Archive for the ‘Security’ Tag
In Azure there are multiple options to add a Firewall to your Azure landing zone. But the standard Azure firewall comes with an option Classic or firewall policy, and there is a good change that you already have an Azure firewall classic then you can migrate to a premium SKU see the link to get the process https://docs.microsoft.com/en-us/azure/firewall/premium-migrate?WT.mc_id=AZ-MVP-4025011
Azure Firewall pricing
https://azure.microsoft.com/en-us/pricing/details/azure-firewall?WT.mc_id=AZ-MVP-4025011
Azure Firewall Standard
- Stateful firewall as a service
- Built-in high availability with unrestricted cloud scalability
- Centralized network and application level connectivity policy
- Threat intelligence-based filtering
- Support for hybrid connectivity through deployment behind VPN and ExpressRoute Gateways
Azure Firewall Premium (Public Preview)
- Built-in TLS Inspection for customer’s selected encrypted applications
- Ability to detect and block malicious traffic through advanced IDPS engine
- Restrict access to Web content via built-in URL Filtering for both plain text and encrypted traffic
- Web Categories provide enhanced content filtering capabilities
- IDPS signatures and Web categories are fully managed and constantly updated
Initial I setup a Azure Firewall premium
Premium firewalls support additional capabilities, such as SSL termination and IDPS. Additional costs may apply. Migrating a Standard firewall to Premium will require some down-time.
As you can see there is an option standard or premium and use the Firewall policy or the Classic. In premium there is no classic any more the only option is firewall policy.
Choosing the Premium and the option firewall management is gray out.
As I already have some Firewall policy’s I can already attach these to my new firewall, this is one of the great options, In the firewall manager you can create Firewall policy’s with out having a azure firewall running, you can already prepare the landing zone with all kind of rules .
Keep in mind that the firewall must be in the same resource group as your vnet.
Setting up a Azure Firewall with PowerShell is easy but you need to have the resources already in place
# Create the firewall
$Azfw = New-AzFirewall `
-Name $FirewallName `
-ResourceGroupName $rgNamevnet `
-Location $Location `
-VirtualNetworkName $VnetName `
-PublicIpName $pip01 `
-SkuTier Premium
Now that The Firewall I created We can see the policy’s attached in the Firewall manager.
Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.
Firewall Manager can provide security management for two network architecture types:
Secured virtual hub
An Azure Virtual WAN Hub is a Microsoft-managed resource that lets you easily create hub and spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a secured virtual hub.
Hub virtual network
This is a standard Azure virtual network that you create and manage yourself. When security policies are associated with such a hub, it is referred to as a hub virtual network. At this time, only Azure Firewall Policy is supported. You can peer spoke virtual networks that contain your workload servers and services. You can also manage firewalls in standalone virtual networks that aren’t peered to any spoke.
Azure Firewall Premium Preview in the Azure portal | Microsoft Docs
So now that the firewall is in place and we already had an policy attached but you can change that real quick.
Go to the Firewall blade and her you can see the policy and change it directly
Or if you go to the firewall manager and select the virtual networks you can see a good overview of where and what is attached to the vnet
Remember the firewall need to be in the same resource group as your network, and there come’s also the hard part if you want to switch policy’s
Looking at the firewall policys from here you can add them to a hub or a vnet
here you see an overview of the firewall policy’s
When associate a policy to a vnet or multiple vnets we got a good overview on what is available and what not.
Adding the Policy to a network,
The firewall manager blade with all the rules and options
You can add rule collection groups and rule collections, In a rule collection group can hold multiple rule collections, I would advise you to build these collections as it is real handy if you want to change later some item or you want to export a collection and import them in a different collection group
Also new is the application rules here you can set web category’s that are allowed or denied.
using the application rules with the internet categories is still in preview but is a great addition for Azure virtual desktop #AVD
Setting up the web categories is easy selectable in the destination type. and then select one or multiple.
Remember the naming if you want to find this later in your rules, keep it clean and neat
Keep in mind that when you are selecting multiple categories the naming field is also corresponding to that
Removing the Firewall does not mean that you will loose the policy’s or removing the policy and loose the firewall unless…
Keep in mind when you remove a policy and you will set the little checkbox the firewall will be removed. If it is added to multiple vnets you may have a failure on the firewall deletion as there is still a policy attached
Overall the firewall manager is a great step to a modern security management in Azure, there a multiple items that I could wish for in the Firewall manager like management of all the NSG’s who nice would that be and traffic logging etc one thing is clear Azure is getting better and better and true the more options we get the more complex items we are building, and that’s fine keeps me off the streets and my work is never gets boring
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
Webinar – Your 5 Most Critical M365 Vulnerabilities Revealed and How to Fix Them
Microsoft 365 is an incredibly powerful software suite for businesses, but it is becoming increasingly targeted by people trying to steal your data. The good news is that there are plenty of ways admins can fight back and safeguard their Microsoft 365 infrastructure against attack.
This free upcoming webinar, on June 23 and produced by Hornetsecurity/Altaro, features two enterprise security experts from the leading security consultancy Treusec – Security Team Leader Fabio Viggiani and Principal Cyber Security Advisor Hasain Alshakarti. They will explain the 5 most critical vulnerabilities in your M365 environment and what you can do to mitigate the risks they pose. To help attendees fully understand the situation, a series of live demonstrations will be performed to reveal the threats and their solutions covering:
· O365 Credential Phishing
· Insufficient or Incorrectly Configured MFA Settings
· Malicious Application Registrations
· External Forwarding and Business Email Compromise Attacks
· Insecure AD Synchronization in Hybrid Environments
This is truly an unmissable event for all Microsoft 365 admins!
The webinar will be presented live twice on June 23 to enable as many people as possible to join the event live and ask questions directly to the expert panel of presenters. It will be presented at 2pm CEST/8am EDT/5am PDT and 7pm CEST/1pm EDT/10am PDT.
Don’t miss out – Save your seat now!
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
Received a great FIDO2 Test kit from the vendor PointBlank Security / TrustKey Solutions https://www.trustkeysolutions.com/ https://www.pointblank.de/en/
As FIDO2 is the new hot item in the security world, let see if it is that easy to implement and to use. I’m not going into the depth specs of the keys but more as a user view. easy to use and setup is this key to use by anyone.
for all the Azure AD login this is usable when the Microsoft authentication challenge is the say for Windows virtual desktop (WVD) you can use this.
I have a USB key and a USB-C type key.
I use my Computer with the normal USB for this so the Trustkey G310 model
Setting the Key en use it is simple I configured the Azure Active directory did some easy settings add the Key to my profile and ready.
First we Enable FIDO2 security key in the Azure AD this is been configured from the Azure Portal.
Azure Active directory <> Security
Next we go to authentication methods.
Here we can change the authentication type for all users of for a select of users.
When this is done you can set the fido option in your profile. If this is your own account then in the top of the azure portal you can go directly to your user account . or go to https://myaccount.microsoft.com/
Go to Security info
Here you can do add a method
Adding the Security key or if you want to used the phone the method is similar.
Now that we have chosen the FIDO2 Security Key we can configure this with a PIN.
Choose a proper Pin and use the Key. Now everything is set and ready to use.
Whenever you are challenged to login with the Microsoft Azure AD account you can make the choice on using the USB key. You can also make this dedicated
So for samples we go to Browse to https://myprofile.microsoft.com use an in private session or different browser to make sure you test this right.
select sign in with a security key
When entering the PIN and touching the USB you will be granted to login when it was successful you will see the page else it will prompt you again.
All this is perfect usable to login into your WVD portal
https://rdweb.wvd.microsoft.com/webclient/index.html
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
Sometimes you are building things in Azure and thinking if this is possible than that would be a cool feature. Suddenly you are building this and noticed that it is already there in Azure. How Cool is that.
Today I was building a demo website but I did not want to expose this directly to the web, play with this and still get the use of Azure Cloud over the internet. Reading the Azure Endpoint services there is no WebApp Endpoint services. Using a NSG or enable the Azure Firewall well it is just a test so lets see what we can do with all the basic stuff. But during the test I saw this option Microsoft.Web in the service endpoints.
More security is needed in everything you expose to the internet. And in Azure it all starts with a Vnet.
Virtual Network (VNet) service endpoints extend your virtual network private address space and the identity of your VNet to the Azure services, over a direct connection. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Traffic from your VNet to the Azure service always remains on the Microsoft Azure network.
First we create a new Vnet, while we creating this wen can enable an pick the right service endpoints. this can also be done afterwards.
Azure service traffic from a virtual network uses public IP addresses as source IP addresses. With service endpoints, service traffic switches to use virtual network private addresses as the source IP addresses when accessing the Azure service from a virtual network. This switch allows you to access the services without the need for reserved, public IP addresses used in IP firewalls.
In case you have already a Vnet, just go to the Service points and add the selected service you want to add or select it all.
At this point there is no Configuration, it is just adding a services to the network or subnet.
Below is a list of the Azure services that are currently available.
Generally available
Public Preview
The Web app is not listed but the option is there, and working. The Azure service Endpoint is not a Firewall, as the Azure Firewall this is a totally different service.
For Samples you have a Web application, and it needs to have connection to storage or SQL server and connection to an other Web services, without setting this open to Any – Any you can restrict this with the Azure Service Endpoints
Creating the Rules is a quick process, these are similar as in the NSG.
First we go the the Web App Service. in Networking and the non readers will click the VNet integration. #Wrong
In this case I don’t want a premium network, So we go to Configure Access Restrictions
Here we create a access rule, on who gets access to this web application.
I created a deny rule for a specific IP.
And the pages shows an error webapp is stopped. here you can also see the difference between a complete port block and no access to the application.
Changing this to Allow the App is visible
Also for the KUDU SCM you can have different rules or apply the same rules. with the little check box
With these options you can create a more secure environment again this is a great add on.
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
The Secure DevOps Kit for Azure is a collection of scripts, tools, extensions, automations.
The kit is based on Powershell and can be extended to Azure log analytics with some nice dashboarding. But if you have a large subscription the Powershell query can take some time. With this toolkit Devops teams using extensive automation and smoothly integrating security into native Devops workflows helping accomplish secure Devops with these 6 focus areas:
- Secure the subscription: A secure cloud subscription provides a core foundation upon which subsequent development and deployment activities can be conducted. An engineering team should have the capabilities to deploy and configure security in the subscription including elements such as alerts, ARM policies, RBAC, Security Center policies, JEA, Resource Locks, etc. Likewise, it should be possible to check that all settings are in conformance to a secure baseline
- Enable secure development: During the coding and early development stages, developers should have the ability to write secure code and to test the secure configuration of their cloud applications. Just like build verification tests (BVTs), we introduce the concept of security verification tests (SVTs) which can check for security of various resource types in Azure
- Integrate security into CICD: Test automation is a core tenet of devops. We emphasize this by providing the ability to run SVTs as part of the VSTS CICD pipeline. These SVTs can be used to ensure that the target subscription used to deploy a cloud application and the Azure resources the application is built upon are all setup in a secure manner
- Continuous Assurance: In the constantly changing dev ops environment, it is important to move away from the mindset of security being a milestone. We have to treat security as a continuously varying state of a system. This is made possible through capabilities that enable continuous assurance using a combination of automation runbooks, schedules, etc.
- Alerting & Monitoring: Visibility of security status is important for individual application teams and also for central enterprise teams. We provide solutions that cater to the needs of both. Moreover, the solution spans across all stages of dev ops in effect bridging the gap between the dev team and the ops team from a security standpoint through the single, integrated views it generates
- Cloud Risk Governance: Lastly, underlying all activities in the kit is a telemetry framework that generates events capturing usage, adoption, evaluation results, etc. This allows us to make measured improvements to security targeting areas of high risk and maximum usage before others.
Keep in mind that The OMS portal will is retired on January 15, 2019. You can continue to use your existing services and licensing in the Azure portal.
Even in the Azure portal you can still connect to OMS
Complete feature set of Secure DevOps Kit for Azure
Setting up Secure DevOps Kit for Azure (AzSK)
First make sure you have the right Azure modules installed, I noticed the automation module failed So I added this manualy.
Import-Module AzureRM.Automation
Get-AzSKAzureServicesSecurityStatus -SubscriptionId
Installing the Secure DevOps Kit for Azure (AzSK)
Install-Module AzSK -Scope CurrentUser
Now that the Powershell modules are installed we can start the (AzSK) Scan
Get-AzSKAzureServicesSecurityStatus –SubscriptionId ID
In this subscription there are 44 items that are been checked
Items are been checked on the security issues
Nice detailed overview is shown. Also a log folder is been created with all the issues. per resource Item.
As you can see I have some failed items and with a High, so I need to take a good look at this and fix this.
This maybe one of the best Items here an excel sheet with al the issues listed with the solution mentioned and if this can be automated.
If needed there is an URL that points you to the right solution.
As Azure log analytics is great and it can be integrated with some OMS (Azure monitoring Dashboards)
The OMS portal will be retired on January 15, 2019. You can continue to use your existing services and licensing in the Azure portal. So the current documentation need some updating.
Pressing the OMS button in the Azure portal brings you to the OMS portal but then nothing. As it is now all Azure portal.
Setting up the dashboards failed on me during the first installation but when I did run this a second time the dashboard was there. (Timing)
Creating the OMS default dashboard we need to run some powershell scripts.
$omsSubId =”id” #subscription hosting the OMS workspace
$omsWSId =’OMS ID’
$omsRGName =’omsrsg’ #RG where the OMS workspace is hosted
$azSkViewName = ‘MVP_AzSK_view’ #This will identify the tile for AzSK view in OMS.
#This command will deploy the AzSK view in the OMS workspace.
Install-AzSKOMSSolution -OMSSubscriptionId $omsSubId `
-OMSResourceGroup $omsRGName `
-OMSWorkspaceId $omsWSId `
-ViewName $azSkViewName
Note:
1) The blades of the OMS view created by this command will start populating only after AzSK scan events become available in the corresponding OMS workspace.
To understand how to send AzSK events to an OMS workspace see https://aka.ms/devopskit/oms.
2) The OMS view installed contains a basic set of queries over DevOps Kit scan events. Please feel free to customize them once you get familiar with the que
ries.
We also periodically publish updated/richer queries at: https://aka.ms/devopskit/omsqueries.
Checking the OMS – log analytics workspace it has not much issues as this is a test subscription and if it was all perfect then there is no fun.
and with longer logging and more Items in azure you will get a different overview.
There are lots of options you can set and there is a detailed description on how to use this on Github
Setting up ARM policys is also one of the options
Set-AzSKARMPolicies –SubscriptionId
So get started with the DevOpsKit https://github.com/azsk/DevOpsKit-docs
https://github.com/azsk/DevOpsKit-docs/tree/master/05-Alerting-and-Monitoring
AzSK Security Controls Portal @https://aka.ms/azskosstcp
With this it’s a nice tool and yes a bit time consuming but learned a lot and make me see things different in the Azure Subscription
And If you combine this directly and not afterwards then this could be your time saver to fix all the security items
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile
Like this:
Like Loading...
