[ Featured Image Source: Pixabay ]
Microsoft Azure is a popular cloud vendor providing various cloud services, such as computing resources, analytics services, networking, storage, and more. Azure services can help develop and scale new applications as well as run existing applications in the cloud. Azure provides a pay-per-use pricing model that allows you to pay only for the cloud resources you actually use.
In this article, we will cover how to protect your organization’s valuable workloads by hardening Azure VMs.
Table of Contents
What is Azure VMs?
Azure virtual machines (VMs) compute instances can run on demand. You can use them just like servers deployed on-premises, deploying operating systems and applications, or containerized workloads.
Operating system hardening for Azure VMs is one of the core elements of an Azure security strategy. Read on to see how you can improve the security posture of your Azure VMs.
Azure Virtual Machines Security Overview
Let’s look at Azure virtual machines’ security options:
Azure lets you use anti-malware software from various vendors, including Microsoft, Trend Micro, Kaspersky, and Symantec. Antimalware software helps protect VMs from adware, malicious files, and other threats.
Microsoft provides Antimalware for Azure, which provides real-time protection against malicious software on VMs. This capability can help identify and remove various threats, such as spyware and viruses. It also offers configurable alerts pushed when unwanted or known malicious software attempts to run or install itself on Azure systems.
Microsoft Antimalware for Azure is designed as a single-agent solution for applications as well as tenant environments. The solution runs in the background and does not require human intervention. You can use it with basic secure-by-default. Alternatively, you can set up your own advanced custom configuration, including anti-malware monitoring.
Virtual Machine Disk Encryption
Azure Disk Encryption can encrypt Windows-based and Linux-based VM disks. This feature uses BitLocker for Windows and dm-crypt for Linux to provide volume encryption for your operating system and data disks.
Azure Disk Encryption lets you use Azure Key Vault to manage and control your secrets and disk encryption keys when encrypting data at rest in Azure Storage.
Virtual Machine Backup
Azure Backup can protect application data without any capital investment and helps you maintain minimal operating costs. The service backs up your Windows and Linux VMs, helping you protect data against various threats. For example, application errors that may corrupt your data or human errors that introduce bugs into the applications.
Azure Site Recovery
The goal of data recovery is to help enterprises keep their workloads and applications running even when planned or unplanned outages occur.
Azure Site Recovery enables you to orchestrate the failover, replication, and recovery of your workloads and applications, ensuring that your assets are available in a secondary location when your primary location goes down.
Azure provides secure networking through the concept of Virtual Networks. These are a logical overlay on the physical networking infrastructure in Azure datacenters.
An Azure Virtual Network is completely isolated from other networks, creating a private, secure environment in which you can operate your workloads. You can create secure connectivity between your on-premises network and your Virtual Networks in Azure.
Hardened Images on Azure
Hardened virtual machines images provide security beyond what’s offered in base virtual machine images. They are preconfigured to the security recommendations either by Microsoft or by the Center for Internet Security (CIS) Benchmarks, trusted configuration guidelines developed and used by a global community of IT experts.
You have two options as follows:
The first one is, you can build your own Windows and Linux hardened images by applying the following security baseline published by Microsoft:
Next, you can use the Azure Image Builder, and Azure PowerShell, to create an image version in an Azure Compute Gallery (formerly known as Shared Image Gallery), then distribute the image globally by following these guidelines:
All CIS Hardened Images that are available in the Microsoft Azure Marketplace is certified to run on Microsoft Azure. They have been pre-tested for readiness and compatibility with the Microsoft Azure public cloud. This testing process helps deliver the highest-quality experience.
You can search for all hardened images by CIS in the Azure Marketplace by running the following PowerShell command:
# Set the desired Azure region $locName="westeurope" # Publisher Name CIS $pubName="center-for-internet-security-inc" Get-AzVMImageOffer -Location $locName -PublisherName $pubName | Select Offer
Image Builder lets you start with Windows or Linux images, from the Azure Marketplace or existing custom images, and add your own customizations. You can also specify where you would like your resulting images hosted in the Azure Compute Gallery, as a managed image, or as a VHD.
Best Practices for Hardening Azure VMs
Let’s look now at the 5 critical best practices for hardening Azure virtual machines (VMs):
1) Control VM Access
Azure Policies can help you establish conventions for your organization’s resources and create customized policies. You can apply your policies to resources, including resource groups. Any VM that belongs to a resource group inherits its policies.
Azure also lets you efficiently manage policies, compliance, and access for all subscriptions by using management groups. This feature provides enterprise-grade management at a large scale for all subscriptions.
Azure management groups let you organize subscriptions into containers (management groups) and apply governance conditions to your groups. Any subscription added into a management group automatically inherits all conditions applied to this group.
2) Secure Privileged Access
The least privilege approach promotes restricting the privileges of each user to only the minimum needed to perform their job.
Azure offers built-in roles that define VMs access and privileges. Here are key roles:
> Virtual Machine Contributor — this user role can manage virtual machines but cannot manage the storage account or virtual network connected with the VMs.
> Classic Virtual Machine Contributor — this user role can manage any virtual machines created through the classic deployment model. They cannot manage the storage account or virtual network connected with the VMs.
> Security Admin — this role is valid only in Microsoft Defender for Cloud (MDC). The security admin role can view security policies, security states, and alerts and recommendations. The role can also edit security policies and dismiss alerts and recommendations.
> DevTest Labs User — this user role can view all information. A DevTesLabs user can perform many actions, including starting, connecting, restarting, and shutting down VMs.
Subscription admins or co-admins can change the settings of built-in user roles. These users are administrators of all VMs within a subscription, so make sure these roles are trustworthy.
3) Manage your VM Security Posture
Azure provides a security solution called Microsoft Defender For Cloud (MDC), which helps you monitor Azure virtual machines. The solution lets you apply operating system security settings that include recommended configuration rules. It also lets you deploy endpoint anti-malware protection recommendations.
MDC helps you identify important updates and automatically deploy them on your VMs. You can use the solution to validate disk encryption, assess and remediate vulnerabilities, and detect threats.
The solution actively monitors threats and issues security alerts. It correlates multiple threats into a single entity, viewed in the MDC interface as a security incident. MDC can collect data from multiple tools, including Azure Monitor, agents installed on cloud-based or local VMs, and management solutions. It aggregates and stores all log data in Azure Monitor, which provides advanced analytics and a flexible query language.
4) Block Bad IP Addresses
Azure provides the following capabilities that can help you block egress and ingress traffic between your Azure VMs and known malicious IPs. Some of these capabilities are offered by MDC:
> DDoS Standard protection — enable this feature to add a layer of protection to Virtual Networks (VNets).
> Threat intelligence — helps identify and monitor bad IPs.
> Azure Firewall for Virtual Network segments — you can configure Azure Firewall for each network segment. If you have already enabled Threat Intelligence, you can also configure it to “Alert and deny” malicious network traffic.
> Just in Time (JIT) network access — JIT restricts communication with VMs to an allowlist of approved IPs for a limited time. Learn more about Just-In-Time VM Access for Azure virtual machines.
> Adaptive Network Hardening — this feature can recommend changes to security groups to restrict ports and IPs. It provides smart suggestions based on an analysis of historical traffic.
5) Create an Incident Response Plan
An incident response plan outlines all activities, roles, and responsibilities related to incident response in your organization. Your plan should define all roles and phases involved in the incident response process, including all phases from detection to post-incident review.
You can leverage MDC to create your incident response plan. This solution can assign a severity level to each alert, helping you prioritize and decide which alerts to investigate first. It leverages machine learning algorithms to assign a confidence level to each incident – this confidence level indicates how likely it is that a malicious party is involved.
The solution can help you mark subscriptions by using tags. It can also assist you in creating a naming system that identifies and categorizes your Azure resources in general, particularly resources that process sensitive data. Remember that you are responsible for prioritizing remediation of alerts.
In this article, we covered the basics of hardening Azure virtual machines and provided a few critical best practices you can use to ensure VMs are secure:
> Control VM access — use Azure policies to determine who can access a VM.
> Secure privileged access — use built-in roles within Azure to control access, including virtual machine contributor, security admin, and DevTest user.
> Manage VM security posture — use Microsoft Defender for Cloud (MDC) to apply the appropriate OS security settings, download critical updates, encrypt the local disk, and remediate vulnerabilities.
> Block known-malicious IP addresses — use Just-in-Time VM Network access, a feature of MDC, to reduce exposure to malicious traffic sources.
> Create an incident response plan — make sure you have a clear plan for identifying, triaging and responding to attacks against your VMs.
We hope this guide is useful as you secure and harden your Azure VMs to protect your organization’s valuable workloads.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.