Azure security - Hardening of O/S builds, security standards? - azure

This is a question for Azure experts, in particular around the Windows VM's available in Azure.
Do they make any changes to the base build? Hardening and security standards? Or are they standard builds fresh out the box?
Any information on this would be greatly appreciated.

Yes. Public and up-to-date information about security measures like compliance, some technical details, etc., can be found on the Azure Trust Center.
However, I do not think that Microsoft reveals all of the internal implementation information, but a lot of work is done around isolation of the hypervisor, root OS and guest VMs. Also, there is the Azure Fabric Controller, which is the "brain" that secures and isolates customer deployments and manages the commands sent to the Host OS/Hypervisor, and the Host OS is a configuration-hardened version of Windows Server.
Some basic information can be found here:
https://technet.microsoft.com/en-us/cloud/gg663906.aspx
Azure Fabric Controller: https://azure.microsoft.com/en-us/documentation/videos/fabric-controller-internals-building-and-updating-high-availability-apps/
And I recommend following Mark Russinovich, Azure CTO, as his videos are among the most internal-details-revealing I have ever seen.

You might want to check out the CIS hardened images in the Azure Marketplace: https://www.cisecurity.org/cis-hardened-images-now-in-microsoft-azure-marketplace/
There you can choose between two levels of hardening, depending on your workload, and there are multiple Windows Server versions and even some Linux distributions. If you want to harden the VMs yourself, I would check out the Dev-Sec project on GitHub: https://github.com/dev-sec
There you can customize the hardening to your needs if you have an automation tool in place like Chef, Puppet, etc.

Related

Is it possible to move from Windows to Linux Azure App Service easily?

As I see it, I need to create a new Linux App Service,
recreate the domain, certificate bindings and deployment pipeline,
and then remove the old one.
Is there a simpler way to do this?
As Jim Xu mentioned, it is currently not possible to move the Web App from Windows-based to Linux. You may have to redeploy the app, leveraging the same code with slight modifications and configuration changes as per the requirement.
The cloning feature is not available at the time of this writing. Also, there is currently a limitation: you cannot create a Linux Web App in an App Service plan already hosting non-Linux Web Apps.
Copying the UserVoice post here for clarity and convenience:
"Unfortunately we can't provide this feature as there are too many internal dependencies for the underlying OS that would make this complex and potentially breaking for solutions. There definitely could be languages that might be supported but they would be an edge case."
We really appreciate your feedback/suggestion, so kindly up-vote the UserVoice post. All of the feedback you share there will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

Can I have real-time threat protection on Azure App Services?

I have an Azure App Service where I am running a Tomcat application. Is there a way, or any in-built anti-malware option available? If not, how do I implement threat protection in this App Service?
Azure App Service uses the same Antimalware solution used by Azure Cloud Services and Virtual Machines, but it is completely managed by our Engineering team on a regular basis.
Also, as a PaaS service we currently do not provide anti-malware scanning as a customer-facing service. The implementation of A/V on our service has gone through, and will continue to go through, changes as we tune it for its primary purpose. Its primary purpose is to protect the service itself (PaaS) from viruses.
If you have a custom requirement of providing anti-virus scanning, then IaaS VMs should be the choice, as they have an installable extension for virus scanning and the choice of different A/V technologies.
You can check the documentation in the link below:
https://learn.microsoft.com/en-us/azure/security/azure-security-antimalware
[Screenshot of the information under the Architecture section of the link]
https://learn.microsoft.com/en-us/azure/app-service/app-service-security-readme
For now, there is no native virus scanning / anti-malware feature on Websites. However, you could implement it with a third-party API like ClamAV, or with the extension in Azure App Service named Tinfoil Security.
There are two ways to integrate Tinfoil Security into your app, and this is the introduction. First, you could refer to this doc; I tried this way, however it showed "Failed to purchase", so maybe you could try the other way. Under Development Tools in your App choose Extensions, click the Add button, then Choose Extension; on the list there is Tinfoil Security, which is what we need. I tried this way, and it could be integrated into my App.

Can Terraform be used to provision on-premises servers?

I'm new to Terraform, but how do I, say, run it on a regular server? Is it possible? I am talking about a regular on-premises machine.
EDIT: Years later I come back to this question. Let me rephrase it:
Can Terraform be used to provision a datacenter server which is not on a hypervisor?
Terraform operates by calling into the APIs of various service providers and systems. Thus in principle Terraform can manage anything that has an API, and in practice it has existing support for a few different on-premises-capable systems, including:
OpenStack
VMWare vSphere
CloudStack
If the compute resources in your existing datacenter infrastructure are already managed with one of these systems, or if you are willing to install them, then Terraform can be used to manage at least parts of these systems. (For full details, see the documentation for each provider linked above.)
Terraform's plugin architecture allows support for other systems to be developed, so other API-driven datacenter management systems such as The Foreman could be supported by Terraform, and indeed third parties have developed integrations with others that are distributed outside of the "official set" that HashiCorp hosts.
By default, Terraform does not support bare metal provisioning services for on-prem equipment. However, the open-source project Digital Rebar Provision (DRP) has a Terraform Provider that allows the Terraform DSL to operate in conjunction with DRP. The Provider enables full support of bare metal provisioning by use of the Terraform DSL, which drives the API of DRP to enable provisioning of bare metal.
The Digital Rebar Provision Terraform Provider is written and supported by RackN. You will need to install the DRP service on-prem and configure it to enable provisioning workflows that are appropriate for your needs. Once this is done, the Terraform Provider then enables "ready state" infrastructure access to request Machines from the "terraform ready" pool of servers. The servers are then driven through the requested Workflow to configure them according to the operator's needs.
On "destroy", the machine is cleaned and returned back to the "terraform ready" pool of servers again. You can find "quickstart" information on getting DRP up and running by visiting the RackN hosted Portal.
As has been pointed out by Martin Atkins, Terraform drives other infrastructure or cloud resources via APIs. This is true also for Digital Rebar Provision. Terraform itself does not know how to interact with bare metal infrastructure. Use of a control or orchestration engine that understands how to address physical systems is required. In this solution, Terraform drives the Digital Rebar Provision service via the DSL, thus enabling provisioning activities of physical server systems on-prem.
For full disclosure: I work for RackN, which fosters and supports the Digital Rebar Provision service and capability.
There is an open-source Terraform Redfish Provider currently being developed by Dell EMC that allows for provisioning, deployment and update of x86 servers out-of-band (via a BMC such as, e.g., iDRAC) using standard Redfish REST APIs. For more details on Redfish, please refer to the DMTF Redfish specification here. At present it supports the following provider resources and data sources:
Resources:
resource_redfish_bios
resource_redfish_power
resource_redfish_storage_volume
resource_simple_update
resource_redfish_virtual_media
Data Sources:
data_source_redfish_bios
data_source_redfish_storage
data_source_redfish_virtual_media
data_source_redfish_firmware_inventory
The question is only vaguely understandable, but:
If it means that you want to write Infrastructure-as-Code for your personal on-premises servers, the answer is NO. Refer to Martin Atkins' answer.
If it means that you want to ssh into your on-premises servers and execute Terraform routines (plan, apply, destroy, etc.), the answer is YES.
Download the suitable binary for your server operating system from here.

Windows Azure website security level

I wonder what the security level is for Azure-hosted websites. Is it Medium/High or Full?
They run in Full Trust (source).
However, they use a Sandbox mechanism, and as a result some APIs are not available (e.g. Sockets using IPv6), or do not work as expected (for example, the Socket.Available property is unavailable, which restricts the use of some libraries such as NetFTP).
If you are considering using WA Websites for scenarios in which .NET Security might be a problem, I suggest you get in touch with Microsoft support to ensure that the specific features you may need are supported in this environment.

How do I configure Perfect Forward Secrecy in Windows Azure (OS, or Websites)

I want to move my website to Windows Azure, but need to make sure that I'm using PFS on all my instances and roles. (regular web roles and Websites as well)
How do I configure this so that each deployment is automatically configured this way?
This excellent article by André N. Klingsheim explains detailed options for hardening the SSL/TLS configuration on Windows Server and Windows Azure. This includes:
Disabling SSL
Enabling TLS
Changing Cipher Suite Priorities
The author additionally provides a NuGet package as well as related source code for handling these updates during Azure role startup.
If you want to enforce (perfect) forward secrecy rather than just enabling it, you will probably want to disable all cipher suites not supporting it. Looking at the relevant PowerShell script, all TLS_RSA_* suites need to be removed from $preferredCipherSuites. Note that this will drop compatibility with some (mostly legacy) browsers/clients.
Please also see this answer that contains several resources on cipher suite recommendations.
I believe that forcing PFS from the server side requires a registry change.
This can be achieved for Web Roles using a startup script as described here.
Given the need to change the registry, I don't think this is possible for Windows Azure Websites.
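Putting the two answers above together, here is an added example (not code from either answer, and not Klingsheim's NuGet package or script): a PowerShell snippet that filters a cipher suite priority list down to the ECDHE/DHE suites that provide forward secrecy and writes the result to the SChannel policy key behind the "SSL Cipher Suite Order" Group Policy setting. The starting `$preferredCipherSuites` array is constructed for the example, the function name is this example's own, and it assumes Windows Server 2012 R2 or later, an elevated session, and a reboot afterwards (SChannel reads the key at boot).

```powershell
# Added example: enforce forward secrecy by keeping only ECDHE/DHE cipher suites.
# Assumes an elevated PowerShell session on Windows Server 2012 R2 or later.

# Constructed starting list, in priority order; models the kind of array the
# answer calls $preferredCipherSuites. Suite names follow the Windows naming
# (pre-2016 builds append _P256/_P384 to ECDHE suites; the filter still matches).
$preferredCipherSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',   # static RSA key exchange: no forward secrecy
    'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
)

function Get-ForwardSecretSuites {
    # Hypothetical helper for this example. Forward secrecy needs an ephemeral
    # key exchange (ECDHE or DHE); TLS_RSA_*, TLS_PSK_* and similar are dropped.
    param([string[]] $Suites)
    $Suites | Where-Object { $_ -match '^TLS_(ECDHE|DHE)_' }
}

$fsSuites = @(Get-ForwardSecretSuites -Suites $preferredCipherSuites)
$dropped  = @($preferredCipherSuites | Where-Object { $fsSuites -notcontains $_ })

Write-Host ("Keeping {0} forward-secret suites, dropping {1}:" -f $fsSuites.Count, $dropped.Count)
$dropped | ForEach-Object { Write-Host "  - $_" }

# SChannel reads the ordered list from this policy key as a comma-separated
# REG_SZ named 'Functions' (the same value the Group Policy editor writes).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}
Set-ItemProperty -Path $policyKey -Name 'Functions' -Value ($fsSuites -join ',') -Type String

# Read back what was written so the change can be verified before rebooting.
(Get-ItemProperty -Path $policyKey -Name 'Functions').Functions -split ','
```

Two caveats when adapting this: the `Functions` value is limited to 1023 characters, so a long list is silently truncated and a suite near the end may never be offered; and on Server 2012 R2 and later the `Get-TlsCipherSuite` / `Disable-TlsCipherSuite` cmdlets offer a per-suite alternative to writing the key directly. As the answer notes, clients that only support static RSA key exchange will no longer be able to connect.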
