Securing MS Azure WebApp access at directory level? - azure

I have a MS Azure ASP.NET Core 2.x WebApp that uses standard Identity based authentication.
I would like to restrict access to the website to only a certain set of people.
I need the entire website to be hidden unless you pass some kind of authorization gate. The requirement, however, is that the gate should not interfere with the standard ASP.NET Core Identity authentication/authorization mechanisms.
Essentially, we have a website that needs testing by a distributed team, but we don't want the site to be visible to non-members.
TIA!

Your best bet is going to be using the network-level control that comes with an ILB App Service Environment. If that's too pricey, try the IP restrictions feature on the public app service.

Related

What are the possible solutions to host an internal website for a company using google cloud platform?

I developed an internal portal that is relevant to the engineering team. I restricted access to the portal by implementing Sign in With Google and as expected it is only accessible to our organization email-ids only. Now, I want to host the portal and we use Google Cloud Platform. I want to further restrict access to the portal within the organization.
What are the possible solutions to host the portal internally using Google Cloud Platform? If I host the portal and gave access to public, what could be the possible security implications?
If I understand well your concept, you are running a Web portal to authenticate your organization users to access your Frontend application, which retrieves information on a GCS bucket to be displayed on this Web page.
In this situation, the Identity-Aware Proxy (docs) that could fit your needs.
The IAP lets you manage access to applications running in the App Engine standard environment, App Engine flexible environment, Compute Engine, and GKE. IAP establishes a central authorization layer for applications accessed by HTTPS, so you can adopt an application-level access control model instead of using network-level firewalls or VPNs. When you turn on IAP, you must also use signed headers or the App Engine standard environment Users API to secure your app.
In this link you can see a quick example of how you can control access to your web apps and VMs in GCP using the IAP feature.

Is Azure WebApp automatically rate limited / DOS protected?

I'm building a service that allows to enter activation keys in a desktop application, which will then call a web service to check the key and return a license. This call does not require authorization.
The web application is running as Azure "App Service". I'm afraid someone will be trying to "guess" activation keys and slow down my service. (I'm not afraid they will be able to correctly guess, they are long enough).
Do Azure WebApps have some kind of automatic rate-limiting or DOS-protection, or do I need to configure/code this myself?
If I have to do it myself, can you point me into the right direction?
As far as I know, we could use Dynamic IP Restrictions in web app.
The Dynamic IP Restrictions Extension for IIS provides IT Professionals and Hosters a configurable module that helps mitigate or block Denial of Service Attacks or cracking of passwords through Brute-force by temporarily blocking Internet Protocol (IP) addresses of HTTP clients who follow a pattern that could be conducive to one of such attacks. This module can be configured such that the analysis and blocking could be done at the Web Server or the Web Site level.
About how to config this feature. We could remote connect to the azure web app IIS and set it.
About how to remote connect web app IIS, you could refer to this article.
More details, you could also refer to this blog.

How to provide security for website or web application rather than using https?

I published my web app into Azure web application but I want to provide the security for this application.
I know by using HTTPS we can provide security for web application. I read this link before posting question here.
Rather than using https, are there any other techniques for providing security to web site or web application?
As this document mentioned about the Security Level in Azure App Service:
Infrastructure and platform security - You trust Azure to have the services you need to actually run things securely in the cloud.
Application security - You need to design the app itself securely. This includes how you integrate with Azure Active Directory, how you manage certificates, and how you make sure that you can securely talk to different services.
For Infrastructure and platform security, Azure would isolate your App Service apps and communication of sensitive datas (e.g. sql connectionstring, appId, appSecret,etc.) are always encrypted. Also, App service would provide threat management protects App Service resources from malware, DDoS, MITM, and other threats.
For Application security, you need to develop, manage your application in a security way. The frequent threats would as follows:
SQL Injection
Session hijacking
Cross-site-scripting
Additionally, you could leverage integration with Tinfoil Security to perform penetration testing on your app and follow the instructions to fix possible vulnerability. For a better understanding of it, you could refer to this official tutorial about secure an app in Azure App Service.

Making azure hosted website part of company intranet (singe sign on)

We are considering deploying some of our intranet web applications to Azure. The web applications are built using ASP.NET MVC. Source code is available, it is fully under our control. All our company machines are Windows 7 or up, part of a windows domain, sitting behind proxy a server. Users are registered in AD. What authentication technology would you recommend for a secure and convenient login experience? We prefer to save the employees from creating, remembering, typing in yet another username/pwd. Single-Sign-On is wonderful for the users. Can we achieve something similar? Up to what extent do we have to compromise on the convenience?
Reasons to move to Azure: Azure does not have the bureaucratic deployment obstacles that our intranet has. Furthermore, deploying webapps to Azure is just soooo easy and wonderful.
Azure Active Directory extends on-premises AD into the cloud, enabling users to use their organizational account to not only sign in to their domain-joined devices and company resources, but also all of the web and SaaS applications
(office 365) needed for their job.
Federated Single Sign-On for applications that support SAML 2.0, WS-Federation, openID connect.
Password based for apps with a html sign on page and Existing SSO using ADFS.

Does Azure API Management include WAF functionality?

I'm trying to understand whether the Azure API Management suite includes any WAF functionality (as described by OWASP for example) within its Security or Policy settings.
If "no" or "don't" know does it make sense to front public-facing APIs (that handle PII), exposed via the Azure API Management with a Web Application Firewall (WAF), or anywhere else in the Cloud -> APIM -> VPN -> Firewall -> On-Premise services topology?
Thanks in advance
Based on this list of WAF capabilities, API Management can do some of these things out of the box, many could be implemented using custom policies and some of these things cannot be done. Policies can manipulate HTTP requests and responses. However they cannot function at a level lower than this.
There is no built-in functions to try and prevent injection attacks, but it is possible to build them. It is also a reasonable option to deploy a dedicated WAF between API Management gateway and your APIs.
You can make your API Management Service private inside a subnet and put App Gateway with WAF in front of it. The tricky part is that this is available only in the Premium plan for API Management.
However, since ultimately you want to protect your application not the APIMS from attacks like SQL injection, you can put AppGateway+WAF between APIMS and your application. At the same time AppGateway will be your Load Balancer.
SSL and end-to-end encryption will need some attention.
Its best to have a separate WAF module on top of your APIMS.
APIMS <-> WAF <-> LB
API abusing is trending these days .I think WAF protection inbuilt to many cloud providers are basically in its infantry stage . Better to use some dedicated WAF modules

Resources