Windows Azure website security level - security

I wonder what is the security level for azure hosted websites. Is it Medium/High or Full?

They run in Full Trust (source).
However, they use a Sandbox mechanism, and as a result some APIs are not available (e.g. Sockets using IPv6), or do not work as expected (for example, the Socket.Available property is unavailable, which restricts the use of some libraries such as NetFTP).
If you are considering using WA Websites for scenarios in which .NET Security might be a problem, I suggest you to get in touch with Microsoft support to ensure that the specific features you may need are supported on this environment.

Related

Azure security - Hardening of O/S builds, security standards?

This is a question for Azure experts, in particular around the Windows VM's available in Azure.
Do they make any changes to the base build? Hardening and security standards? Or are they standard builds fresh out the box?
Any information on this would be greatly appreciated.
yes. Public and up-to-date information about security measures like compliance, some technical details, etc, can be found on the Azure Trust Center.
However, i do not think that Microsoft reveals all of the internal implementation information, but a lot of work is doing around isolation of hypervisor, root os, guest vms. Also, there is the Azure Fabric Controller is the "brain" that secures and isolates customer deployments and manage the commands sent to Host OS/Hypervisor, and the Host OS is a configuration-hardened version of Windows Server.
Some basic information can be found here:
https://technet.microsoft.com/en-us/cloud/gg663906.aspx
Azure Fabric Controller: https://azure.microsoft.com/en-us/documentation/videos/fabric-controller-internals-building-and-updating-high-availability-apps/
And i recommend to follow Mark Russinovich, Azure CTO, as his video are one of the most internal-details-revealing i ever saw.
You might wanna check out the CIS hardened Images in the Azure Marketplace: https://www.cisecurity.org/cis-hardened-images-now-in-microsoft-azure-marketplace/
Ther you can choose between two levels of hardening, depending on your workload as well as there multiple Windows Server versiosn and even some Linuxs distrubutions. If you want to harden the VMs yourself, I would check out the Dev-Sec Project on github: https://github.com/dev-sec
There you can customize the hardening to your needs if you have an automation tool in place like chef, puppet etc.

rabbitmq-management plugin HTTP API - Security concerns

I want to enable RabbitMQ Management plugin on my production environment, but I'm not sure about the security concerns this might bring.
I already have a few applications connected to the RMQ, and hence can't change the credentials now (I'm using default).
Could anyone shed some light on this? I want to know what all things I might need to worry about and what I could do to minimise vulnerabilities.
Thanks!
Management Plugin use credentials, which is enough for most cases unless you want it to be accessible from outside. At this case iptables is your friend. In addition you can proxy HTTP api and management interface via nginx (or apache) and use additional security layer like basic auth.
If you are a bit paranoid (like me) you can combine all 3 methods to have more protection (and have non-trivial access to your management interface from non-usual locations like free wifi zone in airport when flow control get applied ont your server, but this is quite unusual situation).
UPD:
Note: if your application is badly-designed and mix routine job with management job under same account you may get into some troubles. I suggest you management plugin Permission section for further reading.
Usually, separate account for application and management job, as well as disabling default guest account (for outside only or in general) is the best choice from security point of view.
If you are forced to use default guest account you can disable management plugin for it and create separate account for administration only. In fact in recent RabbitMQ version it is disabled for accessing from outside.
To do this, firs create administration user (account with administrator tag), make sure it works and then update guest use by removing all tags it has (actually, removing administrator tag is the only one set by default for guest account).
Here is a pic of default guest account with note what to remove.

How do I configure Perfect Forward Secrecy in Windows Azure (OS, or Websites)

I want to move my website to Windows Azure, but need to make sure that I'm using PFS on all my instances and roles. (regular web roles and Websites as well)
How do I configure this so that each deployment is automatically configured this way?
This excellent article by André N. Klingsheim explains detailed options for hardening the SSL/TLS configuration on Windows Server and Windows Azure. This includes
Disabling SSL
Enabling TLS
Changing Cipher Suite Priorities
The author additionally provides a NuGet package as well as related source code for handling these updates during Azure role startup.
If you want to enforce (perfect) forward secrecy over just enabling it you will probably want to disable all cipher suites not supporting that. Looking at the relevant powershell script all TLS_RSA_*-suites need to be removed from $preferredCipherSuites. Note that this will drop compatibility with some (mostly legacy) browsers/clients.
Please also see this answer that contains several resources on cipher suite recommendations.
I believe that forcing PFS from the server side required a registry change.
This can be achieved for Web Roles using a start up script as described here
Given the need to change the registry, I don't think this is possible for Windows Azure Websites.

Is azure for big applications only?

I've recently been asked to redevelop an .Net 2.0 WinForms application with a back end SQL Server Express DB.
One of the requirements is to allow remote users access to the application, so I've been considering hosted options to avoid VPN setup. The data is not sensitive and does not fall under data protection act, so a basic security approach for the web will cover me.
I like the idea of using Azure for a few reasons, but I'm not sure if a good fit for a users base of 5 or 6 with no real scope to grow. I've never used Azure and I plan to develop using MVC and a SQL backend as this is my main skillset.
A few points in favour of Azure in my mind are:
Tight integration with the TFS preview that I'm using for this project
Easy to setup a sandpit and a live version
Easy maintenance as I expect other hosted options will require more knowledge of underlying OS
Sticking to a full Microsoft stack should hopefully make things simpler
From what I find on the Azure site the message is all about scalability, which is great if you need it.
My question is simply, do you need a large user base, or plans to grow quickly, to use azure or is it how we should be hosting apps now?
What you're asking here is the perfect case for Windows Azure Web Sites:
You get 10 web sites for free (no custom DNS, but this is perfect for your 'sandpit'/test version). The shared mode supports custom DNS and is very cheap.
Tight integration with TFS preview and GitHub
You don't need to worry about the underlying OS, you simply publish from Visual Studio or with TFS Preview.
Sticking to the Microsoft stack is the easiest solution, but other technologies work great aswell. Since you're talking about MVC I'm assuming you are considering ASP.NET MVC, which is a perfect match with Windows Azure. Take a look at the training kit for some good examples.
The day you'll need a solution which more scalable (meaning you'll have more users and more income) you can easily upgrade to a reserved instance or to a Cloud Service (Web/Worker Role).
About your question: "My question is simply, do you need a large user base, or plans to grow quickly, to use azure or is it how we should be hosting apps now?"
Windows Azure is a cloud service platform (includes PaaS as Cloud Services, IaaS as Windows Azure Virtual Machines and also Websites suggest by Sandrino above), and with cloud services you have ability to start very small and grow as much and as quickly as your user requirement is, so you can use Azure with both cases. On the other hand there are some advantages using certain offering depend on your which service you are going to use to run your application.
I think article (Section: "What Should I Use? Making a Choice") will explain the strategy about how you make a selection among various services.
This SO discussion does talks about the difference between cloud Services and Azure WebSites as well.

What types of projects are suitable for Azure?

What type of projects/software applications are suitable for Azure and why?
Thanks
Rather than thinking of what can be supported in Azure, it might be more helpful to think about its challenges as you decide to port your app over:
Web applications. Since a Web Role hosts IIS, you'll generally have little issue porting a general-purpose asp.net or asp.net mvc website to Azure. There are some glitches you'll run into - see my related answer for more details.
UI. If your app has specific output similar to a WinForms app, you won't be able to run it since you have no video output.
GPU dependencies. If you're doing some background processing dependenton a specific GPU, you won't be able to run in an Azure VM.
Registry and other system-level access. If your app needs to update the registry or run an MSI, you won't be able to install your app.
Instance affinity. If your app requires session stickiness (e.g. a logged-in user MUST visit the same server instance with each access), you won't be able to accomplish this.
COM interop. COM interop is very limited, since you can't install anything via the registry. If you rely on Excel Services, you won't have that capability.
SQL limitations. SQL Azure is limited to 50GB today, and offers no ability to custom-tune the server instance. Also, while it does support a big subset of SQL Server, it doesn't support 100% of SQL Server, so it's possible some of your sprocs may no longer work. There's no SQL Agent today, so you'd need to recreate that functionality in a worker process.
That's just a quick braindump of some challenges you might run into - I'm sure there are others.
Just keep in mind that Azure is providing Windows 2008 Server images for your app to run on, so if your app can run in that environment today, and doesn't require things I listed, you should be in pretty good shape.
You can make most of the .NET projects working in Azure. Azure has support of following project types: web site (both ASP.NET and ASP.NET MVC), worker (background application) and wcf service.
Don't forget security too - there's various ways of authenticating onto Azure but none are as simple as just setting IIS/ASP to windows auth.

Resources