In a previous blog, I discussed securing AWS management configurations by combating six common threats with a focus on using both the Center for Internet Security (CIS) Amazon Web Services Foundations benchmark policy along with general security best practices.

Now I’d like to do the same thing for Microsoft Azure. I had the privilege of being involved in the development of the CIS Microsoft Foundations Benchmark, which was published in early 2018.  During that process, I learned a great deal about the security aspects of Azure. Many of the same cloud security fundamentals we discussed previously also apply to other cloud environments, so we’re going to use that best practice cloud security knowledge we learned in the last blog and apply it to Microsoft Azure.

1. Identity Management with Azure Active Directory

Like before, it’s crucial that multi-factor authentication is being used wherever possible in order to combat attacks from phishing and lost or compromised credentials. At a minimum, any Azure Active Directory user with an administrative role or the ability to create and alter resources should have multi-factor authentication enabled.  Enable password policy settings to ensure complex passwords.

It’s easy to lose track of which permissions exist within custom roles. Audit any custom role definitions to ensure that none contain unnecessary administrative permissions that could be instead assigned via default roles.

Ensure that no unneeded guest users are created in the Azure Active Directory. For any that are necessary, ensure that the user setting for limiting guest permissions is set as well as the setting to not allow guests to invite additional users.

If you are using Active Directory Federation Services in order to allow a user to sign into Azure-AD based services with their on-premises password, it is critical that you are also auditing your on-premises Active Directory (Read more...)