Security Baseline on Azure - Microsoft Cloud Workshop

Microsoft Cloud Workshop Microsoft Cloud Workshop on Mar 01, 2019

In this hands-on lab, you will implement many of the Azure Security Center features to secure their cloud-based Azure infrastructure (IaaS) and applications (PaaS). Specifically, you will ensure that any internet exposed resources have been properly secured and any non-required internet access disabled. Additionally, you will implement a “jump machine” for admins with Application Security enabled to prevent admins from installing non-approved software and potentially exposing cloud resources. You will then utilize custom alerts to monitor for TCP/IP Port Scans and then fire alerts and run books based on those attacks.
At the end of this hands-on lab, you will be better able to design and build secure cloud-based architectures, and to improve the security of existing applications hosted within Azure.

Before the Hands-on Lab

Security baseline on Azure
Before the hands-on lab setup guide
March 2019

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2019 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at https://www.microsoft.com/en-us/legal/intellectualproperty/Trademarks/Usage/General.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Contents

Security baseline on Azure before the hands-on lab setup guide

Requirements

  1. Microsoft Azure subscription must be pay-as-you-go or MSDN.

    • Trial subscriptions will not work.
  2. A machine with the following software installed:

    • Visual Studio 2017
    • SQL Management Studio 2017
    • Power BI Desktop
  3. An Office 365 email account or other email-based account

Before the hands-on lab

Duration: 30 minutes

Synopsis: In this exercise, you will set up your environment for use in the rest of the hands-on lab. You should follow all the steps provided in the Before the Hands-on Lab section to prepare your environment before attending the workshop.

Task 1: Download GitHub resources

  1. Open a browser window to the cloud workshop GitHub repository (https://github.com/Microsoft/MCW-Azure-Security-Privacy-and-Compliance).

  2. Select Clone or download, then select Download Zip.

    Clone or download and Download ZIP are highlighted in this screenshot of the cloud workshop GitHub repository.

  3. Extract the zip file to your local machine, be sure to keep note of where you have extracted the files. You should now see a set of folders:

    A set of extracted folders and files are visible in File Explorer: .vs, AzureTemplate, Database, Scripts, WebApp, README.md.

Task 2: Deploy resources to Azure

  1. Open your Azure Portal.

  2. Select Resource groups.

  3. Select +Add.

  4. Type a resource group name, such as azsecurity-[your initials or first name].

  5. Select Review + Create, then select Create.

  6. Select Refresh to see your new resource group displayed and select it.

  7. Select Export template, and then select Deploy.

    Automation script is highlighted under Settings on the left side of the Azure portal, and Deploy is highlighted on the top-right side.

  8. Select Build your own template in the editor.

  9. In the extracted folder, open the \Hands-on lab\Scripts\template.json.

  10. Copy and paste it into the window.

  11. Select Save, you will see the dialog with the input parameters. Fill out the form:

    • Subscription: Select your subscription.

    • Resource group: Use an existing Resource group, or create a new one by entering a unique name, such as azsecurity-[your initials or first name].

    • Location: Select a location for the Resource group. Recommend using East US, East US 2, West Central US, or West US 2.

    • Modify the sqlservername to be something unique such as "azsecurity-[your initials or first name]".

    • Fill in the remaining parameters, but if you change anything, be sure to note it for future reference throughout the lab.

    • The userObjectId can be retrieved by navigating to Azure Active Directory blade and searching for your user account. On the user account page, you will find your object id which you can copy and paste into the field.

    • Check the I agree to the terms and conditions stated above checkbox.

    • Select Purchase.

    The above information is entered in the form, and I agree to the terms and conditions stated above and Purchase are selected and highlighted at the bottom.

  12. The deployment will take 15-30 minutes to complete. To view the progress, select the Deployments link, then select the Microsoft.Template deployment.

    Deployments is highlighted under Settings on the left side of the Azure portal, and Microsoft.Template is highlighted under Deployment Name on the right side.

    • As part of the deployment, you will see the following items created:

      • One storage account.

      • Three virtual networks (dbVNet, webVnet, mainVnet).

      • Three network security groups.

      • Three virtual machines (db-1, web-1, paw-1).

        • IIS is installed on web-1 via a DSC script from the GitHub repository.
      • One SQL Azure Server with sample database.

      • One Azure Key Vault.

    Created items list This screenshot is a list of the items that were created, including the items listed above.

  13. See Appendix A for detailed steps on creating these components without using an ARM template.

You should follow all steps provided before attending the hands-on lab.

Hands-on Lab Guide

Security baseline on Azure
Hands-on lab step-by-step
March 2019

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only, and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third-party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2019 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at https://www.microsoft.com/en-us/legal/intellectualproperty/Trademarks/Usage/General.aspx are trademarks of the Microsoft group of companies. All other trademarks are the property of their respective owners.

Contents

Security baseline on Azure hands-on lab step-by-step

Abstract and learning objectives

In this hands-on lab, you will implement many of the Azure Security Center features to secure their cloud-based Azure infrastructure (IaaS) and applications (PaaS). Specifically, you will ensure that any internet exposed resources have been properly secured and any non-required internet access disabled. Additionally, you will implement a “jump machine” for administrators with Application Security enabled to prevent those same administrators from installing non-approved software and potentially exposing cloud resources. You will then utilize custom alerts to monitor for TCP/IP Port Scans to fire alerts.

At the end of this hands-on lab, you will be better able to design and build secure cloud-based architectures, and to improve the security of existing applications hosted within Azure.

Overview

Contoso is a multinational corporation, headquartered in the United States that provides insurance solutions worldwide. Its products include accident and health insurance, life insurance, travel, home, and auto coverage. Contoso manages data collection services by sending mobile agents directly to the insured to gather information as part of the data collection process for claims from an insured individual. These mobile agents are based all over the world and are residents of the region in which they work. Mobile agents are managed remotely, and each regional corporate office has a support staff responsible for scheduling their time based on requests that arrive to the system.

They are migrating many of their applications via Lift and Shift to Azure and would like to ensure that they can implement the same type of security controls and mechanisms they currently have. They would like to be able to demonstrate their ability to meet compliance guidelines required in the various countries/regions they do business. They have already migrated a web application and database server to their Azure instance and would like to enable various logging and security best practices for administrator logins, SQL Databases, and virtual network design.

Solution architecture

Contoso administrators recently learned about the Azure Security Center and have decided to implement many of its features to secure their cloud-based Azure infrastructure (IaaS) and applications (PaaS). Specifically, they want to ensure that any internet exposed resources have been property secured and any non-required internet access disabled. They also decided that implementing a "jump machine" for admins with Application Security was also important as they have had instances of admins installing non-approved software on their machines and then accessing cloud resources. Additionally, they want the ability to be alerted when TCP/IP Port Scans are detected, and fire alerts based on those attacks.

This diagram shows external access to Azure resources where Just In Time is utilize to lock down the Jump Machine. Azure Log Analytics with Azure Sentinel is then used to monitor the deny events on the network security groups.

The solution begins by creating a jump machine. This jump machine is used to access the virtual machines and other resources in the resource group. All other access is disabled via multiple virtual networks. More than one virtual network is required as having a single virtual network would cause all resource to be accessible based on the default currently un-customizable security group rules. Resources are organized into these virtual networks. Azure Center Security is utilized to do Just-In-Time access to the jump machine. This ensures that all access is audited to the jump machine and that only authorized IP-addressed are allowed access, this prevents random attacks on the virtual machines from bad internet actors. Additionally, applications are not allowed to be installed on the jump machine to ensure that malware never becomes an issue. Each of the virtual network and corresponding network security groups have logging enabled to record deny events to Azure Logging. These events are then monitored by a custom alert rule in Azure Sentinel to fire custom alerts. Once the solution is in place, the Compliance Manager tool is utilized to ensure that all GDPR based technical and business controls are implemented and maintained to ensure GDPR compliance.

Requirements

  1. Microsoft Azure subscription must be pay-as-you-go or MSDN.

    • Trial subscriptions will not work.
  2. A machine with the following software installed:

    • Visual Studio 2017
    • SQL Management Studio 2017
    • Power BI Desktop

Exercise 1: Implementing Just-In-Time (JIT) access

Duration: 15 minutes

Synopsis: In this exercise, attendees will secure a Privileged Access Workstation (PAW) workstation using the Azure Security Center Just In Time Access feature.

Task 1: Setup virtual machine with JIT

  1. In a browser, navigate to your Azure portal (https://portal.azure.com).

  2. Select Security Center, then select Just in time VM access.

    Security Center is highlighted on the left side of the Azure portal, and Just in time VM access (Preview) is highlighted to the right.

Note: Your subscription may not be set up with the Standard tier; if that is the case then do the following:

  1. In the Security Center blade, select Security Policy.

  2. For your subscription, select Edit settings

  3. Select Pricing Tier

  4. Select Standard

  5. Click Save

  6. Navigate back to Security Center, select Just in time VM access.

  1. Select the Recommended tab, and then check the checkbox to select the lab vms (db-1, paw-1 and web-1), and then select the Enable JIT on 3 VMs link.

Note: It could take up to 10 minutes for new VMs to show up if you upgraded to standard tier security. Also note that it is possible new VMs display in the No recommendation tab until a backend process moves them to the Recommended tab.

  1. In the configuration window that opens, review the settings, then select Save.

    In the configuration window, port settings are listed, and Save is highlighted above them.

  2. You should now see the states change to Resolved.

Note: It could take a couple minute for this to revert to the resolved state.

On the Virtual machines screen, several virtual machines have their State listed as Resolved.

Task 2: Perform a JIT request

  1. Select the Configured tab. You should now see all the machines listed.

  2. Select the paw-1 virtual machine, and then select Request access.

    On the Virtual machines screen, the first listed virtual machine name is selected and highlighted (paw-1), as is Request access above it.

  3. For each of the ports, select the On toggle button, notice how the default IP settings is My IP.

    On is highlighted under Toggle for all four of the ports listed under paw-1.

  4. At the bottom of the dialog, select Open ports. After a few moments, you should now see the APPROVED requests have been incremented and the LAST ACCESS is set to Active now..

    On the Virtual machines screen, 1 Requests and Active now are highlighted under Aproved and Last Access next to the paw-1 virtual machine.

  5. Select the ellipses, then select Activity Log, you will be able to see a history of who requests access to the virtual machines.

    Activity Log is highlighted in the shortcut menu for the last user.

  6. In the Azure Portal main menu, select All Services, then type Network, then select Network Security Group:

Network security groups is highlighted on the left side of the Azure portal, and paw-1-nsg is highlighted to the right.

  1. Select the paw-1-nsg network security group.

  2. Select Inbound security rules. You should now see a set of inbound security rules set up by JIT Access.

    The first four listed items are highlighted under Inbound security rules.

Exercise 2: Securing the Web Application and database

Duration: 45 minutes

Synopsis: In this exercise, attendees will utilize Azure SQL features to data mask database data and utilize Azure Key Vault to encrypt sensitive columns for users and applications that query the database.

Task 1: Setup the database

  1. Switch to your Azure portal, select All Services then search for SQL Servers. Select SQL Servers:

    More services is highlighted on the left side of the Azure portal, and SQL servers is highlighted to the right.

  2. Select the Azure SQL database server you created using the Azure Manager template (Ex: AzureSecurity-INIT).

  3. Select SQL Databases, then select the SampleDB database.

    SQL databases is selected under Settings on the left, and at right, Insurance is selected.

  4. In the summary section, select the Show database connection strings.

    Connection strings: Show database connection strings is highlighted in the summary section.

  5. Take note of the connection string for later in this lab, specifically the Server parameter:

    The Server parameter is listed under ADO.NET (SQL authentication) on the ADO.NET tab.

  6. Open SQL Server Management Studio.

  7. Enter the database server name from above.

  8. Enter the username and password used from the Azure Template deployment (wsadmin - p@ssword1rocks).

    Note: If you changed the username and password in the ARM template deployment, use those values instead.

    The information above is entered in the Connect to Server dialog box, and Connect is highlighted at the bottom.

  9. Select Connect, in the New Firewall Rule dialog, select Sign In.

  10. Sign in with your resource group owner credentials.

  11. In the dialog, select OK, notice how your IP address will be added for connection.

    New Firewall Rule Dialog with your Internet IP Address

  12. Right-click Databases, and select Import Data-tier Application.

    Introduction is highlighted on the left side of the Import Data-tier Application dialog box, and Next is highlighted at the bottom.

  13. In the Introduction dialog, select Next.

  14. Select Browse, navigate to the extracted Database directory, and select the Insurance.bacpac file.

    Insurance.bacpac is selected in the Browse dialog box.

  15. Select Open.

  16. On the Import Settings dialog, select Next.

  17. On the Database Settings dialog, select Next.

Note: If you get an error, close and re-open SQL Management Studio try the import again. If that does not work, you may need to download the latest SQL Management Studio from here. In some instances, the latest version may not work, version 17.3 is known to deploy the package properly. You should also be aware that bacpac files exported from some SQL Server instances cannot be deployed to Azure SQL Servers. We have also included a .bak file of the Insurance database that you can use to restore from.

  1. Select Finish and the database will deploy to Azure.

  2. Once completed, select Close.

    Results is highlighted on the left side of the Import Data-tier Application dialog box, and at right, many items are listed under Operation Complete. Next is highlighted at the bottom.

  3. In SQL Management Studio, select File->Open->File.

    In SQL Management Studio, Open is selected in the File menu, and File is selected in the shortcut menu.

  4. Browse to the extracted GitHub folder, select the \Hands-on lab\Database\00_CreateLogin.ps1 file.

  5. Ensure that the master database is selected.

  6. Run the script to create a login called agent.

  7. Browse to the extracted folder, select the \Hands-on lab\Database\01_CreateUser.ps1 file.

  8. Ensure that the Insurance database is selected.

  9. Run the script to create a non-admin user called agent.

Task 2: Test the web application solution

  1. In the extracted directory, double-click the /WebApp/InsuranceAPI/InsuranceAPI.sln solution file, and Visual Studio will open.

  2. In the Solution Explorer, navigate to and double-click the web.config file to open it.

    Web.config is highlighted under InsuranceAPI in Solution Explorer.

  3. Update the web.config (line 72) to point to the Insurance database created in Task 2. You should only need to update the server name to point to your Azure SQL Server.

    Line 72 of the Insurance database is highlighted.

  4. Run the InsuranceAPI solution and press F5.

  5. In the browser window that opens, browse to http://localhost:portno/api/Users/E91019DA-26C8-B201-1385-0011F6C365E9 you should see a json response that shows an unmasked SSN column.

Note: Depending on your browser, you may need to download to view the json response.

The json response is displayed in a browser window.

Task 3: Utilize data masking

  1. Switch to the Azure Portal.

  2. Select SQL databases.

  3. Select the Insurance database.

  4. In the menu, select Dynamic Data Masking, then select +Add Mask.

    Dynamic Data Masking is highlighted on the left, and +Add mask is highlighted on the right.

  5. Select the User table.

  6. Select the SSN column.

  7. Select Add.

    Add is highlighted at the top of the SSN column, and the User table and SSN column are highlighted below.

  8. Select Save.

  9. Switch back to your InsuranceAPI solution, press F5 to refresh the page. You should see the SSN column is now masked with xxxx.

    The masked SSN column is highlighted in the InsuranceAPI solution.

  10. Close Visual Studio.

Task 4: Utilize column encryption with Azure Key Vault

  1. Switch to SQL Management Studio.

  2. In the extracted directory, navigate to the Database directory.

  3. Open the 02_PermissionSetup.sql file, copy and paste the TSQL to the Query Window.

  4. Switch to the Insurance database, and execute the SQL statement.

  5. In the Object Explorer, expand the Insurance node.

  6. Expand the Tables node.

  7. Expand the User table node.

  8. Expand the Columns node.

  9. Right-click the SSN column, and select Encrypt Column.

    Tables and dbo.User are highlighted in the Insurance database tree. Below that, the SSN column is selected and highlighted, and Encrypt Column is highlighted.

    Notice that the State of the column is such that you cannot add encryption (data masking):

    A slashed circle appears in the State column.

  10. Select Cancel.

  11. Switch back to the Azure Portal, and select the User.SSN data masking.

  12. Select Delete.

    The Delete icon is highlighted under Edit Masking Rule in the Azure portal.

  13. Select Save.

  14. Switch back to SQL Management Studio.

  15. Right-click the SSN column, and select Encrypt Column.

  16. Check the checkbox next to the SSN column.

  17. For the Encryption Type, and select Deterministic.

    The check box next to the SSN column is selected and highlighted, and Deterministic is highlighted under Encryption Type.

  18. Select Next.

  19. For the encryption select Azure Key Vault in the dialog.

    Azure Key Vault is selected and highlighted under Select the key store provider.

  20. Select SignIn.

  21. Sign in with your Azure Portal credentials.

  22. Select your Azure Key Vault.

  23. Select Next.

  24. On the Run Settings, select Next.

  25. Select Finish, and the configured will start.

    Note: You may receive a "wrapKey" error. If so, ensure that your account has been assigned those permissions in the Azure Key Vault.

    Generate new column master key CMK_Auto1 in Azure Key Vault paassecurity is highlighted with a green check mark at the top of the Task Summary list.

    1. Select Key vault.

    2. Select your key vault.

    3. Select Access policies.

    4. Select Add New.

    5. For the principal, select your account.

    6. Select Key permissions, and select Select all.

    Select all is selected and highlighted under Key permissions, and below that, Decrypt, Encrypt, Unwrap Key, Wrap Key, Verify, and Sign are selected and highlighted under Cryptographic Operations amid the other selected options.

    1. Select Secret permissions, and select Select all.

    2. Select Certificate permissions, and select Select all.

    3. Select OK.

    4. Select Save.

    5. Retry the operation.

    Note: If you are still getting errors (such as Access Denied), ensure that you have selected the correct subscription and Key Vault.

    Results is highlighted on the left side of the Always Encrypted dialog box, and at right, Performing encryption operations is selected under Summary: Task. Performing encryption operations has a green check mark and is listed as Passed under Details.

  1. Select Close.

  2. Right-click the User table, and select Select top 1000 rows.

    The User table is selected, and Select Top 1000 Rows is selected in the shortcut menu.

    You will notice the SSN column is encrypted based on the new Azure Key Vault key.

    The value under UserId is selected on the Results tab.

  3. Switch to the Azure Portal.

  4. Select Key Vaults.

  5. Select your Azure Key Vault, and then select Keys. You should see the key created from the SQL Management Studio displayed:

    CloudSecurityVault is selected on the left, Keys is selected and highlighted under Settings in the middle, and CMKAuto1 is selected and highlighted under Unmanaged on the right.

Exercise 3: Migrating to Azure Key Vault

Duration: 30 minutes

Synopsis: In this exercise, attendees will learn how to migrate web application to utilize Azure Key Vault rather than storing valuable credentials (such as connection strings) in application configuration files.

Task 1: Create an Azure Key Vault secret

  1. From the extracted GitHub directory, open the \Hands-on lab\WebApp\InsuranceAPI_KeyVault\InsuranceAPI.sln solution.

Note: Be sure you open the correct solution (there are two).

  1. Switch to your Azure Portal.

  2. Select Key Vaults, then select your Azure Key Vault.

    Key vaults is highlighted on the left side of the Azure portal, and CloudSecurityVault is highlighted on the right.

  3. Select Secrets, then select +Generate/Import.

    Secrets is highlighted on the left side of the Azure portal, and Generate/Import is highlighted on the right.

  4. For the Upload Options, select Manual.

  5. For the Name, enter InsuranceAPI.

  6. For the Value, copy the connection string information from the InsuranceAPI solution web.config file in Exercise 2.

  7. Select Create.

  8. Select Secrets.

  9. Select InsuranceAPI.

  10. Select the current version.

    The current version is selected with a status of Enabled under InsuranceAPI Versions.

  11. Copy and record the secret identifier URL for later use:

    The Secret Identifier URL is highlighted under Properties.

Task 2: Create an Azure Active Directory application

  1. In the Azure Portal, select Azure Active Directory, then select App Registrations.

    Azure Active Directory is highlighted on the left side of the Azure portal, and App registrations is highlighted on the right.

  2. Select + New application registration.

  3. For the name, type AzureKeyVaultTest.

  4. For the Sign-on URL, type http://localhost:12345.

    AzureKeyVaultTest is entered in the Name box, and http://localhost:12345 is entered in the Sign-on URL box under Create.

  5. Select Create.

  6. Select the new AzureKeyVaultTest application.

  7. Copy and record the Application ID for later use.

    The Application ID and Object ID are highlighted under Essentials for the AzureKeyVaultTest application, and All settings is selected at the bottom.

  8. Select Settings.

  9. Select Keys.

  10. For the description, enter InsuranceAPI.

  11. For the Expires, select In 1 year.

  12. Select Save.

  13. Copy and record the key value for later use.

Task 3: Assign Azure Active Directory application permissions

  1. Switch back to Azure Portal and select your Azure Key Vault.

  2. Select Access Policies.

  3. Select + Add New.

    Access policies is selected and highlighted under Settings on the left side of your Azure Key Vault, and is +Add New is highlighted on the right.

  4. Select Select principal, type AzureKeyVaultTest.

  5. Select the application service principal, select Select.

  6. Select the Secret permissions drop-down, check the Get and List permissions.

    The information above is entered in the Select principal dialog box.

  7. Select OK.

  8. Select Save.

Task 4: Install or verify NuGet Package

  1. Switch to Visual Studio.

  2. In the menu, select View->Other Windows->Package Manager Console.

  3. In the new window that opens, run the following commands:

    1. Install-Package Microsoft.CodeDom.Providers.DotNetCompilerPlatform

    2. Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory -Version 2.16.204221202

    3. Install-Package Microsoft.Azure.KeyVault

Note: These already exist in the project but are provided as a reference.

  1. From Solution Explorer, double-click the web.config file to open it.

    Notice the appSettings section has some token values:

    Some token values are highlighted in the appSettings section of the Web.config file.

  2. Replace the ClientId and ClientSecret with the values from Task 2.

  3. Replace the SecretUri with the Azure Key Vault secret key Uri from Task 1.

  4. Save the file.

Task 5: Test the solution

  1. Open the web.config, and comment out or delete the connectionString from the file at line 78.

  2. Open the global.asax.cs file, and place a break point at line 28.

Note: This code makes a call to get an accessToken as the application you set up above, then make a call to the Azure Key Vault using that accessToken.

  1. Run the solution, and press F5.

    You should see that you execute a call to Azure Key Vault and get back the secret (which in this case is the connection string to the Azure Database).

    The connection string to the Azure Database is visible.

  2. Press F5, and navigate to http://localhost:portno/api/Users, you should get an error. Because you encrypted the column in the previous exercise, EntityFramework is not able to retrieve the value. You would need to add the AzureKeyVaultProvider for Entity Framework reference to the project and then register the provider code in order for .NET to handle the encrypted column and add the "Column Encryption Setting=Enabled" to the connection string.

Exercise 4: Securing the network

Duration: 45 minutes

Synopsis: In this exercise, attendees will utilize Network Security Groups to ensure that virtual machines are segregated from other Azure hosted services and then explore the usage of the Network Packet Capture feature of Azure to actively monitor traffic between networks.

Task 1: Test network security group rules #1

  1. In the Azure Portal, select Virtual Machines.

  2. Select paw-1, then select Connect. In the dialog, select Download RDP file Anyway. Open the downloaded RDP file and connect to the Virtual Machine.

    Note: Default username is wsadmin with p@ssword1rocks as password and you may need to request JIT Access if you have taken a break between exercises.

  3. In the PAW-1 virtual machine, open PowerShell ISE as administrator.

  4. Run the following command:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted
  1. In the popup, click Yes.

  2. Select File->Open, browse to the extracted GitHub directory and open the \Hands-on lab\Scripts \PortScanner.ps1.

    Note: You would have downloaded the GitHub repo and extracted this in the setup steps. If you did not perform those steps, perform them now. You can also choose to copy the file from your desktop to the VM.

  3. Review the script. It does the following:

    1. Installs NotePad++

    2. Adds hosts entries for DNS

    Note: When using multiple virtual networks, you must setup a DNS server in the Azure tenant.

    1. Executes port scans
  4. Run the script, and press F5. You should see the following (the Azure ARM Template created a default rule to block all traffic):

    1. Port scan for port 3389 (RDP) to DB-1 and WEB-1 is unsuccessful from the PAW-1 machine.

    2. The information above for port 3389 (RDP) is visible after running the script and pressing F5.

    The information above for port 3389 (RDP) is visible after running the script and pressing F5.

    1. Port scan for port 1433 (SQL) to DB-1 and WEB-1 is unsuccessful from the PAW-1 machine. DB-1 is running SQL Server but traffic is blocked at NSG and via the Windows Firewall.

    The information above for port 1433 (SQL) is visible after running the script and pressing F5.

    1. Port scan for port 80 (HTTP) to DB-1 and WEB-1 is unsuccessful from the PAW-1 machine, if traffic was allowed, it would always fail to DB-1 because it is not running IIS or any other web server.

    The information above for port 80 (HTTP) is visible after running the script and pressing F5.

Task 2: Configure network security groups

  1. Switch to the Azure Portal.

  2. Configure the database server to only allow SQL Connections from the web server:

    1. Select Network Security Groups.

    2. Select DbTrafficOnly.

    3. Select Inbound Security Rules.

    4. Select +Add.

    5. For the Source, select IP Addresses.

    6. For the Source IP address, enter 10.2.0.4.

    7. For the Destination port range, enter 1433.

    8. For the Priority, enter 100.

    9. For the Name, enter Port_1433.

    10. Select Add.

  3. Configure the web server to allow all HTTP and HTTPS connections:

    1. Select Network Security Groups.

    2. Select WebTrafficOnly.

    3. Select Inbound Security Rules.

    4. Select +Add.

    5. For the Destination port range, enter 80,443.

    6. For the Priority, enter 100.

    7. Change the Name to Port_80_443.

    8. Select Add.

    Note: In some rare cases it may take up to 15 minutes for your Network Security Group to change is status from Updating. You won't be able to add any other rules until it completes.

  4. Configure both the database and web server to only allow RDP connections from the PAW machine:

    1. Select Network Security Groups. For both the DbTrafficOnly and WebTrafficOnly, do the following:
    • Select Inbound Security Rules.

    • Select +Add.

    • For the Source, select IP Addresses.

    • For the Source IP address, enter 10.0.0.4.

    • For the Destination port range, enter 3389.

    • For the Priority, enter 101.

    • For the Name, enter Port_3389.

    • Select Add.

  5. Configure all NSGs to have Diagnostic logs enabled.

    1. Select Network security groups. For each NSG (DBTrafficOnly and WebTrafficOnly), do the following:
    • In the content menu, select Diagnostic logs, and then select Turn on diagnostics.

    Diagnostics logs is selected and highlighted under Monitoring on the left side, and Turn on diagnostics is highlighted on the right.

    • For the name, enter the NSG name and then add Logging to the end.

    • Check the Send to Log Analytics checkbox, in the Log Analytics box, select Configure.

    • Select the azsecuritylogging workspace.

    • Select both LOG checkboxes.

    • Select Save.

    Save is highlighted at the top, and two log items are selected and highlighted below.

    • Repeat for all remaining Network Security Groups

Task 3: Test network security group rules #2

  1. Switch back to the PAW-1 virtual machine.

  2. Run the script, press F5, and you should see the following:

    1. Port scan for port 3389 (RDP) to DB-1 and WEB-1 is successful from the PAW-1 machine.

    The information above for port 3389 (RDP) is visible after running the script and pressing F5.

    1. Port scan for port 1433 (SQL) to DB-1 is successful, and WEB-1 is unsuccessful from the PAW-1 machine.

Note: You may need to disable the windows firewall on the DB-1 server to achieve this result.

The information above for port 1433 (SQL) is visible after running the script and pressing F5.

  1. If IIS has been setup on WEB-1, the port scan for port 80 (HTTP) to DB-1 is unsuccessful and WEB-1 is successful from the PAW-1 machine

The information above for port 80 (HTTP) is visible after running the script and pressing F5.

Task 4: Install network watcher VM extension

  1. Switch to the Azure Portal.

  2. Select Virtual Machines.

  3. Select db-1.

  4. In the blade menu, select Extensions, then select +Add.

    Extensions is selected and highlighted on the left under Settings, and + Add is highlighted at the top right.

  5. Browse to the Network Watcher Agent for Windows, and select it.

  6. Select Create.

    Network Watcher Agent for Windows is highlighted on the left, and Create is highlighted on the right.

  7. In the next Install extension dialog window (note that it could be blank) select OK. You should see a toast notification about the script extension being installed into the Virtual Machine.

    The toast notification states:

Task 5: Setup network packet capture

  1. In the main Azure Portal menu, select Monitor.

  2. In the context menu, select Network.

    Monitor is selected on the left side of the Azure portal, and Network watcher is highlighted on the right.

  3. Select the Overview link.

  4. Expand the subscription region item.

  5. For the East US region (or whatever region you deployed your VMs too), select the ellipses, then select Enable Network Watcher.

    The East US row is highlighted under Region, and Enable network watcher is selected in the submenu.

  6. In the new context menu, select Packet capture.

  7. Select +Add.

    Packet capture is selected and highlighted on the left under Network Diagnostic Tools, and + Add is highlighted at the top right.

  8. For the target virtual machine, ensure that db-1 is selected.

  9. For the capture name, enter databasetraffic.

  10. Notice the ability to save the capture file to the local machine or an Azure storage account. Ensure that the resource group storage account is selected.

    In this screenshot, databasetraffic is entered in the Packet capture name box, and the Storage account check box is selected.

  11. For the values, enter the following:

  • Maximum bytes per packet: 0
  • Maximum bytes per session: 1073741824
  • Time limit: 600
  1. Select OK.

Task 6: Execute a port scan

  1. Switch your Remote Desktop connection to the PAW-1 virtual machine.

  2. Uncomment the last line of the script, and press F5.

Note: You should see the basic ports scanned, and then a port scan from 80 to 443. This will generate many security center logs for the Network Security Group which will be used in the Custom Alert in the next exercise.

Exercise 5: Azure Sentinel Logging and Reporting

Duration: 20 minutes

Synopsis: In this exercise, you will setup Azure Sentinel to point to a logging workspace and then create custom alerts that execute Azure Runbooks.

Task 1: Create a dashboard

  1. Open the Azure Portal.

  2. Click All services, then type Sentinel, select Azure Sentinel

In this screenshot, All Services is selected, and then a search for Sentinel is displayed.

  1. In the blade, click +Add, select the Log Analytics resource for your resource group, then click Add Azure Sentinel

  2. In the blade, select Dashboards

  3. In the list of dashboards, select Azure AD Audit logs, select Install

In this screenshot, Dashboards has been selected and the Azure AD Audit Logs dashboard has also been selected.

  1. In the list of dashboards, select Azure Network Watcher, select Install

  2. Click View Dashboard, take a moment to review your new dashboard

Task 2: Create an Analytics alert

  1. Navigate back to the Azure Sentinel workspace, in the Configuration blade section, select Analytics then select +Add.

In this screenshot, Analytics is highlighted and so is the Add button.

  1. For the name, enter PortScans.

  2. For the description, enter A custom rule to detect port scans.

  3. In the Set alert query text box, type:

 AzureDiagnostics | where Type != 'AzureMetric' and OperationName == 'NetworkSecurityGroupCounters' and type_s == 'block' and direction_s == 'In' and Resource == 'WEBTRAFFICONLY'

In this screenshot, the alert simulation shows data after the query has been entered.

Note: If you were quick going through the labs, then you may not have log data in the Log Analytics workspace just yet that corresponds to "AzureMetric". You may need to wait 15-30 minutes before a query will execute.

  1. For the operator value, enter 50.

  2. For the frequency, select 30 and Minutes.

  3. For the period, select 30 and Minutes.

Note: This is so that our lab will run quickly and may not be appropriate for real world.

  1. For the suppress alerts for, enter 30 and Minutes.

    The above information is entered in the dialog box for the new custom analytics rule.

  2. Click Create.

Note: It may take a few minutes for the alert to fire. You may need to run the PortScan script a few times from paw-1

Task 3: Investigate a custom alert Case

  1. In the main menu, select Azure Sentinel.

  2. Select Cases.

  3. Select the new PortScans case.

    This is a screenshot of the new PortScans security alert, which has a Medium Severity of 1.

Note: It may take 15-20 minutes for the alert to fire. You can continue to execute the port scan script to cause log events or you can lower the threshold for the custom alert.

  1. In the dialog, click Investigate

    This is a screenshot of the case dialog, with the button Investigate highlighted.

  2. In future versions, you will get to see insights about the alerts and the resources related to what caused it to fire:

    This is a screen shot of an alert instance.

Task 4: Create and run a playbook

  1. In the Azure Sentinel blade, select Playbooks.

  2. In the new window, select Add Playbook.

    Screen shot of the playbooks blade with the Playbooks and Add Playbook links highlighted.

  3. The Create logic app blade will display:

    1. For the name, enter Email.

    2. Select your existing resource group.

    3. Toggle the Log Analytics to On and then select your azuresecurity Log Analytics workspace.

The information above is entered in the Create logic app dialog box.

  1. Select Create, the Logic Apps Designer will load.

  2. Select the Send notification email template.

    Send notification email is selected on the right side under Choose a template below to create your Logic App.

  3. Select Use this template.

    The Use this template button is selected under Send notification email with alert details from Azure Security Center.

  4. Select Sign In, and then type your Azure/O365 credentials.

    The Sign in button is highlighted next to Office 365 Outlook under This logic app will connect to.

Note: This would need to be a valid Office 365 account, if you do not have a valid Office 365 account, then utilize a basic email template for Outlook.com

  1. Select Continue.

  2. For the email address, enter your email.

  3. Select Save. You now have an email alert action based on LogicApps for your custom security alert to use.

    Save is highlighted in Logic Apps Designer, and information about the custom security alert appears below.

  4. Lastly, after you have created the new Playbook, ensure that the status is Enabled. If not, then click Enable in the menu.

Task 5: Execute Jupyter Notebooks

  1. In the Azure Sentinel blade, select Notebooks.

  2. Scroll to the bottom of the page and select Clone Azure Sentinel Notebooks.

Notebooks and Clone Azure Sentinel Notebooks is highlighted

  1. The Azure Notebooks page will open, on the page, select Import.

Import button is highlighted

  1. In your notebook, browse to /Azure Sentinel/Notebooks, then select Get Started.ipynb.

  2. On the page, select Run on Free Azure.

The Run on Free Azure is button is highlighted

  1. In the menu, select Kernel->Change kernel, then select Python 3.6.

The page menu is expanded to the Kernel menu item and the change kernel with Python 3.6 is selected

  1. Click the Run button until you execute the entire Notebook, note that some steps will required your input.

Note: You can find the open source GitHub notebooks at https://github.com/Azure/Azure-Sentinel.

Task 6: Creating Reports with Power BI

  1. Navigate back to your Azure Sentinel browser window. Select Logs.

  2. Expand the LogManagement node, notice the various options available.

  3. In the query window, type AzureDiagnostics, then click the eye icon.

  4. In the top right, select Export, then select the Export to Power BI (M Query) link.

    All the above button clicks are displayed with red highlighting.

  5. Select Open, a text document with the Power Query M Language will be displayed.

  6. Follow the instructions in the document to execute the query in Power BI.

    The instructions at the top of the PowerBIQuery.txt file are highlighted.

  7. Close Power BI.

Exercise 6: Using Compliance Tools (Azure Policy, Secure Score and Compliance Manager)

Duration: 15 minutes

Synopsis: In this exercise, attendees will learn to navigate the Azure Policy and Secure Score features of Azure. You will also explore the Compliance Manager portal that will provide you helpful tasks that you should consider when attempting to achieve specific compliance policies.

Task 1: Review a basic Azure Policy

  1. Open the Azure Portal. Select All Services, then type Policy. Select Policy in the list of items.

    The links above are all highlighted to get to the Azure Policy blade.

  2. In the blade menu, click Compliance, review your Overall resource compliance percentage.

    The links above are all highlighted to get to the Azure Policy blade.

  3. For the scope, ensure the proper subscription is selected, then select ASC Default.

  4. In the Initiative compliance blade, review your compliance metrics.

  5. Scroll to the results area and select the Non-compliant resources tab.

    The non-compliant resources tab is highlighted.

  6. In the filter search box, type PAW-1 and select it when displayed.

  7. With the Policies tab selected, review the policies that the resource is non-complying against.

    The Resource compliance blade for PAW-1 is displayed with the non-compliant items highlighted

  8. Click one of the policies. Review the Definition JSON of the policy definition, notice how it is based on ARM Template format and is looking for specific properties to be set of the non-compliant resources.

    The policy definition is displayed

Note: You can use these out of box templates to build your own policies and apply them as blueprints.

Task 2: Review and create Azure Blueprints

  1. In the Policy blade, select Definitions. These are a list of all defined policies which can be selected to be assigned to your subscription resources.

    A listing of policy definitions on the Policy Blade Definitions

  2. In the Policy blade, select Blueprints.

  3. In the Blueprints blade, select Blueprint definitions.

  4. Select +Create blueprint.

    All the buttons above are highlighted

  5. Review some of the sample blueprints, then select Start with blank blueprint.

    Page displayed with the blueprint templates and the Start with a blank blueprint highlighted

  6. For the name, type gdprblueprint.

  7. For the location, select the ellipses, then select your subscription in the drop down.

  8. Click Select.

    New blue print dialog with name and location filled in

  9. Select Next: Artifacts.

  10. Click +Add artifact.

  11. For the Artifact Type, select Policy Assignment, review all the policies available to you (at the time of this writing you would see 151 policies).

  12. In the search box, type unrestricted, browse for the Audit unrestricted network access to storage accounts.

    Screen shot showing steps 9-12 highlighted

  13. Click Add

  14. Click Save Draft

  15. For the new blueprint, click the ellipses, then select Publish Blueprint

    Screen shot showing the Publish blueprint dialog

  16. For the version type 1.0.0.

  17. Click Publish.

  18. For the new blueprint, click the ellipses, then select Assign Blueprint.

    Screen shot showing the Assign blueprint dialog

  19. Review the page, then click Assign. This policy will now be audited across all your storage accounts in the specific subscription.

Task 3: Secure Score

  1. In the Azure Portal, select All Services, then type Security, select Security Center.

  2. In the Security Center blade, select Secure score.

  3. Review your overall secure score values and then notice the category values.

    Screen shot showing Secure score blade and the score and categories highlighted

  4. Select your subscription, you will be presented with the items that have failed resource validation sorted by the score value that is assigned to that particular recommendation item.

  5. Select the Provision an Azure AD administrator for SQL Server, on the recommendation blade, you will be presented with information about how to remediate the recommendation to gain the impact value to your score.

    Screen shot with the Probision an Azure AD Administrator for SQL Server highlighted

Task 4: Use Compliance Manager for Azure

  1. In a browser, go to the Service Trust/Compliance Manager portal (https://servicetrust.microsoft.com).

  2. In the top corner, select Sign in, you will be redirected to the Azure AD login page.

    Sign in is highlighted at the top of the Service Trust/Compliance Manager portal.

  3. If prompted, select or sign in with your Azure AD\Office 365 credentials.

  4. In the menu, select Compliance Manager->Compliance Manager Classic.

    Compliance Manager Classic is highlight in the menu navigation.

  5. Select on the +Add Assessment link.

  6. Select Create a new Group, for the name type AzureSecurity, select Next, set the Would you like to copy the data from an existing group toggle to No, select Next.

  7. For the product dropdown, select Azure.

  8. For the certification dropdown, select GDPR.

    Add a Standard Assessment dialog with Azure and GDPR selected.

  9. Select Add to Dashboard. You will now see a new assessment for Azure and GDPR in progress:

    Azure GDPR assessment status that shows in progress

  10. Select Azure GDPR.

  11. Review the various controls that you can implement:

Several categories of controls are listed on the page.

  1. Scroll to the top of the web page and in the top navigation, select Service Trust Portal, then scroll to the bottom of the page. Notice the two other sections of the trust center called:

  2. Select Audit Reports.

    Four icons appear towards the bottom of the Service Trust Portal webpage, representing Track Compliance, Audit Reports, Data Protection and Privacy. VIEW REPORTS AND RESOURES is highlighted below the Audit Reports icon.

  3. Notice the various tabs that you can select from, select FedRAMP Reports.

  4. These are all the FedRAMP reports sorted by date that have been performed and publicly posted for Azure customer review. Select the item displayed and briefly review the document.

    The FedRAMP Reports report type is highlighted on the Data Protection Standards and Regulatory Compliance Reports page, and Azure - FedRAMP Moderate System Security Plan v3.02 is highlighted at the bottom.

After the hands-on lab

Duration: 10 minutes

In this exercise, attendees will deprovision any Azure resources that were created in support of the lab.

Task 1: Delete resource group

  1. Using the Azure portal, navigate to the Resource group you used throughout this hands-on lab by selecting Resource groups in the menu.

  2. Search for the name of your research group, and select it from the list.

  3. Select Delete in the command bar, and confirm the deletion by re-typing the Resource group name and selecting Delete.

  4. Don't forget to delete the Azure Key Vault application you created in Exercise 3, Task 3.

Task 2: Remove Standard Tier Pricing

  1. Be sure to set your Azure Security pricing back to Free.

Task 3: Delete lab environment (optional)

  1. If you are using a hosted platform, make sure you shut it down or delete it.

You should follow all steps provided after attending the Hands-on lab.

Appendix A

Appendix A outlines the detailed steps involved in manually creating the resources provisioned by the Lab ARM template. The ARM template creates virtual networks, virtual machine, storage accounts, and a SQL Azure database.

Task 1: Create storage account

  • Create a single storage account for VMs and other resource to utilize.

Task 2: Create virtual networks

  • Create the following Virtual Networks:

    • dbVnet -- subnet of 10.1.0.0

    • mainVnet-- subnet of 10.0.0.0

    • webVnet-- subnet of 10.2.0.0

  • Ensure that virtual network peerings exist:

    • Db<->Main

    • Web<->Main

Task 3: Create virtual machines

  • Create the following Virtual Machines:

    • PAW-1 -- A2 instance, Windows Server

    • DB-1 -- A2 instance, Windows Server with SQL Server -- be sure to open the windows firewall for port 1433 traffic

    • WEB-1-- A2 instance, Windows Server -- Install IIS

Task 4: Create network security groups

  • Create the following NSGs:

    • DbTrafficOnly -- assigned to the DB-1 nic

    • Paw-1-nsg -- assigned to the PAW-1 nic

    • WebTrafficOnly -- assigned to the WEB-1 nic

  • For the DBTrafficOnly and WebTrafficOnly, add an incoming rule with priority 1000 that denies all traffic.

Task 5: Azure SQL server

  • Create an instance of Azure SQL Server.

Task 6: Create an Azure Key Vault

  • Create an instance of Azure Key Vault.

Attribution

This content was originally posted here:
https://github.com/Microsoft/MCW-Security-baseline-on-Azure

License

This content is licensed with the MIT License license.

MIT License

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE