I'm responding to Microsoft's Security Advisory ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression. The advice is to Disable SMBv3 compression.
I'm running an Azure Web App which does not use SMBv3 or access files from other servers. So I would like to Disable SMBv3 completely (not just SMBv3 compression).
How would I be able to do that from Azure Portal? Am I even allowed to do that?
All Azure Web Apps (as well as Mobile App/Services, WebJobs and Functions) run in a secure environment called a sandbox. Each app runs inside its own sandbox, isolating its execution from other instances on the same machine as well as providing an additional degree of security and privacy which would otherwise not be available.
On Azure WebApps, regardless of address, applications cannot connect to anywhere using ports 445, 137, 138, and 139. In other words, even if connecting to a non-private IP address or the address of a virtual network, connections to ports 445, 137, 138, and 139 are not permitted.
As far as Azure App service WebApps - Update, security & patching is concerned - App Service is a Platform-as-a-Service, which means that the OS and application stack are managed for you by Azure; you only manage your application and its data.
You may wish to know about how and when OS updates are applied:
Azure manages OS patching on two levels, the physical servers and the guest virtual machines (VMs) that run the App Service resources. Both are updated monthly, which aligns to the monthly Patch Tuesday schedule. These updates are applied automatically, in a way that guarantees the high-availability SLA of Azure services.
Additionally, just to highlight - when severe vulnerabilities require immediate patching, such as zero-day vulnerabilities, the high-priority updates are handled on a case-by-case basis. Stay current with critical security announcements in Azure by visiting the Azure Security Blog - https://azure.microsoft.com/blog/topics/security/
Kindly check out this document - https://azure.github.io/AppService/2018/01/18/Demystifying-the-magic-behind-App-Service-OS-updates.html - for more details on Azure App Service OS patching.
We recommend that you do not disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled.
Disable in Windows:
# SMBv2 and SMBv3 share one server-side switch: EnableSMB2Protocol turns both off (Set-SmbServerConfiguration has no EnableSMB3Protocol parameter)
Set-SmbServerConfiguration -EnableSMB2Protocol $false
For more details, you could refer to this article.
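As an added, read-only audit to go with the answer above (this is not the answerer's code), the following PowerShell reports the SMB-server state that ADV200005 is about on a Windows host you administer; it does not apply inside the App Service sandbox, where there is no OS access. It assumes an elevated PowerShell 5.1+ session on Windows 8 / Server 2012 or later; the registry value, affected builds and workaround command are taken from the advisory.

```powershell
# Added audit helper, not part of the original answer. Read-only: nothing is changed.
# Assumes an elevated PowerShell 5.1+ session on Windows 8 / Server 2012 or later.

function Get-Adv200005Status {
    $cfg = Get-SmbServerConfiguration

    # ADV200005 workaround: DisableCompression = 1 (DWORD) under LanmanServer\Parameters.
    # The advisory's own apply command (NOT run here) is:
    #   Set-ItemProperty -Path $paramsKey -Name DisableCompression -Type DWORD -Value 1 -Force
    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $disableCompression = (Get-ItemProperty -Path $paramsKey -Name DisableCompression `
                               -ErrorAction SilentlyContinue).DisableCompression

    # The advisory covered Windows 10 / Windows Server builds 18362 (1903) and 18363 (1909).
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $inScopeBuild = @(18362, 18363) -contains $build

    # Whether anything is actually listening on TCP 445 right now.
    $listening445 = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen `
                               -ErrorAction SilentlyContinue)

    # SMBv2 and SMBv3 are one switch on the server side: EnableSMB2Protocol governs both.
    $smb3On = $cfg.EnableSMB2Protocol

    # Exposure to the compression issue needs all three: in-scope build, SMBv3 on, no workaround.
    # ($null -ne 1 is $true, so an absent value counts as "not disabled".)
    $exposed = $inScopeBuild -and $smb3On -and ($disableCompression -ne 1)

    [pscustomobject]@{
        Build               = $build
        BuildInScope        = $inScopeBuild
        SMB1Enabled         = $cfg.EnableSMB1Protocol
        SMB2And3Enabled     = $smb3On
        CompressionDisabled = ($disableCompression -eq 1)
        ListeningOnTcp445   = $listening445
        Verdict             = $(if ($exposed) {
                                   'In-scope build with SMBv3 on and compression not disabled: apply the ADV200005 workaround or the security update'
                               } else {
                                   'No SMBv3 compression exposure indicated by these checks'
                               })
    }
}

Get-Adv200005Status | Format-List
```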
We need to expose one of our Azure VMs located in a VNet to Internet. We are using F5 ADC for all inbound traffic both to on-premise and to Azure.
What is the best practice to expose an Azure VM to Internet if you have zero-trust approach in mind?
Appreciate all kinds of advice
If you are planning to expose an Azure VM to the Internet with a Zero Trust strategy in mind, you should check:
Workloads are monitored and alerted on for abnormal behavior.
Every workload is assigned an app identity, and is configured and deployed consistently.
Human access to resources requires Just-In-Time access.
After the above items are completed, check next:
Unauthorized deployments are blocked, and an alert is triggered.
Granular visibility and access control are available across workloads.
User and resource access segmented for each workload.
https://learn.microsoft.com/en-us/security/zero-trust/infrastructure
https://learn.microsoft.com/en-us/security/zero-trust/
It depends what on the VM you want to expose to the Internet.
If it is a web site running on the VM, you could use a web application firewall: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview
If it is RDP access to the VM you could use Azure Bastion
https://azure.microsoft.com/en-us/services/azure-bastion/
My Cloud Service (hosted in US East) is pretty sluggish when used by customers who are not US based. I am looking for some quick wins that do not include deploying to multiple regions.
A quick Google search returned a document saying I could optimize network throughput for Azure virtual machines by using Accelerated Networking.
I would like to enable this option on my Cloud Service VMs, however I am not sure this is even possible as I do not really control the VMs, the network, or even the NICs.
Has anyone successfully enabled Accelerated Networking for their Cloud Service?
Yes it's possible.
Accelerated Networking (or Dynamic Network Acceleration) is essentially a CDN without the caching. It can be pointed at any web service, and it will provide the benefits of the Azure Network for all requests, not just requests suitable for caching.
Simply set the CDN origin to the Cloud Service's endpoint URL.
I have multiple App Services hosted on a single App Service plan (Basic Small), which is basically a fully managed VM with all its resources reserved for me. These are all ASP.NET apps.
As I have plenty of resources still available, I'm considering moving my WordPress applications to Azure (each to a new App Service within the same App Service plan).
WordPress, unfortunately, has a tendency to get infected every now and then. Also, the infection can spread to other websites if they are not properly isolated (an infected website may change files of the other websites).
So my question is:
If one of my WordPress websites gets infected, are other websites from different App Services, but on the same App Service plan, also in danger?
The answer to this greatly depends on how you trust Microsoft and their claims.
All Azure Web Apps (as well as Mobile App/Services, WebJobs and Functions) run in a secure environment called a sandbox. Each app runs inside its own sandbox, isolating its execution from other instances on the same machine as well as providing an additional degree of security and privacy which would otherwise not be available. The sandbox mechanism aims to ensure that each app running on a machine will have a minimum guaranteed level of service; furthermore, the runtime limits enforced by the sandbox protects apps from being adversely affected by other resource-intensive apps which may be running on the same machine.
So it should be secure.
https://github.com/projectkudu/kudu/wiki/Azure-Web-App-sandbox
What are the material differences between the new Azure Web Sites and the traditional Azure Web Roles for an ASP.NET MVC application? What reason would I choose a "web site" over a "web role" or vice versa?
Let's assume that I would need equal capacity in either case (e.g. 2 small instances). The prices seem comparable other than the fact that there is a 33% temporary discount for web sites while they are in their preview period.
Are there things that I can do with a "web site" that are difficult or impossible with a web role? For example, does it become easy to put multiple web sites in a single set of VMs using "web sites"? Do I lose anything with a "web site" vs a "web role"? Ability to fine tune IIS? Ability to use the Cache service locally?
Web Roles give you several features beyond Web Apps (formerly Web Sites):
Ability to run elevated startup scripts to install apps, modify registry settings, install performance counters, fine-tune IIS, etc.
Ability to split an app up into tiers (maybe Web Role for front end, Worker Role for backend processing) and scale independently
Ability to RDP into your VM for debugging purposes
Network isolation
Dedicated virtual IP address, which allows web role instances in a cloud service to access IP-restricted Virtual Machines
ACL-restricted endpoints (added in Azure SDK 2.3, April 2014)
Support for any TCP/UDP ports (Web Sites are restricted to TCP 80/443)
Web Apps have advantages over Web Roles though:
Near-instant deployment with deployment history / rollbacks
Visual Studio Online, GitHub, local Git, FTP, CodePlex, Dropbox, Bitbucket deployment support
Ability to roll out one of numerous CMSs and frameworks (like WordPress, Joomla, Django, MediaWiki, etc.)
Use of SQL Database or MySQL
Simple and fast to scale from free tier to shared tier to dedicated tier
Web Jobs
Backups of Web Site content
Built-in web-based debugging tools (simple cmd/powershell debug console, process explorer, diagnostic tools like log streaming, etc.)
With the April 2014 and September 2014 rollouts, there are now some features common to both Web Apps and Web Roles (and Worker Roles), including:
Staging+production slots
Wildcard DNS, SSL certificates
Visual Studio integration
Traffic Manager support
Virtual Network support
Here's a screengrab I took from the Web Sites gallery selection form:
I think Web Apps are a great way to get up and running quickly, where you can move from shared to reserved resources. Once you outgrow this, you can then move up to Web Roles and expand as you need.
EDIT 2014: For what it's worth, a lot of the info in this answer is no longer correct - see comments.
To add to David's response:
With Windows Azure Websites, you don't have control over IIS or the web server because you are using a resource slice along with hundreds of other websites on the same machine; you are sharing resources like everyone else, so there is no control over IIS.
The big difference between a shared website and an Azure web role is that a website is considered process bound while roles are VM bound.
Websites are stored on a content share which is accessible from all the "web servers" in the farm, so there is no replication or anything like that required.
Windows Azure websites cannot have their own host name; instead they must use websitename.azurewebsites.net only. You can use a CNAME setting at your DNS provider to route your requests exactly as with the previous Windows Azure Role, but only when they are running in reserved mode. The CNAME setting is not supported for shared websites.
I've just posted a comprehensive blog post on this very subject at http://robdmoore.id.au/blog/2012/06/09/windows-azure-web-sites-vs-web-roles/.
An excerpt from my conclusion: If you need enormous scale, SSL, Asian or West US data centres, a non-standard configuration (of IIS, ports, diagnostics, security certs or start up scripts), RDP or cost-effective Worker Roles (combined with your Web Role) then you are going to have to stick to Web Roles for now.
Otherwise, Web Sites is a great option!
Azure Web Role is like a virtual private host. You get a VM that acts as your web server, and you own that VM instance.
Azure Web Sites are like an elastic shared hosting service. You deploy your app to a web server that is not controlled by you and which also serves other users' sites. You can scale your site up and down (at some extra charge) to make it more elastic as your resource needs shift.
There is one more scenario that is up in the air: after these 500 exceptions are eliminated, they haven't said anything about the ability of Azure Websites to handle wildcard CNAMEs. Several of us are using Nate's Web Role Accelerator in Cloud Services, because a one-line hack provided wildcard subdomain capability in Nate's software. We can't move these wildcard subdomain apps until we know that Azure Websites will be able to handle them. If it won't ever be able to do that, then it goes down as a positive on the Web Role side of the equation. Also of note is that with pricing being exactly the same (after the preview discount expires), I'm not sure I want to give up my access to RDC and Event Viewer (just to mention two things).
Azure Web Sites enables you to build highly scalable web sites quickly on Azure. You can use the Azure Portal or the command-line tools to set up a web site with popular languages such as .NET, PHP, Node.js, and Python. Supported frameworks are already deployed and do not require more installation steps. The Azure Web Sites gallery contains many third-party applications, such as Drupal and WordPress as well as development frameworks such as Django and CakePHP. After creating a site, you can either migrate an existing web site or build a completely new web site. Web Sites eliminates the need to manage the physical hardware, and it also provides several scaling options. You can move from a shared multi-tenant model to a standard mode where dedicated machines service incoming traffic. Web Sites also enable you to integrate with other Azure services, such as SQL Database, Service Bus, and Storage. Using the Azure WebJobs SDK preview, you can add background processing. In summary, Azure Web Sites make it easier to focus on application development by supporting a wide range of languages, open source applications, and deployment methodologies (FTP, Git, Web Deploy, or TFS). If you don’t have specialized requirements that require Cloud Services or Virtual Machines, an Azure Web Site is most likely the best choice.
Cloud Services enable you to create highly-available, scalable web applications in a rich Platform as a Service (PaaS) environment. Unlike Web Sites, a cloud service is created first in a development environment, such as Visual Studio, before being deployed to Azure. Frameworks, such as PHP, require custom deployment steps or tasks that install the framework on role startup. The main advantage of Cloud Services is the ability to support more complex multitier architectures. A single cloud service could consist of a frontend web role and one or more worker roles. Each tier can be scaled independently. There is also an increased level of control over your web application infrastructure. For example, you can remote desktop onto the machines that are running the role instances. You can also script more advanced IIS and machine configuration changes that run at role startup, including tasks that require administrator control.
Virtual Machines enable you to run web applications on virtual machines in Azure. This capability is also known as Infrastructure as a Service (IaaS). Create new Windows Server or Linux machines through the portal, or upload an existing virtual machine image. Virtual Machines give you the most control over the operating system, configuration, and installed software and services. This is a good option for quickly migrating complex on-premises web applications to the cloud, because the machines can be moved as a whole. With Virtual Networks, you can also connect these virtual machines to on-premises corporate networks. As with Cloud Services, you have remote access to these machines and the ability to perform configuration changes at the administrative level. However, unlike Web Sites and Cloud Services, you must manage your virtual machine images and application architecture completely at the infrastructure level. One basic example is that you have to apply your own patches to the operating system.
See updated and comprehensive comparison from this link: http://azure.microsoft.com/en-us/documentation/articles/choose-web-site-cloud-service-vm/
Azure Websites, Web Workers and Virtual Machines are three different computing approaches available on Windows Azure. They differ in the level of control and responsibilities:
Azure Websites have the lowest level of control, but you don't need to care about keeping the virtual machine and IIS healthy, because Azure staff do this for you.
Web Roles give you more control (Traffic Manager, remote desktop), but more administration is possible on your side, which means that you can break something via remote desktop, for example.
Virtual Machines give you full control of the VM, so they require the most administration effort.
There is no one best choice, because it depends on what level of control you need, what features you need and what you want to leave to Azure staff to maintain. And it is a big topic.
Please look at these articles for more information to make a more informed choice:
http://www.windowsazure.com/en-us/documentation/articles/choose-web-site-cloud-service-vm/
http://davidpallmann.blogspot.com/2012/06/reintroducing-windows-azure-part-2.html
It boils down to a tradeoff between ease of use and capabilities.
Two more things I found were the cost of getting SSL for a custom domain site and multi-tenant configurations.
For a website you need to pay monthly on top of a standard instance (Small instance is the cheapest option). This means that in order to get custom domain HTTPS it would cost you ~70/month for a small instance plus ~41/month for SSL that supports all browsers.
For a WebRole you can get an XS instance and add your own SSL for free, which means ~$15 per month and you have a custom domain with SSL.
For multi-tenant websites check out
Multi-tenant Azure dynamic wildcard CName
A web role is a virtual machine that hosts multiple websites
This is a common question, and I would like to give out an excerpt from MSDN.
Web Site  Web Role  Feature
Yes       Yes       Access to services like Caching, Service Bus, Storage, SQL Azure Database
Yes       Yes       Support for ASP.NET, classic ASP, Node.js, PHP
Yes       No        Shared content and configuration
Yes       No        Deploy code with Git, FTP
Yes       No        Near-instant deployment
Yes       Yes       Integrated MySQL-as-a-service support
No        Yes       Multiple deployment environments (production and staging)
No        Yes       Network isolation
No        Yes       Remote desktop access to servers
No        Yes       Ability to run programs with elevated permissions
No        Yes       Ability to define/execute start-up tasks
No        Yes       Ability to use unsupported frameworks or libraries
No        Yes       Support for Windows Azure Connect / Windows Azure Network
To get more detail, visit this link: http://blogs.msdn.com/b/silverlining/archive/2012/06/27/windows-azure-websites-web-roles-and-vms-when-to-use-which.aspx