Security Best Practices for Windows Azure
Security is a very important aspect of computing and it should be at the top of everyone’s mind. When building environments with machines that are connected to the internet, security becomes job one. One must take deliberate steps to protect the machines running in the cloud. Below are some of the well-known threats and attacks that apply to all types of computer environments:
Password cracking. As soon as an attacker knows a valid administrator username and password combination they own your machine. If you use default account names, you are giving the attacker a head start. Then the attacker only has to crack the account’s password. The use of blank or weak passwords makes the attacker’s job even easier. The two main methods used to crack passwords are brute force and dictionary attacks.
Brute force attacks: An attacker guesses identity and/or credentials through the use of brute force.
These attacks use raw computer processing power to try different permutations of any variable that could expose a security hole. For example, if an attacker knew that access required an 8-character username and a 10-character password, the attacker could iterate through every possible permutation (256 multiplied by itself 18 times) in order to attempt to gain access to the machine. Scripts make this even easier, so no programming knowledge is required.
Dictionary attacks: An attacker guesses identity and/or credentials through the use of common terms in a dictionary designed for that purpose.
The Conficker.B worm used a dictionary of weak passwords in order to compromise machines. Use of a list of likely credentials (usernames, passwords, coding methods) makes gaining access relatively easy, especially when delivered by a script. This approach is more socially focused than the "brute force" attack method, which increases the likelihood of success in a shorter amount of time.
Spoofing. An attempt to gain access to a system by using a false identity. This can be accomplished by using stolen user credentials or a false IP address. After the attacker successfully gains access as a legitimate user or host, elevation of privileges or abuse using authorization can begin.
Credential theft. An attacker gains access to credentials through data theft; for instance, phishing or social engineering.
- Using weak passwords.
- Storing clear text credentials in configuration files.
- Passing clear text credentials over the network.
Network eavesdropping. An attacker steals identity and/or credentials off the network by reading network traffic not intended for them.
Virtual Machines
The following best practices for working with Windows Azure Virtual Machines protect against some of the threats and attacks mentioned above.
1) When setting a password, use a pass phrase to create a strong password:
Note: Complex-looking passwords like p@assword1 and password@1 are very easy for hackers to guess. You may find more examples of strong passwords that are easy to remember here
Update: In the interest of security, the portal does not allow a few common passwords. However, there may be some common passwords that it still allows, and we recommend that you avoid using any common password.
2) While creating a virtual machine, choose a random user name that is not a common one such as Administrator.
Note: 1) Choose a name that is easy for you to remember, e.g. Administrator-CompanyName, ADMSQLVM. Avoid using the common user names mentioned here
2) In the interest of security, the portal does not allow common names like Administrator while provisioning the VM.
3) Change the default public RDP port (if the public port is 3389) to an unused, non-standard port, or, if the VM is part of a Virtual Network with site-to-site connectivity to your on-premises environment, remove the endpoint completely and connect to the VM over the VPN.
Update: As of now, the portal generates a random port instead of assigning the default 3389 for Remote Desktop. We recommend not changing this public port to 3389.
4) Allow RDP connections only from specific IPs, so that only specific machines can connect over RDP. (If you do not have control over the IPs you are configuring here, you can lose connectivity to the VM. Please discuss this thoroughly with your network administrators before you attempt to configure it.)
Additionally, create a virtual network with an IP/subnet range and add that range to the whitelist here, so that if you lose connectivity from your on-premises environment for any reason, you can spin up a new VM as part of the virtual network and connect to the VM from within the virtual network.
For more details: Firewall Rule Properties Page: Scope Tab
5) Configure auditing events, monitor the failed logon attempts and block the IPs.
- Configure auditing for failed logon events like 4625 and 4648, and configure alerts or schedule tasks to run a batch file which will extract the IP from the event log entry and block it by adding a firewall rule.
- There seem to be many 3rd party tools available to block these IPs automatically. One I came across is RDPGuard. https://rdpguard.com/
Security and Protection in Windows Server 2008, R2
Security and Protection in Windows Server 2012
6) Don’t use the same password for all virtual machines, and change the passwords frequently.
7) Use established password management policies. Password policies are established to lessen the vulnerability to dictionary or brute-force attacks against authentication. These policies include:
- Require strong passwords. Strong password policies should encompass minimum password length, and use of alpha-numeric and special characters.
- Enforce requirements when using a passphrase. Passphrases should also have minimum requirements for number of characters, and potentially special characters too.
- Enforce password complexity requirement by requiring long passwords with a combination of upper case, lower case, numeric and special (for example punctuation) characters. This helps mitigate the threat posed by dictionary attacks.
- Enforce password expiration periods.
- Use account lockout policies for end-user accounts.
- Support administrative disabling of accounts.
- Maintain a password history, but do not store the actual password as described above.
- Be aware of using email to distribute passwords or as part of your password reset procedures. Instead of passing the user credentials in email, consider an alternate approach allowing users to use alternate means to identify themselves (such as secrets) in the UI and reset the password.
8) Run the Best Practices Analyzer and take appropriate action to fix the security issues reported by the tool.
9) Do NOT disable automatic updates, or otherwise ensure that VMs are up to date with patches.
10) Evaluate the most suitable antivirus / intrusion detection software available in the market for use in Windows Azure Virtual Machines.
Cloud Services
When setting up remote desktop for a cloud service in Windows Azure the same care must be taken to secure the machine.
1) When deploying in Visual Studio or with the PowerShell Enable-AzureServiceProjectRemoteDesktop command, choose a random user name that is easy for you to remember, e.g. ADMSQLVM. For the password, use a pass phrase to create a strong password.
2) Change your password frequently.
3) When not using the Remote Desktop Connection, you can disable it using the Disable-AzureServiceProjectRemoteDesktop command. This will substantially reduce your risk surface.
4) With Windows Azure diagnostics, you can monitor the event logs for failed logon events 4625, and 4648.
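The failed-logon monitoring described in step 5 under Virtual Machines, and the event 4625 monitoring in step 4 above, can be scripted as follows. This is an added example, not code from the original article; the threshold, look-back window, allow-list and rule-name prefix are assumptions, and only event 4625 is processed.

```powershell
# Added example (not from the original article). Threshold, window, allow-list
# and the rule-name prefix are assumptions; tune them for your environment.
param(
    [int]$Threshold = 10,          # failed logons from one IP before it is blocked
    [int]$WindowMinutes = 60,      # how far back to read the Security log
    [string[]]$AllowList = @(),    # IPs never to block (admin hosts, VNet addresses)
    [switch]$Apply                 # without -Apply the script only reports
)

$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Extract the IpAddress field from each event's XML payload.
$sources = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $ip  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    $parsed = $null
    # Drop '-', empty values and loopback; keep only well-formed addresses.
    if ($ip -and [System.Net.IPAddress]::TryParse($ip, [ref]$parsed) -and
        -not [System.Net.IPAddress]::IsLoopback($parsed)) {
        $parsed.ToString()
    }
}
if (-not $sources) { return }

# Count attempts per source and keep those over the threshold, minus the allow-list.
$offenders = $sources | Group-Object |
    Where-Object { $_.Count -ge $Threshold -and $AllowList -notcontains $_.Name }

foreach ($o in $offenders) {
    $rule = "AutoBlock-FailedLogon-$($o.Name)"
    # Skip addresses that already have a block rule from an earlier run.
    if (Get-NetFirewallRule -DisplayName $rule -ErrorAction SilentlyContinue) { continue }
    Write-Output ("{0} failed logons from {1} since {2}" -f $o.Count, $o.Name, $since)
    if ($Apply) {
        New-NetFirewallRule -DisplayName $rule -Direction Inbound -Action Block `
                            -RemoteAddress $o.Name | Out-Null
    }
}
```

Run it elevated from a scheduled task, and put your own administrative addresses in the allow-list so that a mistyped password cannot lock you out. New-NetFirewallRule requires Windows Server 2012 or later; on Windows Server 2008 R2 the equivalent rule is added with netsh advfirewall.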
I’ve obtained some of the content (especially related to attacks) of this article from J.D. Meier’s blog. He has posted a great blog related to cloud security that covers various security aspects. It has tons of great information that will help Windows Azure Virtual Machines users understand various security issues.
Many thanks to Corey Sanders, Flavio Muratore, Julian Gonzalez, Neil Carpenter, Steve Espinosa and William Bellamy for their review and valuable input.
Keywords: Security, Best Practices, IaaS, VM, Windows Azure Virtual Machines.
Comments
- Anonymous
June 23, 2013
I came across another great one - Anti DDoS guardian, which stops RDP brute force attacks with a built-in firewall. www.beethink.com/antiddos.htm