Microsoft Azure Security Technologies (AZ-500): Host Security
1. Privileged Access Device Strategy
There are different levels of security that an enterprise can apply based on the business needs.
The Privileged Access Strategy emphasizes the importance of providing a secure workstation for sensitive users throughout the device's lifecycle, starting from device procurement.
This can be achieved using Windows AutoPilot, with one condition: the device must be purchased through an authorized OEM that supports AutoPilot. With AutoPilot, we can deploy a "business-ready" or "company-image" machine to the user through the cloud. [1]
2. Privileged Access Workstations (PAW)
A PAW is a hardened and locked-down workstation. Microsoft strongly recommends Windows 10 Enterprise for PAWs, as it includes several security features not available in other editions, such as Credential Guard and Device Guard.
3. Virtual Machine Templates
By using virtual machine templates, we can:
- Improve consistency
- Promote reuse
4. Remote Access Management
- If you do not want to expose RDP and SSH to the internet, use a bastion host.
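An added example, not part of the original notes: before putting a bastion host in front of your VMs it helps to know which network security groups currently allow RDP or SSH straight from the Internet. The script below uses the Az.Network module (assumes an active Connect-AzAccount session) and only reads configuration; the helper name Test-PortInRanges is my own.

```powershell
# Added example, not from the original notes: find NSG inbound rules that allow RDP (3389)
# or SSH (22) from the Internet. Assumes the Az.Network module and an active Connect-AzAccount
# session; the script only reads configuration and changes nothing.
$riskyPorts      = @('3389', '22')
$internetSources = @('*', 'Internet', '0.0.0.0/0')

# Returns $true if any port range in $Ranges ('*', '22', '3000-4000') covers $Port.
function Test-PortInRanges {
    param([string[]]$Ranges, [string]$Port)
    foreach ($range in $Ranges) {
        if ($range -eq '*' -or $range -eq $Port) { return $true }
        if ($range -match '^(\d+)-(\d+)$' -and
            [int]$Port -ge [int]$Matches[1] -and [int]$Port -le [int]$Matches[2]) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($nsg in Get-AzNetworkSecurityGroup) {
    foreach ($rule in $nsg.SecurityRules) {
        if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
        # SourceAddressPrefix and DestinationPortRange are lists in the Az model; @() normalises either shape.
        $sources = @($rule.SourceAddressPrefix) | Where-Object { $_ }
        if (-not ($sources | Where-Object { $_ -in $internetSources })) { continue }
        $ports = @($rule.DestinationPortRange) | Where-Object { $_ }
        foreach ($port in $riskyPorts) {
            if (Test-PortInRanges -Ranges $ports -Port $port) {
                [pscustomobject]@{
                    ResourceGroup = $nsg.ResourceGroupName
                    NSG           = $nsg.Name
                    Rule          = $rule.Name
                    Priority      = $rule.Priority
                    Port          = $port
                    Source        = ($sources -join ',')
                }
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object ResourceGroup, NSG, Priority | Format-Table -AutoSize
} else {
    Write-Output 'No NSG rule exposes RDP or SSH to the Internet.'
}
```

This is a per-rule check, not an effective-access evaluation: a flagged rule may be shadowed by a Deny rule with a lower priority number, and a VM with no public IP is not reachable even if its NSG allows the port. Treat each finding as something to review and move behind the bastion host, not as proof of exposure.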
5. Update Management
It is a service included as part of your Azure subscription.
With Update Management, you can see your update status across your environment and manage Windows Server and Linux server updates from a single location — for both your on-premises and Azure environments.
Update Management is available at no additional cost (you pay only for the log data that Azure Log Analytics stores).
To enable it, either:
- Navigate to the VM blade and enable Update Management for one or more of your VMs, or
- Enable Update Management for VMs directly from an Azure Automation account.
Computers managed by Update Management use the following configuration to deploy updates and collect logs:
- PowerShell Desired State Configuration (DSC) for Linux computers, and Windows Server Update Services (WSUS) for Windows computers, to apply updates.
- The Microsoft Monitoring Agent (MMA) for Windows or Linux, to collect logs.
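The "single location" that Update Management gives you is the Update table in the Log Analytics workspace the agent reports to. As an added example (not from the original notes), this query lists machines that still need critical or security updates. It assumes the Az.OperationalInsights module and an active Connect-AzAccount session; the workspace id is a placeholder you replace with your own.

```powershell
# Added example, not from the original notes: list machines that still need critical or
# security updates according to the Update table that Update Management writes to Log Analytics.
# Assumes Az.OperationalInsights and an active Connect-AzAccount session. The workspace id is a placeholder.
$workspaceId = '<your-log-analytics-workspace-id>'

# KQL: keep the latest record per computer/update, then count required updates still reported as "Needed".
$query = @'
Update
| where TimeGenerated > ago(1d)
| where Classification in ("Critical Updates", "Security Updates")
| where Optional == false
| summarize arg_max(TimeGenerated, UpdateState, Title) by Computer, OSType, UpdateID
| where UpdateState == "Needed"
| summarize MissingUpdates = count(), Sample = take_any(Title) by Computer, OSType
| order by MissingUpdates desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $query
$result.Results | Format-Table Computer, OSType, MissingUpdates, Sample -AutoSize
```

The arg_max step matters: the agent writes a row for every assessment, so without it a machine that was patched yesterday still shows up as needing the update it reported the day before.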
6. Disk Encryption
Azure Disk Encryption uses the BitLocker feature of Windows to encrypt the OS and data disks, and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.
If you use Azure Security Center, you'll be alerted if you have VMs that aren't encrypted. The alerts show as High Severity, and the recommendation is to encrypt these VMs.
Azure Disk Encryption is not available for all VMs. See the Azure documentation [2] for details.
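An added example, not from the original notes: rather than waiting for the Security Center alert, you can pull the encryption status of every VM yourself, and the second part shows what the Key Vault-backed enable call looks like. It assumes the Az.Compute and Az.KeyVault modules with an active Connect-AzAccount session; the function Enable-AdeForVm and the names in angle brackets are mine, not from the page.

```powershell
# Added example, not from the original notes: report VMs whose OS or data disks are not encrypted
# with Azure Disk Encryption (ADE), and show the Key Vault-backed enable call.
# Assumes Az.Compute and Az.KeyVault with an active Connect-AzAccount session; <...> values are placeholders.
$report = foreach ($vm in Get-AzVM) {
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name `
                                           -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ResourceGroup = $vm.ResourceGroupName
        VM            = $vm.Name
        OsVolume      = $status.OsVolumeEncrypted     # Encrypted / NotEncrypted / Unknown
        DataVolumes   = $status.DataVolumesEncrypted  # Encrypted / NotEncrypted / NotMounted / Unknown
    }
}

# Anything that is not positively encrypted is worth a look; NotMounted data volumes are fine.
$unencrypted = $report | Where-Object { $_.OsVolume -ne 'Encrypted' -or $_.DataVolumes -eq 'NotEncrypted' }
$unencrypted | Format-Table -AutoSize

# Enabling ADE on one VM with the key stored in a Key Vault. The vault must have been configured
# with -EnabledForDiskEncryption, and the extension reboots the VM, so run this in a maintenance window.
function Enable-AdeForVm {
    param([string]$ResourceGroupName, [string]$VMName, [string]$KeyVaultName)
    $kv = Get-AzKeyVault -VaultName $KeyVaultName
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
        -VolumeType All
}
# Example call (uncomment to run): Enable-AdeForVm -ResourceGroupName '<rg>' -VMName '<vm>' -KeyVaultName '<kv>'
```

Set-AzVMDiskEncryptionExtension asks for confirmation before it proceeds; that is deliberate, because the VM is restarted while the extension installs. Check the VM size and OS against the supported list in [2] first, since the status query will simply report Unknown or NotEncrypted for VMs that ADE does not support.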
7. Windows Defender
- Windows Defender Credential Guard [3]
Credential Guard uses virtualization-based security to protect secrets on Windows 10 Enterprise and Windows Server 2019 machines, so that only privileged system software can access them.
It does this by isolating the secrets in a virtualized environment provided by Hyper-V on the local system. For example:
i. The LSA on the device talks to a new component called the isolated LSA process.
ii. The isolated process is not accessible by the rest of the operating system; only the local LSA can talk to it.
iii. The isolated LSA process hosts only the small subset of operating system binaries it needs to function.
iv. Those binaries are signed with a certificate that is trusted by virtualization-based security.
- Windows Defender Application Control
Application Control restricts the applications that users can run and the code that runs in the system core, or kernel.
For example, Application Control policies can block unsigned scripts and MSIs, and force Windows PowerShell to run in Constrained Language mode.
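An added example, not from the original notes, covering both the Credential Guard and the Application Control sections above: on a Windows 10 Enterprise or Windows Server 2019 host, the Win32_DeviceGuard WMI class reports whether virtualization-based security is running, whether Credential Guard is among the running services, and whether a code integrity (WDAC) policy is enforced; the isolated LSA process described above is visible as LsaIso.exe. Run it from an elevated PowerShell session.

```powershell
# Added example, not from the original notes: check whether Credential Guard is running and
# whether a WDAC (code integrity) policy is enforced on this Windows host.
# Uses the Win32_DeviceGuard WMI class; run from an elevated PowerShell session.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
# SecurityServicesRunning contains 1 when Credential Guard is running and 2 when HVCI is running
# CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced
$vbsRunning   = $dg.VirtualizationBasedSecurityStatus -eq 2
$credGuard    = $dg.SecurityServicesRunning -contains 1
$hvci         = $dg.SecurityServicesRunning -contains 2
$wdacEnforced = $dg.CodeIntegrityPolicyEnforcementStatus -eq 2

# LsaIso.exe is the isolated LSA process that Credential Guard runs inside the VBS environment.
$lsaIso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue

[pscustomobject]@{
    VbsRunning             = $vbsRunning
    CredentialGuard        = $credGuard
    IsolatedLsaProcess     = [bool]$lsaIso
    HVCI                   = $hvci
    WdacEnforced           = $wdacEnforced
    # Reports ConstrainedLanguage when a WDAC policy applies to this PowerShell session.
    PowerShellLanguageMode = $ExecutionContext.SessionState.LanguageMode
} | Format-List
```

If CredentialGuard is $true but IsolatedLsaProcess is $false (or the reverse), the configuration and the running state disagree, which usually means a reboot is pending or the policy was changed without one; that mismatch is what makes the process check worth having next to the WMI flags.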
8. Security Center Recommendations
You have to enable Security Center on your subscription to get recommendations that help you gain visibility into the security posture of your Azure resources.
References
[1] Microsoft Windows Autopilot deployment scenarios — YouTube
[2] Enable Azure Disk Encryption for Windows VMs — Azure Virtual Machines | Microsoft Docs
[3] How to implement Windows Defender Credential Guard — Bjorn Peters