Best practices for securing Azure subscriptions: Difference between revisions

From PUBLIC-WIKI
Both revisions by Eyales (no edit summary)

Latest revision as of 16:35, 13 April 2020

Configure MFA (Multi-Factor Authentication) for any account with owner privileges

To protect against credential compromise, it is recommended to configure multi-factor authentication for any account with owner privileges.

  • Install the Microsoft Authenticator app on your mobile device, as instructed:
https://docs.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-end-user-manage-settings#add-or-change-your-phone-number
  • Log in to the Azure Portal:
https://portal.azure.com/
  • From the top right pane, click on your username
  • Click on View account
  • Under "Manage account", click on "Additional security verification"
  • Under "How would you like to respond", click on "Set up Authenticator app"
  • Follow the on-screen instructions, including using your mobile device to scan the QR code, and then select Next
  • You'll be asked to approve a notification through the Microsoft Authenticator app to verify your information
  • Select Save

Limit number of inbound ports

Allowing a large number of inbound ports to reach Azure resources increases the chance of a network breach. Limit inbound access to the required ports only, and only for specific resources or specific subnets.

  • Log in to the Azure Portal:
https://portal.azure.com
  • From the upper search pane, type "Network Security Groups"
  • From the main pane, select an existing Network Security Group
  • From the main pane, click on Inbound security rules
  • Review all inbound rules
Note: It is highly recommended that inbound access on SSH (port 22/TCP) or RDP (port 3389/TCP) be limited to specific IP addresses or IP ranges from known source locations.
  • Update the Network Security Group as needed
  • Save the Network Security Group
  • Log off the Azure portal
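The portal review above is manual. As an added example (not part of the original page), the script below performs the same check offline over the JSON that `az network nsg rule list -o json` produces: it reports inbound Allow rules whose source is the whole Internet (or a very wide IPv4 block) and whose destination ports include SSH (22) or RDP (3389). The field names are assumed from the Azure CLI output shape, and the sample rules are constructed for the example.

```python
"""Audit Azure NSG inbound rules for SSH/RDP exposed to public sources (added example)."""
import ipaddress
import json

# Management ports this page singles out.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}

# Source prefixes that Azure treats as "anywhere": the wildcard, the Internet service tag,
# and the all-zeros prefix.
ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "0.0.0.0"}


def source_is_public(prefixes):
    """True if any source prefix admits the whole Internet or a very wide IPv4 block (shorter than /8)."""
    for prefix in prefixes:
        if prefix.strip().lower() in ANY_SOURCE:
            return True
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # service tags such as "VirtualNetwork" are not public ranges
        if net.version == 4 and net.prefixlen < 8:
            return True
    return False


def expand_ports(ranges):
    """Expand port specs such as "22", "3389" or "1000-2000" into a set of ints; "*" means every port."""
    ports = set()
    for spec in ranges:
        spec = spec.strip()
        if spec == "*":
            return set(range(0, 65536))
        if "-" in spec:
            low, high = (int(x) for x in spec.split("-", 1))
            ports.update(range(low, high + 1))
        else:
            ports.add(int(spec))
    return ports


def _sources(rule):
    # az emits either the singular field or the plural list, not both populated (assumed shape)
    single = rule.get("sourceAddressPrefix")
    return [single] if single else (rule.get("sourceAddressPrefixes") or [])


def _ports(rule):
    single = rule.get("destinationPortRange")
    return [single] if single else (rule.get("destinationPortRanges") or [])


def audit_nsg_rules(rules):
    """Return inbound Allow rules that expose SSH or RDP to public sources."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if not source_is_public(_sources(rule)):
            continue
        exposed = sorted(p for p in expand_ports(_ports(rule)) if p in MANAGEMENT_PORTS)
        if exposed:
            findings.append({
                "rule": rule["name"],
                "priority": rule["priority"],
                "ports": [f"{p}/{MANAGEMENT_PORTS[p]}" for p in exposed],
            })
    return findings


# Constructed sample in the shape of 'az network nsg rule list -o json'; not real tenant data.
SAMPLE_RULES = json.loads("""[
  {"name": "allow-ssh-anywhere", "priority": 100, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
  {"name": "allow-rdp-office", "priority": 110, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "3389"},
  {"name": "allow-web", "priority": 120, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
  {"name": "allow-any-from-internet", "priority": 130, "direction": "Inbound", "access": "Allow",
   "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "*"},
  {"name": "allow-vnet-all", "priority": 140, "direction": "Inbound", "access": "Allow",
   "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
  {"name": "deny-all-out", "priority": 4000, "direction": "Outbound", "access": "Deny",
   "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]""")

if __name__ == "__main__":
    for finding in audit_nsg_rules(SAMPLE_RULES):
        print(f"[{finding['priority']}] {finding['rule']}: exposes {', '.join(finding['ports'])} publicly")
```

To run it against a real group, export the rules with `az network nsg rule list -g <resource-group> --nsg-name <nsg> -o json` and load that file instead of `SAMPLE_RULES`. The script does not model rule ordering: a Deny rule with a numerically lower priority would override a flagged Allow, so treat each finding as a candidate for the manual review the steps above describe rather than a confirmed exposure.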

SQL Server Access Restricted

Allowing unnecessary inbound access to an Azure SQL Server increases the chance of a network breach. Limit inbound access to your Azure SQL servers to the required sources only.

  • Log in to the Azure Portal:
https://portal.azure.com
  • From the upper search pane, type "Azure SQL"
  • For each SQL server:
  • Click on Firewall / Virtual Networks
  • Ensure that firewall rules exist and that no rule has a Start IP of 0.0.0.0 and an End IP of 0.0.0.0, or any other combination that allows access from wide public IP ranges
  • Configure the source CIDR/IP to the required subnet or required IP address
  • Log off the Azure portal
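The 0.0.0.0 to 0.0.0.0 rule mentioned above is what the portal's "Allow Azure services" switch creates, and it admits any Azure-hosted client from any tenant; other ranges can be just as broad without being obvious at a glance. As an added example (not part of the original page), the script below classifies each server-level firewall rule from `az sql server firewall-rule list -o json` and expresses flagged ranges as CIDR blocks so a reviewer sees what was actually opened. The field names are assumed from the Azure CLI output, the size threshold is an assumption for this example, and the sample rules are constructed.

```python
"""Audit Azure SQL server firewall rules for wide public ranges (added example)."""
import ipaddress
import json

# Ranges of this many addresses or more (a /16) are reported as "wide". The threshold is an
# assumption for this example; tune it to your own policy.
WIDE_RANGE_ADDRESSES = 65536


def range_size(start, end):
    """Number of IPv4 addresses in the inclusive range start..end."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"end address {end} precedes start address {start}")
    return int(last) - int(first) + 1


def classify_rule(rule):
    """Return a reason string if the rule is too permissive, else None."""
    start, end = rule["startIpAddress"], rule["endIpAddress"]
    if start == "0.0.0.0" and end == "0.0.0.0":
        # Created by the portal's "Allow Azure services" switch: any Azure-hosted client, any tenant.
        return "0.0.0.0-0.0.0.0 admits all Azure services from every tenant"
    if start == "0.0.0.0" and end == "255.255.255.255":
        return "admits the entire IPv4 Internet"
    size = range_size(start, end)
    if size >= WIDE_RANGE_ADDRESSES:
        return f"wide range of {size} addresses"
    return None


def audit_sql_firewall(rules):
    """Return findings for rules that admit wide public ranges.

    Input shape follows 'az sql server firewall-rule list -o json' (field names assumed).
    """
    findings = []
    for rule in rules:
        reason = classify_rule(rule)
        if reason is None:
            continue
        # Express the range as CIDR blocks so reviewers see exactly what was opened.
        cidrs = [str(n) for n in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(rule["startIpAddress"]),
            ipaddress.IPv4Address(rule["endIpAddress"]))]
        findings.append({"name": rule["name"], "reason": reason, "cidrs": cidrs})
    return findings


# Constructed sample in the shape of 'az sql server firewall-rule list -o json'; not real data.
SAMPLE_SQL_RULES = json.loads("""[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "everything", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
  {"name": "partner-range", "startIpAddress": "198.0.0.0", "endIpAddress": "198.255.255.255"},
  {"name": "build-agents", "startIpAddress": "192.0.2.0", "endIpAddress": "192.0.2.31"}
]""")

if __name__ == "__main__":
    for finding in audit_sql_firewall(SAMPLE_SQL_RULES):
        print(f"{finding['name']}: {finding['reason']} ({', '.join(finding['cidrs'])})")
```

Export real rules with `az sql server firewall-rule list -g <resource-group> -s <server> -o json`. Note that a single-address rule such as `office-egress` passes this check but still deserves the source review the steps above call for; the script only catches breadth, not whether a narrow source is actually trusted.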

Storage Blob Container Public Access

Allowing public access to storage blob containers increases the chance of a data breach. Make sure no storage blob container is publicly accessible.

  • Log in to the Azure Portal:
https://portal.azure.com
  • From the upper search pane, type "Storage accounts"
  • From the main pane, select a storage account from the list
  • For each storage account, go to Containers under BLOB SERVICE
  • For each container, click Access policy
  • Ensure that Public access level is set to Private (no anonymous access)
  • Log off the Azure portal
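Clicking through every container does not scale past a handful of accounts. As an added example (not part of the original page), the script below reports every container whose access level is not Private, explains what each level grants to anonymous callers, and takes the account-level `allowBlobPublicAccess` flag into account. The combined record shape (account flag from `az storage account show` plus containers from `az storage container list`) and the sample data are assumptions constructed for this example.

```python
"""Audit storage accounts for containers that allow anonymous access (added example)."""
import json

# What each container-level setting grants to unauthenticated callers.
LEVEL_MEANING = {
    "blob": "anonymous read of individual blobs by URL",
    "container": "anonymous read of blobs and listing of the container's contents",
}


def container_public_level(container):
    """Return 'blob', 'container' or None (Private) for one container record."""
    props = container.get("properties") or {}
    level = props.get("publicAccess")
    return level.lower() if isinstance(level, str) else None


def audit_public_containers(accounts):
    """Report every container whose access level is not Private.

    Each account record carries 'name', the account-level 'allowBlobPublicAccess' flag
    (True, False or None when unset) and a 'containers' list in the shape of
    'az storage container list -o json'. That combined shape is an assumption of this example.
    """
    findings = []
    for account in accounts:
        account_allows = account.get("allowBlobPublicAccess")
        for container in account.get("containers") or []:
            level = container_public_level(container)
            if level is None:
                continue  # Private (no anonymous access): nothing to report
            if account_allows is False:
                # The account-level switch blocks anonymous requests, but the container setting
                # would take effect again if that switch were ever flipped, so it is still reported.
                effective = "blocked at account level"
            else:
                effective = LEVEL_MEANING.get(level, f"unknown level {level!r}")
            findings.append({
                "account": account["name"],
                "container": container["name"],
                "level": level,
                "effective": effective,
            })
    return findings


# Constructed sample; account and container names are placeholders, not real resources.
SAMPLE_ACCOUNTS = json.loads("""[
  {"name": "stprodlogs", "allowBlobPublicAccess": null, "containers": [
    {"name": "logs", "properties": {"publicAccess": null}},
    {"name": "exports", "properties": {"publicAccess": "container"}}
  ]},
  {"name": "stwebassets", "allowBlobPublicAccess": false, "containers": [
    {"name": "static", "properties": {"publicAccess": "blob"}},
    {"name": "uploads", "properties": {"publicAccess": null}}
  ]}
]""")

if __name__ == "__main__":
    for finding in audit_public_containers(SAMPLE_ACCOUNTS):
        print(f"{finding['account']}/{finding['container']}: level={finding['level']} -> {finding['effective']}")
```

The CLI counterpart of the portal step "set Public access level to Private" is `az storage container set-permission --account-name <account> --name <container> --public-access off`; setting `allowBlobPublicAccess` to false on the account (`az storage account update --allow-blob-public-access false`) additionally blocks anonymous access even if a container is later misconfigured.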