Azure Security Cookbook - Steve Miles - E-Book

Description

Gain critical real-world skills to secure your Microsoft Azure infrastructure against cyber attacks



Purchase of the print or Kindle book includes a free PDF eBook

Key Features



  • Dive into practical recipes for implementing security solutions for Microsoft Azure resources
  • Learn how to implement Microsoft Defender for Cloud and Microsoft Sentinel
  • Work with real-world examples of Azure Platform security capabilities to develop skills quickly

Book Description



With evolving threats, securing your cloud workloads and resources is of utmost importance. Azure Security Cookbook is your comprehensive guide to understanding specific problems related to Azure security and finding the solutions to these problems.



This book starts by introducing you to recipes on securing and protecting Azure Active Directory (AD) identities. After learning how to secure and protect Azure networks, you'll explore ways of securing Azure remote access and securing Azure virtual machines, Azure databases, and Azure storage. As you advance, you'll also discover how to secure and protect Azure environments using the Azure Advisor recommendations engine and utilize the Microsoft Defender for Cloud and Microsoft Sentinel tools. Finally, you'll be able to implement traffic analytics; visualize traffic; and identify cyber threats as well as suspicious and malicious activity.



By the end of this Azure security book, you will have an arsenal of solutions that will help you secure your Azure workload and resources.

What you will learn



  • Find out how to implement Azure security features and tools
  • Understand how to provide actionable insights into security incidents
  • Gain confidence in securing Azure resources and operations
  • Shorten your time to value for applying learned skills in real-world cases
  • Follow best practices and choices based on informed decisions
  • Better prepare for Microsoft certification with a security element

Who this book is for



This book is for Azure security professionals, Azure cloud professionals, Azure architects, and security professionals looking to implement secure cloud services using Microsoft Defender for Cloud and other Azure security features. A solid understanding of fundamental security concepts and prior exposure to the Azure cloud will help you understand the key concepts covered in the book more effectively. This book is also beneficial for those aiming to take Microsoft certification exams with a security element or focus.

You can read this e-book in Legimi apps or in any app that supports the following format:

EPUB
MOBI

Page count: 227

Year of publication: 2023




Azure Security Cookbook

Practical recipes for securing Azure resources and operations

Steve Miles

BIRMINGHAM—MUMBAI

Azure Security Cookbook

Copyright © 2023 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Associate Group Product Manager: Mohd Riyan Khan

Senior Editor: Divya Vijayan

Technical Editor: Nithik Cheruvakodan

Copy Editor: Safis Editing

Project Coordinator: Ashwin Kharwa

Proofreader: Safis Editing

Indexer: Rekha Nair

Production Designer: Joshua Misquitta

Marketing Coordinator: Marylou De Mello

First published: March 2023

Production reference: 1230223

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80461-796-0

www.packtpub.com

This book is my contribution to the worldwide technical learning community, and I would like to thank all of you who are investing your valuable time in learning new skills and committing to reading this book.

Contributors

About the author

Steve Miles, aka SMiles or Mr. Analogy, is a Microsoft Azure MVP, MCT, multi-cloud, and hybrid technologies author and technical reviewer with over 20 years of experience in security, networking, data center infrastructure, managed hosting, and cloud solutions. His experience comes from working in end user, reseller channel, and vendor spaces, with global networks, data and app security vendors, global telco hosters, and colocation and data center services providers, as well as in managed hosting and hardware distribution.

His roles have included network security architect, global solutions architect, public cloud security solutions architect, and Azure practice technical lead. He currently works for a leading multi-cloud distributor based in the UK and Dublin in a cloud and hybrid technology leadership role.

Most happy in front of a whiteboard, he prefers to speak using illustrations. He is renowned for his analogies for breaking down complex technologies and concepts into everyday, real-world scenarios.

His first Microsoft certification was on Windows NT. He is an MCP, MCITP, MCSA, and MCSE for Windows Server and many other Microsoft products. He also holds multiple Microsoft Fundamentals, Associate, Expert, and Specialty certifications in Azure Security, Identity, Network, M365, and D365. He also holds multiple security and networking vendor certifications, including PRINCE2 and ITIL, and is associated with industry bodies such as the CIF, ISCA, and IISP. Finally, as part of the multi-cloud aspect, he has experience with GCP and AWS, is Alibaba-Cloud-certified, and is a nominated Alibaba Cloud MVP.

About the reviewer

Peter De Tender has over 25 years of experience in architecting and deploying Microsoft solutions, starting with Windows NT4/Exchange 5.5 in 1996. Since early 2012, he started shifting to cloud technologies and quickly embraced Azure, working as a cloud architect and trainer. In September 2019, he joined Microsoft’s prestigious Microsoft Technical Trainer team, providing Azure readiness workshops to its top customers and partners across the globe. Recently having relocated to Redmond, WA, he continues in this role. Given his past Azure MVP and community passion, he is still actively involved in public speaking, technical writing, and mentoring/coaching.

You can follow Peter on Twitter at pdtit and check out his technical blog at 007ffflearning.com.

Thanks to Steve, for trusting in my love for Azure. Also, a big thanks to my wife for supporting me in realizing my dreams.

Patrick Lownds is a master-level solution architect working for Pointnext Advisory & Professional Services, in the Hybrid IT COE, for Hewlett Packard Enterprise (HPE), and is based in London, UK. He currently works with the most recent versions of Windows Server and System Center and has participated in the Windows Server, System Center, and Microsoft Azure Stack Early Adoption Program. He is a community blogger for HPE and tweets in his spare time. He can be found on Twitter at patricklownds.

Table of Contents

Preface

Part 1: Azure Security Features

1

Securing Azure AD Identities

Introduction to Azure Identity Services

What is AD?

Technical requirements

Reviewing Azure AD Identity Secure Score

Getting ready

How to do it…

How it works…

See also

Implementing Azure AD tenant Identity and Access Management

Getting ready

How to do it…

How it works…

There’s more…

See also

Implementing Azure AD Password Protection

Getting ready

How to do it…

How it works…

See also

Implementing a Self-Service Password Reset

Getting ready

How to do it…

How it works…

See also

Implementing Azure AD security defaults

Getting ready

How to do it…

How it works…

See also

Implementing Azure AD multi-factor authentication

Getting ready

How to do it…

How it works…

See also

Implementing Conditional Access policies

Getting ready

How to do it…

How it works…

See also

Implementing the Azure AD Identity Protection service

Getting ready

How to do it…

How it works…

See also

Implementing Azure AD Privileged Identity Management

Getting ready

How to do it…

How it works…

See also

2

Securing Azure Networks

Technical requirements

Implementing network security groups

Getting ready

How to do it…

How it works…

See also

Implementing Azure Firewall

Getting ready

How to do it…

How it works…

See also

Implementing Azure Web Application Firewall

Getting ready

How to do it…

How it works…

There’s more…

See also

Implementing Azure DDoS

Getting ready

How to do it…

How it works…

There’s more…

See also

3

Securing Remote Access

Technical requirements

Implementing Azure Network Adapter

Getting ready

How to do it…

How it works…

There’s more…

See also

Implementing the Azure Bastion service

Getting ready

How to do it…

How it works…

There’s more…

See also

Implementing JIT VM access

Getting ready

How to do it…

How it works…

There’s more…

See also

4

Securing Virtual Machines

Technical requirements

Implementing VM Update Management

Getting ready

How to do it…

How it works…

There’s more…

See also

Implementing VM Microsoft Antimalware

Getting ready

How to do it…

How it works…

See also

Implementing VM Azure Disk Encryption

Getting ready

How to do it…

How it works…

There’s more…

See also

5

Securing Azure SQL Databases

Technical requirements

Implementing a service-level IP firewall

Getting ready

How to do it…

How it works…

See also

Implementing a private endpoint

Getting ready

How to do it…

How it works…

There’s more…

See also

Implementing Azure AD authentication and authorization

Getting ready

How to do it…

How it works…

See also

6

Securing Azure Storage

Technical requirements

Implementing security settings on storage accounts

Getting ready

How to do it…

How it works…

See also

Implementing network security

How to do it…

How it works…

There’s more…

See also

Implementing encryption

Getting ready

How to do it…

How it works…

See also

Part 2: Azure Security Tools

7

Using Advisor

Technical requirements

Reviewing the security recommendations

Getting ready

How to do it…

How it works…

See also

Implementing the security recommendations

Getting ready

How to do it…

How it works…

See also

8

Using Microsoft Defender for Cloud

Technical requirements

Terminology reference

Review Defender for Cloud components

Getting ready

How to do it…

How it works…

See also

Enable enhanced security features of Defender for Cloud

Getting ready

How to do it…

How it works…

See also

Add a standard to the Regulatory compliance dashboard

Getting ready

How to do it…

How it works…

Assess your regulatory compliance

Getting ready

How to do it…

How it works…

See also

9

Using Microsoft Sentinel

Technical requirements

Terminology reference

Enabling Microsoft Sentinel

Getting ready

How to do it…

How it works…

See also

Reviewing Microsoft Sentinel components

Getting ready

How to do it…

How it works…

See also

Creating automation

Getting ready

How to do it…

How it works…

See also

Set up data connectors

Getting ready

How to do it…

How it works…

See also

10

Using Traffic Analytics

Technical requirements

Terminology reference

Implementing traffic analytics

Getting ready

How to do it…

How it works…

See also

Index

Other Books You May Enjoy

Preface

With the increase in usage of cloud platforms and with many companies embracing a hybrid workforce, new threat vectors are emerging and cyber-attacks are increasing.

A new security model mindset is required more than ever, a model that thinks beyond traditional device-based and network-perimeter-based security. We need to adopt a holistic approach to security, starting with insights and highlighting identity as the new control and security pane.

This book is a recipe-based guide to help you become well versed with Azure security features and tools.

You will start with learning important Azure security features such as identities, virtual machines, networks, storage, databases, and remote access. Then, you will dive into Defender for Cloud, Microsoft Sentinel, and other related tools to safeguard your identities, infrastructure, apps, and data.

Every chapter is independent, takes up important problems, and provides solutions, including those related to implementing and operating security features and tools.

By the end of the book, you will have learned to secure Azure cloud platform resources and have a guide you can use to solve specific day-to-day challenges.

Who is this book for

This book targets security-focused professionals looking to protect Azure resources using the native Azure platform security features and tools.

A solid understanding of the fundamental security concepts and prior exposure to Azure will help you understand the key concepts covered in the book more effectively.

This book also benefits those aiming to take the Microsoft certification exam with a security element or focus.

What this book covers

Chapter 1, Securing Azure AD Identities, teaches users how to secure and protect Azure AD identities. We will break down the chapter into sections on reviewing Azure AD identity secure scores, implementing Identity and Access Management on Azure AD tenants, implementing Azure AD Password Protection, implementing Self-Service Password Reset, implementing the Azure AD security defaults, implementing Azure AD Multi-Factor Authentication, implementing Conditional Access policies, implementing Azure AD Identity Protection, and implementing Azure AD Privileged Identity Management.

Chapter 2, Securing Azure Networks, explains how to secure and protect Azure networks. We will break down the chapter into sections covering implementing Network Security Groups, implementing Azure Firewall, implementing Azure Web Application Firewall, and implementing Azure DDoS.

Chapter 3, Securing Remote Access, focuses on how to secure and protect remote access. We will break down the chapter into sections covering implementing the Azure Bastion service, implementing Azure Network Adapter, and implementing Just-in-Time (JIT) VM access.

Chapter 4, Securing Virtual Machines, takes securing and protecting Azure VMs as its subject. We will break down the chapter into sections on implementing VM Update Management, implementing VM Microsoft antimalware, and implementing Disk Encryption for Azure VMs.

Chapter 5, Securing Azure SQL Databases, discusses how to secure and protect Azure databases. We will break down the chapter into sections on implementing a service-level IP firewall, implementing a private endpoint, and implementing Azure AD authentication and authorization.

Chapter 6, Securing Azure Storage, breaks down how to secure and protect Azure storage. We will break down the chapter into sections covering implementing security settings on storage accounts, implementing network security, and implementing encryption.

Chapter 7, Using Advisor, explores how to secure and protect Azure environments using the Advisor recommendations engine. We will break down the chapter into sections on the security recommendations and secure scores and perform the implementation of recommendations.

Chapter 8, Using Microsoft Defender for Cloud, demonstrates the components of Defender for Cloud, as well as how to enable the enhanced security features of Defender for Cloud, add a regulatory standard to the regulatory compliance dashboard, and assess environment regulatory compliance against the added standard.

Chapter 9, Using Microsoft Sentinel, walks through enabling Microsoft Sentinel and how to review the components, create automation, set up a data connector, and create an analytics rule.

Chapter 10, Using Traffic Analytics, covers the implementation of Traffic Analytics.

To get the most out of this book

For this book, the following are required:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal at https://portal.azure.com
  • An Azure AD tenancy and Azure subscription; you can use an existing one or sign up for free: https://azure.microsoft.com/en-us/free
  • A Global Admin role for the Azure AD tenant
  • An Owner role for the Azure subscription

Download the color images

We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://packt.link/fPcIW.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com

Any command-line input or output is written as follows:

Get-AzVmDiskEncryptionStatus

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “We will start by looking at Active Directory (AD).”

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com

Share your thoughts

Once you’ve read Functional Programming in Golang, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there: you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

Follow these simple steps to get the benefits:

  • Scan the QR code or visit the link below:
    https://packt.link/free-ebook/9781804617960
  • Submit your proof of purchase
  • That’s it! We’ll send your free PDF and other benefits to your email directly

Part 1: Azure Security Features

In this part, we will go through recipes that provide complete coverage of the skills and knowledge required to implement and operate native Azure platform security features.

This part includes the following chapters:

  • Chapter 1, Securing Azure AD Identities
  • Chapter 2, Securing Azure Networks
  • Chapter 3, Securing Remote Access
  • Chapter 4, Securing Virtual Machines
  • Chapter 5, Securing Azure SQL Databases
  • Chapter 6, Securing Azure Storage

1

Securing Azure AD Identities

Azure Active Directory (Azure AD) is a multi-tenant cloud-based identity and access management solution that is part of Microsoft’s Entra Identity platform product family.

You can read more about Entra and its integrated hybrid and multi-cloud identity and access solutions family at the following Microsoft site: https://www.microsoft.com/en-us/security/business/microsoft-entra.

In this chapter, you will learn how to secure and protect Azure AD identities.

We will break down this chapter into sections that cover how you can review your environments, including security posture, tenant-level identity and access management, password management and protection, security defaults, multi-factor authentication, and Conditional Access. We will then look at implementing Identity Protection and Identity Management services.

By the end of this chapter, you will have covered the following recipes to create secure Azure AD identities:

  • Reviewing Azure AD Identity Secure Score
  • Implementing Azure AD tenant Identity and Access Management
  • Implementing Azure AD Password Protection
  • Implementing Self-Service Password Reset
  • Implementing Azure AD security defaults
  • Implementing Azure AD multi-factor authentication
  • Implementing Conditional Access policies
  • Implementing Azure AD Identity Protection
  • Implementing Azure AD Privileged Identity Management

Introduction to Azure Identity Services

Before we look at any recipes, we will first introduce some concepts surrounding Microsoft Identity services. This will assist us in establishing a foundation of knowledge to build upon. We will start by looking at Active Directory (AD).

What is AD?

AD provides Identity and Access Management (IAM) and Information Protection services for traditional Windows Server environments. It was first included with Windows Server 2000 as an installable service.

AD provides different services in its portfolio and is used as a generic and umbrella term in many cases.

These individual services in Azure AD include the following:

  • AD Domain Services (AD DS)
  • AD Federation Services (AD FS)
  • AD Certificate Services
  • AD Rights Management Services

In this next section, we will introduce Azure AD and look at its relationship with AD, a similar name but with different functions, capabilities, and use cases.

When is AD not AD? When it is Azure AD!

Before we go any further, we should clear one thing up: there is a common misconception that Azure AD must just be a cloud-based Software-as-a-Service (SaaS) version, but it is not!

It is easy enough to see why people (wrongly) think this may be the case; after all, Exchange Online and SharePoint Online are indeed exactly that: SaaS versions of their traditional infrastructure-deployed platforms. If only it were that simple, though.

In many ways, Azure AD is like AD on the surface; they are both Identity Providers (IDPs) and provide IAM controls. Still, at the same time, they function differently and don’t yet provide a complete parity of capabilities, although quite close.

It is worth noting that Azure AD is constantly evolving to meet the requirements and demands of authentication and authorization of workloads and services to bring capabilities in line with those available in AD, such as Kerberos realms within Azure AD.

At the time of publishing this book, you cannot use Azure AD to 100% replace the provided capabilities of AD.

Depending on the scenario, it may be the case that your environments will never be 100% cloud-based for identity services. You may remain with Hybrid identity services – that is, both AD and Azure AD coexist in a connected and synchronized state.

What is Azure AD?

Azure AD is a SaaS identity management solution that is fully managed and provides functions such as an IDP and IAM for managing and securing access to resources based on Role-Based Access Control (RBAC).

As Azure AD is provided as a fully managed service, there is no installable component such as Windows Servers and Domain Controllers (DC); zero infrastructure needs to be deployed by you.

The primary cloud authentication protocol used by Azure AD is based around using OpenID, OAuth, and Graph, whereas AD uses Kerberos and NTLM.

What is Hybrid Identity?

The hybrid identity approach allows you to synchronize objects, such as user objects and their passwords, between AD and Azure AD directories.

The main driver for hybrid identity within an organization is legacy AD-integrated applications that do not support cloud identity authentication protocols.

This capability gives users access to both AD-authenticated and Azure AD-authenticated resources using a single common identity and password.

The password synced to Azure AD is a hash of the stored hashed password; passwords are never stored in Azure AD, only the password hash. This capability is referred to as same sign-on, meaning you will be prompted each time to enter the same credentials when you wish to authenticate to resources.

This capability should not be confused with single sign-on (SSO), which does not prompt you again when accessing resources. The following diagram shows the relationship between AD and Azure AD:

Figure 1.1 – AD and Azure as a relationship

Azure AD Connect is a free downloadable tool that synchronizes objects between AD and Azure AD’s IDP directories; this establishes hybrid identities. Azure AD Connect provides additional functionality and capabilities and allows for Self-Service Password Reset (SSPR) through additional configuration.

You can continue learning more, should you wish, about hybrid identities and Azure AD Connect, by going to https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect.
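The "hash of the stored hashed password" described above can be made concrete. Microsoft's documentation for password hash synchronization describes expanding the 16-byte MD4 hash into a 64-byte UTF-16 hex string and then applying PBKDF2 with HMAC-SHA256, 1,000 iterations and a 10-byte per-user salt. The following Python is an added example, not code from the book or from Microsoft; the function names, the constructed sample values and the upper-case hex choice are assumptions.

```python
import hashlib
import hmac

PBKDF2_ITERATIONS = 1000  # documented iteration count
SALT_LENGTH = 10          # documented per-user salt length, in bytes
DERIVED_LENGTH = 32       # size of one HMAC-SHA256 output block

# Constructed sample values for illustration only (not real credentials).
CONSTRUCTED_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
SALT_USER_A = bytes(range(10))
SALT_USER_B = bytes(range(10, 20))


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Expand the 16-byte on-premises hash to 64 bytes.

    16 bytes -> 32-character hex string -> UTF-16 encoded bytes.
    Assumption: upper-case hex and little-endian UTF-16 (the Windows default).
    """
    if len(nt_hash) != 16:
        raise ValueError("expected a 16-byte MD4 (NT) hash")
    return nt_hash.hex().upper().encode("utf-16-le")


def derive_sync_hash(nt_hash: bytes, salt: bytes) -> bytes:
    """Return the salted, stretched value that is synchronized to the cloud."""
    if len(salt) != SALT_LENGTH:
        raise ValueError("expected a 10-byte per-user salt")
    return hashlib.pbkdf2_hmac(
        "sha256",
        expand_nt_hash(nt_hash),
        salt,
        PBKDF2_ITERATIONS,
        dklen=DERIVED_LENGTH,
    )


def verify_sign_in(candidate_nt_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Repeat the same derivation at sign-in and compare in constant time."""
    candidate = derive_sync_hash(candidate_nt_hash, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    user_a = derive_sync_hash(CONSTRUCTED_NT_HASH, SALT_USER_A)
    user_b = derive_sync_hash(CONSTRUCTED_NT_HASH, SALT_USER_B)
    # Two users with the same password still get different synced values,
    # and neither value equals the on-premises hash.
    print("user A:", user_a.hex())
    print("user B:", user_b.hex())
    print("same password, same synced value?", user_a == user_b)
    print("sign-in check:", verify_sign_in(CONSTRUCTED_NT_HASH, SALT_USER_A, user_a))
```

Because of the per-user salt, identical on-premises passwords do not produce identical synced values, and the on-premises hash itself never appears in the cloud directory.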

Technical requirements

For this chapter, the following are required for the recipes:

  • A machine with a modern browser such as Edge or Chrome and internet access; this machine can be a client or server operating system. We will use a Windows 10 Microsoft Surface laptop with a Chrome browser for the recipe examples.
  • An Azure AD tenancy; you may use an existing one or sign up for free: https://azure.microsoft.com/en-us/free.
  • Access to the Global Administrator role for the tenancy.
  • Some cloud-only test user accounts created as part of the Azure AD tenancy.
  • You will require Azure AD Premium licenses or trial licenses. The following steps will guide you on activating a free trial if you do not already have a license:
      • From the Azure portal, go to Azure AD | Licenses | All products, then click Try/Buy from the top toolbar.
      • Select the AZURE AD PREMIUM P2 free trial and click Activate:

Figure 1.2 – Azure AD Premium P2 free trial activation

Reviewing Azure AD Identity Secure Score

Azure AD Identity Secure Score enables you to make informed decisions to protect your Azure AD tenancy.

This recipe will teach you how to monitor and improve your Azure AD Identity Secure Score.

We will take you through reviewing the Azure AD Identity Secure Score dashboard for your Azure AD tenancy environments and look at the actionable insights available to improve your secure score and security posture.

Getting ready

This recipe requires the following:

  • A device with a browser, such as Edge or Chrome, to access the Azure portal: https://portal.azure.com
  • You should sign into the Azure portal with an account with the Global Administrator role

How to do it…

This recipe consists of the following tasks:

  • Reviewing Identity Secure Score
  • Updating the improvement actions status

Task – Reviewing Identity Secure Score

Perform the following steps:

From the Azure portal, go to Azure Active Directory | Security | Identity Secure Score.

Alternatively, in the search bar, type azure ad identity secure score; click on Azure AD Identity Secure Score from the list of services shown.

You will now see the Identity Secure Score blade.

The top section of the Identity Secure Score screen represents your identity security posture:

Figure 1.3 – Secure Score screen

This area of the screen shows three aspects to review:

  • Secure Score for Identity is a percentage of your alignment with Microsoft’s best practice security recommendations
  • Comparison is your security posture management compared to other tenants of a similar size
  • Score history is a trend graph over time

The lower section of the Identity Secure Score screen provides a list of recommended and possible security Improvement actions.

Each recommended improvement action has a Score Impact, User Impact, Implementation Cost, Max Score possible, and Current Score:

Figure 1.4 – The Improvement actions screen

Click Download; you can access the improvement actions in a CSV file:

Figure 1.5 – Improvement actions download

By clicking on an Improvement action, you can see further information:

Figure 1.6 – Improvement actions information

With that, you have reviewed Identity Secure Score. In the next task, we will update the status of improvement actions.

Task – Updating the improvement actions status

Perform the following steps:

Select an Improvement action and click to open it.

From the Improvement action screen, on the STATUS section, select the status you wish to update the action to and then click Save:

Figure 1.7 – Improvement actions status options

With that, you have updated the status of improvement actions. This concludes the hands-on tasks for this recipe.

How it works…

In this recipe, we reviewed the information presented in the Azure AD identities Secure Score and took action from available insights.

The Azure AD Identity Secure Score overlaps with the identity score used for the Microsoft secure score, which means the recommendations will be the same.

The Azure AD Identity Secure Score provides a value of between 1% and 100%, representing how well your Azure AD tenancy is secured based on Microsoft’s best practices and recommendations.

You can also see actionable improvement insights on how your score can be improved and each improvement’s impact on the secure score.

The dashboard and a score history timeline show a comparison of your environment’s Azure AD tenancy to a tenancy of the same size and industry average.

Your environment’s Azure AD tenancy identity settings are compared with best practice recommendations once a day (approx 1:00 A.M. PST); changes made to an improvement action may not be reflected in the score for up to 48 hours.
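The CSV file downloaded in the review task can be triaged offline to decide which improvement actions to tackle first. The following Python is an added example, not code from the book; the column names mirror the fields the recipe lists for each action and are an assumption about the exported header, the rows are constructed sample data, and the percentage is assumed to be points earned divided by points available.

```python
import csv
import io

# Constructed sample export. The header is an assumption based on the fields
# the recipe lists (User Impact, Implementation Cost, Current Score, Max Score).
SAMPLE_CSV = """\
Name,User Impact,Implementation Cost,Current Score,Max Score
Require multifactor authentication for administrative roles,Low,Low,0,10
Enable policy to block legacy authentication,Moderate,Moderate,0,8
Do not expire passwords,Moderate,Low,8,8
Use least privileged administrative roles,Moderate,Low,0,1
Designate more than one global admin,Low,Low,0,1
"""

# Lower rank means less disruption or effort; unknown labels sort last.
LEVEL = {"low": 0, "moderate": 1, "high": 2}


def load_actions(csv_text):
    """Parse the export into dicts and compute the points still available."""
    actions = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        current = float(row["Current Score"])
        maximum = float(row["Max Score"])
        actions.append({
            "name": row["Name"].strip(),
            "user_impact": row["User Impact"].strip().lower(),
            "cost": row["Implementation Cost"].strip().lower(),
            "current": current,
            "max": maximum,
            "gap": max(maximum - current, 0.0),
        })
    return actions


def prioritise(actions):
    """Open actions, largest score gain first, then lowest impact and cost."""
    open_actions = [a for a in actions if a["gap"] > 0]
    return sorted(
        open_actions,
        key=lambda a: (
            -a["gap"],
            LEVEL.get(a["user_impact"], 3),
            LEVEL.get(a["cost"], 3),
            a["name"],
        ),
    )


def score_percent(actions, assume_completed=()):
    """Score as a percentage, optionally projecting completed actions."""
    done = set(assume_completed)
    total = sum(a["max"] for a in actions)
    if total == 0:
        return 0.0
    earned = sum(a["max"] if a["name"] in done else a["current"] for a in actions)
    return round(100 * earned / total, 2)


if __name__ == "__main__":
    actions = load_actions(SAMPLE_CSV)
    print("Current score: %.2f%%" % score_percent(actions))
    for action in prioritise(actions):
        projected = score_percent(actions, [action["name"]])
        print("+%g pts -> %.2f%%  %s" % (action["gap"], projected, action["name"]))
```

The projection is immediate, whereas the portal score can take up to 48 hours to reflect a completed action, as noted above.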

See also

Should you require further information, you can refer to the following Microsoft Learn articles:

  • What is the identity secure score in Azure Active Directory?: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score
  • Azure Active Directory fundamentals documentation: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals

Implementing Azure AD tenant Identity and Access Management

Account compromise is one of the biggest threat vectors to protect against, and those with privileged access roles will be the focus of attacks. There are often too many users assigned privileged accounts, with more access than is required for a user to carry out their role. There is often insufficient RBAC in place, and the principle of least privilege should be adopted for these privileged administrator roles.

While we need to limit the number of user accounts that have the Global Administrator role, there should also not be a single point of compromise for the Global Administrator role. Having more than one account with the Global Administrator role is important. It is crucial to have an emergency account in case of a breach or a Conditional Access lockout of an account assigned the Global Administrator role. Global Administrator role accounts can use a buddy system to monitor each other’s accounts for signs of a breach.