Is there a way to restrict Azure Data Factory to be only accessible through Azure bastion host? To elaborate, I want anyone reaching the ADF URL to go through a Browser running in an azure bastion host?
As per the current Azure Security Baseline for Data Factory documentation, it is suggested to use privileged access workstations: secured, isolated workstations are critical for the security of sensitive roles like administrators, developers, and critical service operators. Use highly secured user workstations and Azure Bastion for administrative tasks.
Use Azure AD, Microsoft Defender ATP, or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. You can centrally manage secured workstations to enforce a security configuration that includes:
Strong authentication
Software and hardware baselines
Restricted logical and network access
We have a couple of VMs in Azure, and want to use one of them as an RDS session host for user workstations. This requires us to buy CALs and setup the appropriate RDS services.
No problem there, but it also requires the VM to be joined to an Active Directory domain, which we don't have.
Azure offers AD Domain Services, but at USD$100 per month, it seems pricey, for not much return.
Since Active Directory is a standard Windows service, is there anything stopping us from simply installing this role on one of our existing VMs and running our own domain controller?
If not, why would anyone be paying monthly for Azure AD DS?
Any advantages to either approach? We're a small enterprise, and will not be using AD for managing resources, only for identity management.
How do I restrict remote AAD (Work/School) connected personal machines with Group Policy enforced from the AADDS VM?
This client's company is fully remote and is looking for a cloud group policy solution.
Is there anyway to use AADDS to accomplish this task?
Thanks,
To manage machines/computers with group policy, the machine should be joined to a domain (on-prem domain controller or Azure AD DS). Once the machine is joined to the domain you can apply group policies.
If you are looking to use an Azure AD DS managed instance, it gives the ability to join computers to a domain without any need to manage or deploy a domain controller. The users can sign in by using their existing corporate credentials.
If you want to manage group policy with an AD DS managed instance, you need to create an additional VM with a server OS and install the required server roles to perform additional operations.
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance
Or else you can use Azure AD registered devices. The goal of Azure AD registered devices is to provide your users with support for bring your own device (BYOD) or mobile device scenarios.
You can find more information here about device management in Azure AD.
I don't have on-premises users and computers; I have all my users and computers in Azure AD, and I have created an Azure virtual machine to manage my users through group policy, but when I applied a group policy it's not working with users. I have also applied the gpupdate /force command on the relevant computer.
Use Azure Active Directory Domain Services to join Azure virtual machines to a domain, without having to deploy domain controllers. Use Group Policy to more securely administer domain-joined virtual machines—a familiar way to apply and enforce security baselines on all of your Azure virtual machines.
Kindly check this link and see if it helps. If you have any further queries kindly let me know.
I work in a small startup that is only hosted in Azure and I was wondering the best way to secure everything.
I use the below services
Web Apps (public facing)
Virtual machines - Running apps and services
SQL Server
Service Bus
Storage Account
The web apps and the VMs need to communicate with the other three services.
Below is what we are currently doing. Is this correct and if not can you provide any resources to work from?
Service Bus - this is currently accessed using the connection string, which is stored in the app settings of the web app and VM.
Storage Account - this is currently accessed using the connection string, which is stored in the app settings of the web app and VM.
SQL Server - this is currently using the firewall to allow access to Azure services, plus restricting it to client machines that need to access the DBs through SSMS.
VM - this is restricted using Network Security Groups to only allow client machines to RDP on.
I would appreciate any help that can be provided.
Edit
Things that I am worried about are:
SQL Server allow access to Azure. I can turn this off, but then the website will need to be added to the firewall and, as I understand it, the IP address is not static. Is it a security concern to leave this on?
Storage accounts: the connection string allows unlimited access to the account. You can lock this down with SAS to IP addresses, but it has the same issues as the SQL Server when connecting from the website. Also, the SAS is time based; how is it renewed?
SQL Server allow access to Azure. I can turn this off, but then the website will need to be added to the firewall and, as I understand it, the IP address is not static. Is it a security concern to leave this on?
By default, “Allow access to Azure services” is turned on; enabling this feature allows any traffic from resources/services hosted in Azure to access the database.
Storage accounts: the connection string allows unlimited access to the account. You can lock this down with SAS to IP addresses, but it has the same issues as the SQL Server when connecting from the website. Also, the SAS is time based; how is it renewed?
A shared access signature can take one of two forms: ad hoc SAS and SAS with stored access policy. We could re-specify the start time, expiry time, and permissions to get a new ad hoc SAS. When we associate a SAS with a stored access policy, the SAS inherits the constraints - the start time, expiry time, and permissions - defined for the stored access policy. We could modify the stored access policy to revoke the SAS or get a new SAS based on a new stored access policy.
For more information about Shared Access Signatures (SAS), you could read this article.
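To make the renewal and revocation difference concrete, here is an added Python model (not from the original answer, and not Azure's real SAS signing algorithm; the string-to-sign and the account key are simplified, constructed stand-ins) of how a service checks an ad hoc SAS, whose constraints travel inside the signed token, against one bound to a stored access policy, whose constraints stay on the server and can be changed or removed at any time.

```python
import hmac
import hashlib
from datetime import datetime, timezone

# Constructed account key; a real one comes from the storage account.
ACCOUNT_KEY = b"constructed-account-key-not-real"

# Stored access policies live on the container, keyed by identifier.
STORED_POLICIES = {
    "webapp-read": {"permissions": "r", "expiry": "2030-01-01T00:00:00Z"},
}

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _sign(fields):
    # Simplified model: HMAC-SHA256 over the sorted fields (the real layout differs).
    msg = "\n".join(f"{k}={v}" for k, v in sorted(fields.items()))
    return hmac.new(ACCOUNT_KEY, msg.encode(), hashlib.sha256).hexdigest()

def make_adhoc_sas(resource, permissions, expiry):
    # Ad hoc: the constraints are inside the signed token itself.
    fields = {"sr": resource, "sp": permissions, "se": expiry}
    fields["sig"] = _sign(fields)
    return fields

def make_policy_sas(resource, policy_id):
    # Policy-bound: only the identifier is signed; constraints stay server-side.
    fields = {"sr": resource, "si": policy_id}
    fields["sig"] = _sign(fields)
    return fields

def revoke_policy(policy_id):
    # Deleting (or editing) the policy affects every SAS that references it.
    STORED_POLICIES.pop(policy_id, None)

def validate(sas, wanted_permission, now):
    fields = {k: v for k, v in sas.items() if k != "sig"}
    if not hmac.compare_digest(_sign(fields), sas["sig"]):
        return False  # tampered, or signed with another key
    if "si" in sas:
        policy = STORED_POLICIES.get(sas["si"])
        if policy is None:
            return False  # policy gone, so the SAS is revoked
        permissions, expiry = policy["permissions"], policy["expiry"]
    else:
        permissions, expiry = sas["sp"], sas["se"]
    return _parse(now) < _parse(expiry) and wanted_permission in permissions
```

The ad hoc token stays valid until it expires or the account key is rotated, while the policy-bound one dies the moment the policy is removed, which is why a stored access policy is the easier thing to renew and revoke.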
Regarding access to the SQL server from your web apps:
They are using up to four outbound IP addresses when connecting to external services. You could limit the SQL server access to those.
Read this article to find them.
That won't completely close down foreign access to the SQL server; other people's web apps are using the same four outbound IP addresses.
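As an added illustration of the two answers above (example code, not from the original posts), a Python audit over a constructed firewall-rule listing in the shape of `az sql server firewall-rule list` output; the rule names, addresses and the web app outbound IP list are constructed samples, and the audit assumes IPv4 rules. It flags the "Allow access to Azure services" setting, which shows up as the rule with start and end address 0.0.0.0, flags wide ranges, flags rules that match none of the expected outbound or admin IPs, and builds the tight one-address-per-rule set instead.

```python
import ipaddress

# Constructed sample in the shape returned by
# `az sql server firewall-rule list` (only the fields the audit needs).
SAMPLE_RULES = [
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "office-ssms", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
    {"name": "webapp-out", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.100.255"},
    {"name": "legacy", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
]

# Constructed stand-ins for the web app's outbound IP list and the admin workstations.
WEBAPP_OUTBOUND = ["198.51.100.7", "198.51.100.8"]
ADMIN_IPS = ["203.0.113.10"]

MAX_RANGE = 8  # flag any rule wider than this many addresses

def audit_rules(rules, expected_ips, max_range=MAX_RANGE):
    """Return (rule name, finding) pairs for rules that grant more than intended."""
    findings = []
    expected = {ipaddress.ip_address(ip) for ip in expected_ips}
    for r in rules:
        start = ipaddress.ip_address(r["startIpAddress"])
        end = ipaddress.ip_address(r["endIpAddress"])
        if start == end == ipaddress.ip_address("0.0.0.0"):
            findings.append((r["name"], "allow-azure-services: any Azure-hosted resource, not only yours"))
            continue
        size = int(end) - int(start) + 1
        if size > max_range:
            findings.append((r["name"], f"broad-range: {size} addresses"))
            continue
        if not any(start <= ip <= end for ip in expected):
            findings.append((r["name"], "unknown-source: matches no expected IP"))
    return findings

def rules_for_ips(prefix, ips):
    """Build one single-address rule per expected IP (the tightest form)."""
    return [{"name": f"{prefix}-{i}", "startIpAddress": ip, "endIpAddress": ip}
            for i, ip in enumerate(sorted(ips, key=ipaddress.ip_address))]
```

Re-run the audit whenever the web app is scaled or moved, since its outbound address list can change; a rule that suddenly matches no expected IP is the signal that the allowlist is stale.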
My client wants 2FA when accessing VMs in Azure. Is this possible at all? I was thinking about Azure Directory Domain Services, but couldn't find anything related.
You can make use of Azure Application Proxy to surface RDP functionality of Azure VMs to the internet. Application Proxy is protected by Azure Active Directory, and thus you can use two-factor authentication (if you have the premium SKU) to protect the initial login.
You can use a service such as Duo Security for Windows VMs.
For SSH 2FA to a Linux VM, you can use the Google Authenticator PAM module library.