Archive for the ‘Security’ Tag

Configure Azure Service Endpoints for Web Applications #Azure #ASE #Endpoints #AzureServiceEndpoints #webapp #AzureDevOps

Sometimes, while building things in Azure, you think: if this were possible, it would be a cool feature. Then you go to build it and notice it is already there in Azure. How cool is that.

Today I was building a demo website, but I did not want to expose it directly to the web; I wanted to play with it and still use Azure over the internet. Reading about the Azure service endpoints, there is no Web App service endpoint listed. An NSG or the Azure Firewall would do it, but this is just a test, so let's see what we can do with the basic building blocks. During the test I noticed the option Microsoft.Web in the service endpoints list.


Everything you expose to the internet needs more security, and in Azure it all starts with a VNet.

Virtual Network (VNet) service endpoints extend your virtual network private address space and the identity of your VNet to the Azure services, over a direct connection. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Traffic from your VNet to the Azure service always remains on the Microsoft Azure network.

First we create a new VNet. While creating it we can enable and pick the right service endpoints; this can also be done afterwards.


Azure service traffic from a virtual network uses public IP addresses as source IP addresses. With service endpoints, service traffic switches to use virtual network private addresses as the source IP addresses when accessing the Azure service from a virtual network. This switch allows you to access the services without the need for reserved, public IP addresses used in IP firewalls.

If you already have a VNet, just go to Service endpoints and add the services you want, or select them all.


At this point there is no configuration; it only adds the services to the network or subnet.


Below is a list of the Azure services that are currently available, split into generally available and public preview.

The Web App is not listed, but the option is there and it works. An Azure service endpoint is not a firewall; the Azure Firewall is a totally different service.


For example, you have a web application that needs a connection to storage or SQL Server and to another web service. Without opening this up to Any-Any, you can restrict it with Azure service endpoints.


Creating the rules is a quick process; they are similar to NSG rules.

  • Network security groups (NSGs) with service endpoints:

    • By default, NSGs allow outbound Internet traffic and so, also allow traffic from your VNet to Azure services. This continues to work as is, with service endpoints.
    • If you want to deny all outbound Internet traffic and allow only traffic to specific Azure services, you can do so using service tags in your NSGs. You can specify supported Azure services as destination in your NSG rules and the maintenance of IP addresses underlying each tag is provided by Azure.

First we go to the Web App, under Networking. Those who don't read will click VNet Integration. #Wrong



In this case I don't want a premium network, so we go to Configure Access Restrictions.


Here we create an access rule that defines who gets access to this web application.


I created a deny rule for a specific IP.



The page then shows an error that the web app is stopped. Here you can also see the difference between a complete port block and no access to the application.


Changing this to Allow, the app is visible again.


For the Kudu SCM site you can have different rules or apply the same rules, with the little check box.
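The same steps as a script, added here as an example that is not part of the original post: enable the Microsoft.Web endpoint on a subnet, create the deny rule for one IP, allow the subnet, and reuse the main-site rules for the SCM site. It assumes the Az PowerShell modules (Az.Network and Az.Websites) and an existing resource group, VNet, subnet and Web App; all names and the denied address are constructed placeholders.

```powershell
# Added example, not from the original post. Assumes the Az modules (Az.Network,
# Az.Websites) and an existing resource group, VNet, subnet and Web App.
# Names and the denied IP below are constructed placeholders.
$rgName     = 'rg-demo'
$vnetName   = 'vnet-demo'
$subnetName = 'snet-web'
$webAppName = 'demo-webapp'
$blockedIp  = '203.0.113.10/32'   # constructed sample address to deny

# 1. Enable the Microsoft.Web service endpoint on the subnet
#    (the same as ticking Microsoft.Web on the VNet "Service endpoints" blade).
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.Web' | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

# 2. Access restriction on the main site: deny one specific IP (the rule shown in the post).
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rgName -WebAppName $webAppName `
    -Name 'deny-test-ip' -Priority 100 -Action Deny -IpAddress $blockedIp

# 3. Allow traffic that arrives through the subnet carrying the endpoint.
#    As soon as one Allow rule exists, everything that matches no rule is denied implicitly,
#    so this is the point where the app stops being reachable from Any-Any.
$subnetId = ($vnet.Subnets | Where-Object Name -eq $subnetName).Id
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rgName -WebAppName $webAppName `
    -Name 'allow-vnet-subnet' -Priority 200 -Action Allow -SubnetId $subnetId

# 4. Kudu/SCM site: reuse the main-site rules (the check box in the portal) ...
Update-AzWebAppAccessRestrictionConfig -ResourceGroupName $rgName -Name $webAppName `
    -ScmSiteUseMainSiteRestrictionConfig
# ... or give the SCM site its own rule instead, using -TargetScmSite:
# Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rgName -WebAppName $webAppName `
#     -Name 'deny-test-ip-scm' -Priority 100 -Action Deny -IpAddress $blockedIp -TargetScmSite

# 5. Review what is in place for both sites.
$cfg = Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $rgName -Name $webAppName
$cfg.MainSiteAccessRestrictions | Format-Table -AutoSize
$cfg.ScmSiteUseMainSiteRestrictionConfig
```

Step 3 is the one to check before you save: the first Allow rule turns the restriction list into an allow-list, so a test client outside the subnet (and outside any other Allow rule) gets the same denied page as the IP from step 2. Step 4 matters because the SCM site is the deployment endpoint; leaving it open while locking the main site only protects half of the app.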


With these options you can create a more secure environment; again, this is a great add-on.

Follow Me on Twitter @ClusterMVP

Follow My blog

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted May 29, 2019 by Robert Smit [MVP] in Azure


Secure DevOps Kit for Azure (AzSK) With Security Monitoring #Devops #Azure #AzSK #Security #LogAnalytics #PowerShell

The Secure DevOps Kit for Azure is a collection of scripts, tools, extensions and automations.


The kit is based on PowerShell and can be extended to Azure Log Analytics with some nice dashboarding. If you have a large subscription, the PowerShell query can take some time. With this toolkit, DevOps teams using extensive automation can smoothly integrate security into native DevOps workflows, accomplishing secure DevOps across these six focus areas:

  • Secure the subscription: A secure cloud subscription provides a core foundation upon which subsequent development and deployment activities can be conducted. An engineering team should have the capabilities to deploy and configure security in the subscription including elements such as alerts, ARM policies, RBAC, Security Center policies, JEA, Resource Locks, etc. Likewise, it should be possible to check that all settings are in conformance to a secure baseline
  • Enable secure development: During the coding and early development stages, developers should have the ability to write secure code and to test the secure configuration of their cloud applications. Just like build verification tests (BVTs), we introduce the concept of security verification tests (SVTs) which can check for security of various resource types in Azure
  • Integrate security into CICD: Test automation is a core tenet of devops. We emphasize this by providing the ability to run SVTs as part of the VSTS CICD pipeline. These SVTs can be used to ensure that the target subscription used to deploy a cloud application and the Azure resources the application is built upon are all setup in a secure manner
  • Continuous Assurance: In the constantly changing dev ops environment, it is important to move away from the mindset of security being a milestone. We have to treat security as a continuously varying state of a system. This is made possible through capabilities that enable continuous assurance using a combination of automation runbooks, schedules, etc.
  • Alerting & Monitoring: Visibility of security status is important for individual application teams and also for central enterprise teams. We provide solutions that cater to the needs of both. Moreover, the solution spans across all stages of dev ops in effect bridging the gap between the dev team and the ops team from a security standpoint through the single, integrated views it generates
  • Cloud Risk Governance: Lastly, underlying all activities in the kit is a telemetry framework that generates events capturing usage, adoption, evaluation results, etc. This allows us to make measured improvements to security targeting areas of high risk and maximum usage before others.

Keep in mind that the OMS portal was retired on January 15, 2019. You can continue to use your existing services and licensing in the Azure portal.

Even in the Azure portal you can still connect to OMS.

Complete feature set of Secure DevOps Kit for Azure

Feature area, with the Secure DevOps Kit features it covers:
Secure the subscription
  • Subscription Health Check
  • Subscription Provisioning
    • Alerts Configuration
    • ARM Policy Configuration
    • Azure Security Center Configuration
    • Access control (IAM) Hygiene
Enable secure development
  • Security Verification Tests (SVT)
  • Security IntelliSense- VS Extension
Integrate security into CICD
  • AzSK VS Extension-executes SVTs in a CICD pipeline
Continuous Assurance
  • Security scanning via Azure Automation Runbooks
Alerting & Monitoring
  • OMS Solution for AzSK containing:
    • Security dashboard views covering security state/actions
    • Alerts with pertinent search queries
Cloud Risk Governance
  • Control/usage telemetry through Insights

Setting up Secure DevOps Kit for Azure (AzSK)

First make sure you have the right Azure modules installed. I noticed the Automation module failed to load, so I imported it manually before running the scan:

Import-Module AzureRM.Automation

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <subscription-id>


Installing the Secure DevOps Kit for Azure (AzSK)

Install-Module AzSK -Scope CurrentUser


Now that the PowerShell modules are installed we can start the AzSK scan:

Get-AzSKAzureServicesSecurityStatus -SubscriptionId <subscription-id>


In this subscription there are 44 items that are checked.


The items are checked for security issues.


A nice, detailed overview is shown. A log folder is also created with all the issues, per resource item.


As you can see I have some failed items, including one with severity High, so I need to take a good look at these and fix them.


This may be one of the best items here: an Excel sheet with all the issues listed, the solution mentioned, and whether it can be automated.

If needed there is a URL that points you to the right solution.
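What I do with that sheet in practice is sort the failed controls by severity and see which ones the kit can fix for me. The script below is an added example, not part of the original post or of the AzSK project: it parses a constructed CSV that mimics the per-resource report, lists the failed controls highest severity first, and counts the auto-fixable ones. The column names (ControlID, Status, ControlSeverity, FeatureName, ResourceName, SupportsAutoFix, Recommendation), the control IDs and the log path in the trailing comment are assumptions; match them against the header row of the report in your own AzSK log folder.

```powershell
# Added example, not from the original post or the AzSK project.
# The CSV is constructed to look like an AzSK security report; the column names
# and control IDs are assumed, so adjust them to your real report's header row.
$sampleReport = @'
ControlID,Status,ControlSeverity,FeatureName,ResourceName,SupportsAutoFix,Recommendation
Sample_Storage_AuthN_No_Anonymous,Failed,High,Storage,demostor01,Yes,Disable anonymous access on blob containers
Sample_SQL_AuthZ_Use_AAD_Admin,Failed,High,SQLDatabase,demosql01,No,Configure an Azure AD admin for the SQL server
Sample_AppService_DP_Min_TLS,Failed,Medium,AppService,demo-webapp,Yes,Set the minimum TLS version to 1.2
Sample_Storage_DP_Https_Only,Passed,High,Storage,demostor01,Yes,Enable HTTPS-only traffic
Sample_KeyVault_AuthZ_Min_Access,Verify,Medium,KeyVault,demokv01,No,Review access policies for least privilege
'@

function Get-FailedControls {
    param(
        [Parameter(Mandatory)] [string]   $CsvText,
        [string[]] $Severity = @('High', 'Medium', 'Low')
    )
    # Only controls with Status "Failed"; "Passed" and "Verify" are left out.
    # Sorted by severity rank so the fix list reads top-down by risk.
    $ranking = @{ High = 0; Medium = 1; Low = 2 }
    $CsvText | ConvertFrom-Csv |
        Where-Object { $_.Status -eq 'Failed' -and $_.ControlSeverity -in $Severity } |
        Sort-Object { $ranking[$_.ControlSeverity] }, ResourceName
}

function Get-SeveritySummary {
    param([Parameter(Mandatory)] [object[]] $FailedControls)
    # One line per severity: how many failed and how many the kit can auto-fix.
    $FailedControls | Group-Object ControlSeverity | ForEach-Object {
        $autoFix = @($_.Group | Where-Object SupportsAutoFix -eq 'Yes').Count
        '{0}: {1} failed, {2} auto-fixable' -f $_.Name, $_.Count, $autoFix
    }
}

$failed = Get-FailedControls -CsvText $sampleReport
$failed | Format-Table ControlSeverity, FeatureName, ResourceName, SupportsAutoFix, Recommendation -AutoSize
Get-SeveritySummary -FailedControls $failed

# To run this over a real report instead of the constructed sample (log path assumed):
# $latest = Get-ChildItem "$env:LOCALAPPDATA\Microsoft\AzSKLogs" -Recurse -Filter 'SecurityReport*.csv' |
#           Sort-Object LastWriteTime | Select-Object -Last 1
# Get-FailedControls -CsvText (Get-Content -Raw $latest.FullName)
```

With the constructed sample this prints the three failed rows (two High, one Medium) and the summary "High: 2 failed, 1 auto-fixable" and "Medium: 1 failed, 1 auto-fixable"; the "Verify" row is deliberately excluded because it needs a human decision rather than a fix.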


Azure Log Analytics is great and it can be integrated with OMS (the Azure monitoring dashboards).

The OMS portal will be retired on January 15, 2019. You can continue to use your existing services and licensing in the Azure portal, so the current documentation needs some updating.


Pressing the OMS button in the Azure portal brings you to the OMS portal, but then nothing: as it is now, it is all Azure portal.

Setting up the dashboards failed on me during the first installation, but when I ran it a second time the dashboard was there (timing).


To create the OMS default dashboard we need to run some PowerShell:

$omsSubId = "id"                 # subscription hosting the OMS workspace
$omsWSId = "OMS ID"              # workspace ID of the OMS workspace
$omsRGName = "omsrsg"            # RG where the OMS workspace is hosted
$azSkViewName = "MVP_AzSK_view"  # this identifies the tile for the AzSK view in OMS

# This command deploys the AzSK view in the OMS workspace
# (the continuation lines must follow the backtick directly, without blank lines).
Install-AzSKOMSSolution -OMSSubscriptionId $omsSubId `
    -OMSResourceGroup $omsRGName `
    -OMSWorkspaceId $omsWSId `
    -ViewName $azSkViewName



1) The blades of the OMS view created by this command will start populating only after AzSK scan events become available in the corresponding OMS workspace.

To understand how to send AzSK events to an OMS workspace see

2) The OMS view installed contains a basic set of queries over DevOps Kit scan events. Please feel free to customize them once you get familiar with the que


We also periodically publish updated/richer queries at:


Checking the OMS / Log Analytics workspace, it does not show many issues, as this is a test subscription; and if it were all perfect there would be no fun.



With longer logging and more items in Azure you will get a different overview.


There are lots of options you can set, and there is a detailed description of how to use this on GitHub.

Setting up ARM policies is also one of the options:

Set-AzSKARMPolicies -SubscriptionId <subscription-id>


So get started with the DevOps Kit.


AzSK Security Controls Portal @

It's a nice tool; yes, a bit time consuming, but I learned a lot and it made me see things differently in the Azure subscription.

And if you use it directly during the build rather than afterwards, it could be your time saver to fix all the security items.




Posted January 24, 2019 by Robert Smit [MVP] in Azure


Step by Step Azure network security groups NSG – Security Center #Azure #NSG #Network

Nowadays I see that people do not fully understand the security needs in Azure. There are a lot of options in Azure to improve security.

A great option is Security Center. This is a great dashboard to get a quick overview of the security status of your subscription.





The other option is setting up a network security group (NSG).


A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).

When an NSG is associated to a subnet, the rules apply to all resources connected to the subnet. Traffic can further be restricted by also associating an NSG to a VM or NIC.

Associating NSGs

You can associate an NSG to VMs, NICs, and subnets, depending on the deployment model you are using, as follows:

  • VM (classic only): Security rules are applied to all traffic to/from the VM.
  • NIC (Resource Manager only): Security rules are applied to all traffic to/from the NIC the NSG is associated to. In a multi-NIC VM, you can apply different (or the same) NSG to each NIC individually.
  • Subnet (Resource Manager and classic): Security rules are applied to any traffic to/from any resources connected to the VNet.

You can associate different NSGs to a VM (or NIC, depending on the deployment model) and the subnet that a NIC or VM is connected to. Security rules are applied to the traffic, by priority, in each NSG, in the following order:

  • Inbound traffic

    1. NSG applied to subnet: If a subnet NSG has a matching rule to deny traffic, the packet is dropped.

    2. NSG applied to NIC (Resource Manager) or VM (classic): If VM\NIC NSG has a matching rule that denies traffic, packets are dropped at the VM\NIC, even if a subnet NSG has a matching rule that allows traffic.

  • Outbound traffic

    1. NSG applied to NIC (Resource Manager) or VM (classic): If a VM\NIC NSG has a matching rule that denies traffic, packets are dropped.

    2. NSG applied to subnet: If a subnet NSG has a matching rule that denies traffic, packets are dropped, even if a VM\NIC NSG has a matching rule that allows traffic.


As with most items in Azure there are limits on the number of NSGs you can have in a subscription and on the number of rules per NSG. To learn more about the limits, read the Azure limits article.


Creating a network security group (NSG) is easy; you can do this in the portal or with PowerShell.


As I mentioned above you can set the network security group (NSG) on a subnet or on a VM, and you can add multiple rules to one NSG.


By default the rule pane is set to Basic: just pick a service and open or close the port.


When you select the Advanced option, the rule pane changes into a rich and flexible menu.


Instead of selecting just a service, you can also add an IP range to exclude others from accessing this machine.


Setting this in the GUI is nice, but when you need to change or add a lot of these you will need PowerShell or ARM templates.

Below are some examples of how to use them.

# Select a subscription
$subscriptionId = (Get-AzureRmSubscription | Out-GridView -Title 'Select your Azure Subscription:' -PassThru)
Select-AzureRmSubscription -SubscriptionId $subscriptionId.Id
# Select a Resource Group
$rgName = (Get-AzureRmResourceGroup | Out-GridView -Title 'Select your Azure Resource Group:' -PassThru).ResourceGroupName
# Set the NSG name and Azure region
$nsgName = "Trusted-Nsg01"
$location = "West Europe"
# Source ranges and destination ports for the sample rules.
# The values are constructed placeholders (the original left them blank); replace them with your own.
$source1 = "203.0.113.0/24"   # trusted range that may use RDP
$source2 = "198.51.100.5/32"  # a single trusted host
$source3 = "*"                # any source
$dest1 = 3389                 # RDP
$dest2 = 443                  # HTTPS
$dest3 = 8080                 # application port

# Below are sample rules
$rule1 = New-AzureRmNetworkSecurityRuleConfig -Name rdp-rule -Description "Allow RDP" `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
-SourceAddressPrefix $source1 -SourcePortRange * `
-DestinationAddressPrefix * -DestinationPortRange $dest1

$rule2 = New-AzureRmNetworkSecurityRuleConfig -Name web-rule2 -Description "Allow Port" `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 101 `
-SourceAddressPrefix $source2 -SourcePortRange * -DestinationAddressPrefix * `
-DestinationPortRange $dest2

$rule3 = New-AzureRmNetworkSecurityRuleConfig -Name web-rule3 -Description "Allow Port" `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 103 `
-SourceAddressPrefix $source3 -SourcePortRange * -DestinationAddressPrefix * `
-DestinationPortRange $dest3

$rule4 = New-AzureRmNetworkSecurityRuleConfig -Name web-rule4 -Description "Allow Port" `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 104 `
-SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * `
-DestinationPortRange 88


Now that the port rules are created we need to put them in a security group.

# Applying the rules: create the NSG with the four rules attached
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rgName -Location $location -Name $nsgName -SecurityRules $rule1,$rule2,$rule3,$rule4

# Display the security rules and the default rules for the NSG
(Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName).SecurityRules | Select-Object * | Out-GridView
(Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName).DefaultSecurityRules | Select-Object * | Out-GridView

# Remove the NSG again (cleanup; only run this if you want to delete it)
Remove-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName


Now that we have created a network security group (NSG) we can add it to a VM. This can also be done with PowerShell, but there is a BUT.

Let me show you: go to the VM and select the network card.


The NIC can be named something like nic245768323. I always use named NICs, so that is easy, but if not, the NSG could end up applied to another VM, or it may fail.


When selecting this manually you can see the NIC, and if you are sure about the other machines you can do this with PowerShell as well.
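The way around the BUT is to never type the NIC name at all: resolve the NIC from the VM object and attach the NSG to that. The script below is an added example, not part of the original post; it uses the same AzureRm cmdlets as the script above and assumes an existing VM, NSG and VNet in one resource group (the names are constructed placeholders). It attaches the NSG to every NIC of the VM, shows the subnet alternative, and finishes with the effective rules, which combine the subnet NSG and the NIC NSG in the order described above.

```powershell
# Added example, not from the original post. AzureRm cmdlets, like the script above.
# Assumes an existing VM, NSG and VNet; all names are constructed placeholders.
$rgName   = "Trusted-RG"
$vmName   = "Trusted-VM01"
$nsgName  = "Trusted-Nsg01"
$vnetName = "Trusted-Vnet"
$subnetName = "default"

$nsg = Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName

# Resolve the NIC(s) from the VM instead of guessing an auto-generated name such
# as nic245768323, so the NSG cannot land on another machine's card.
$vm = Get-AzureRmVM -ResourceGroupName $rgName -Name $vmName
foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
    $nic = Get-AzureRmNetworkInterface -ResourceId $nicRef.Id
    Write-Host ("VM {0} uses NIC {1}; attaching NSG {2}" -f $vmName, $nic.Name, $nsgName)
    $nic.NetworkSecurityGroup = $nsg
    Set-AzureRmNetworkInterface -NetworkInterface $nic | Out-Null
}

# Alternative: associate the same NSG with the subnet, so it applies to every
# resource connected to it (the AddressPrefix must be passed again when updating).
$vnet   = Get-AzureRmVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
$prefix = ($vnet.Subnets | Where-Object Name -eq $subnetName).AddressPrefix
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $prefix -NetworkSecurityGroup $nsg | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Effective rules on the (last) NIC: subnet NSG plus NIC NSG, as Azure evaluates them.
# The VM has to be running for this call to return data.
Get-AzureRmEffectiveNetworkSecurityGroup -NetworkInterfaceName $nic.Name -ResourceGroupName $rgName |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Select-Object Name, Direction, Priority, Access, Protocol, DestinationPortRange |
    Sort-Object Direction, Priority | Format-Table -AutoSize
```

The effective-rules listing is the check I run after any NSG change: if a deny in the subnet NSG or the NIC NSG matches, the packet is dropped no matter what the other NSG allows, and the listing shows both sets side by side so you do not have to reason about the order by hand.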




Posted September 11, 2017 by Robert Smit [MVP] in Azure


Enhanced Mitigation Experience Toolkit #EMET #security

The Enhanced Mitigation Experience Toolkit (EMET) helps raise the bar against attackers gaining access to computer systems. EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques. EMET helps protect your computer systems even before new and undiscovered threats are formally addressed by security updates and antimalware software. EMET benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives.


Enhanced Mitigation Experience Toolkit

Download The Enhanced Mitigation Experience Toolkit (EMET) :


EMET 5.0 Technical Preview introduces a mitigation that can be used to reduce the exposure of at-risk components to remote attackers. ASR (Attack Surface Reduction) is a new feature that can be used to block the usage of specific modules or plugins within an application. For example, EMET can be configured to prevent Microsoft Word/Excel from loading the Flash plugin, or, with the support of security zones, can be used to prevent Internet Explorer from loading the Java plugin on an Internet Zone website while continuing to allow Java on Intranet Zone websites. The mechanism simply prevents DLL loading in a selective way per process, and it essentially adds the benefit of the "killbit" mechanism to any application without the need for complicated CLSIDs.
NOTE: The list of blocked modules for ASR and the zones with exceptions (where the modules are allowed to be loaded) should be manually defined by the user in the following registry key per-application:

HKLM\SOFTWARE\Microsoft\EMET\_settings_\{CLSID}\asr_modules = “…”
HKLM\SOFTWARE\Microsoft\EMET\_settings_\{CLSID}\asr_zones = “…”
In EMET 5.0TP the feature is enabled only for the following combinations of processes and modules:


The list of security zones is the standard one used by Internet Explorer: Local (0), Intranet (1), Trusted (2), Internet (3), Untrusted (4).



EMET offers the “Early Warning Program” reporting feature. When an exploitation attempt is detected and blocked by EMET, a set of information related to the attack will be sent back to Microsoft through the standard Windows Error Reporting channel.

This information will help Microsoft to obtain information related to 0day exploits and will facilitate the remediation of the issue before it becomes a large scale threat. If the vulnerability is related to a software from a third party vendor, Microsoft will work with the affected vendor through the Microsoft Vulnerability Research program to remediate the issue.

The Early Warning Program reporting feature will also send back to Microsoft information related to suspicious SSL certificates related to Microsoft online services. Please refer to the “Privacy Statement.rtf” file, available also through the “Help” ribbon in EMET GUI, and at, for more information on the type of data that will be sent to Microsoft.

Posted March 10, 2014 by Robert Smit [MVP] in Security


Enhanced Mitigation Experience #Toolkit #EMET Version 4.0 #msteched #TEE13




The Enhanced Mitigation Experience Toolkit (EMET) is designed to help prevent hackers from gaining access to your system.
Software vulnerabilities and exploits have become an everyday part of life. Virtually every product has to deal with them and consequently, users are faced with a stream of security updates. For users who get attacked before the latest updates have been applied, or who get attacked before an update is even available, the results can be devastating: malware, loss of PII, etc.
Security mitigation technologies are designed to make it more difficult for an attacker to exploit vulnerabilities in a given piece of software. EMET allows users to manage these technologies on their system and provides several unique benefits.

EMET install shots

Quick installation shots, trusted applications


EMET is designed to work with any software, whether it is developed by Microsoft or by other vendors. However, you should be aware that some software may be incompatible with EMET. Some applications rely on exactly the behavior that the mitigations block. It is important to use test scenarios on all target computers before you deploy EMET in a production environment.

After you install EMET, you must configure EMET to provide protection for a piece of software. This requires you to provide the name and location of the executable file that you want to protect. To do this, use one of the following methods:

  • Work with the Application Configuration feature of the graphical application
  • Use the command prompt utility

If you want to leverage the Certificate Trust feature, you have to provide the list of the websites that you want to protect and certificate pinning rules that apply to those websites. To do this, you have to work with the Certificate Trust Configuration feature of the graphical application.

Alternatively, you can use the new Configuration Wizard that allows you to automatically configure EMET with the recommended settings.

Get the toolkit here :

Posted June 18, 2013 by Robert Smit [MVP] in Security
