Best practices for securing Azure subscriptions: Difference between revisions

From PUBLIC-WIKI
(Created page with "== Configure MFA (Multi-Factor Authentication) for any account with owner privileges == In-order to avoid potential compromise of credentials, it is recommended to configure m...")
 
No edit summary

Revision as of 19:32, 13 April 2020

Configure MFA (Multi-Factor Authentication) for any account with owner privileges

In order to avoid potential compromise of credentials, it is recommended to configure multi-factor authentication for any account with owner privileges.

  • Install the Microsoft Authenticator app on your mobile device, as instructed:
https://docs.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-end-user-manage-settings#add-or-change-your-phone-number
  • Log in to the Azure Portal:
https://portal.azure.com/
  • From the top right pane, click on your username
  • Click on View account
  • Under "Manage account", click on "Additional security verification"
  • Under "How would you like to respond", click on "Set up Authenticator app"
  • Follow the on-screen instructions, including using your mobile device to scan the QR code, and then select Next
  • You'll be asked to approve a notification through the Microsoft Authenticator app, to verify your information.
  • Select Save

Limit number of inbound ports

Allowing a large number of inbound ports to access Azure resources increases the chance of a network breach. Limit the open inbound ports to those that are required, and restrict them to specific resources or specific subnets.

  • Log in to the Azure Portal:
https://portal.azure.com
  • From the upper search pane, type "Network Security Groups"
  • From the main pane, select an existing Network Security Group
  • From the main pane, click on Inbound security rules
  • Review all inbound rules
Note: It is highly recommended that inbound access on SSH (TCP port 22) or RDP (TCP port 3389) be limited to a specific IP address or IP range from a known source location.
  • Update the Network Security Group as needed
  • Save the Network Security Group
  • Log off the Azure portal

Restrict Azure SQL Server access

Allowing unnecessary inbound access to Azure SQL Server increases the chance of a network breach. Limit inbound access to your Azure SQL servers to the required sources only.

  • Log in to the Azure Portal:
https://portal.azure.com
  • From the upper search pane, type "Azure SQL"
  • For each SQL server:
  • Click on Firewall / Virtual Networks
  • Ensure that firewall rules exist, and that no rule has a Start IP of 0.0.0.0 and an End IP of 0.0.0.0, or any other combination that allows access from wide public IP ranges
  • Configure the source CIDR/IP to the required subnet or required IP address.
  • Log off the Azure portal
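The two checks above (NSG inbound rules and Azure SQL firewall rules) are portal walkthroughs; as an added example that is not part of the original wiki page, the Python script below audits exported rules for the same conditions so the review can be repeated across many servers. It assumes the field names of `az network nsg list` and `az sql server firewall-rule list` JSON output, embeds constructed sample data in that shape, and treats any SQL rule spanning more than 256 addresses as "wide" (that threshold is an assumption).

```python
import ipaddress
import json

# Constructed sample data shaped like `az network nsg list` / `az sql server firewall-rule list` (field names assumed).
NSG_EXPORT = json.loads('''[{"name": "web-nsg", "securityRules": [
  {"name": "allow-https", "direction": "Inbound", "access": "Allow",
   "destinationPortRange": "443", "sourceAddressPrefix": "Internet"},
  {"name": "allow-rdp-any", "direction": "Inbound", "access": "Allow",
   "destinationPortRange": "3389", "sourceAddressPrefix": "*"},
  {"name": "allow-ssh-office", "direction": "Inbound", "access": "Allow",
   "destinationPortRange": "22", "sourceAddressPrefix": "203.0.113.0/24"}]}]''')
SQL_FW_EXPORT = json.loads('''[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "everyone", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}]''')

ADMIN_PORTS = {22, 3389}                         # SSH and RDP, per the note above
ANY_SOURCES = {"*", "Internet", "0.0.0.0/0"}     # NSG source prefixes that mean "anyone"

def port_range_hits(port_range, wanted):
    """True if an NSG port range ("22", "3000-4000" or "*") covers any wanted port."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    lo, hi = int(lo), int(hi or lo)
    return any(lo <= p <= hi for p in wanted)

def risky_nsg_rules(nsgs, ports=ADMIN_PORTS):
    """Inbound Allow rules exposing an admin port to any source, as 'nsg/rule' names."""
    findings = []
    for nsg in nsgs:
        for rule in nsg["securityRules"]:
            if rule["direction"] != "Inbound" or rule["access"] != "Allow":
                continue
            ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
            sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
            if any(port_range_hits(r, ports) for r in ranges) and any(s in ANY_SOURCES for s in sources):
                findings.append(f"{nsg['name']}/{rule['name']}")
    return findings

def sql_rule_is_wide(start_ip, end_ip, max_hosts=256):
    """Flag the 0.0.0.0-0.0.0.0 rule and any span wider than max_hosts addresses (threshold assumed)."""
    start, end = ipaddress.IPv4Address(start_ip), ipaddress.IPv4Address(end_ip)
    if start == end == ipaddress.IPv4Address("0.0.0.0"):
        return True
    return int(end) - int(start) + 1 > max_hosts

def risky_sql_rules(rules, max_hosts=256):
    return [r["name"] for r in rules if sql_rule_is_wide(r["startIpAddress"], r["endIpAddress"], max_hosts)]
```

Feed it the JSON from the two CLI commands instead of the constructed samples to get the list of rules that need the manual follow-up described in the steps.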