Archive for the ‘Security’ Tag

Step by Step Azure network security groups NSG – Security Center #Azure #NSG #Network   Leave a comment

Now Days I see that people not fully understand  the security needs in Azure. There are a lot of options in Azure to improve the security.

A great option is the Security Center. This is a great dashboard to get a quick over view an the security status of your subscription.

image

 

image

 

But the other Option is setting up a network security group (NSG)

image

A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager).

When an NSG is associated to a subnet, the rules apply to all resources connected to the subnet. Traffic can further be restricted by also associating an NSG to a VM or NIC.

Associating NSGs

You can associate an NSG to VMs, NICs, and subnets, depending on the deployment model you are using, as follows:

  • VM (classic only): Security rules are applied to all traffic to/from the VM.
  • NIC (Resource Manager only): Security rules are applied to all traffic to/from the NIC the NSG is associated to. In a multi-NIC VM, you can apply different (or the same) NSG to each NIC individually.
  • Subnet (Resource Manager and classic): Security rules are applied to any traffic to/from any resources connected to the VNet.

You can associate different NSGs to a VM (or NIC, depending on the deployment model) and the subnet that a NIC or VM is connected to. Security rules are applied to the traffic, by priority, in each NSG, in the following order:

  • Inbound traffic

    1. NSG applied to subnet: If a subnet NSG has a matching rule to deny traffic, the packet is dropped.

    2. NSG applied to NIC (Resource Manager) or VM (classic): If VM\NIC NSG has a matching rule that denies traffic, packets are dropped at the VM\NIC, even if a subnet NSG has a matching rule that allows traffic.

  • Outbound traffic

    1. NSG applied to NIC (Resource Manager) or VM (classic): If a VM\NIC NSG has a matching rule that denies traffic, packets are dropped.

    2. NSG applied to subnet: If a subnet NSG has a matching rule that denies traffic, packets are dropped, even if a VM\NIC NSG has a matching rule that allows traffic.

image

As most items in Azure there are Limits to the number of NSGs you can have in a subscription and number of rules per NSG. To learn more about the limits, read the Azure limits article.

image

Creating a network security group (NSG) is easy you can do this in the portal or with Powershell

imageimage

As I mentioned above you can set the network security group (NSG) on a subnet or VM. Add multiple items in a network security group (NSG)

image

By default all is set to basic just pick a service and open or close the port.

imageimage

But when checking the Advanced option the Rule pane will change into a rich and flexible option menu.

 

image   Instead of selecting just a service You can also add a IP range to exclude others for accessing this machine.

image

Setting this in the GUI is nice but when you need to change or add a lot of these you will need Powershell or ARM templates.

Below are just some examples on how to use them

Login-AzureRmAccount
 
# Select a subscription
$subscriptionId = (Get-AzureRmSubscription | Out-GridView -Title ‘Select your Azure Subscription:’ -PassThru)
Select-AzureRmSubscription -SubscriptionId $subscriptionId.Id
 
# Select a Resource Group
$rgName = (Get-AzureRmResourceGroup | Out-GridView -Title ‘Select your Azure Resource Group:’ -PassThru).ResourceGroupName
 
# Set the NSG name and Azure region
$nsgName = "Trusted-Nsg01"
$location = "West Europe"
$source1 = "8.8.8.8/32"
$source2 = "8.8.4.4/32"
$source3 = "*"
$dest1="3389"
$dest2="443"
$dest3="80"
$tag="blog"

#Below are Sample Rules
$rule1 = New-AzureRmNetworkSecurityRuleConfig -Name rdp-rule -Description "Allow RDP" `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
-SourceAddressPrefix $source1 -SourcePortRange * `
-DestinationAddressPrefix * -DestinationPortRange $dest1

$rule2 = New-AzureRmNetworkSecurityRuleConfig -Name web-rule2 -Description "Allow Port" `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 101 `
-SourceAddressPrefix $source2 -SourcePortRange * -DestinationAddressPrefix * `
-DestinationPortRange $dest2

$rule3 = New-AzureRmNetworkSecurityRuleConfig -Name web-rule3 -Description "Allow Port" `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 103 `
-SourceAddressPrefix $source3 -SourcePortRange * -DestinationAddressPrefix * `
-DestinationPortRange $dest3

$rule4 = New-AzureRmNetworkSecurityRuleConfig -Name web-rule4 -Description "Allow Port" `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 104 `
-SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * `
-DestinationPortRange 88

 

Now that the port Rules are created we need to put them in a security group

#applying the Rules
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rgName -Location $location -Name $nsgName -SecurityRules $rule1,$rule2,$rule3,$rule4

image

# Display default and security rules for NSG
 
(Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName).SecurityRules | Select-Object * | Out-GridView
(Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName).DefaultSecurityRules | Select-Object * | Out-GridView

#Remove NSG

Remove-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName

 

Now that we created a network security group (NSG) we can add it to a VM this can also be done with PowerShell but there is a BUT.

let me show you, Go to the VM and select the network card.

image

The Nic can be named nic245768323 something, I always use named NIC’s so that is easy but if not the NSG could be applied on an other VM and maybe it will fail.

imageimage

When selecting this manual you can see the nic and if you are sure on the other machines you can do this with PowerShell also.

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Http://nl.linkedin.com/in/robertsmit

Google Me : https://www.google.nl

Bing Me : http://tinyurl.com/j6ny39w

LMGTFY : http://lmgtfy.com/?q=robert+smit+mvp+blog

Advertisements

Posted September 11, 2017 by Robert Smit [MVP] in Azure

Tagged with ,

Enhanced Mitigation Experience Toolkit #EMET #security   Leave a comment

The Enhanced Mitigation Experience Toolkit (EMET) helps raise the bar against attackers gaining access to computer systems. EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques. EMET helps protect your computer systems even before new and undiscovered threats are formally addressed by security updates and antimalware software. EMET benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives.

 

Enhanced Mitigation Experience Toolkit

Download The Enhanced Mitigation Experience Toolkit (EMET) : http://www.microsoft.com/en-us/download/details.aspx?id=41963

 

EMET 5.0 Technical preview introduces a mitigation that can be used to reduce the exposure of components at risk to remote attackers. ASR is a new feature that can be used to block the usage of specific modules or plugins within an application. For example, EMET can be configured to prevent Microsoft Word/Excel from loading the Flash plugin, or, with the support of security zones, can be used to prevent Internet Explorer from loading the Java plugin on an Internet Zone website while continuing to allow Java on Intranet Zone websites. The mechanism simply prevents DLL loading in a selective way per-process and it essentially adds the benefit of the “killbit” mechanism to any application without need of complicated CLSID.
NOTE: The list of blocked modules for ASR and the zones with exceptions (where the modules are allowed to be loaded) should be manually defined by the user in the following registry key per-application:

HKLM\SOFTWARE\Microsoft\EMET\_settings_\{CLSID}\asr_modules = “…”
HKLM\SOFTWARE\Microsoft\EMET\_settings_\{CLSID}\asr_zones = “…”
In EMET 5.0TP the feature is enabled only for the following combinations of processes and modules:

image

The list of security zones is the standard one used by Internet Explorer: Local (0), Intranet (1), Trusted (2), Internet (3), Untrusted (4).

image

imageimage

EMET offers the “Early Warning Program” reporting feature. When an exploitation attempt is detected and blocked by EMET, a set of information related to the attack will be sent back to Microsoft through the standard Windows Error Reporting channel.

This information will help Microsoft to obtain information related to 0day exploits and will facilitate the remediation of the issue before it becomes a large scale threat. If the vulnerability is related to a software from a third party vendor, Microsoft will work with the affected vendor through the Microsoft Vulnerability Research program to remediate the issue.

The Early Warning Program reporting feature will also send back to Microsoft information related to suspicious SSL certificates related to Microsoft online services. Please refer to the “Privacy Statement.rtf” file, available also through the “Help” ribbon in EMET GUI, and at http://aka.ms/emet41ps, for more information on the type of data that will be sent to Microsoft.

Posted March 10, 2014 by Robert Smit [MVP] in Security

Tagged with

Enhanced Mitigation Experience #Toolkit #EMET Version 4.0 #msteched #TEE13   3 comments

 

image

http://www.microsoft.com/en-us/download/details.aspx?id=39273

 

The Enhanced Mitigation Experience Toolkit (EMET) is designed to help prevent hackers from gaining access to your system.
Software vulnerabilities and exploits have become an everyday part of life. Virtually every product has to deal with them and consequently, users are faced with a stream of security updates. For users who get attacked before the latest updates have been applied or who get attacked before an update is even available, the results can be devastating: malware, loss of PII, etc.
Security mitigation technologies are designed to make it more difficult for an attacker to exploit vulnerabilities in a given piece of software. EMET allows users to manage these technologies on their system and provides several unique benefits

Emet install shotimageimage

Quick installation shots , trusted applications

image

EMET is designed to work with any software, whether it is developed by Microsoft or by other vendors. However, you should be aware that some software may be incompatible with EMET. Some applications rely on exactly the behavior that the mitigations block. It is important to use test scenarios on all target computers before you deploy EMET in a production environment.

After you install EMET, you must configure EMET to provide protection for a piece of software. This requires you to provide the name and location of the executable file that you want to protect. To do this, use one of the following methods:

  • Work with the Application Configuration feature of the graphical application
  • Use the command prompt utility

If you want to leverage the Certificate Trust feature, you have to provide the list of the websites that you want to protect and certificate pinning rules that apply to those websites. To do this, you have to work with the Certificate Trust Configuration feature of the graphical application.

Alternatively, you can use the new Configuration Wizard that allows you to automatically configure EMET with the recommended settings.

Get the toolkit here : http://www.microsoft.com/en-us/download/details.aspx?id=39273

Posted June 18, 2013 by Robert Smit [MVP] in Security

Tagged with

SCM 3.0 with Windows Server 2012, Windows 8, and IE 10 baselines Now in beta   2 comments

SCM is a free tool from the Microsoft Solution Accelerators team that enables you to quickly configure and manage your computers whether their located on desks, in traditional datacenter, or in a private cloud using Group Policy and Microsoft® System Center Configuration Manager. To learn more about the current version of Security Compliance Manager, SCM 2.5, visit the TechNet Library More info about SCM get it here.

 

Secure your environment with new product baselines for Windows Server 2012, Windows 8, and Windows Internet Explorer 10. The beta release of Security Compliance Manager (SCM) 3.0 provides all the same great features for these new baselines, as well as an enhanced setting library for these new Microsoft products. This beta release includes fixes that resolve many previously reported issues in the setting library. The updated setting library also gives you the ability to further customize baselines. SCM 3.0 provides a single location for you to create, manage, analyze, and customize baselines to secure your environment faster and more efficiently.

As part of a select group of our key customers, we invite you to participate in the Beta Review Program of these new product baselines that include security enhancements for the following server roles and features:

Windows Server 2012 Security Baselines:

  • Domain Controller Security Compliance
  • Domain Security Compliance
  • Hyper-V Security Compliance
  • Member Server Security Compliance
  • Web Server Security Compliance

Windows 8 Security Baselines:

  • BitLocker Security
  • Computer Security Compliance
  • Domain Security Compliance

User Security Compliance:

  • Internet Explorer 10 Security Baselines:
  • Computer Security Compliance
  • User Security Compliance

What is not available in this beta release

The ability to export compliance data using formats that work with the DCM feature in Microsoft System Center Configuration Manager and the Security Content Automation Protocol (SCAP) is temporarily blocked in the new baselines for Windows Server 2012, Windows 8, and Internet Explorer 10. This functionality will be enabled in the next beta release update.

This beta release includes five baselines for Windows Server 2012. The following additional server role baselines will be included in the next beta release update:

  • Active Directory Certificate Services (AD CS)
  • DNS Server
  • DHCP Server
  • File Services
  • Network Policy and Access Servers
  • Print Services
  • Remote Access
  • Remote Desktop Services

If you perform a clean installation of SCM 3.0 Beta on a computer running either Windows 8 or Windows Server 2012 that does not also have Microsoft SQL Server software installed on it, you may receive the following compatibility warning message.

clip_image002

 

A setting named Configure Windows SmartScreen in the Windows 8 Computer Security baseline may not be set in the registry correctly after its Group Policy Object (GPO) is applied. This is a known issue in this beta release that will be fixed in the final commercial release of SCM. The workaround to resolve this issue is to disable or not configure this setting in the baseline before exporting the GPO.

If you export the Windows 8 Computer Security Compliance baseline into a GPO, import the GPO into SCM 3.0 Beta, and then export it to a computer running a Windows operating system earlier than Windows 8 and Windows Server 2012, an application exception message may appear. This is a known issue in this beta release that will be fixed in the final commercial release of SCM. The workaround to resolve this issue is to disable the setting named Configure Windows SmartScreen before clicking GPO Backup (folder) in the Export area of the Action pane in SCM 3.0 Beta.

Posted September 15, 2012 by Robert Smit [MVP] in Security Compliance Manager

Tagged with ,

Security Compliance Manager 2.5 Beta   1 comment

The Microsoft Security Compliance Manager (SCM) tool—version 2.5—is now available for beta download

NEW baselines include:
•Exchange Server 2007 SP3 Security Baseline
•Exchange Server 2010 SP2 Security Baseline

Updated client product baselines include:
•Windows 7 SP1 Security Compliance Baseline
•Windows Vista SP2 Security Compliance Baseline
•Windows XP SP3 Security Compliance Baseline
•Office 2010 SP1 Security Baseline
•Internet Explorer 8 Security Compliance Baseline

SCM 2.5 enables you to quickly configure and manage your desktops and laptops, traditional data center, and private cloud using Group Policy and Microsoft System Center Configuration Manager.

Configure and manage your computers, traditional data center and private cloud with new and updated baseline configurations available with SCM 2.5 Beta. In addition to key features from the previous version, SCM 2.5 offers new Exchange Server 2010 and 2007 security baselines. Updated SCM2 client product baselines are included in the Beta download as well. Beta client product baselines include Windows 7 SP1, Windows Vista SP2, Windows XP SP3, Microsoft Office 2010 SP1, and Internet Explorer 8.

KeyFeatures in SCM 2.5 include:

  • Integration with the System Center 2012 IT GRC Process Pack for Service Manager-Beta:Product baseline configurations are integrated into the IT GRC Process Pack to provide oversight and reporting of your compliance activities.
  • Gold master support: Import and take advantage of your existing Group Policy or create a snapshot of a reference machine to kick-start your project.
  • Configure stand-alone machines: Deploy your configurations to non-domain joined computers using the new GPO Pack feature.
  • Updated security guidance: Take advantage of the deep security expertise and best practices in the updated security guides, and the attack surface reference workbooks to help reduce the security risks that you consider to be the most important.
  • Compare against industry best practices: Analyze your configurations against prebuilt baselines for the latest Windows client and server operating systems.

SCM2 tool released in September 2011 with a full complement of Microsoft product baselines, including Windows Internet Explorer 9, Windows Server 2008 R2 Service Pack 1 (SP1), Windows Server 2008 SP2, and Windows Server 2003 SP2. As well as new features such as GPO import, baseline setting customization, Local GPO functionality, enhanced UI and improved installation with SQL Server 2005 and later releases of SQL Server.

To learn more about the Security Compliance Manager tool, visit the TechNet Library page  Microsoft.com .

Next Steps

Microsoft Security Compliance Manager (SCM 2) tool   2 comments

Secure Client Computers with updated SCM 2 Client Baselines—Beta now available for download

Available beta baselines are:

  • Windows 7 SP1 Security Compliance Baseline
  • Windows Vista SP2 Security Compliance Baseline
  • Windows XP SP3 Security Compliance Baseline
  • Office 2010 SP1 Security Baseline
  • Internet Explorer 8 Security Compliance Baseline

SCM 2 enables you to quickly configure and manage your desktops and laptops, traditional data center, and private cloud using Group Policy and Microsoft System Center Configuration Manager.

SCM 2 is a free tool from the Microsoft Solution Accelerators team that enables you to quickly configure and manage your computers, traditional data center, and private cloud using Group Policy and Microsoft System Center Configuration Manager.

Key features in SCM 2 include:

  • Integration with the System Center 2012 IT GRC Process Pack for Service Manager-Beta:Product configurations are integrated into the IT GRC Process Pack to provide oversight and reporting of your compliance activities.

  • Gold master support: Import andtake advantage of your existing Group Policy or create a snapshot of a reference machine to kick-start your project.

  • Configure stand-alone machines: Deploy your configurations to non-domain joined computers using the new GPO Pack feature.

  • Updated security guidance: Take advantage of the deep security expertise and best practices in the updated security guides, and the attack surface reference workbooks to help reduce the security risks that you consider to be the most important.

  • Compare against industry best practices: Analyze your configurations against prebuilt baselines for the latest Windows client and server operating systems.

  • image

SCM 2 released with the a full complement of Microsoft product baselines, including Windows Internet Explorer 9, Windows Server 2008 R2 Service Pack 1 (SP1), Windows Server 2008 SP2, and Windows Server 2003 SP2.

Also the security guides are also in the download.

 

Get SCM2 from the Microsoft Download Center. Click here to download the latest version of the tool.

Security and Compliance Baselines

In addition to the previously released security baselines, the SCM 2 includes a new Windows Internet Explorer 9 Security Baseline, and updated versions of the security and compliance baselines for Windows Server 2008 R2 SP1, Windows Server 2008 SP2, and Windows Server 2003 SP2.

These new beta baselines provide:

  • Setting severity ratings, allowing you to quickly sort, prioritize, and apply Microsoft security recommendations.
  • Consolidated product baselines that eliminate EC and SSLF baseline components, and make viewing, customizing, and implementing your security baselines easier than ever!
  • New compliance-based settings groups allow quicker and easier compliance reporting and audit preparation, when used with theGRC management solution within System Center.

Security Compliance Manager 2   Leave a comment

Microsoft Security Compliance Manager (SCM) 2 enables you to take better advantage of your organization’s existing knowledge and investments, and customize security settings with ease.

SCM main screen

New Features in SCM 2 Include:

  • GPO import: SCM 2 is can now able to import Group Policy Object (GPO) Backup files to allow organizations to import and compare their existing knowledge against Microsoft baseline recommendations. This long-awaited feature effectively helps you to customize and manage your organization’s existing knowledge stored in Active Directory.
  • Baseline setting customization: Modifying baselines just got easier. Adding, extending, or deleting settings from a baseline is an effortless process in this new version of the tool.
  • Local GPO functionality: Apply security baselines directly to client and server computers using the LocalGPO command-line tool, which enables you to secure stand-alone computers and test different baselines without using Active Directory to deploying them. Use this tool to create local policy snapshots that you can import into SCM 2, using the new GPO import capabilities, which you can then compare, customize, and export as needed.
  • Additional features: These include a new and enhanced UI that provides simpler navigation in the tool, and improved installation with SQL Server 2005 and later releases of SQL Server.

Version 2 of the SCM tool will release with the a full complement of Microsoft product baselines, including Windows Internet Explorer 9, Windows Server 2008 R2 Service Pack 1 (SP1), Windows Server 2008 SP2, and Windows Server 2003 SP2.

Security and Compliance Baselines

In addition to the previously released security baselines, the SCM 2 beta download includes a new Windows Internet Explorer 9 Security Baseline, and updated versions of the security and compliance baselines for Windows Server 2008 R2 SP1, Windows Server 2008 SP2, and Windows Server 2003 SP2.

These new beta baselines provide:

  • Setting severity ratings, allowing you to quickly sort, prioritize, and apply Microsoft security recommendations.
  • Consolidated product baselines that eliminate EC and SSLF baseline components, and make viewing, customizing, and implementing your security baselines easier than ever!
  • New compliance-based settings groups allow quicker and easier compliance reporting and audit preparation, when used with the GRC management solution within System Center.

Looking Ahead

Additional product baselines are currently in development, including baselines for:

  • Windows 7 SP1
  • Microsoft Exchange Server 2007
  • Exchange Server 2010
  • SQL Server 2008 and SQL Server 2008 R2 (multiple roles)
  • Microsoft Office 2010
  • Windows Vista SP2
  • Windows XP SP3
  • Windows Internet Explorer 8

Previously released security baselines include: Windows 7, Windows Vista, Windows XP, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Internet Explorer 8, Microsoft Office 2010, and Office 2007.

 
You can use local GPo settings

and some screens about group viewing or simple view in the old version all info is on one screen

now it is much better but still you have to know what you are doing. and not all IT pro’s are aware of this. With GPO’s you can easy tear down your domain so never test in the production environment. I see to often that GPo’s are quickly set and have problems afterwards.

Compliance Group View

(IT GRC compliance) Group View.

 

Great tool that can help you to secure your environment based on the templates.

  • Twitter

  • %d bloggers like this: