This is a new Azure Security Lab series about how to secure your infrastructure with Microsoft Azure Security Center. The series consists of several labs, which I will share every Saturday (Singapore Time).
Let's start with the prerequisites and introduction.
To complete this workshop, the following will be required:
- A valid subscription to Azure. If you don’t currently have a subscription, consider setting up a free trial. If this workshop is being hosted by a Microsoft Cloud Solution Architect, Azure passes should be provided.
- Multiple browser windows will be required to log in as different users simultaneously.
- A mobile phone, used to respond to multi-factor authentication challenges.
Contoso have recently migrated several of their on-premises resources to Microsoft Azure. These resources include virtual machines (both Windows 2016 and Ubuntu Linux), virtual networks and storage accounts. Unfortunately, as this is the first migration carried out, Contoso are somewhat unfamiliar with Azure (and public cloud platforms in general) – as a result, they have failed to consider the security implications of the infrastructure.
The Contoso security team have requested your help to secure the infrastructure resources that they have migrated to Azure.
The environment deployed by Contoso is shown in figure 1.
Figure 1: Contoso Environment
The migrated Contoso environment has the following issues:
- The storage account / container used has open, public access.
- There is no access control in place for the virtual network / subnet.
- Virtual Machines are not encrypted.
- No Role-Based Access Control (RBAC) is in place to determine which users have access to which resources. Contoso would like users to be given only the minimum amount of access, including time-limited access.
- The Azure SQL Database has no firewall rules configured.