The ‘How to’ to Azure Security, Part 2

Dharam C
10 min read · Jan 16, 2021

This is the second installment in a two-part series about Azure Security best practices. Be sure to read part one first; the two parts together make up the full article:

The ‘How to’ to Azure Security Part 1

5. Virtual Machines

a) Ensure that disks are encrypted

Encrypting an IaaS VM’s OS disk (boot volume), data disks (non-boot volumes) and unattached disks ensures that their entire content is unrecoverable without the key, which protects the volumes from unwarranted reads. Encryption at rest using a customer-managed key (CMK) is recommended, though it can also be done using a platform-managed key (PMK). By default, disks are not encrypted.

Azure Console:
1) Go to ‘Virtual machines’ and for each virtual machine, go to ‘Disks’.
2) Ensure that ‘Encryption’ is either set with CMK or PMK.

b) Ensure that only approved extensions are installed

Azure virtual machine extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. These extensions run with administrative privileges and could potentially access anything on a virtual machine. The Azure Portal and community provide several such extensions. Each organization should carefully evaluate these extensions and ensure that only those that are approved for use are implemented. By default, no extensions are added to the virtual machines.

Azure Console:
1) Go to ‘Virtual machines’ and for each virtual machine, go to ‘Extensions’.
2) Ensure that the listed extensions, if any, are approved for use.

c) Ensure that an NSG is assigned and only required ports are enabled

An Azure Network Security Group (NSG) filters network traffic to and from Azure resources in an Azure virtual network. An NSG acts as a firewall in which you create inbound and outbound security rules. Azure virtual machines (VMs) and VM scale sets must be assigned to an NSG so that access to a virtual machine is properly managed and controlled. Ensure that only the required ports are reachable on a virtual machine through the NSG.

Azure Console:
1) Go to ‘Virtual machines’ and for each virtual machine, go to ‘Networking’.
2) Ensure that an NSG is attached to the virtual machine and unnecessary ports are not allowed.

d) Ensure that the latest OS Patches for all Virtual Machines are applied

The Azure Security Center (ASC) retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on which service is configured on a Windows VM. The ASC also checks for the latest updates in Linux systems. If a VM is missing a system update, the ASC will recommend system updates be applied. By default, patches are not automatically deployed.

Azure Console:
1) Go to the ‘Security Center’ -> ‘Recommendations’.
2) Ensure that there are no recommendations for ‘Apply system updates’.

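The three portal checks above (disk encryption, approved extensions, NSG exposure) can be automated against the JSON that the Azure CLI prints. The script below is an added example written for this article, not code from the original post or from Microsoft: it reads constructed samples shaped like the output of `az disk list -o json`, `az vm extension list -o json` and `az network nsg rule list -o json` (the field names are assumptions to verify against your CLI version), and the extension allow list and Internet-facing port allow list are hypothetical organisation baselines.

```python
"""Compliance checks for the VM controls above: disk encryption, approved
extensions and NSG exposure. Inputs are constructed samples shaped like the
JSON the Azure CLI emits with -o json; field names are assumptions to verify."""
import json

# Constructed sample: shape of `az disk list -o json` (assumed field names).
DISKS_JSON = """[
  {"name": "web01-os", "diskState": "Attached",
   "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
  {"name": "web01-data", "diskState": "Attached",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey"}},
  {"name": "old-backup", "diskState": "Unattached", "encryption": {}}
]"""

# Constructed sample: shape of `az vm extension list --vm-name web01 -o json` (assumed).
EXTENSIONS_JSON = """[
  {"name": "MicrosoftMonitoringAgent", "publisher": "Microsoft.EnterpriseCloud.Monitoring"},
  {"name": "CustomScript", "publisher": "Microsoft.Azure.Extensions"}
]"""

# Constructed sample: shape of `az network nsg rule list --nsg-name web01-nsg -o json` (assumed).
NSG_RULES_JSON = """[
  {"name": "allow-https", "direction": "Inbound", "access": "Allow",
   "sourceAddressPrefix": "Internet", "destinationPortRange": "443",
   "destinationPortRanges": []},
  {"name": "allow-rdp-any", "direction": "Inbound", "access": "Allow",
   "sourceAddressPrefix": "*", "destinationPortRange": "3389",
   "destinationPortRanges": []},
  {"name": "allow-mgmt", "direction": "Inbound", "access": "Allow",
   "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "",
   "destinationPortRanges": ["22", "5985-5986"]}
]"""

ACCEPTED_ENCRYPTION = {
    "EncryptionAtRestWithPlatformKey",              # PMK
    "EncryptionAtRestWithCustomerKey",              # CMK
    "EncryptionAtRestWithPlatformAndCustomerKeys",  # double encryption
}
APPROVED_EXTENSIONS = {"MicrosoftMonitoringAgent"}  # hypothetical organisation allow list
ALLOWED_INTERNET_PORTS = {"443"}                     # hypothetical organisation allow list
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0", "/0"}   # source prefixes meaning "anyone"


def unencrypted_disks(disks):
    """Names of disks, attached or not, without an accepted encryption type."""
    return [d["name"] for d in disks
            if d.get("encryption", {}).get("type") not in ACCEPTED_ENCRYPTION]


def unapproved_extensions(extensions, approved=APPROVED_EXTENSIONS):
    """Extensions installed on the VM that are not on the organisation's allow list."""
    return [e["name"] for e in extensions if e["name"] not in approved]


def rule_ports(rule):
    """Normalise a rule's single port and port list into one set of strings."""
    ports = set(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ports.add(rule["destinationPortRange"])
    return ports


def exposed_inbound_rules(rules, allowed_ports=ALLOWED_INTERNET_PORTS):
    """Inbound Allow rules open to any source that expose ports outside the allow list."""
    findings = []
    for r in rules:
        if r.get("direction") != "Inbound" or r.get("access") != "Allow":
            continue
        if r.get("sourceAddressPrefix") not in ANY_SOURCE:
            continue  # restricted to a specific source; not Internet-exposed
        extra = sorted(rule_ports(r) - allowed_ports)
        if extra:
            findings.append((r["name"], extra))
    return findings


def assess_vm(disks_json=DISKS_JSON, extensions_json=EXTENSIONS_JSON,
              nsg_json=NSG_RULES_JSON):
    """Run all three checks; every value is a list that is empty when compliant."""
    return {
        "unencrypted_disks": unencrypted_disks(json.loads(disks_json)),
        "unapproved_extensions": unapproved_extensions(json.loads(extensions_json)),
        "exposed_rules": exposed_inbound_rules(json.loads(nsg_json)),
    }


if __name__ == "__main__":
    for check, result in assess_vm().items():
        print(f"{check}: {result or 'OK'}")
```

Run against the samples, the unattached `old-backup` disk, the `CustomScript` extension and the `allow-rdp-any` rule are reported; the `allow-mgmt` rule is not, because its source is a private prefix rather than the Internet. To use it for real, replace the three sample strings with the CLI output for each VM.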
6. Logging and Monitoring

a) Ensure that a Log Profile is set and configured

A log profile controls how an activity log is exported. By default, activity logs are retained only for 90 days. Log profiles should be defined so that logs can be exported and stored for a longer duration to analyze security activities within an Azure subscription. Ensure activity log retention is set for 365 days or more to have time to respond to any incidents. The log profile should be configured to export all activities from the control/management plane. Also, ensure that the storage account container containing the activity log export is not publicly accessible. By default, the log profile is not set.

Azure Console:
1) Go to ‘Activity log’ and ensure that a Log Profile is set.
2) Under ‘Diagnostic settings’, go to ‘Export activity log’ and configure the log settings.

b) Ensure that Activity Log alerts are configured

Enabling monitoring for the following events gives insight into changes made and may reduce the time it takes to detect unsolicited changes.

  • Create Policy Assignment
  • Create/Update/Delete NSG or NSG Rule
  • Create/Update/Delete Security Solution
  • Create/Update/Delete SQL Server Firewall Rule
  • Update Security Policy

By default, no monitoring alerts are created.

Azure Console:
1) Navigate to ‘Monitor’ then ‘Alerts’ and select ‘Manage alert rules’.
2) Ensure that monitoring on required events is enabled.
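Both logging checks above can be scripted from `az monitor log-profiles list -o json` and `az monitor activity-log alert list -o json`. The example below is added for this article and is not code from the original post or from Microsoft. It maps the five events in the list above to the resource-provider operation names that activity-log alert rules match on, checks the log profile's retention, categories and locations, and reports which events still lack an enabled alert. The JSON samples are constructed, the field names are assumptions to verify against your CLI version, and treating a disabled retention policy as "keep indefinitely" is likewise an assumption.

```python
"""Checks for the logging controls above: activity-log export retention and
alert coverage for the listed events. Samples are constructed; field names
follow the Azure CLI JSON output as understood here (assumptions)."""
import json

# Operation names behind the events listed above (assumed mapping).
REQUIRED_OPERATIONS = {
    "Create Policy Assignment": ["Microsoft.Authorization/policyAssignments/write"],
    "Create/Update/Delete NSG": ["Microsoft.Network/networkSecurityGroups/write",
                                 "Microsoft.Network/networkSecurityGroups/delete"],
    "Create/Update/Delete NSG Rule": [
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Network/networkSecurityGroups/securityRules/delete"],
    "Create/Update/Delete Security Solution": ["Microsoft.Security/securitySolutions/write",
                                               "Microsoft.Security/securitySolutions/delete"],
    "Create/Update/Delete SQL Server Firewall Rule": ["Microsoft.Sql/servers/firewallRules/write",
                                                      "Microsoft.Sql/servers/firewallRules/delete"],
    "Update Security Policy": ["Microsoft.Security/policies/write"],
}

# Constructed sample: shape of `az monitor log-profiles list -o json` (assumed).
LOG_PROFILES_JSON = """[
  {"name": "default", "categories": ["Write", "Delete", "Action"],
   "locations": ["global", "eastus"],
   "retentionPolicy": {"enabled": true, "days": 90},
   "storageAccountId": "/subscriptions/<subscription-id>/.../storageAccounts/auditlogs"}
]"""

# Constructed sample: shape of `az monitor activity-log alert list -o json` (assumed).
ALERTS_JSON = """[
  {"name": "nsg-changes", "enabled": true,
   "condition": {"allOf": [
     {"field": "category", "equals": "Administrative"},
     {"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]}},
  {"name": "policy-assignment", "enabled": false,
   "condition": {"allOf": [
     {"field": "category", "equals": "Administrative"},
     {"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]}}
]"""


def log_profile_findings(profiles, min_days=365):
    """Problems with the activity-log export; an empty list means compliant."""
    if not profiles:
        return ["no log profile configured"]
    findings = []
    for p in profiles:
        rp = p.get("retentionPolicy", {})
        # Assumption: a disabled retention policy keeps exported logs indefinitely.
        if rp.get("enabled") and rp.get("days", 0) < min_days:
            findings.append(f"{p['name']}: retention {rp.get('days')} days < {min_days}")
        missing = {"Write", "Delete", "Action"} - set(p.get("categories", []))
        if missing:
            findings.append(f"{p['name']}: categories not exported: {sorted(missing)}")
        if "global" not in p.get("locations", []):
            findings.append(f"{p['name']}: 'global' location not exported")
    return findings


def covered_operations(alerts):
    """Operation names that have at least one enabled activity-log alert rule."""
    covered = set()
    for a in alerts:
        if not a.get("enabled"):
            continue  # a disabled rule provides no coverage
        for cond in a.get("condition", {}).get("allOf", []):
            if cond.get("field") == "operationName":
                covered.add(cond.get("equals"))
    return covered


def alert_gaps(alerts, required=REQUIRED_OPERATIONS):
    """Events from the list above, with the operations that still lack an enabled alert."""
    covered = covered_operations(alerts)
    return {event: [op for op in ops if op not in covered]
            for event, ops in required.items()
            if any(op not in covered for op in ops)}


def assess_logging(profiles_json=LOG_PROFILES_JSON, alerts_json=ALERTS_JSON):
    return {"log_profile": log_profile_findings(json.loads(profiles_json)),
            "alert_gaps": alert_gaps(json.loads(alerts_json))}


if __name__ == "__main__":
    print(json.dumps(assess_logging(), indent=2))
```

With the samples, the profile is flagged for 90-day retention, and every event in the list is reported as a gap: the NSG event is only half covered (write but not delete) and the policy-assignment rule exists but is disabled, which is exactly the state the portal check is meant to catch.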

7. Key Vaults

a) Ensure that the expiration date is set on all Keys and Secrets

Ensure that keys and secrets are stored inside a Key Vault and not in source code. Azure Key Vault enables users to store and use keys, secrets and certificates within the Microsoft Azure environment, so controlling access to Key Vault is paramount. The expiration time attribute identifies the time on or after which the key must not be used for a cryptographic operation. It is recommended that keys be rotated in the key vault and that an explicit expiration time be set for all keys. By default, keys and secrets never expire.

Azure Console:
1) Go to ‘Key vaults’ and for each key vault, go to ‘Keys’ and ‘Secrets’ individually.
2) Ensure that the ‘Status’ is ‘Enabled’ and ‘Expiration Date’ is set as appropriate.

b) Ensure the key vault is recoverable

At the time of creating a Key Vault, it is recommended that the key vault be made recoverable by enabling the “Do Not Purge” and “Soft Delete” functions, as those cannot be changed afterwards. The key vault contains object keys, secrets, and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of the security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. Recoverability prevents the loss of encrypted data that could result from accidental deletion by a user or from disruptive activity by a malicious user.

c) Ensure that logging for Azure Key Vault is enabled

Monitoring how, when and by whom key vaults are accessed provides an audit trail of interactions with the confidential information, keys and certificates managed by Azure Key Vault. Enabling logging for Key Vault saves this information in an Azure storage account that the user provides. By default, logging is disabled.

Azure Console:
1) Go to ‘Key vaults’ and for each key vault, go to ‘Diagnostic Settings’ and click on ‘Add diagnostic setting’ or ‘Edit Settings’ if already present.
2) Ensure that ‘Archive to a storage account’ is checked.
3) Ensure that ‘AuditEvent’ is checked and the ‘Retention(days)’ is set to 180 days or as appropriate.
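The three Key Vault checks in this section (expiry on keys and secrets, soft delete plus purge protection, and AuditEvent diagnostics with 180-day retention) can be run as one script over the JSON from `az keyvault key list`, `az keyvault secret list`, `az keyvault show` and `az monitor diagnostic-settings list` (each with `-o json`). This is an added example for the article, not code from the original post or from Microsoft; the samples are constructed, the assessment date is a constructed constant, and the field names, the `value` wrapper on diagnostic settings, and the reading of a 0-day retention as "indefinite" are assumptions to verify against your CLI version.

```python
"""Checks for the Key Vault controls above: object expiry, recoverability and
audit logging. Inputs are constructed samples shaped like the Azure CLI JSON;
field names are assumptions to verify."""
import json
from datetime import datetime, timezone

# Constructed: the point in time the assessment is run at.
ASSESSMENT_TIME = datetime(2021, 6, 1, tzinfo=timezone.utc)

# Constructed sample: shape of `az keyvault key list --vault-name prod-kv -o json` (assumed).
KEYS_JSON = """[
  {"name": "tde-key", "attributes": {"enabled": true, "expires": "2021-12-31T00:00:00+00:00"}},
  {"name": "legacy-key", "attributes": {"enabled": true, "expires": null}},
  {"name": "retired-key", "attributes": {"enabled": false, "expires": null}}
]"""
# Constructed sample: shape of `az keyvault secret list --vault-name prod-kv -o json` (assumed).
SECRETS_JSON = """[
  {"name": "db-password", "attributes": {"enabled": true, "expires": "2021-03-01T00:00:00+00:00"}},
  {"name": "api-token", "attributes": {"enabled": true, "expires": null}}
]"""
# Constructed sample: shape of `az keyvault show --name prod-kv -o json` (assumed).
VAULT_JSON = """{"name": "prod-kv",
  "properties": {"enableSoftDelete": true, "enablePurgeProtection": null}}"""
# Constructed sample: shape of `az monitor diagnostic-settings list --resource <id> -o json`.
DIAG_JSON = """[
  {"name": "kv-audit",
   "storageAccountId": "/subscriptions/<subscription-id>/.../storageAccounts/auditlogs",
   "logs": [{"category": "AuditEvent", "enabled": true,
             "retentionPolicy": {"enabled": true, "days": 90}}]}
]"""


def expiry_findings(objects, now):
    """Enabled keys/secrets with no expiration date, plus those already past it."""
    findings = []
    for o in objects:
        attrs = o.get("attributes", {})
        if not attrs.get("enabled"):
            continue  # disabled objects cannot be used for operations
        exp = attrs.get("expires")
        if not exp:
            findings.append((o["name"], "no expiration date"))
        elif datetime.fromisoformat(exp) < now:
            findings.append((o["name"], "expired but still enabled"))
    return findings


def recoverability_findings(vault):
    """Soft delete and purge protection must both be on for the vault to be recoverable."""
    props = vault.get("properties", {})
    findings = []
    if not props.get("enableSoftDelete"):
        findings.append("soft delete not enabled")
    if not props.get("enablePurgeProtection"):
        findings.append("purge protection not enabled")
    return findings


def audit_logging_findings(settings, min_days=180):
    """Empty if some diagnostic setting archives AuditEvent to storage for >= min_days."""
    # Newer CLI versions return a bare list; older ones wrap it in {"value": [...]} (assumption).
    settings = settings.get("value", []) if isinstance(settings, dict) else settings
    for s in settings:
        if not s.get("storageAccountId"):
            continue  # not archived to a storage account
        for log in s.get("logs", []):
            if log.get("category") != "AuditEvent" or not log.get("enabled"):
                continue
            rp = log.get("retentionPolicy", {})
            days = rp.get("days", 0)
            # Assumption: a retention of 0 days means "keep indefinitely".
            if rp.get("enabled") and (days == 0 or days >= min_days):
                return []
    return [f"no diagnostic setting archives AuditEvent to storage for {min_days}+ days"]


def assess_keyvault(now=ASSESSMENT_TIME, keys_json=KEYS_JSON, secrets_json=SECRETS_JSON,
                    vault_json=VAULT_JSON, diag_json=DIAG_JSON):
    return {
        "keys": expiry_findings(json.loads(keys_json), now),
        "secrets": expiry_findings(json.loads(secrets_json), now),
        "recoverability": recoverability_findings(json.loads(vault_json)),
        "audit_logging": audit_logging_findings(json.loads(diag_json)),
    }


if __name__ == "__main__":
    print(json.dumps(assess_keyvault(), indent=2))
```

The expiry check deliberately reports an enabled-but-expired secret as well as one with no date at all: the first means a rotation was scheduled and missed, which is a different operational problem from never having set an expiry.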

8. Security Policy

a) Ensure that Standard pricing tier is selected

The Standard pricing tier enables threat detection for networks and virtual machines, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center (ASC). Enabling the Standard pricing tier allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC). Standard tier incurs costs, hence plan accordingly. By default, the ‘Free’ pricing tier is selected.

Azure Console:
1) Go to ‘Security Center’ -> ‘Pricing & Settings’.
2) Ensure ‘Standard’ is selected under the Pricing tier.

b) Ensure monitoring OS vulnerabilities and Endpoint Protection is enabled

When ‘Vulnerabilities in security configuration on your machines should be remediated’ is enabled, it analyzes operating system configurations daily to determine issues that could make the virtual machine vulnerable to attack. The policy also recommends configuration changes to address these vulnerabilities. Enabling ‘Monitor missing Endpoint Protection’ recommends endpoint protection be provisioned for all Windows virtual machines to help identify and remove viruses, spyware, and other malicious software. By default, these settings are set to AuditIfNotExists (not disabled).

Azure Console:
1) Go to ‘Security Center’ -> ‘Security policy’ and for each subscription go to ‘View Effective Policy’.
2) Expand ‘Compute And Apps’ and ensure these settings are not set to ‘Disabled’.

c) Ensure Network Security Groups protection and JIT Network access control is enabled

Network security groups (NSGs) need to be configured to control inbound and outbound traffic to VMs. Enabling ‘Internet-facing virtual machines should be protected with NSG’ checks for and reports all public-facing VMs that do not have an associated NSG. When ‘JIT (Just In Time) network access control’ is enabled, ASC locks down inbound traffic to the Azure VMs by creating an NSG rule; the user selects the ports on the VM where inbound traffic should be locked down. JIT virtual machine access therefore reduces exposure to attacks while still providing easy access to connect to VMs when needed. By default, these settings are set to AuditIfNotExists (not disabled).

Azure Console:
1) Go to ‘Security Center’ -> ‘Security policy’ and for each subscription go to ‘View Effective Policy’.
2) Expand ‘Network’ and ensure these settings are not set to ‘Disabled’.

d) Ensure monitoring SQL Auditing, SQL Encryption, and Disk encryption is enabled

Enabling ‘Monitor unaudited SQL servers’ monitors and audits access to SQL Servers; it recommends that access auditing be enabled on the Azure database for compliance, advanced threat detection and investigation purposes. When ‘Transparent Data Encryption on SQL databases’ is enabled, it recommends that encryption at rest be enabled for the Azure SQL Database, its associated backups and its transaction log files. When ‘Disk Encryption should be applied on VM’ is enabled, it enhances data protection at rest: in the event of a data breach, the data will not be readable. By default, these settings are set to AuditIfNotExists (not disabled).

Azure Console:
1) Go to ‘Security Center’ -> ‘Security policy’ and for each subscription go to ‘View Effective Policy’.
2) Expand ‘Data’ and ‘Compute and Apps’ accordingly to ensure these settings are not set to ‘Disabled’.

e) Ensure that Security contact email is set

Microsoft reaches out to the designated security contact if its security team finds that the organization’s resources have been compromised. This ensures that the proper people are aware of any potential compromise and can mitigate the risk in a timely fashion. By default, no security contact is set.

Azure Console:
1) Go to ‘Security Center’ -> ‘Pricing and Settings’ and for each subscription go to ‘Email notifications’.
2) Ensure that a valid security contact email address is set.
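The Security Center pricing tier and security contact checks (items a and e above) are simple enough to script from `az security pricing list -o json` and `az security contact list -o json`. The example below is added for this article and is not code from the original post or from Microsoft; the samples are constructed, and the output shapes (including the optional `value` wrapper on the pricing output and the `alertNotifications` field on contacts) are assumptions to verify against your CLI version.

```python
"""Checks for the Security Center settings above: Standard pricing tier per
resource type and a usable security contact. Samples are constructed and the
field names are assumptions to verify."""
import json

# Constructed sample: shape of `az security pricing list -o json` (assumed).
PRICING_JSON = """{"value": [
  {"name": "VirtualMachines", "pricingTier": "Standard"},
  {"name": "SqlServers", "pricingTier": "Free"},
  {"name": "AppServices", "pricingTier": "Free"},
  {"name": "StorageAccounts", "pricingTier": "Standard"}
]}"""

# Constructed sample: shape of `az security contact list -o json` (assumed).
CONTACTS_JSON = """[
  {"name": "default1", "email": "", "alertNotifications": "Off", "alertsToAdmins": "On"}
]"""


def free_tier_plans(pricing):
    """Resource types still on the Free tier, i.e. without threat detection."""
    # Some CLI versions wrap the list in {"value": [...]}; accept both (assumption).
    plans = pricing.get("value", []) if isinstance(pricing, dict) else pricing
    return [p["name"] for p in plans if p.get("pricingTier") != "Standard"]


def contact_findings(contacts):
    """A contact is only useful with a real address and alert notifications turned on."""
    findings = []
    if not any("@" in c.get("email", "") for c in contacts):
        findings.append("no security contact email set")
    for c in contacts:
        if c.get("alertNotifications") != "On":
            findings.append(f"{c['name']}: alert notifications off")
    return findings


def assess_security_center(pricing_json=PRICING_JSON, contacts_json=CONTACTS_JSON):
    return {"free_tier_plans": free_tier_plans(json.loads(pricing_json)),
            "contact": contact_findings(json.loads(contacts_json))}


if __name__ == "__main__":
    for check, result in assess_security_center().items():
        print(f"{check}: {result or 'OK'}")
```

Note that the pricing check reports each resource type separately: a subscription can have Standard enabled for VMs while SQL Servers and App Services remain on Free, which the single portal toggle can obscure.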

9. AppService

a) Ensure App Service Authentication is set on Azure App Service

Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a login page. To handle the login process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. By default, App Service Authentication is disabled.

Azure Console:
1) Go to ‘App Services’ and for each app go to ‘Authentication / Authorization’.
2) Ensure that ‘App Service Authentication’ is set to ‘On’.

b) Ensure web app redirects all HTTP traffic to HTTPS in Azure App

Azure Web Apps allows sites to run under both HTTP and HTTPS by default, so web apps can be reached by anyone over non-secure HTTP links. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic and not to allow any SSL/TLS version lower than TLS 1.2.

Azure Console:
1) Go to ‘App Services’ and for each app go to ‘TLS/SSL settings’.
2) Ensure that ‘HTTPS Only’ is set to ‘On’.

c) Ensure that the latest versions are used for the web app

For software used in a web app, such as the .NET Framework, PHP, Python, Java, HTTP and so on, ensure that it is up to date. Newer versions may contain security enhancements and additional functionality, so it is recommended to use the latest software version to take advantage of them. With each software installation, organizations need to determine whether a given update meets their requirements and verify the compatibility and support of any additional software against the update revision that is selected.

Azure Console:
1) Go to ‘App Services’ and for each app go to ‘Configuration’.
2) Under ‘General settings’, ensure that the software used is set to the latest available version.
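The three App Service checks above (authentication on, HTTPS only with TLS 1.2 or higher, and current runtime versions) can be evaluated from `az webapp show`, `az webapp auth show` and `az webapp config show` (each with `-o json`). This is an added example for the article, not code from the original post or from Microsoft: the JSON samples are constructed, the field names (`httpsOnly`, `enabled`, `unauthenticatedClientAction`, `minTlsVersion`, `phpVersion` and so on) are assumptions to verify against your CLI version, and the table of "current" runtime versions is a hypothetical organisation baseline, since what counts as latest changes over time.

```python
"""Checks for the App Service controls above: authentication, HTTPS/TLS and
runtime versions. Samples are constructed; field names are assumptions."""
import json

# Constructed sample: shape of `az webapp show -n shop-api -g rg -o json` (assumed).
WEBAPP_JSON = """{"name": "shop-api", "httpsOnly": false}"""
# Constructed sample: shape of `az webapp auth show -n shop-api -g rg -o json` (assumed).
AUTH_JSON = """{"enabled": false, "unauthenticatedClientAction": "AllowAnonymous"}"""
# Constructed sample: shape of `az webapp config show -n shop-api -g rg -o json` (assumed).
CONFIG_JSON = """{"minTlsVersion": "1.0", "netFrameworkVersion": "v4.0",
  "phpVersion": "7.3", "pythonVersion": "", "javaVersion": null, "linuxFxVersion": ""}"""

# Hypothetical baseline of the versions the organisation considers current.
CURRENT_VERSIONS = {"netFrameworkVersion": "v4.0", "phpVersion": "7.4", "pythonVersion": "3.8"}


def version_tuple(v):
    """'v4.0' -> (4, 0); '1.2' -> (1, 2). Comparable with tuple ordering."""
    return tuple(int(x) for x in v.lstrip("v").split(".") if x.isdigit())


def auth_findings(auth):
    """App Service Authentication must be on and must not wave anonymous requests through."""
    findings = []
    if not auth.get("enabled"):
        findings.append("App Service Authentication is off")
    elif auth.get("unauthenticatedClientAction") == "AllowAnonymous":
        findings.append("anonymous requests are allowed through")
    return findings


def transport_findings(webapp, config, min_tls=(1, 2)):
    """HTTPS Only must be on and the minimum TLS version at least 1.2."""
    findings = []
    if not webapp.get("httpsOnly"):
        findings.append("HTTPS Only is off")
    configured = config.get("minTlsVersion") or "1.0"
    if version_tuple(configured) < min_tls:
        findings.append(f"minimum TLS version {configured} < 1.2")
    return findings


def runtime_findings(config, current=CURRENT_VERSIONS):
    """Configured runtimes older than the baseline; an unset runtime is not in use."""
    findings = []
    for key, latest in current.items():
        configured = config.get(key)
        if configured and version_tuple(configured) < version_tuple(latest):
            findings.append(f"{key} {configured} < {latest}")
    return findings


def assess_webapp(webapp_json=WEBAPP_JSON, auth_json=AUTH_JSON, config_json=CONFIG_JSON):
    webapp, auth, config = (json.loads(s) for s in (webapp_json, auth_json, config_json))
    return {"auth": auth_findings(auth),
            "transport": transport_findings(webapp, config),
            "runtime": runtime_findings(config)}


if __name__ == "__main__":
    for check, result in assess_webapp().items():
        print(f"{check}: {result or 'OK'}")
```

The runtime check skips runtimes that are empty or null in the configuration, so an app that only runs PHP is not reported for an unset Python version; only stacks actually configured are compared against the baseline.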

Note that enabling some of the security settings mentioned above incurs extra cost, so plan your cloud budget accordingly. Certain security checks are not included in this article, either because of prioritization, lower importance, or because their default values are already secure.

Hope this 2-part series on Azure security, focusing on 9 critical areas, has helped you learn some security settings and where those can be found in the Azure portal.

Thank you for spending time reading this and Happy Learning!
