Azure Security Center – Continuous Export via Azure Policy

Earlier this week, I highlighted how you can use Azure Security Center (ASC) and its Continuous Export feature to send Security Alerts and Recommendations to Event Hubs (and/or Log Analytics); you can find that post HERE. Today I want to show you how you can follow Governance best practices and leverage Azure Policy to ensure ASC is configured to forward to Event Hubs and/or Log Analytics.

As a quick intro, Azure Security Center (ASC) is a holistic solution provided by Microsoft that not only assesses your Azure resources, but can also be extended to your On-Premises infrastructure. ASC is a security management solution that improves your overall security posture within your Azure environment and on-premises infrastructure. I work with a lot of customers that require an “agnostic” SIEM solution. ASC generates detailed security recommendations and alerts that can be viewed through the ASC portal; however, customers often have a requirement to send this telemetry to a third-party SIEM such as QRadar, Splunk, etc. In short, your Azure resources can send their security events directly to Event Hubs (via the Diagnostics agents), or ASC can be configured to forward them (the easier approach).

To get these policies, go HERE to the Azure GitHub repo. In the next post, I will walk you through the setup and all the parameters required to get this policy up and ‘governing’.

Azure Security Center – Continuous Export

Azure Security Center (ASC) is a great holistic solution provided by Microsoft that not only assesses your Azure resources, but can also be extended to your On-Premises infrastructure. ASC is a security management solution that improves your overall security posture within your Azure environment and on-premises infrastructure. I work with a lot of customers that require an “agnostic” SIEM solution, so they don’t have all of their eggs in one basket (so to speak) with a single vendor. Azure Sentinel is a great solution, but still lacks maturity in comparison to other products like IBM’s QRadar, Splunk and some others.

ASC also generates detailed security recommendations and alerts that can be viewed through the ASC portal. However, when customers have a requirement to send this telemetry to a third-party SIEM, Azure’s Event Hubs is a great middleman solution.

In short, your Azure resources can send their security events directly to Event Hubs (via the Diagnostics agents), or ASC can be configured to forward them (the easier approach). Choosing the latter, we can configure ASC to Continuously Export the data it collects to Event Hubs, which in turn allows the third-party SIEM to ingest the data from Event Hubs.

Once you have enabled ASC and enrolled your resources (assuming you have already configured Event Hubs and a third-party SIEM), you can then set up Continuous Export within the ASC console as shown below.

Setting up ASC Continuous Export is pretty straightforward, provided you have already configured Event Hubs and your SIEM to ingest from Event Hubs. Within ASC, select Continuous Export. Choose the destination to send the data to, either Event Hubs or Log Analytics (Sentinel). Select the types of alerts and recommendations (All, Low, Medium, High). Specify the Subscription where Event Hubs lives, the Event Hub Namespace, Name, and Policy Name. Hit Save, and that is it!

That’s it, pretty simple. Definitely a much easier solution than deploying the Linux and Windows Azure Diagnostics agents (LAD/WAD), but that is another post for another day 🙂

Azure Security Center – Secure Score Enhancements

Over the last few days, Azure Security Center (ASC) made an update to how Secure Score is calculated. This new enhancement simplifies how the Secure Score is calculated, and in this post I would like to show how this is done.

As previously mentioned, Azure Security Center is a high-level, holistic assessment of your Azure environment, and it can also be extended to your on-premises environment. One of the key functionalities ASC provides is a Secure Score. Secure Score is a calculation based on your specific environment and the resources deployed within it. The Secure Score provides a ratio between your healthy resources and the total resources deployed within your environment, per recommendation for each security control/vulnerability.

To see your Secure Score, go to Azure Security Center, and look for your score within the Policy & Compliance blade:

Now let’s look at how the Secure Score is calculated.

If you drill down to your recommendations section, you can see each control and its potential score. You can also review how you can achieve a higher score by implementing the suggested recommendations.

If we select one of the many recommendations, we can see by implementing MFA in the environment, our overall Secure Score has the potential to increase by 10 points, or 18%.

To get the full list of Security Controls and each recommendation, please see Microsoft’s documentation HERE.

Automate and Deploy Microsoft Defender Advanced Threat Protection (MDATP) via PowerShell

A few days ago, I needed to on-board Azure Windows Server VMs with Microsoft Windows Defender Advanced Threat Protection, or in short, MDATP. Sometimes Azure Security Center (ASC) has issues with on-boarding VMs and deploying the MDATP agent. As a result, I wrote the following PowerShell script that downloads the MDATP.cmd file from my Azure Blob container and installs it locally on the VM. This script allows you to automate the on-boarding for all VMs within a Resource Group.

Now there are a few assumptions here…

  1. Download the MDATP.cmd file from the Defender Security Center portal
  2. Remove the requirement for user consent for the MDATP execution
  3. Upload the modified MDATP file to an Azure Blob container
  4. Generate a SAS URI for the MDATP file

There are many examples on the Internet on how to do step #4. Maybe in time I will do another post.

To remove the requirement for the MDATP agent to wait for user interaction/consent, remove or comment out the following lines of code. Open the MDATP.cmd file in Notepad, and add a “:” at the start of each line from lines 9 through 19, except line 14 (cmd treats a line that begins with “:” as a label, so it is skipped rather than executed). It should look something like this.

Now, update and run the following PowerShell code. You can validate that the VM is calling back to the Defender Security Center portal, or by running the MDATPClientAnalyzer on the VM.

#update resource group as needed
$resourcegroup = "YOUR_RESOURCE_GROUP"
#get only the names of Windows Server VMs
$vms = Get-AzVM -ResourceGroupName $resourcegroup |
    Where-Object {$_.StorageProfile.OSDisk.OSType -eq "Windows"} |
    Select-Object -ExpandProperty Name
#steps that must run inside each VM (not on the admin workstation); delivered with Azure Run Command
$onboardScript = @'
#create folder, do not display error if folder already exists
New-Item -Path "C:\" -Name "MDATP" -ItemType "directory" -ErrorAction SilentlyContinue
#download MDATP.cmd file from Storage Account with SAS URI, then execute it (consent prompt already removed)
Invoke-WebRequest -Uri "YOUR_URI_SAS" -OutFile "C:\MDATP\WindowsDefenderATPLocalOnboardingScript.cmd" -UseBasicParsing
Start-Process -FilePath "C:\MDATP\WindowsDefenderATPLocalOnboardingScript.cmd" -Wait
'@
$scriptPath = Join-Path ([System.IO.Path]::GetTempPath()) "Onboard-MDATP.ps1"
Set-Content -Path $scriptPath -Value $onboardScript
foreach ($vm in $vms)
{
    #friendly start message to indicate which server has started
    Write-Host "Server $vm has started..."
    #Run Command executes the script as SYSTEM inside the VM, so no RunAs prompt is needed
    Invoke-AzVMRunCommand -ResourceGroupName $resourcegroup -VMName $vm -CommandId "RunPowerShellScript" -ScriptPath $scriptPath
    #sleep for 5 seconds
    Start-Sleep -Seconds 5
    #restart server through the Azure control plane (no WinRM connectivity required)
    Restart-AzVM -ResourceGroupName $resourcegroup -Name $vm -NoWait
    #friendly finished message to indicate which server has completed and will now reboot
    Write-Host "Server $vm has completed, reboot initiated..."
}

Azure Conditional Access – Report-Only Mode

What is Conditional Access Report-Only mode?

Not too long ago, Azure Conditional Access introduced a new feature that allows Azure Active Directory administrators to test conditional access policies and their impact without actually enforcing the policy, i.e. Report-Only mode.

For starters, Azure Conditional Access allows Azure Active Directory (Azure AD) administrators to enforce a specific set of conditions that must be satisfied before a user (or group) can access specific resources within Azure. For example, a policy could be something as simple as “Enforce all users to go through MFA in order to gain access to the Azure portal”, or “Only users connected to the On-Premises network can gain access to the Azure portal”.

Conditional Access is one of the many layers of implementing a Zero-trust network/environment. More on that in another post…

Implementing Conditional Access policies introduces a lot of challenges for end-users, as it is sometimes difficult to determine the level of impact on the end-user(s). Report-Only mode allows Conditional Access administrators to determine the level of impact on users before actually enforcing the policy.

In the example below, I have created a Conditional Access policy with the following conditions and controls before a user can gain access to an Azure application. In this example, that application is Azure Portal.

Overview:

All Guest Users must go through MFA in order to be granted access to the Azure Management Portal. Pretty simple. Let’s see how this is set up, and the effects of Report-Only mode.

To begin, navigate to the Azure Active Directory service within the Azure Portal. Some base requirements: you need an Azure AD P1 or P2 license, and the administrator must hold the Conditional Access Administrator Azure AD role as a minimum.

Create a policy, and give it some name followed by providing various requirements/conditions/controls.

Next we need to specify the users or groups that this policy will be applicable to (or not, see the Exclude function).

Next, we need to specify the application this policy will be applicable to. Here I have selected the Azure Management Portal (Microsoft Azure Management) as the Cloud app.

Next, we need to either block or grant access to the users and the application once they pass the controls. In this case, the user must go through MFA in order to gain access to the Cloud app.

Finally, we save our configuration and leave the policy as Report-Only.

Now we can navigate to the Sign-In logs to audit and validate our policy. Again, since this is a Report-Only policy, we can see the level of impact it would have caused to our end-users.

For more on Azure AD Conditional Access, please feel free to visit the following Microsoft URL, https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/.
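The same policy built from PowerShell instead of the portal, as an added example that is not part of the original post: it uses the AzureAD module’s New-AzureADMSConditionalAccessPolicy cmdlet and assumes Connect-AzureAD has already been run; the display name is my own placeholder, and the application id is the well-known Microsoft Azure Management first-party app.

```powershell
# Added example: "All Guest Users must MFA to reach Microsoft Azure Management", created in Report-Only mode.
# Assumes the AzureAD module is installed and Connect-AzureAD has been run with sufficient rights.

# Well-known app id of the Microsoft Azure Management cloud app (same in every tenant)
$azureManagementAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

# Conditions: which users and which cloud app the policy applies to
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = $azureManagementAppId
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "GuestsOrExternalUsers"   # all guest / external users, as in the portal walkthrough

# Grant control: access is granted only after MFA
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = @("mfa")

# State "enabledForReportingButNotEnforced" is Report-Only: the policy is evaluated and written to the
# sign-in logs on every sign-in, but never blocks or challenges anyone.
$policy = New-AzureADMSConditionalAccessPolicy `
    -DisplayName "Guests - MFA for Azure Management (Report-Only)" `
    -State "enabledForReportingButNotEnforced" `
    -Conditions $conditions `
    -GrantControls $controls

# Confirm the policy landed in the expected state before walking away
Get-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id | Select-Object DisplayName, State
```

Switching `-State` to `"enabled"` is the only change needed once the Sign-In logs show the impact is acceptable.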

Get Azure Global Administrators

Recently a customer asked me to retrieve all users that have Global Administrator access to their Azure environment. The PowerShell code below will allow you to query Azure Active Directory (AAD) for them. Nothing new or unique here, but this quick two-liner should do the trick. 😉

$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Company Administrator'}
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Sort-Object DisplayName | Select-Object DisplayName, UserPrincipalName, ObjectId 

Hope this was helpful!

Azure Bastion – What is it?

A little late to the party but nevertheless, I wanted to quickly show what is and how to use Azure Bastion. Azure Bastion is still in “public preview” but the solution is mature enough to start implementing now. Azure Bastion reduces the risk significantly in comparison to your traditional jumpbox approach, as it forces users to authenticate over SSL/443.

So what is Azure Bastion? Azure Bastion is a fully managed service by Azure/Microsoft that allows you to RDP and/or SSH into any Azure VM. Azure Bastion allows you to connect to your Azure VMs over HTML5-based browsers and using SSL.

Key Benefits:

  • Protection against 0-Day exploits:
    • Because Bastion sits at the perimeter of your VNet, you do not need to worry about hardening each of your VMs (although you should harden everything!!). The Azure platform keeps Azure Bastion hardened and always up to date.
  • No Public IP(s) required for your Azure VMs:
    • By using Bastion, you can remove PIPs from your Azure VMs and can force your users to go through the Bastion host to connect to your VMs in your Azure environment.
  • Remote Sessions over SSL:
    • Since Azure Bastion uses modern HTML5 browsers, users can RDP/SSH over SSL (443), enabling you to traverse corporate firewalls securely.
  • Simplified Management of NSGs:
    • Since Bastion is a fully managed PaaS service by Azure, you no longer need to apply Network Security Groups (NSGs) on your Bastion subnet. Since Bastion connects to your VMs over a Private IP, you can configure your NSGs to allow RDP/SSH from Azure Bastion only.

Architecture:

Source: Microsoft, https://docs.microsoft.com/en-us/azure/bastion/bastion-overview

The architecture diagram above shows the workflow of how Azure Bastion works.

  • The Bastion host is deployed within a VNet and with its own dedicated subnet
  • Users can connect with any modern HTML5 browser
  • No Public IPs on Azure VMs

Base Requirements:

Before getting set up with Azure Bastion, there are some key things to know:

  • You must have a Virtual Network
  • The VNet must have a subnet dedicated for Bastion and its name must be “AzureBastionSubnet”
  • It is always recommended to have the subnet with a /27 CIDR. It is easy to grow your subnet as needed, much more difficult to shrink. Always start small and grow as needed.
  • No User Defined Routing (UDR) or Network Security Groups (NSG) can be applied to the subnet.

Next step, how to deploy and configure Azure Bastion. If you want to get started with Azure Bastion, you can enroll with the Public Preview here, https://aka.ms/BastionHost.
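The deployment the requirements above describe, scripted with Az PowerShell as an added example (not from the original post): the resource names and the 10.10.255.0/27 range are placeholders I chose, and the VNet, the workload subnet’s NSG and Connect-AzAccount are assumed to already exist.

```powershell
# Added example: deploy Azure Bastion and lock RDP/SSH on a workload subnet down to the Bastion subnet only.
# Placeholders: rg-bastion-demo, vnet-hub, nsg-workload, pip-bastion, bas-hub and 10.10.255.0/27.
$rg  = "rg-bastion-demo"
$loc = "canadacentral"
$bastionPrefix = "10.10.255.0/27"          # /27 is the recommended starting size; grow later if needed

# 1. Dedicated subnet: the name must be exactly AzureBastionSubnet, with no NSG or UDR attached
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-hub"
Add-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet" -VirtualNetwork $vnet -AddressPrefix $bastionPrefix | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork

# 2. Bastion needs a Standard SKU, static public IP; the VMs behind it keep no public IP at all
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "pip-bastion" -Location $loc `
    -AllocationMethod Static -Sku Standard

# 3. Create the Bastion host (this step takes several minutes)
New-AzBastion -ResourceGroupName $rg -Name "bas-hub" -PublicIpAddress $pip -VirtualNetwork $vnet

# 4. Workload NSG: allow RDP/SSH only from the Bastion subnet, then explicitly deny it from anywhere else
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "nsg-workload"
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-RDP-SSH-From-Bastion" -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $bastionPrefix -SourcePortRange "*" `
    -DestinationAddressPrefix "VirtualNetwork" -DestinationPortRange @("22", "3389") | Out-Null
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Deny-RDP-SSH-From-Anywhere-Else" -Priority 110 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange @("22", "3389") | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Select-Object Name, ProvisioningState
```

Once the deny rule is in place, any leftover public IP on a VM no longer exposes RDP/SSH, which is the point of fronting the VMs with Bastion.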

Azure Policy – Audit for Network UDR Changes

Azure Policy has been available for some time now, but for folks getting started with Cloud Governance: Azure Policy is a service in Azure that allows you to create, assign, and manage custom policies. These policies can be used to enforce a global set of rules, or a specific set of controls for specific environments, i.e. less control and governance in a “development” environment. This allows resources to stay compliant with your enterprise standards. Azure policies can enforce different rules, from Denying specific services to ensuring resources are only built within a specific region, i.e. resources can only be built within the Canadian regions. Conversely, rather than enforcing, policies can also be configured to Audit, where resources are marked if they are not compliant, for example, a Storage Account that is not configured with secure transfer.

Before diving into the policy itself, I want to quickly go over the types of conditions that are available and that can be used to enforce different compliance rules. The following table shows how different policy effects work with the condition evaluation for the resulting compliance state. Although you don’t see the evaluation logic in the Azure portal, the compliance state results are shown. The compliance state result is either compliant or non-compliant.

Resource State | Effect                                                   | Policy Evaluation | Compliance State
Exists         | Deny, Audit, Append, DeployIfNotExist, AuditIfNotExist*  | True              | Non-Compliant
Exists         | Deny, Audit, Append, DeployIfNotExist, AuditIfNotExist*  | False             | Compliant
New            | Audit, AuditIfNotExist*                                  | True              | Non-Compliant
New            | Audit, AuditIfNotExist*                                  | False             | Compliant
  • *The Append, DeployIfNotExist, and AuditIfNotExist effects require the IF statement to be TRUE. The effects also require the existence condition to be FALSE to be non-compliant. When TRUE, the IF condition triggers evaluation of the existence condition for the related resources.

Source: https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-portal

Today I want to show a real-world example: a customer recently asked to monitor any changes being made to their UDRs (User Defined Routes/Routing).

The following policy rule continuously monitors all UDRs in the environment. If any change is made to a route table, it is audited and the change is tracked. Once the policy is enabled, you can see it in action by creating or modifying a UDR.

"policyRule": {
  "if": {
    "anyOf": [
      {
        "source": "action",
        "like": "Microsoft.Network/routeTables/*"
      }
    ]
  },
  "then": {
    "effect": "audit"
  }
}

See below for the compliance state once a change has been made to a UDR. Drilling down into the event and the activity log shows the user and the exact changes that were made to the UDR.
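The same rule turned into a custom definition, assigned to a subscription and queried for its results, as an added example that is not part of the original post. It uses Az PowerShell (Az.Resources and Az.PolicyInsights) and assumes Connect-AzAccount has been run; the definition and assignment names are placeholders I chose.

```powershell
# Added example: create, assign and query the "audit UDR changes" policy with Az PowerShell.
# Placeholder names: audit-udr-changes. Assumes Connect-AzAccount and Owner/Policy Contributor on the subscription.
$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId"

# Exactly the policyRule from the post: any action on a route table (create/update/delete) is audited
$policyRule = @'
{
  "if": {
    "anyOf": [
      { "source": "action", "like": "Microsoft.Network/routeTables/*" }
    ]
  },
  "then": { "effect": "audit" }
}
'@

# Custom definition; -Policy accepts the rule as a JSON string or a file path
$definition = New-AzPolicyDefinition -Name "audit-udr-changes" `
    -DisplayName "Audit changes to User Defined Routes" `
    -Description "Flags create, update and delete operations on route tables for review." `
    -Policy $policyRule -Mode All

# Assign it at subscription scope so every route table in the subscription is covered
New-AzPolicyAssignment -Name "audit-udr-changes" -Scope $scope -PolicyDefinition $definition | Out-Null

# Later: list the route-table resources the assignment has flagged as non-compliant
Get-AzPolicyState -SubscriptionId $subscriptionId `
    -Filter "PolicyDefinitionName eq 'audit-udr-changes' and ComplianceState eq 'NonCompliant'" |
    Select-Object Timestamp, ResourceId, ComplianceState
```

The audit effect never blocks the change; pair the compliance results with the Activity Log entry to see who made the modification, as described above.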

I hope this was helpful! 

Forcefully Revoke Azure AD User Session Access – Immediately

Sometimes it is critical to revoke a user’s Azure AD session, for whatever reason it may be. You can always delete the user from Azure AD; however, if the user is connected via PowerShell, the user’s token may not expire for a few more minutes, or maybe hours, depending on the token TTL settings… So what can you do? You can forcefully revoke a user’s token session by using the following PowerShell cmdlet, “Revoke-AzureADUserAllRefreshToken”. Due to Microsoft’s ever-changing Azure modules, I have tested this solution within the Azure Cloud Shell, and not on a local machine with PowerShell ISE with the AZ or RM modules.

First we need to identify which user will have their access revoked. Based on the Revoke cmdlet, you will need to specify the “ObjectID” parameter, and the user’s ObjectID can be found within the Azure AD blade as seen below:

For additional information, you can view the user’s access by executing the following cmdlet: “Get-AzRoleAssignment -ObjectId <>”.

Once we have identified the user and their ObjectID, we first need to connect to Azure AD by running the following cmdlet: “Connect-AzureAD -TenantId <>”. In my experience you need to specify the TenantID. Once you have connected and verified your device, you can run the Revoke cmdlet, as seen below: “Revoke-AzureADUserAllRefreshToken -ObjectId <>”. The Revoke cmdlet will not provide any details if the operation was successful; however, it will throw an error if something did not go right. Yes, very helpful, right? 🙂

By running this Revoke cmdlet, the user has now lost all access to their Azure AD account, and any active sessions, either via the Azure Portal UI or PowerShell, will be immediately revoked. 🙂
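Since the Revoke cmdlet returns nothing on success, the following added example (not from the original post) wraps it in a function that resolves the user by UPN and confirms the revocation by reading the user’s RefreshTokensValidFromDateTime attribute before and after; it assumes Connect-AzureAD -TenantId has already been run, and the UPN at the bottom is a placeholder.

```powershell
# Added example: revoke all refresh tokens for one user and verify that the revocation actually took effect.
# Assumes the AzureAD module and an existing Connect-AzureAD session.
function Revoke-UserSessions {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [switch]$DisableAccount    # also block new sign-ins, otherwise the user can simply sign in again
    )

    # Resolve the UPN to the ObjectId the Revoke cmdlet expects (Get-AzureADUser accepts a UPN here)
    $user   = Get-AzureADUser -ObjectId $UserPrincipalName
    $before = $user.RefreshTokensValidFromDateTime
    Write-Host "$($user.DisplayName): refresh tokens currently valid from $before"

    if ($DisableAccount) {
        Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false
    }

    # Invalidates every refresh token and browser session cookie issued before this moment
    Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

    # The cmdlet itself is silent; the directory stamp moving forward is the proof it worked
    $after = (Get-AzureADUser -ObjectId $user.ObjectId).RefreshTokensValidFromDateTime
    if ($before -and $after -le $before) {
        throw "RefreshTokensValidFromDateTime did not advance for $UserPrincipalName; revocation may not have applied"
    }
    Write-Host "Refresh tokens issued before $after are now invalid for $($user.DisplayName)"
    return $after
}

# Placeholder UPN; replace with the account under investigation
Revoke-UserSessions -UserPrincipalName "user@contoso.onmicrosoft.com" -DisableAccount
```

One caveat worth knowing: revocation invalidates refresh tokens, so an access token a client already holds keeps working until it expires (by default up to about an hour), after which the client cannot renew it.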