Tag: Security

Azure Service Endpoints versus Azure Private Links

June 22, 2020July 22, 2020 · 1 Comment ·

Recently a lot of folks have been asking about Azure Service Endpoints and Azure Private Links — what’s the difference? when to use which? and why?

For starters, let’s review what is a Service Endpoint, and what is a Private Link? Followed by which solution is better to use, and why….

Azure Service Endpoints

With any Azure Virtual Network (VNet) you can leverage a ‘service endpoint’ that provides a secure connection and a direct connection to Microsoft Azure’s service over Microsoft’s backbone network infrastructure. The service endpoints allow you to run services/resources over the VNet and enables private IP Address within the VNet to communicate with the Azure service without the requirement of having a public IP on the VNet. Service Endpoints work by enabling your VNet or subnet(s) to support the Service Endpoint, and once enabled, you can configure which PaaS resource(s) can accept traffic from those subnet(s)/VNets. There is no requirement to do any IP filtering and/or NAT translation, all you need to tell is the PaaS resource(s) which VNet/Subnet to allow traffic from. When Service Endpoints are enabled, the PaaS resource sees traffic coming from your VNet private IP, not the public IP.

Azure Private Link

Azure Private Link allows you to access Azure (PaaS) services, like Key Vault, Storage, Log Analytics, etc., over a private endpoint within your Azure VNet. The communication between the Private Link (endpoint) and your VNet continue to travel over the Microsoft’s backbone network, however your service is no longer exposed over the Internet. One drawback with Private Link is that to support resolution of the PaaS resources using the same name, you do need to implement DNS to resolve the private link zone for that resource. There is integration with Azure Private DNS to set this up for you, but this can be problematic if you have your DNS service already running, or do not want to use Azure Private DNS with your VNet. Once enabled, you have now granted access to a specific PaaS resource within your VNet. Meaning, you can control the egress to the PaaS resource. Unlike Service Endpoints, Private Link allows access from your on-premises infrastructure to Azure resources over an ExpressRoute circuit, or Site to Site VPN tunnel, or via its peered VNets.

What’s the difference, and when to use?

The biggest difference between Private Links and Service Endpoints, is Public IPs. With Private Link, there is never any Public IP created and traffic can never go through the Internet, whereas with Service Endpoints, you have the option to limit access.
Second key difference with Private Link is, once enabled, you have now granted access to a specific PaaS resource within your VNet. Meaning, you can control the egress to the PaaS resource.
Service Endpoints are much simpler to implement and significantly reduce the complexity of your VNet/Architecture design.
Private Link will always ensure traffic stays within your VNet.
Another key difference between Private Links and Service Endpoints, is cost. There is a $0 cost to implement Service Endpoints, as the cost is already integrated within the VNet cost itself. Whereas Private Links costs can quickly grow depending on the total ingress and egress traffic and the runtime of the link. For example, within Azure Canada Central, to have a Private Link that is available for 730 hours in a given month, and that allows 100TB of ingress and egress (for both) can run over $2,000 monthly.
- This is something to factor when designing or implementing either solution, as Private Links will quickly add to your monthly spend.
Another consideration is, availability, meaning Service Endpoints and Private Links are not generally available for all services, for example. There is no Service Endpoint as of writing this post, for Azure Log Analytics. However, there is a solution for Private Links for Log Analytics. Both services are available but not for all resources/services. For the complete list you can visit the links below, Service Endpoints: HERE ; Private Link: HERE.

Ultimately, if you are considering either solution, Private Link versus Service Endpoint, then you are probably concerned with security and with that said, Private Link is superior to Service Endpoints. The services available to Private Link will continue to grow like Service Endpoints, but based on my observation, it appears Private Link has a much deeper portfolio with Azure services integration.

Azure Security Center – Continuous Export via Azure Policy

April 2, 2020April 2, 2020 · Leave a comment ·

Earlier this week, I highlighted how you can use Azure Security Center (ASC) and its Continuous Export feature to send Security Alerts and Recommendations to Event Hubs (and/or Log Analytics) — you can find that post HERE. Today I want to show you how to can use Governance best practices, and leverage Azure Policy to ensure ASC is configured to forward to either Event Hubs and/or Log Analytics.

As a quick intro, Azure Security Center (ASC) is a holistic solution provided by Microsoft to not only assess your Azure resources, but can also be extended to your On-Premises infrastructure as well. ASC is a security management solution that improves your overall security posture within your Azure environment and on-premises infrastructure. I work with a lot of customers where they require an “agnostic” SIEM solution. ASC generates detailed security recommendations and alerts that can be viewed through the ASC portal. However when customers have a requirement to send this telemetry to some third party SIEM, such as QRadar, Splunk, etc. In short, your Azure resources can send their security events directly to Event Hubs (via Diagnostic Agents) or can be configured (the easier approach) with ASC.

To get these policies, go HERE to the Azure GitHub repo. Next post, I will walk you through the setup and all the necessary parameters that are required to get this policy up and ‘governing’.

Azure Security Center – Continuous Export

March 30, 2020 · Leave a comment ·

Azure Security Center (ASC) is a great holistic solution provided by Microsoft to not only assess your Azure resources, but can also be extended to your On-Premises infrastructure as well. ASC is a security management solution that improves your overall security posture within your Azure environment and on-premises infrastructure. I work with a lot of customers where they require an “agnostic” SIEM solution, so they don’t have all of their eggs in one basket (sort of speak) with a single vendor. Azure Sentinel is a great solution, but still lacks maturity in comparison to other products like IBM’s QRadar, Splunk and some others.

ASC also generates detailed security recommendations and alerts that can be viewed through the ASC portal. However when customers have a requirement to send this telemetry to some third party SIEM, Azure’s Event Hubs is a great middleman solution.

In short, your Azure resources can send their security events directly to Event Hubs (via Diagnostic Agents) or can be configured (the easier approach) with ASC. Choosing the latter, we can also configure ASC to Continuously Export the data being collected in ASC to be forwarded to Event Hubs. Which in turn will allow the third party SIEM to ingest the data within Event Hubs.

Once you have enabled ASC, enrolled your resources, (assuming you have already configured Event Hubs and a third party SIEM) you can then setup Continuous Export within the ASC console as shown below.

Setting up ASC Continuous Export is pretty straightforward, provided you have already configured Event Hubs, and your SIEM to ingest from Event Hubs. Within ASC, select Continuous Export. Enable which workspace to send the data to, either Event Hubs, or Log Analytics (Sentinel). Select the type of alerts and recommendations (All, Low, Medium, High). Specify the Subscription where Event Hubs lives, the Event Hub Namespace, Name, and Policy Name. Hit Save, and that is it!

That is, pretty simple. Definitely a much easier solution than deploying Linux and Windows Agent Diagnostic (LAD/WAD) — another post for another day 🙂

Azure Policy – Restrict Storage Accounts to Internet Access

January 28, 2020January 28, 2020 · Leave a comment ·

The other day I had a customer request where they needed to ensure no Azure Storage Accounts to be exposed to the Internet. Restricting already provisioned Storage Accounts to the Internet is a pain in the a$$, however with Azure Policy we can ensure no future Storage Accounts will ever be exposed to the Internet. As an FYI, by default, most Azure services, like Storage Accounts, Key Vaults, and many other services are exposed to the Internet. Not too sure why Microsoft elected to go this route… For example, in AWS, services like Storage Accounts (S3) are not accessible by the Internet by default, you have to intentionally expose them. I almost prefer this method. I regress. In Azure to ensure Cloud Administrators are not creating storage accounts and leaving them exposed to the Internet, we can either manually restrict the storage account by enforcing VNet access only — which is tedious and very time consuming, especially if you have 100’s. Or, better yet, we can deploy an Azure Policy to ensure no future Storage Account will ever be exposed to the Internet.

Below is a simple Azure Policy (JSON format) that you can deploy and ensure at least your future Azure storage accounts will never be accessible by the Internet at creation time.


{
"type": "Microsoft.Authorization/policyDefinitions",
"name": "restrict-public-storageAccounts-policyDef",
"properties": {
  "displayName": "Restrict Internet access for Storage Accounts",
  "description": "This policy restricts Storage Accounts from being exposed to the Internet.",
  "metadata": {
   "category": "Storage"
  },
  "parameters": {},
  "policyRule": {
   "if": {
    "allOf": [
    {
     "field": "type",
     "equals": "Microsoft.Storage/storageAccounts"
    },
    {
     "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
     "notequals": "Deny"
    }
    ]
   },
   "then": {
    "effect": "deny"
   }
  }
 }
}

Once you have this Policy applied and enabled, go ahead and test it out by creating a Storage Account that is not VNet restricted. You should get something like this!

I hope this was helpful, Cheers!

Azure Conditional Access – Report-Only Mode

November 13, 2019March 30, 2020 · Leave a comment ·

What is Conditional Access Report-Only mode?

Not too long ago, Azure Conditional Access introduced a new feature that allows Azure Active Directory administrators to test conditional access policies and its impact without actually enforcing the policy — ie. Report-Only mode.

For starters, Azure Conditional Access allows Azure Active Directory (Azure AD) administrators to enforce a specific set of conditions to be satisfied before a user (or group) can access specific resources within Azure. For example, a policy could be something simple as, ‘Enforce all users to go through MFA in order to gain access to the Azure portal“. Or, “Only users connected to the On-Premises network can gain access to the Azure portal.”

Conditional Access is one of the many layers of implementing a Zero-trust network/environment. More on that in another post…

Implementing Conditional Access policies introduces a lot of challenges to end-users as sometimes it is difficult to determine the level of impact to the end-user(s). Report-Only mode allows for a Conditional Access administrators and the policy to determine the level of impact to users before actually enforcing the policy.

In the example below, I have created a Conditional Access policy with the following conditions and controls before a user can gain access to an Azure application. In this example, that application is Azure Portal.

Overview:

All Guest Users, must go through MFA in order to be granted access to Azure Management Portal. — pretty simple. Let’s see how this is setup, and the effects of Report-Only mode.

To begin, navigate to the Azure Active Directory service within the Azure Portal. Some base requirements, you need to have an Azure AD P1 or P2 license, and you the administrator must have Conditional Access Administrator (Azure AD role) as a minimum.

Create a policy, and give it some name followed by providing various requirements/conditions/controls.

Next we need to specify the user/users/group that this policy will be applicable to (or not, see the Exclude function).

Next, we need to specify the application this policy will be applicable to. Here I have selected the Azure Management Portal (Microsoft Azure Management) as the Cloud app.

Next, we need to either block or grant access to the users and the application once they pass the controls. In this case, the user must go through MFA in order to gain access to the Cloud app.

Finally we will save our configuration and leave the policy as Report-Only.

Now we can navigate to the Sign-In logs, and audit and validate our policy. Again, since this is a Report-Only policy, we can see the level of impact it would have caused to our end-users.

For more on Azure AD Conditional Access, please feel free to visit the following Microsoft URL, https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/.

Forcefully Revoke Azure AD User Session Access – Immediately

August 27, 2019 · 2 Comments ·

Sometimes it is critical to revoke a user’s Azure AD session for whatever reason it may be. You can always delete the user from Azure AD, however if the user is connected via PowerShell, the user’s token may not expire for a few more minutes, or maybe hours, depending on the token TTLs settings… So what can you do? You can forcefully revoke a user’s token session by using the following PowerShell cmdlet, “Revoke-AzureADUserAllRefreshToken“. Due to Microsoft’s ever changing Azure modules, I have tested this solution within the Azure Cloud Shell, and not on a local machine with PowerShell ISE with the AZ or RM modules.

First we need to identify which user will have its access revoked. Based off of the Revoke cmdlet, you will need to specify the “ObjectID” parameter, and the user’s ObjectID can be found within the Azure AD blade as seen below:

For additional information you can view the user’s access by executing the following cmdlet, “Get-AzRoleAssignment -ObjectId <>”

Once we have identified the user and its ObjectID, we first need to connect to Azure AD, this is done by running the following cmdlet, “Connect-AzureAD -TenantId <>“. With my experience you need to specify the TenantID. Once you have connected, and verified your device, you can now run the Revoke cmdlet, as seen below, the following cmdlet needs to be executed, “Revoke-AzureADUserAllRefreshToken -ObjectId <>“. The Revoke cmdlet will not provide any details if the operation was successful, however it will throw an error if something did not go right — yes, very helpful, right? 🙂

By running this Revoke cmdlet, the user has now lost all access to its Azure AD account and any active sessions, either via the Azure Portal UI, or PowerShell will be immediately revoked. 🙂

What’s an Azure Service Principal and Managed Service Identity?

August 15, 2019May 19, 2020 · 1 Comment ·

One of the general recommendations I always suggest to customers and their environments it leverage Azure Managed Service Identities (or MSI) over the traditional Service Principal (SP). Of course, the question then becomes, well what is the difference? When should I use a Service Principal and when should I use a Managed Service Identity?

In short, the difference is pretty clear. However, let’s make sure we understand what a Service Principal is, and what are they intended for…

What is a Service Principal (SP)?

In Azure, and many cloud environments, Service Principals carry the most weight with regards to access to the environment. Service Principals are an identity created for the use of applications, hosted services and automated tools to access Azure resources. This access is and can be restricted by assigning roles to the service principal(s).

What is a Managed Service Identity (MSI)?

With Managed Identities, there are two types of identities, system-assigned managed identity and user-assigned managed identity.

System-assigned Managed Identity: is created and enabled directly on an Azure service. When enabled, Azure will automatically create the identity for the instance within Azure AD and will ensure it is trusted by the subscription where the instance resides. After the Azure resource/instance is created, the system-assigned managed identity credentials are provisioned onto the instance. The lifecycle is also directly attached to the Azure instance/resource and cannot be shared with other resources. In other words, the managed identity is created within Azure AD when the resource is created, and similarly the managed identity is deleted from Azure AD when the associated resource is deleted.

User-assigned Managed Identity: is created as a standalone Azure resource, where the managed identity is created by the Azure AD administrator. The managed identity is trusted within the subscription and can also be assigned and shared with multiple Azure resources. The lifecycle is not dependent on the Azure resource, in other words, when the Azure resource is deleted, the managed identity is not deleted until the Azure AD administrator manually deletes the identity.

With MSI’s Azure automatically rotates/rolls the credentials every 46 days, Microsoft provides a workflow diagram on how MSIs work with Azure VM’s and other various Azure resources. See the diagram below to understand the credential rotation workflow.

Source: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

What is the difference?

In short, when considering to use an MSI (Managed Service Identity) or a SP (Service Principal), also consider using a MSI for the reasons below.

MSI’s, managed the creation and automatically roll over the service principal for you. This is done by Azure in the background and requires no human/customer intervention. These credentials are rotated/rolled over every 46 days, this is a default behaviour/policy.

Use an MSI when and where available. Azure continues to grow their list of MSI’s and which resources can work with MSI’s, you can find the list HERE.

For a complete overview on MSI’s please visit Microsoft’s documentation HERE.

Configuring RSA Authentication Agent for ADFS 3.0 + Office 365

November 27, 2017 · 1 Comment ·

Security/Multi-Factor (MFA) are some of the big buzz words this year (2017) and when deploying Office 365, MFA (Multi-Factor Authentication) is almost a no-brainer. In the following post, I will demonstrate how to configure RSA Authentication Agent for ADFS 3.0. There has been some configuration done prior to the agent deployment, ie. TCP/UDP ports, RSA Auto-Registration, sdconf.rec export, etc. For the full documentation, please see the footnotes from RSA and Microsoft for ADFS 3.0 for implementation requirements guidelines.

Let’s get started. Please note, the following is for a Windows Server 2012 R2 (ADFS 3.0) and RSA Authentication Agent 1.0.2.

You will need this, “sdconf.rec” file from your RSA Administrator(s).

Next, within the ~\RSA\RSA Authentication Agent\AD FS Adapter\ folder, copy the “ADFSRegistrationSample.ps1” script to the “SampleRegistrationScripts” folder. This is a known bug in RSA Authentication Agent 1.0.2, as the file should be within the folder by default, but it is not.

Execute the PowerShell script as Local Administrator…

Now you should be able to see the RSA configurations within the AD FS management console.

If we go into the to Authentication Policies > Per Relying Party Trust > we can now edit the MFA settings for Office 365.

For this demo, we will enable both, Extranet, and Intranet.

Enable the RSA SecurID Authentication. Now if all was configured correctly, users within the Office 365 portal will be prompted for an RSA token once they supply valid Office 365/AD credentials!

Step-by-Step – SCOM 2012 R2 Update Rollup 11 (UR11) Install Procedure

September 22, 2016 · 5 Comments ·

My personal notes, SCOM 2012 R2 Update Rollup 11 (UR11) has a lot of networking monitoring fixes, Linux/UNIX support and security fixes, along with more OMS integration. What is OMS, please go HERE. It is highly recommended to upgrade your lab/Dev environments first before upgrading your Production environment(s). The step by step procedures below are the steps I took and in no way shape or form do I accept responsibility for any data loss, and/or issues within your environment. It is advised to always take a backup of your SQL databases and/or snapshots of your SCOM environment(s). Please take these notes as suggestions. Always refer to Microsoft’s KB (posted above) for full documentation steps.

Here are the key updates for UR11 (source Microsoft):

Issues that are fixed in this update rollup can be found here, https://support.microsoft.com/en-us/kb/3183990

Once you are ready to begin your upgrade, it is recommend you do the following server/roles in the order below:

Install the update rollup package on the following server infrastructure:

Management server or servers
Audit Collection Services
Gateway servers
Web console server role computers
Operations console role computers

Apply SQL scripts.
Manually import the management packs.
Apply the agent update to manually installed agents, or push the installation from the Pending view in the Operations console.

Once you have downloaded the rollup files, I like to extract and only keep the language I need, in this case, ENU (English). You will need to install these with Administrative rights, I like to use PowerShell as Local Administrator. It really does frustrate me, as there is no indication that the rollup installed correctly, (other than looking at the file version number change via File Explorer).

Personally, I prefer to execute the MSP files via PowerShell (RunAs Administrator) console.

Again, the order needs to be:

Management Servers
Audit Collection Services
Gateway Servers
Web Console Role Servers
Operations Console Role Servers

Once the rollups are installed, you will now need to apply the SQL scripts. First update the Data Warehouse, then followed by the OpsMgr DB.

The scripts can be found here, “%SystemDrive%\Program Files\System Center 2012 R2\Operations Manager\Server\SQL Script for Update Rollups”

Please note, the user executing these scripts needs to have read and write permissions to the database(s).

Once you have successfully executed the SQL scripts, you will now need to import the updated Management Packs (MP). These MPs can be found here, “%SystemDrive%\Program Files\System Center 2012 R2\Operations Manager\Server\Management Packs for Update Rollups“.

You will need to import the following MPs, please see below:

Once the MPs have been imported, you should now go back to your Pending Management view, under the Administrations pane, and update all servers.

And that is that! You are now on the latest and greatest System Center release for SCOM 2012 R2.

(more…)

SCOM & Other Geeky Stuff

A series of blog posts around Microsoft Cloud and Datacenter technologies, specifically Azure Cloud, System Center and other various Microsoft technologies.