    -Enable auditing - Level 1
    -Enable all threat detection types - Level 1
    -Enable the option to send security alerts - Level 1
    -Enable the email service and co-administrators - Level 1
    -Configure audit retention for more than 90 days - Level 1
    -Configure threat detection retention for more than 90 days - Level 1
5) Logging and monitoring baseline
    Logging and monitoring are a critical requirement when trying to identify, detect, and mitigate security threats. Having a proper logging policy can ensure you can determine when a security violation has occurred, but also potentially identify the culprit responsible. Azure Activity logs provide data about both external access to a resources and diagnostic logs, which provide information about the operation of that specific resource.
    -Ensure that a log profile exists - Level 1
    -Ensure that activity log retention is set to 365 days or more - Level 1
    -Create an activity log alert for "Creating a policy assignment" - Level 1
    -Create an activity log alert for "Creating, updating, or deleting a Network Security Group" - Level 1
    -Create an activity log alerts for "Creating or updating an SQL Server firewall rule" - Level 1
6) Networking baseline
    Azure networking services maximize flexibility, availability, resiliency, security, and integrity by design. Network connectivity is possible between resources located in Azure, between on-premises and Azure-hosted resources, and to and from the Internet and Azure.
    -Restrict RDP and SSH access from the Internet - Level 1
        To enable access, use any of the following secure access offerings.
            -Point-to-site VPN
            -Site-to-site VPN
            -Azure ExpressRoute
            -Azure Bastion Host
    -Restrict SQL Server access from the Internet - Level 1
    -Configure the NSG flow log retention period for more than 90 days - Level 2
    -Enable Network Watcher - Level 1
7) Azure VM baseline
    Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies.
    -A VM agent must be installed and enabled for data collection for Azure Security Center - Level 1
    -Ensure that OS disk are encrypted - Level 1
    -Ensure only approved extensions are installed - Level 1
    -Ensure that the OS patches for the VMs are applied - Level 1
    -Ensure that VMs have an installed and running endpoint protection solution - Level 1
8) Other baseline security considerations
    -Set an expiration date on all keys in Azure Key Vault - Level 1
    -Set an expiration date on all secrets in Azure Key Vault - Level 1
    -Set resource locks for mission-critical Azure resources - Level 2

Azure doesn't monitor security or respond to security incidents within the customer's area of responsibility. However, Azure does provide many tools (such as Azure Security Center, Azure Sentinel) that are used for this purpose.
 Link : CIS Microsoft Azure Foundations Security Benchmark.

 #Reference :