Optimize Azure Infrastructure Security with Azure Security Center Recommendations

VIAcode recommends that Azure users implement Azure Security Center. Security Center provides a comprehensive security management service with advanced threat protection. It helps Azure users to secure their evolving infrastructure against the range of sophisticated attacks it is likely to face.

Among the most useful aspects of the Security Center are security recommendations. All Security Center tiers, including the free tiers, offer a continuous assessment with recommendations. The security recommendations are a guide to securing Azure personalized for the infrastructure your organization has deployed.

The recommendations will help you to target the most consequential security optimizations and improve your infrastructure’s security posture. In this article, we’re going to take a look at Security Center recommendations, what they mean, and why they matter.

Don’t have time to run through all these Azure Security Center checks yourself?

We recently released a free Azure Snapshot tool that will give you an instant assessment of your Azure environment’s security, monitoring, and cost optimization implementation. It’s completely free, takes two minutes, and covers many of the best practices in this guide.

Enable MFA

  • MFA should be enabled on accounts with owner permissions on your subscription
  • MFA should be enabled on accounts with write permissions on your subscription

MFA is multi-factor authentication. Research has shown that passwords alone are not an adequate authentication method. Users—even technical users—often choose easily guessed passwords or expose passwords to unauthorized users.

Passwords are “something you know.” MFA adds “something you own,” often a trusted mobile device, or “something you are,” which could be a fingerprint or other biometric factor. Azure Multi-Factor Authentication demands an extra factor of authentication so that Azure accounts stay secure even if passwords are exposed.

It is particularly important to implement MFA for users with owner and write permissions. These users are most likely to be targeted by bad actors. Unauthorized access to their accounts can cause significant disruption and data loss.

Secure Management Ports

  • Just-In-Time network access control should be applied on virtual machines
  • Virtual machines should be associated with a Network Security Group
  • Management ports should be closed on your virtual machines

Azure VM users often need to log in via SSH or RDP to configure virtual machines. In traditional server environments, the ports that the SSH and RDP services use—the management ports—were left open, allowing unauthorized log-in attempts. Attackers use these open ports in brute force and dictionary attacks, attempting to “guess” the credentials. They may also carry out social engineering attacks to extract credentials from employees, using them to gain access via the open ports.

Azure offers Just-in-Time Access on Azure VMs, using network security group and Azure Firewall rules to keep management ports closed. The ports are only opened when they are needed, and only users who have the appropriate permissions on the VM can request that a port be opened, substantially reducing the risk of brute force and other attacks.

Apply System Updates

  • Monitoring agent health issues should be resolved on your machines
  • Monitoring agent should be installed on virtual machine scale sets
  • Monitoring agent should be installed on your machines
  • OS version should be updated for your cloud service roles
  • System updates on virtual machine scale sets should be installed
  • System updates should be installed on your machines
  • Your machines should be restarted to apply system updates
  • Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
  • Monitoring agent should be installed on your virtual machines

Sixty percent of security breaches are caused by vulnerabilities for which a patch is already available. Patch management is notoriously complicated for large infrastructure deployments, but it is an essential aspect of server security and data privacy.

The Apply System Updates recommendations have two stages. First, monitoring agents should be installed on VMs and other Azure components. Monitoring agents are software tools that collect monitoring data, including software versions. Without a monitoring agent, Azure Security Center and Azure Monitor have no insight into the software versions running on your infrastructure.

Second, software including the operating system and services running on the server should be updated, and servers should be rebooted to ensure that secure versions are running.

Remediate Vulnerabilities

  • Advanced data security should be enabled on your SQL servers
  • Vulnerabilities in Azure Container Registry images should be remediated
  • Vulnerabilities on your SQL databases should be remediated
  • Vulnerabilities should be remediated by a Vulnerability Assessment solution
  • Vulnerability assessment should be enabled on your SQL managed instances
  • Vulnerability assessment should be enabled on your SQL servers
  • Vulnerability assessment solution should be installed on your virtual machines

Vulnerability identification is critical to risk management and security—users can’t fix vulnerabilities they don’t know about. Remediate Vulnerabilities amounts to a recommendation that Azure users install a security vulnerability assessment solution and then fix the weaknesses the tool finds.

Vulnerability assessment solutions give Azure users visibility into the security state of their infrastructure, particularly into misconfigurations that cause security vulnerabilities. They help Azure users to identify and remediate potential security problems.

For VMs, Microsoft offers the free Azure Security Center vulnerability scanner and a similar vulnerability assessment tool for Azure SQL Database. There are also third-party assessment extensions.

Enable Encryption at Rest

  • Disk encryption should be applied on virtual machines
  • Transparent Data Encryption on SQL databases should be enabled
  • Automation account variables should be encrypted
  • Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
  • SQL Server TDE protector should be encrypted with your own key

In the past, infrastructure security focused on hardening network boundaries. We put up barriers such as firewalls to prevent attackers from accessing sensitive data on servers and storage devices. However, that approach is an inadequate response to the modern threat landscape. Today, we practice a layered approach to security, hardening the network boundary while encrypting data to ensure that it is useless even if an attacker breaches the network and gains access to servers.

Encryption at rest on Azure is free and simple to implement. Throughout Azure, users can take advantage of tools such as disk encryption so that all sensitive data is encrypted and therefore useless to bad actors even if it leaks.

Microsoft manages the encryption keys used when encrypting data at rest, but users may also choose to manage their own encryption keys with Azure Key Vault. Key Vault ensures that keys are stored and accessed securely and that they are stored apart from the infrastructure they secure.

Encrypt Data in Transit

  • API App should only be accessible over HTTPS
  • Function App should only be accessible over HTTPS
  • Only secure connections to your Redis Cache should be enabled
  • Secure transfer to storage accounts should be enabled
  • Web Application should only be accessible over HTTPS

Data encrypted in transit cannot be read or modified by attackers sitting between the source and destination. Data should be encrypted whenever it is transmitted between components of your infrastructure and between your infrastructure and endpoints. Unlike encryption at rest, encryption in transit isn’t free, and introducing encryption in transit can cause disruption unless it is carefully managed.

Azure automatically encrypts some aspects of data transit within Azure, but the user is responsible for implementing encryption within their applications and between their Azure infrastructure and both external infrastructure and end-users. Azure provides numerous services for implementing encryption in transit, including the Azure VPN Gateway. VIAcode can help your organization implement a comprehensive encryption in transit strategy while minimizing disruption.

Manage Access and Permissions

  • Deprecated accounts with owner permissions should be removed from your subscription
  • External accounts with owner permissions should be removed from your subscription
  • External accounts with write permissions should be removed from your subscription
  • There should be more than one owner assigned to your subscription
  • Role-Based Access Control (RBAC) should be used on Kubernetes Services (Preview)
  • Service Fabric clusters should only use Azure Active Directory for client authentication

When businesses begin to use Azure, they are often tempted to grant the widest possible access to employees. It’s difficult to predict the access a user might need. It’s more convenient to give wide-scale access than to carefully assess permissions case-by-case. While understandable, this approach can lead to disaster. Many security breaches are caused by careless employees with too much access and disgruntled employees whose access was never withdrawn.

Microsoft Azure encourages a least-privilege access model. Users should have the access they need but no more. Unused accounts should be deleted. Owner and write permissions should be strictly controlled. The recommendations in this section include a series of general access best practices and specific guidance on access controls and permissions on Azure.

Remediate Security Configurations

  • Pod Security Policies should be defined on Kubernetes Services
  • Vulnerabilities in container security configurations should be remediated
  • Vulnerabilities in security configuration on your machines should be remediated
  • Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
  • Monitoring agent should be installed on your virtual machines
  • Monitoring agent should be installed on your machines
  • Monitoring agent should be installed on virtual machine scale sets
  • Monitoring agent health issues should be resolved on your machines

A substantial proportion of security issues are caused not by vulnerabilities in the software, but by errors in how the software is configured. According to McAfee’s Cloud Adoption and Risk Report, the average organization operates at least 14 misconfigured IaaS instances, suffering an average of 2,300 misconfiguration incidents per month.

Azure Security Center monitors configurations, comparing them to best practices and standards. Monitoring requires the installation of a monitoring agent, a piece of software that gathers the data used for security recommendations. The recommendations in this section focus on the installation of monitoring agents on VMs and containers and the remediation of the security configuration errors the agents discover.

Restrict Unauthorized Network Access

  • IP forwarding on your virtual machine should be disabled
  • Authorized IP ranges should be defined on Kubernetes Services
  • Virtual machines should be associated with a Network Security Group
  • CORS should not allow every resource to access your API App
  • CORS should not allow every resource to access your Function App
  • CORS should not allow every resource to access your Web Application
  • Remote debugging should be turned off for API App
  • Remote debugging should be turned off for Function App
  • Remote debugging should be turned off for Web Application
  • Access should be restricted for permissive Network Security Groups with Internet-facing VMs
  • Network Security Group Rules for Internet-facing virtual machines should be hardened

As we mentioned above, Azure encourages a layered approach to security. The network is the first line of defense, and this set of recommendations is focused on managing how resources such as virtual machines communicate both within the network and with external endpoints.

The recommendations leverage a range of services and technologies, including both Azure features such as Network Security Groups and standard web technologies such as Cross-origin resource sharing (CORS), which governs which external origins a browser will allow to access a web application’s resources. Network Security Groups are a key component of Azure security, implementing rules to manage the inbound and outbound traffic allowed to specific resources.
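The "Secure Management Ports" and "Restrict Unauthorized Network Access" recommendations both come down to the same question: does any inbound NSG rule, after priority ordering, let the Internet reach SSH, RDP or WinRM? The following audit is an added example (not VIAcode's or Microsoft's code) that answers it offline; the rule dicts follow the shape of `az network nsg rule list` output and the sample NSG is constructed.

```python
"""Audit NSG rules for management ports reachable from the Internet.
Added example, not VIAcode's or Microsoft's code; rule dicts follow the shape
of `az network nsg rule list` output and the sample NSG below is constructed."""
from __future__ import annotations

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}
# Source prefixes that mean "anyone on the Internet" in an NSG rule.
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}


def _port_set(rule: dict) -> set[int] | None:
    """Expand destinationPortRange(s) into ints; None means every port."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    ports: set[int] = set()
    for r in ranges:
        if r == "*":
            return None
        lo, _, hi = r.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _sources(rule: dict) -> set[str]:
    srcs = set(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        srcs.add(rule["sourceAddressPrefix"])
    return srcs


def exposed_management_ports(rules: list[dict]) -> dict[int, str]:
    """Map each management port open to the Internet to the rule allowing it.
    NSG rules apply in ascending priority order and the first match wins, so a
    lower-numbered Deny shadows a higher-numbered Allow (protocol is ignored)."""
    decided: dict[int, str] = {}
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("direction") != "Inbound" or not (_sources(rule) & ANY_SOURCE):
            continue
        ports = _port_set(rule)
        for port in MANAGEMENT_PORTS:
            if port not in decided and (ports is None or port in ports):
                decided[port] = rule["name"] if rule["access"] == "Allow" else ""
    return {p: n for p, n in decided.items() if n}


# Constructed sample: a blanket Allow is shadowed for RDP by a more specific
# Deny, leaving SSH and WinRM reachable from the Internet.
SAMPLE_RULES = [
    {"name": "DenyRDPInternet", "priority": 100, "direction": "Inbound",
     "access": "Deny", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "3389"},
    {"name": "AllowAnyInbound", "priority": 200, "direction": "Inbound",
     "access": "Allow", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
    {"name": "AllowSSHFromOffice", "priority": 300, "direction": "Inbound",
     "access": "Allow", "sourceAddressPrefixes": ["203.0.113.0/24"],
     "destinationPortRanges": ["22"]},
]

if __name__ == "__main__":
    for port, name in sorted(exposed_management_ports(SAMPLE_RULES).items()):
        print(f"{MANAGEMENT_PORTS[port]} tcp/{port} open to the Internet via {name}")
```

Feed it the JSON from `az network nsg rule list -g <rg> --nsg-name <nsg>` to check a real NSG; an empty result is what the "management ports should be closed" recommendation expects to see.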

Apply Adaptive Application Control (AAC)

  • Adaptive Application Controls should be enabled on virtual machines
  • Monitoring agent should be installed on your virtual machines
  • Monitoring agent should be installed on your machines
  • Monitoring agent health issues should be resolved on your machines

Adaptive security controls help organizations to control which software runs on their infrastructure. When attackers breach a server, they often install and run software that suits their purposes, including malware. Unauthorized software isn’t always malware, but it can cause security problems. Outdated software may contain security vulnerabilities. Employees may run unlicensed or forbidden software.

Adaptive application controls use a combination of user-defined rules and machine-learning analysis to identify unauthorized software. Security Center monitors the Azure machines that have the monitoring agent installed and lets authorized users approve or block the software it observes.

Apply Data Classification

  • Sensitive data in your SQL databases should be classified

Businesses need to know what data they store, where they store it, and how sensitive it is. It’s all too easy to mistakenly store and move sensitive data with inadequate security, leading to data leaks and regulatory breaches. By classifying the data in their databases, businesses have the opportunity to implement security hardening, monitoring, and alerts appropriate to the data’s sensitivity.

Azure SQL Database includes sophisticated data discovery and classification tools which can be found in the Advanced Data Security section of the SQL Database pane in the Azure portal.

Protect Applications Against DDoS Attacks

  • DDoS Protection Standard should be enabled

Distributed Denial of Service attacks are a constant threat to organizations that rely on the performance and availability of their cloud infrastructure. There were 8.4 million DDoS attacks in 2019, with the largest attacks peaking at 622 Gbps.

Azure provides several tiers of DDoS protection. Basic DDoS mitigation is automatically activated and includes attack monitoring and mitigation. It doesn’t include features such as application-level availability guarantees or metrics and alerts. DDoS Protection Standard does include these advanced features as well as expert support during an attack. The most important difference is the availability guarantee. With the basic plan, Microsoft guarantees availability for the region your apps are hosted in, but not the availability of individual applications. Organizations concerned about the risk of DDoS attacks against their applications should consider upgrading to the paid Standard plan.

Enable Endpoint Protection

  • Endpoint protection health failures should be remediated on virtual machine scale sets
  • Endpoint protection health issues should be resolved on your machines
  • Endpoint protection solution should be installed on virtual machine scale sets
  • Install endpoint protection solution on virtual machines
  • Monitoring agent health issues should be resolved on your machines
  • Monitoring agent should be installed on virtual machine scale sets
  • Monitoring agent should be installed on your machines
  • Monitoring agent should be installed on your virtual machines
  • Install endpoint protection solution on your machines

Endpoint protection is Microsoft’s term for malware protection. These recommendations primarily focus on the installation of anti-malware solutions (endpoint protection solutions) that include Windows Defender, System Center Endpoint Protection, and a variety of third-party solutions. These tools are more sophisticated than traditional anti-malware software. They use machine learning, threat intelligence, and other sources to identify potential threats and generate security alerts.

This recommendation is among the simplest to satisfy. Microsoft’s endpoint protection solutions are free and can be installed without disruption on virtual machines.

Enable Auditing and Logging

  • Auditing on SQL server should be enabled
  • Diagnostic logs in App Services should be enabled
  • Diagnostic logs in Azure Data Lake Store should be enabled
  • Diagnostic logs in Azure Stream Analytics should be enabled
  • Diagnostic logs in Batch accounts should be enabled
  • Diagnostic logs in Data Lake Analytics should be enabled
  • Diagnostic logs in Event Hub should be enabled
  • Diagnostic logs in IoT Hub should be enabled
  • Diagnostic logs in Key Vault should be enabled
  • Diagnostic logs in Logic Apps should be enabled
  • Diagnostic logs in Search service should be enabled
  • Diagnostic logs in Service Bus should be enabled
  • Diagnostic logs in Virtual Machine Scale Sets should be enabled
  • Metric alert rules should be configured on Batch accounts
  • SQL Auditing settings should have Action-Groups configured to capture critical activities
  • SQL servers should be configured with auditing retention days greater than 90 days

Diagnostic logs, which are also referred to as resource logs, help Azure users to identify and remediate performance, security, and other issues. Most Azure infrastructure services are capable of generating logs, and, at the very least, Azure users should activate logs for the services they depend on. Logs provide insight into the status of services and infrastructure. Without them, users are in the dark about how key aspects of their infrastructure change over time, limiting the potential for auditing and root cause analysis.
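Two of the recommendations above have concrete, checkable settings: SQL auditing must be enabled with the expected action groups and a retention period longer than 90 days, and each resource needs a diagnostic setting with at least one log category switched on. The checks below are an added example (not VIAcode's or Microsoft's code); the dict shapes follow `az sql server audit-policy show` and `az monitor diagnostic-settings list` output, the treatment of `retentionDays == 0` as unlimited retention is an assumption, and the sample values are constructed.

```python
"""Check SQL auditing and diagnostic settings against the 'Enable Auditing
and Logging' recommendations. Added example, not VIAcode's or Microsoft's
code; the dict shapes follow `az sql server audit-policy show` and
`az monitor diagnostic-settings list` output and the sample values are
constructed."""
# Action groups Security Center expects SQL auditing to capture.
REQUIRED_ACTION_GROUPS = {
    "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
    "FAILED_DATABASE_AUTHENTICATION_GROUP",
    "BATCH_COMPLETED_GROUP",
}
MIN_RETENTION_DAYS = 90


def audit_sql_server_auditing(policy: dict) -> list:
    """Return findings for one SQL server audit policy; empty means compliant."""
    findings = []
    if policy.get("state") != "Enabled":
        return ["auditing is not enabled"]  # nothing else to check
    retention = int(policy.get("retentionDays") or 0)
    # Assumption: retentionDays == 0 means unlimited retention and so passes.
    if 0 < retention <= MIN_RETENTION_DAYS:
        findings.append(f"retention of {retention} days is not greater than {MIN_RETENTION_DAYS}")
    missing = REQUIRED_ACTION_GROUPS - set(policy.get("auditActionsAndGroups") or [])
    if missing:
        findings.append("missing action groups: " + ", ".join(sorted(missing)))
    return findings


def audit_diagnostic_settings(settings: list) -> list:
    """Flag a resource with no diagnostic setting or with no log category enabled."""
    if not settings:
        return ["no diagnostic setting configured"]
    enabled = {log["category"] for s in settings
               for log in s.get("logs") or [] if log.get("enabled")}
    if not enabled:
        return ["diagnostic settings exist but every log category is disabled"]
    return []


# Constructed samples: one server retains audit logs for only 30 days and
# skips the authentication groups; one Key Vault has its only category off.
SAMPLE_AUDIT_POLICY = {
    "state": "Enabled",
    "retentionDays": 30,
    "auditActionsAndGroups": ["BATCH_COMPLETED_GROUP"],
}
SAMPLE_KEYVAULT_DIAGNOSTICS = [
    {"name": "to-log-analytics",
     "logs": [{"category": "AuditEvent", "enabled": False}]},
]

if __name__ == "__main__":
    for f in audit_sql_server_auditing(SAMPLE_AUDIT_POLICY):
        print("sql-server:", f)
    for f in audit_diagnostic_settings(SAMPLE_KEYVAULT_DIAGNOSTICS):
        print("key-vault:", f)
```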

Implement Security Best Practices

  • A maximum of 3 owners should be designated for your subscription
  • External accounts with read permissions should be removed from your subscription
  • MFA should be enabled on accounts with read permissions on your subscription
  • Access to storage accounts with firewall and virtual network configurations should be restricted
  • All authorization rules except RootManageSharedAccessKey should be removed from Event Hub namespace
  • An Azure Active Directory administrator should be provisioned for SQL servers
  • Authorization rules on the Event Hub instance should be defined
  • Storage accounts should be migrated to new Azure Resource Manager resources
  • Virtual machines should be migrated to new Azure Resource Manager resources
  • Advanced data security settings for SQL server should contain an email address to receive security alerts
  • Advanced data security should be enabled on your managed instances
  • All advanced threat protection types should be enabled in SQL managed instance advanced data security settings
  • Email notifications to admins and subscription owners should be enabled in SQL server advanced data security settings
  • Advanced Threat Protection types should be set to ‘All’ in SQL server Advanced Data Security settings
  • Subnets should be associated with a Network Security Group
  • All advanced threat protection types should be enabled in SQL server advanced data security settings
  • Windows exploit guard should be enabled
  • Guest configuration agent should be installed

This security control and the associated recommendations are largely focused on strengthening access and identity management and on ensuring security best practices are followed on key infrastructure. They are not the highest priority recommendations, but they have an impact on security and should be implemented once more critical security hardening is complete.

As we have emphasized at several points, the optimal approach to security on Azure is layered, implementing controls at all levels of infrastructure and software, from endpoints and applications to servers and storage. Identity and access management is vital to the layered security approach: there is little benefit to implementing encryption at rest and in transit if an attacker can exploit a user account with an easily guessed password.

Improving access control is the motivation for recommendations to implement MFA on accounts with read permissions, to remove external accounts, and to provision an Azure Active Directory Administrator on Azure SQL Servers. Using AAD with Azure SQL centralizes and simplifies identity and access management.
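The subscription-level identity checks from "Manage Access and Permissions" and "Implement Security Best Practices" (more than one owner, at most three, no external or deprecated accounts with owner or write permissions, MFA on those accounts) can be evaluated from a role-assignment listing. This is an added example, not VIAcode's or Microsoft's code: the assignment dicts follow `az role assignment list` output, while the user directory, the `#EXT#` guest-UPN marker and the `accountEnabled`/`mfaRegistered` flags are assumptions about how the tenant reports guest, disabled and MFA-registered users, and every value is constructed.

```python
"""Audit subscription role assignments against the owner and external-account
recommendations. Added example, not VIAcode's or Microsoft's code. Assignment
dicts follow `az role assignment list` output (principalName, principalType,
roleDefinitionName); the user directory, the '#EXT#' guest-UPN marker and the
accountEnabled/mfaRegistered flags are assumptions, and all values are
constructed."""
WRITE_ROLES = {"Owner", "Contributor"}  # roles that grant write permissions
MAX_OWNERS = 3


def is_external(upn: str) -> bool:
    """Assumption: guest (B2B) users carry '#EXT#' in their user principal name."""
    return "#EXT#" in upn.upper()


def audit_role_assignments(assignments: list, directory: dict) -> list:
    """Return findings for a subscription's role assignments; empty == compliant.
    `directory` maps UPN -> {"accountEnabled": bool, "mfaRegistered": bool}."""
    findings = []
    users = [a for a in assignments if a.get("principalType") == "User"]
    owners = {a["principalName"] for a in users if a["roleDefinitionName"] == "Owner"}
    if len(owners) < 2:
        findings.append("there should be more than one owner on the subscription")
    if len(owners) > MAX_OWNERS:
        findings.append(f"{len(owners)} owners exceeds the maximum of {MAX_OWNERS}")
    for a in users:
        upn, role = a["principalName"], a["roleDefinitionName"]
        if role not in WRITE_ROLES:
            continue  # read-only roles are outside these two recommendations
        if is_external(upn):
            findings.append(f"external account {upn} holds {role}")
        user = directory.get(upn, {})
        if not user.get("accountEnabled", True):
            findings.append(f"deprecated (disabled) account {upn} still holds {role}")
        if not user.get("mfaRegistered", False):
            findings.append(f"MFA is not enabled for {upn} ({role})")
    return findings


# Constructed sample subscription: a single owner, a guest Contributor and a
# disabled former employee who still holds Contributor without MFA.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner"},
    {"principalName": "bob_partner.example#EXT#@example.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Contributor"},
    {"principalName": "carol@example.com", "principalType": "User",
     "roleDefinitionName": "Contributor"},
    {"principalName": "ci-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor"},
]
SAMPLE_DIRECTORY = {
    "alice@example.com": {"accountEnabled": True, "mfaRegistered": True},
    "bob_partner.example#EXT#@example.onmicrosoft.com": {"accountEnabled": True,
                                                         "mfaRegistered": True},
    "carol@example.com": {"accountEnabled": False, "mfaRegistered": False},
}

if __name__ == "__main__":
    for finding in audit_role_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_DIRECTORY):
        print("-", finding)
```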

Secure Your Azure Infrastructure with VIAcode Managed Services

Cloud security is a journey. Microsoft continually improves and optimizes security on Azure, but Azure users share responsibility for the security of their infrastructure. Implementing Azure Security Center recommendations is your responsibility, but it doesn’t have to be your burden.

VIAcode’s Azure Managed Services can help your business to secure, monitor, and optimize its Azure infrastructure. Get started today with our free Azure Snapshot health check, or contact an Azure managed services consultant for a free initial consultation.

VIAcode provides services for migration, optimization and management for Azure.