Best practices for securing Azure subscriptions
Configure MFA (Multi-Factor Authentication) for any account with owner privileges
To reduce the risk posed by compromised credentials, it is recommended to configure multi-factor authentication for any account with Owner privileges.
- Install the Microsoft Authenticator app on your mobile device, as instructed:
- Log in to the Azure Portal:
- From the top right pane, click on your username
- Click on View account
- Under "Manage account", click on "Additional security verification"
- Under "How would you like to respond", click on "Set up Authenticator app"
- Follow the on-screen instructions, including using your mobile device to scan the QR code, and then select Next
- You'll be asked to approve a notification through the Microsoft Authenticator app, to verify your information.
- Select Save
Limit number of inbound ports
Allowing a large number of inbound ports to access Azure resources increases the chance of a network breach. Limit the number of inbound ports to the required ports only, and to specific resources or specific subnets.
- Log in to the Azure Portal:
- In the upper search pane, type "Network Security Groups"
- From the main pane, select an existing Network Security Group
- From the main pane, click on Inbound security rules
- Review all inbound rules
- Note: It is highly recommended that inbound access on SSH (port 22/TCP) or RDP (port 3389/TCP) be limited to a specific IP address or IP range from a known source location.
- Update the Network Security Group as needed
- Save the Network Security Group
- Log off the Azure portal
Restrict access to Azure SQL Server
Allowing unnecessary inbound access to Azure SQL Server increases the chance of a network breach. Limit inbound access to your Azure SQL servers to the required sources only.
- Log in to the Azure Portal:
- In the upper search pane, type "Azure SQL"
- For each SQL server:
- Click on Firewall / Virtual Networks
- Ensure that firewall rules exist and that no rule has a Start IP of 0.0.0.0 and an End IP of 0.0.0.0, or any other combination that allows access from wide public IP ranges
- Configure the source CIDR/IP to the required subnet or required IP address.
- Log off the Azure portal
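The two review steps above (inbound NSG rules exposing SSH/RDP, and SQL firewall rules with 0.0.0.0 or overly wide ranges) as an automated audit. This is an added example, not part of the original guide; it reads rule lists in the JSON shape emitted by `az network nsg rule list` and `az sql server firewall-rule list` (field names assumed from that output, sample data constructed inline), and the 256-address threshold for a "wide" SQL range is an assumption.

```python
import ipaddress

ADMIN_PORTS = {22, 3389}                       # SSH and RDP, as named in the guide
ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}    # NSG source prefixes meaning "anywhere"
MAX_SQL_RANGE = 256                            # assumed threshold: flag ranges wider than a /24

def _ports(rule):
    """Expand a rule's destination port(s) ("22", "20-25", "*") into a set of ints."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ports = set()
    for item in ranges:
        if item == "*":
            return set(range(65536))
        lo, _, hi = str(item).partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def risky_nsg_rules(rules):
    """Names of inbound Allow rules that expose SSH or RDP to any source."""
    return [r["name"] for r in rules
            if r.get("direction") == "Inbound" and r.get("access") == "Allow"
            and str(r.get("sourceAddressPrefix", "")).lower() in ANY_SOURCE
            and _ports(r) & ADMIN_PORTS]

def risky_sql_firewall_rules(rules):
    """Names of SQL firewall rules starting at 0.0.0.0 or spanning more than MAX_SQL_RANGE addresses."""
    flagged = []
    for r in rules:
        start = int(ipaddress.ip_address(r["startIpAddress"]))
        end = int(ipaddress.ip_address(r["endIpAddress"]))
        if start == 0 or end - start + 1 > MAX_SQL_RANGE:
            flagged.append(r["name"])
    return flagged

# Constructed sample data mimicking the CLI output shape (not real resources).
SAMPLE_NSG_RULES = [
    {"name": "allow-ssh-anywhere", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "allow-rdp-office", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "3389"},
    {"name": "allow-web", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
]
SAMPLE_SQL_RULES = [
    {"name": "allow-0-0-0-0", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
    {"name": "too-wide", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.255.255"},
]
if __name__ == "__main__":
    print("NSG findings:", risky_nsg_rules(SAMPLE_NSG_RULES))
    print("SQL findings:", risky_sql_firewall_rules(SAMPLE_SQL_RULES))
```

Feed it real exports with `az network nsg rule list -g <rg> --nsg-name <nsg> -o json` and `az sql server firewall-rule list -g <rg> -s <server> -o json` after loading the JSON into the two list arguments.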