Implementing Host Security
Configuring Container Security
The course is part of these learning paths
This course focuses on implementing security controls, maintaining the security posture of an Azure environment, and protecting data, applications, and networks, showing you how to configure security for your containers and virtual machines.
The content of this course is ideally suited to those looking to become certified Azure security engineers.
For any feedback, queries, or suggestions relating to this course, please contact us at email@example.com.
- Understand how to configure VM security including VM endpoints and system updates
- Configure baselines
- Understand key Azure networking components
- Configure AKS security
- Obtain a basic understanding of Azure Container Registry and how to create registries in Azure
- Manage vulnerabilities in Azure
This course is intended for people who want to become Microsoft certified Azure security engineers, or those who are tasked with implementing security controls, maintaining the security posture of an Azure environment, or protecting data, applications, and networks.
To get the most from this course, you should have a moderate understanding of Microsoft Azure and of basic security principles.
Hi there. Welcome to Configuring Baselines. Before we get started, I want to mention that this section alone could probably be its own entire course if we wanted to go down the rabbit hole of every type of baseline. However, what we're going to do instead is touch on each of the types of baselines that are available so you know where to go when you need to configure a specific baseline.
Before we do that, let's talk a little bit about the best practices that Microsoft's cybersecurity group and the Center for Internet Security or CIS have developed.
Microsoft initially partnered with the Center for Internet Security to develop an off-the-shelf-hardened Azure VM. This soon turned into an initiative to use CIS benchmarks, along with Azure security services and tools to provide security and compliance for applications that run on Azure.
The CIS Microsoft Azure Foundations Security Benchmark guide provides organizations with guidelines for establishing a secure baseline configuration for Azure. Throughout the rest of this lecture, we're going to look at the recommended technology groupings that can help you create secure cloud-enabled workloads.
There are two different implementation levels that CIS bases their recommendations on. There are also several different categories of recommendations that are made. The two levels are called Level 1 and Level 2. I know, very original.
Level 1 recommendations are the minimum recommended security settings that should be configured on all systems. Level 1 recommendations typically cause little or no interruption of services, nor do they usually result in reduced functionality. Level 2 recommendations are designed for highly secure environments. That being the case, they can sometimes result in reduced functionality of the systems they're implemented on.
On the screen is a table that shows you each technology group that we're going to touch on, along with an overall description of the recommendations for each group. Also included in this table are the total number of recommendations for each technology group. As you can see, there are lots, which is why we're not going to get down into the weeds on these.
Let's start by taking a quick look at identity and access management. Identity management is critical to the security of corporate assets. To ensure security and control of your assets, you need to manage identity and access for the Azure administrators in your organization, the application developers in your organization and for the application users as well. An identity and access management baseline is a big part of this.
Some of the key recommendations when configuring an identity and access management baseline include: Level 1 actions like restricting access to the Azure AD administration portal, ensuring that no unnecessary guest users exist, notifying users on password resets and requiring two methods to reset passwords.
Some key Level 2 actions that you should be taking include things like: enabling Azure MFA, blocking the ability to remember MFA on trusted devices, notifying all admins when other admins reset passwords and establishing an interval for reconfirming user authentication methods.
Some other recommended Level 2 actions include: not allowing members and guests to invite external users, not allowing users to create and manage security groups, disabling self-service group management and disabling the ability for users to register apps.
The Azure Security Center offering provides security management and threat protection for on-prem workloads, Azure workloads and workloads in other clouds.
The Security Center recommendations that you see on your screen will set various security policies on your Azure subscription. By implementing these recommendations on your own Azure subscription, you can further secure your environment.
These recommendations include: enabling the standard pricing tier, enabling the automatic provisioning of a monitoring agent and enabling system updates. Other key recommendations include: enabling security configurations enabling endpoint protection and enabling disk encryption.
- Enabling Network Security Groups (Level 1)
- Enabling Web Application Firewall (Level 1)
- Enabling Vulnerability Assessment (Level 1)
- Enabling Storage Encryption (Level 1)
- Enabling JIT Network Access (Level 1)
- Enabling Adaptive Application Controls (Level 1)
- Enabling SQL Auditing & Threat Detection (Level 1)
- Enabling SQL Encryption (Level 1)
- Setting a Security Contact Email and Phone Number (Level 1)
- Enabling the Send me emails about alerts option (Level 1)
- Enabling the Send email also to subscription owners option (Level 1)
As you can see on your screen, there are also several other recommendations to follow when creating an Azure Security Center baseline.
Azure storage accounts provide namespaces that you can use to store and access Azure Storage data objects. The seven key recommendations that you see on your screen are those that you should implement to validate your storage security.
- Requiring security-enhanced transfers (Level 1)
- Enabling blob encryption (Level 1)
- Periodically regenerating access keys (Level 1)
- Requiring Shared Access Signature (SAS) tokens to expire within an hour (Level 1)
- Requiring SAS tokens to be shared only via HTTPS (Level 1)
- Enabling Azure Files encryption (Level 1)
- Requiring only private access to blob containers (Level 1)
By implementing these recommendations as part of a storage account baseline, you can vastly improve your security position.
Azure SQL Server is Microsoft's cloud-based relational database server offering. It supports many of the same features as the on-prem version of Microsoft SQL Server and it's a good way to transition from an on-prem database into a cloud-based database.
The security recommendations that you see on your screen are those that you should implement when creating an Azure SQL Database security baseline. They include:
- Enabling auditing (Level 1)
- Enabling a threat detection service (Level 1)
- Enabling all threat detection types (Level 1)
- Enabling the option to send security alerts (Level 1)
- Enabling the email service and co-administrators (Level 1)
- Configuring audit retention for more than 90 days (Level 1)
- Configuring threat detection retention for more than 90 days (Level 1)
Implementing these recommendations improves the security posture of your Azure SQL Server environment.
When it comes time to identify and mitigate security threats, if you aren't performing any sort of logging and monitoring, you're going to be in for a world of hurt. Properly configured logging policies will not only help you determine when a security violation has occurred, but it will also help identify the culprit responsible as your activity logs can provide information about external access to resources and it can also provide diagnostic logs that provide information about the operation of those resources.
Follow these Level 1 recommendations that you see on your screen to set logging and monitoring policies on your Azure subscriptions:
- Ensure that a log profile exists
- Ensure that activity log retention is set to 365 days or more
- Create an activity log alert for “Creating a policy assignment”
- Create an activity log alert for “Creating, updating, or deleting a Network Security Group”
- Create an activity log alert for “Creating or updating an SQL Server firewall rule”
Azure networking service are designed to maximize flexibility, availability and security. These services provide connectivity between resources in Azure, on-prem resources and the Internet. The key security recommendations you see on your screen can be used to set Azure networking policies in your Azure subscriptions. These recommendations include:
- Restricting RDP and SSH access from the Internet (Level 1)
- Restricting SQL Server access from the Internet (Level 1)
- Configuring the NSG flow log retention period for more than 90 days (Level 2)
- Enabling Network Watcher (Level 1)
Aside from configuring the NSG flow log retention period, which is a Level 2 recommendation, all listed recommendations are Level 1 recommendations.
When it comes to security recommendations for virtual machines, the ones you see on your screen should be followed to set virtual machine policies on your Azure subscription. These recommendations include:
- Installing a VM agent on all VMs and enabling the agents for data collection for Azure Security Center (Level 1)
- Ensuring that OS disks are encrypted (Level 1)
- Ensuring only approved extensions are installed (Level 1)
- Ensuring that the OS patches for the VMs are applied (Level 1)
- Ensuring that VMs have an installed and running endpoint protection solution (Level 1)
Performing these steps will allow you to validate the security for VMs in your environment. In addition to the recommendations we've already introduced, there are some other security recommendations that should be followed.
These additional recommendations include:
- Setting an expiration date on all keys in Azure Key Vault (Level 1)
- Setting an expiration date on all secrets in Azure Key Vault (Level 1)
- Setting resource locks for mission-critical Azure resources (Level 2)
These additional recommendations that you see on your screen can be followed to set general security and operational controls on an Azure subscription.
To download the complete CIS Microsoft Azure Foundations Security Benchmark document, which includes over 200 pages of baseline and benchmark information, visit the URL that you see on your screen (https://azure.microsoft.com/en-gb/resources/cis-microsoft-azure-foundations-security-benchmark/).
Introduction - Configuring Endpoint Security within VMs - Configuring and Monitoring Antimalmare for VMs - Configuring Virtual Machine Security - Hardening Virtual Machines - Configuring System Updates for Virtual Machines - Starting a Runbook from the Azure Portal - Azure Networking - Configuring Authentication - Container Isolation - AKS Security - Azure Container Registry - Creating a Container Registry - Implementing Vulnerability Management - Conclusion
About the Author
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.