I have a corporate network with several services, each of which stores some settings (including connection strings, logins and passwords). I want to use one common service (or application with API) to securely store all settings in one place.
Are there any ready solutions (open source or paid) for this?
Related
I've got a rather unwieldy legacy intranet app that does a lot of file manipulations across multiple network shares (file reads, moves, deletes, creates directories, etc) and I want to set up a preproduction instance. Currently the app pool is running under a domain account that has been granted access to all these scattered directories. I'm wondering if running a second instance of the site (different server) using the same domain account would be an issue.
This doesn't seem to be an easy question to formulate in a way to get a useful answer out of google. Anyone have any experience doing this? I would rather not have to create more accounts and track down all the locations that would require added permissions if I don't have to.
The aim to set different application pool identity for different application pools is to restrict the limit for application pool. Independent application pool will isolation NTFS permission from accessing the files that the web app shouldn't reach. Just in case the server are under vulnerability attack.
Of course, if you are hosting your web apps in a isolated network environment, you could share your domain account for multiple application pools.
As Lex said, consult your network administrator would get more practical answer.
My company developed a business suite which is not a SaaS platform now. We're in beta mode now and will launch V2 within next 2 months. Currently we are creating instance for interested clients (free for a year) but getting questions that their data is secured. Now, my question is, since we are creating their instances on our Azure platform,is there a way to make sure that we won't be able to access their data anyway?
Thanks in advance!
Some of the security setup you can configure and present are -
Configure firewall rules to restrict access to db based on the originating IP address of each request. You can share the firewall settings that only specific Virtual Machines/Computers have access to the client's database.
Authentication to the database. We can remove any SQL authentication(username/password based) and configure only Azure Integrated security for the applications accessing the database. Best practice would be using service accounts to access the db. You can showcase this too.
I work in a small startup that is only hosted in Azure and I was wondering the best way to secure everything.
I use the below services
Web Apps (public facing)
Virtual machines - Running apps and services
Sql Sever
Service Bus
Storage Account.
The web apps and the Vms need to communicate with the other three services.
Below is what we are currently doing. Is this correct and if not can you provide any resources to work from?
Service bus - This is currently accessed using the connection string and is stored in the app settings of the web app and VM.
Storage Account - This is currently accessed using the connection string and is stored in the app settings of the web app and VM.
Sql server - This is currently using the firewall to Allow access to Azure Services plus restricting it to client machines that need to access the DB's through SSMS
VM - this is restricted using Network Security Groups to only allow client machines to RDP on.
I would appreciate any help that can be provided.
Edit
Things that i am worried about are:
Sql Server allow access to azure. I can turn this off but then the website will need to be added to the firewall and as i understand it the ip address is not static. Is it a security concern to leave this on?
Storage accounts, the connection string allows unlimited access to the account. You can lock this down with SAS to ip addresses but it has the same issues as the sqlsvr when connecting from the website. Also the SAS is time based how is it renewed?
Sql Server allow access to azure. I can turn this off but then the website will need to be added to the firewall and as i understand it the ip address is not static. Is it a security concern to leave this on?
By default, “Allow access to Azure services” is turned on, enabling this feature would allow any traffic from resources/services hosted in Azure to access the database.
Storage accounts, the connection string allows unlimited access to the account. You can lock this down with SAS to ip addresses but it has the same issues as the sqlsvr when connecting from the website. Also the SAS is time based how is it renewed?
A shared access signature can take one of two forms: Ad hoc SAS and SAS with stored access policy. We could re-specify the start time, expiry time, and permissions to get a new ad hoc SAS. When we associate a SAS with a stored access policy, the SAS inherits the constraints - the start time, expiry time, and permissions - defined for the stored access policy, we could modify the stored access policy to revoke the SAS or get a new SAS based on new stored access policy.
For more information about Shared Access Signatures (SAS), you could read this article.
Regarding access to the SQL server from your web apps:
They are using up to four outbound IP addresses when connecting to external services. You could limit the SQL server access to those.
Read this article to find them.
That won't completely close down foreign access to the SQL server, other people's web apps are using the same four outbound IP addresses.
We have created mutiple API Apps for our application. However these API Apps are connected to the internet so we need to protect them. We have chosen for an API Key, but we would like to have the API disconnected from the Internet, such that only our own applications can access them. Is there a way to disconnect them from internet access?
Each API App is automatically connected to the Internet and this can not be disabled. If you want to have an isolated environment you will have to create an App Service Environment. This will create an environment for with mutiple zone that can contain mutiple App Service Providers. It also create a virtual network that protect the resources in the ASE. You can configure the virtual network using access rules to only allow a certain IP address or none at all.
For more information about Azure Service Environment see: https://azure.microsoft.com/en-us/documentation/articles/app-service-app-service-environment-intro/
To who it may concern,
I am looking to move more of our applications that the company uses to azure. I have found that Remote App will allow people to us the apps I have allowed via the Remote App. The application which will be used is linked to a database which is on site, I am just worried about people being able to access this database as it will contain important data which cant be leaked. I am trying to work out what are some security precautions which could be taken to prevent the data from being viewed by the wrong people. I have seen app locker to stop applications on the virtual machine from being accessed. Any other security suggestions would be greatly appreciated.
You should be fine. Remote app is running remotely - meaning that theres no way of getting to the connection string (reverse engineering). Access to the app is also ensured by AAD login. The database should be protected as well with AD credentials. Also, adding a service tier that fronts the database would provide a facade.