Antivirus for Azure App Services - azure

If a malicious user tampers with a file placed in App Services and inserts a virus, is there a way to know that? For example, installing antivirus software on a virtual machine and keeping it in the same way.
http://stackoverflow.com/questions/38387004/antimalware-for-azure-app-services
I am looking at this URL for reference and I understand that using Tinfoil Security meets the requirements. However, Tinfoil Security cannot be used because the license I use is Japanese CSP.
https://www.microsoft.com/en-us/TrustCenter/Security/ThreatManagement
I also saw this URL, but my English skill is not adequate, so my understanding may be less than enough. Therefore, I need some details. Does the "Azure cloud service" in "Azure cloud service and virtual machine's Microsoft antimalware" include App Service? I thought that only the cloud service was covered. For example: https://azure.microsoft.com/en-us/services/cloud-services/
I am checking whether the file size and timestamp have been changed in the App Services WebJob, but please let me know if there are things that can be covered with the functions provided as a service of Microsoft.

Azure App Service uses the Anti-malware solution used by Azure Cloud Services and Virtual Machines.
This is mentioned here: App Service Security
This further points to the following article: Microsoft Antimalware for Azure Cloud Services and Virtual Machines
For extended scenarios Tinfoil was provided as an additional option. If that is not available to you, then using Azure Cloud Services (Web Roles) is more in line with your requirement.

Related

Can I have real-time threat protection on Azure App Services

I have an Azure App Service where I am running a Tomcat application. Is there a way, or is any built-in anti-malware option available? If not, how do I implement threat protection in this App Service?
Azure App Service uses the same Antimalware solution used by Azure Cloud Services and Virtual Machines but it is completely managed by our Engineering team on a regular basis.
Also, as a PaaS service we currently do not provide anti-malware scanning as a customer-facing service. The implementation of A/V on our service has gone through, and will continue to go through, changes as we tune it for its primary purpose. Its primary purpose is to protect the service itself (PaaS) from viruses.
If you have a custom requirement to provide anti-virus scanning, then IaaS VMs should be the choice as they have an installable extension for virus scanning and the choice of different A/V technologies.
You can check the documentation in the below link:
https://learn.microsoft.com/en-us/azure/security/azure-security-antimalware Screen shot of the information under Architecture section of the link.
https://learn.microsoft.com/en-us/azure/app-service/app-service-security-readme
For now, there is no native virus scanning / anti-malware feature on Websites. However, you could implement it with a third-party API like ClamAV or the extension in Azure App Service named Tinfoil Security.
There are two ways to integrate Tinfoil Security into your app and this is the introduction. First, you could refer to this doc. I tried this way; however, it showed "Failed to purchase". So maybe you could try another way. Under Development Tools in your App choose Extensions, click the Add button, then Choose Extension. On the list there is Tinfoil Security, that's what we need. I tried this way, and it could be integrated into my App.

Azure App Services Antimalware?

Having read
"The Microsoft Antimalware Client and Service is installed by default in a disabled state in all supported Azure guest operating system families in the Cloud Services platform.
...
When using Azure Websites, the underlying service that hosts the web app has Microsoft Antimalware enabled on it. This is used to protect Azure Websites infrastructure and does not run on customer content."
here: https://learn.microsoft.com/en-us/azure/security/azure-security-antimalware
it appears that although the underlying execution environment is scanned and protected, nothing prevents the deployment of infected files (contrary to the response given here: https://stackoverflow.com/a/44805995/8354791).
And therefore the service needs to be enabled.
It also appears this can only be done via PowerShell, using the Set-AzureServiceAntimalwareExtension command, as per https://stackoverflow.com/a/25847270/8354791 and Powershell: Add Diagnostics/Antimalware to Azure PaaS Cloud Service using ExtensionConfiguration Parameter
Q: the link is a bit old (2015). Is PowerShell still the only way to turn on debugging for an App Service?
Q: is the analysis of the above text correct that MS is scanning its own environment, but exclude the scanning of files deployed to their services?
Q: is there a cost to enabling this service?
Q: What is the relationship to Malware Assessment (https://learn.microsoft.com/en-us/azure/log-analytics/log-analytics-malware)? Is that a more current way of scanning Web Apps?
Q: this is a manual approach, using PowerShell. Is there a link to understanding how to enable this service using a CI/CD deployed ARM template?
Q: I see this service is mentioned as a solution for scanning deployed code files -- but can this service be used to scan Blobs where uploaded media would be stored?
I know I've asked a lot of questions...but hopefully you agree they are all tightly related...
Thanks immensely!
Azure App Service is a managed platform. Microsoft Antimalware Client and Service is enabled by default on App Service instances; there is no user action that allows enabling/disabling this feature for apps hosted in App Service.
All of the documentation you are referencing is about "Azure Cloud Services" and "Azure VM's" and not Azure App Service. Here is the security documentation for Azure App Service: https://learn.microsoft.com/en-us/azure/app-service/app-service-security-readme
Malware Assessment is part of the OMS suite and it's an additional tool for managing large deployments and detecting instances that might be affected by malicious code.

Azure Web Service Options that are "Legacy"

I am looking at possibly running some of our business on Azure.
I am trying to pick the services that would work best for my company, but I am getting mixed signals.
Because I am starting a new system, I want to pick the offerings that are not "legacy" (aka "current"). But there seems to be no straightforward way to know that.
For example, this page of the Microsoft Documentation says
Cloud Services is similar to Service Fabric in degree of control versus ease of use, but it’s now a legacy service and Service Fabric is recommended for new development.
This page clearly states that Cloud Services is "legacy". However, you would never know this by going to the Cloud Services overview page. It has great marketing material that sells Cloud Services as a great option. But if I picked it, then I would be starting out on a platform that is in a legacy status.
Now I know that about Cloud Services vs Service Fabric. But there are tons of offerings on Azure. I am trying to research them one by one to find out which ones are the most recent incarnation, but I feel like I am wasting my time.
Another example is storage. Lucky for me an Azure MVP answered my question on this one. Apparently, there are "older storage account" based disks and "managed" disks. Turns out managed disks are the new, easy way to do things. The storage account is harder. Still available, but not really what a new user should be picking. But again, this is very hard to find out unless someone who has been working with this stuff for a long time tells you.
I was about to start in on App Services and Web Apps, but I thought I would ask first to see if I am doing research that is already done and posted out there.
Is there somewhere that shows the current list of Azure services that you should look at if you are starting a new project?
I asked the similar question almost a year ago, and I even spoke with Azure Support Team after that. At that time, Microsoft did not officially state Cloud Service is legacy.
Does Azure App Service/Web App replace Azure Cloud Service?
We have been hosting our enterprise applications in Cloud Service since 2013, and a couple of them are in App Service. Here is my thought -
4 years ago we only had Cloud Service (Web Role and Worker Role), and App Service (formerly named Web App) was not fully ready for enterprise applications yet. Since App Service came out, Microsoft has heavily promoted App Service compared to Cloud Service. In addition, what I notice is that Cloud Service did not get new features like App Service.
Service Fabric is quite new, and it doesn't have all the bells and whistles like App Service, so we might have to wait a bit for enterprise applications.
The only advantage of Cloud Service is that you can remote desktop to a role instance after the application is deployed.
If I host a new application in Azure today, I'll definitely use App Service.
Microsoft has published a list of Azure reference architectures. It was last updated in November 2016. You can browse it here, and there is some guidance given. But for example, you mentioned using Service Fabric (which is a great way to go for a robust app that really needs to scale), but Service Fabric isn't mentioned in the aforementioned resource.
I spend a lot of time running down Azure resources in relation to web applications (not to be confused with App Service Web Apps), and I have not found a definitive source of the type of info you're looking for personally.

Web app onboarding to Azure Web Marketplace

We checked this documentation - https://blogs.msdn.microsoft.com/appserviceteam/2016/08/26/onboarding-to-azure-web-marketplace on how to onboard our web apps in the Azure marketplace and also the GitHub link - https://github.com/SunBuild/web-app-marketplace
We have contacted MSFT on how to host our application which has an API and WCF applications as sub-applications.
MSFT replied that sub applications are not currently supported through this onboarding model.
So, we are trying to onboard the three applications individually and link them in the Azure marketplace. We are not sure whether this will work or if this is possible.
In the sample applications in the GitHub link - https://github.com/SunBuild/web-app-marketplace, they have a hosting plan JSON file for the web app resource. Can we link the applications using this hosting plan JSON file?
We could not find any information or definition related to this hosting plan file - https://github.com/SunBuild/web-app-marketplace/blob/master/WebApp-SQLDatabase/DeploymentTemplates/Website_NewHostingPlan_SQL_NewDB-Default.json
Has anyone tried this before, or does anyone know how to do this?
sub applications are not currently supported through this onboarding model.
From the documentation, we know that if a web app needs the Virtual application setting to be configured, we will not be able to onboard the application.
we are trying to onboard the three applications individually and link them in the Azure marketplace. We are not sure whether this will work or if this is possible.
In my view, if you onboard these applications individually, it may not be possible to bundle multiple individual applications so that they link with each other. You could contact the Azure Marketplace support team.
We could not find any information or definition related to this hosting plan file - https://github.com/SunBuild/web-app-marketplace/blob/master/WebApp-SQLDatabase/DeploymentTemplates/Website_NewHostingPlan_SQL_NewDB-Default.json
In the link you posted, we could find that it is an Azure Resource Manager (ARM) template that is used to define resources you want to deploy. This article explained about the Azure Resource Manager template, please refer to it.

Regarding Kentico 9 site deployment on Azure

I want to deploy a Kentico 9 site on Azure and want to use a shared file system for my media content. Can you please suggest which Azure configuration (Azure Cloud Services or Azure Web Apps) I should refer to?
I'd highly recommend going with Web App over Cloud Services. Mainly because Web App is almost like running on a regular server where Cloud Services is quite a bit different and harder to work with in my opinion.
Check this article out regarding some issues with Kentico and Azure Blob storage as well as how to set up your storage provider to only store media files.
http://www.kehrendev.com/blog/brenden-kehren/may-2016/problems-with-azure-and-kentico
Could you describe what you mean by shared file system for my media content?
From my experience - it's (a little bit) easier to deploy (and maintain) Kentico to Azure Web Apps but they do not provide so many customizations - in my humble opinion - the biggest one is you are not able to connect via remote desktop (but this is supported by Azure Cloud Services).
Please note - if you are using Cloud Services you must use Azure Blob Storage - source - which could be in conflict with your requirements.
You can find more information about Web Apps vs Cloud Services vs Virtual Machines on the mentioned page.
TL;DR; - if you do not need customizations, remote desktop and startup tasks - go for WebApps. If not, try to specify more requirements.
You can also check the comparison of the technologies from Microsoft's point of view here.
It's not clear who you want to share the media with...
If you want to share the assets amongst more Kentico instances or with a 3rd party system, I'd probably use the Azure Blob Storage. Kentico comes with a dedicated file provider for this exact use out of the box. It's called CMS.AzureStorage.
Using the blob storage is not a limiting factor in terms of hosting your app. You can still use all available options: Web Apps, VM or Cloud Service. There are some technical implications, of course. But they're all described in the documentation.
I recommend checking the comparison matrix to find a hosting option that suits your needs best. Kentico recommends using App Service (Web Apps) for most projects as it's easiest to maintain. However, you can't use certain features like Kentico Windows services, for instance. Question is, do you really need them?
