Azure Remote Desktop Traceability in a Cloud Service - security

If you follow Microsoft's instructions here to enable RDP on instances in a Cloud Service, they tell you to create a user and set a password for remote desktop purposes.
As this can quickly become a "shared account", I am wondering how one goes about linking this to a person. The Azure Operation logs do not seem to keep track of who RDP'ed or not, and the Windows Security Event Log obviously has no idea what user was connecting other than the user you created. This make traceability difficult.
While I understand RDP should only be enabled for troubleshooting purposes, I am hoping I missed something simple that would allow Azure Cloud Service users to enable RDP without losing all traceability on who is accessing what instance.
Short Version: How do I know who connected over RDP using the shared RDP Account? Azure logs, infrastructure logs maybe?
Thanks

There have been a few changes since the link you mentioned is published:
You can now enable/disable remote desktop through the portal. You don't have to do it at the time of publishing your cloud service. Using this, you can provision remote desktop connections for individual users in your team instead of relying on one shared RDP connection. To do so, click on CONFIGURE tab for your cloud service and then click on Remote icon and follow the instructions.
The thing you do on portal with remote desktop can also be done programmatically using Service Management API. With the latest Service Management API release, RDP functionality is basically an extension which you can enable/disable on the fly. I wrote a blog post not too long ago describing this functionality: http://gauravmantri.com/2013/05/06/windows-azure-cloud-services-extensions-and-service-management-api-fun-with-remote-desktop/
I haven't actually looked at security event logs so I can't say for sure that it would log this activity but I'm assuming it would.

Related

How would one login to Azure cloud classic service instance?

I have setup a azure cloud classic. Where I have two instances running one is web role and orleans silos. I want to enable trace and I need a means to login into the box and see the logs. Azure portal is not providing the logs I needed. I am following the following link https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-role-enable-remote-desktop but, in the first step, is to click on the cloud service and click configure but I do not see configure option anywhere. I see only 'Pin, swap and delete'. But I did see an option when click on the cloud class, called configuration. In that configuration, there is nothing for remote desk top.
I do have an option for remote desk top, but when I click that I get an message "This deployment is using RemoteAccess and/or RemoteForwarder modules. We recommend using the RDP extension instead. You can enable this mode by removing the modules from your .csdef and .cscfg and then saving your RDP configuration here."
so my basic question, how what is proper way to remote to that box provided I am getting above mentioned message?
According to your description, you are using Azure new portal to configure Remote Desktop. For a simple way, you could log into Azure classic portal to leverage Remote Desktop Extension approach for you to enable Remote Desktop even after your application is deployed.
Note: For more details, you could follow the section about configuring Remote Desktop from the Azure classic portal in this doc.
so my basic question, how what is proper way to remote to that box provided I am getting above mentioned message?
You could follow this tutorial about configuring Remote Desktop in the service definition file.

Using Azure MobileServices library with my own LAN WebApi

I am currently doing some research for the development of a mobile application for our company that should support offline data sync (on an iPad). We have explored many possibilities including PhoneGap/Cordova, Xamarin and simply native iOS development. Xamarin, for many different reasons, seems to be our best choice, so my question will assume we will develop in Xamarin.
I was looking into a library for managing offline data synchronization and the most obvious solution is Microsoft Azure MobileServices. However, my company is Canadian, and apparently it's hard to trust (legally) our data to clouds based in the US. Since we already deployed internally our WebApi on our intranet, I figured there was probably a way to point the MobileServices library to our own WebApi. I have read about the Azure Hybrid Connection possibility, but our data still conveying through Microsoft servers might not be a possibility. So, my question is this:
Is there a way to configure the Microsoft.WindowsAzure.MobileServices Client library to point directly to our intranet, RESTful WebApi backend, without going through any Microsoft Azure servers ?
I understand that, in order to be able to use the Client librairies seamlessly, we probably would have to adapt our WebApi to implement the necessary .net Backend interfaces. I'm mostly wondering if it's even possible as the MSDN documentation on the libraries all seem to point to direct connections to their servers (no possibilities to configure your own connection strings) and all instructions redirect you to their Azure Mobile Services website.
Thank you.
If you look at the API for your mobile client, you'll notice that the Azure Mobile Services Client SDK only cares about two things:
new AzureMobileClient( url, appkey)
...where it's hosted shouldn't be a concern. Everything else is just configuration.
If you want to host the Azure Mobile Services Backend on your own servers, technically you could do this, but there are likely a few caveats. Microsoft has announced that they will be launching a Canadian Azure data center, but we won't see it until 2016.
In the meantime, here's how you can host the services locally. Note that I have not tried to emulate all of the features of Azure Mobile Services (aka Zumo) so your mileage (or kilometerage) will vary.
Hosting Locally:
From a technical feasibility, you absolutely can run the services locally. I know this because you can create the Azure Mobile Services Backend project from within Visual Studio and run it locally for development purposes. This is what our development team does for testing their mobile applications.
Note that you can create the Azure Mobile Service backend directly from within Visual Studio: New Project -> Cloud -> Azure Mobile Service. You can also download the exact same template (pre-configured with your URL and ApplicationKey) directly from the Azure dashboard: Create -> Mobile Service.
Obviously, if you're hosting it on your server it will be up to you to configure and use a proper SSL certificate for your site.
ZUMO Permissions:
By default, the security roles on the server are turned off. So if you're locking down any of your methods using the [AuthorizeLevel] attribute these settings will be ignored at runtime. If you need to enable this feature you can do so by modifying the WebApiConfig.Register() method and marking the site as self-hosted: config.SetSelfHosted(true).
Configuration:
From a configuration perspective, the Azure Mobile Service dashboard provides several tabs for configuring Identity, Push Notifications, Connection Strings and App Settings. Sadly, you won't have a dashboard, but all of these settings have a corresponding value in the local web.config. Any value you provide here is automatically overwritten in Azure, but they're used when running locally.
The minimum settings you'll need to configure are listed here. The ApplicationKey you can distribute with your ZuMo client, but the MasterKey is for the Admin authorization level so you'll want to keep that secret. The MobileServiceName is used by the EntityFramework for your database schema and what appears in the URL of your site.
<add key="MS_MobileServiceName" value="myzumosite" />
<add key="MS_MasterKey" value="masterkey" />
<add key="MS_ApplicationKey" value="appkey" />
Values that start with a MS_ prefix map to corresponding values in the Azure Portal. MS_GoogleClientID and MS_GoogleClientSecret map to the Google Identity values in the dashboard, for example.
Any other value in the AppSettings node is immediately accessible via the ApiServices.Settings property and corresponds to the Settings node in the Azure dashboard.
Database connection strings continue to exist in the connectionStrings node. The same is true for azure notification hub.
Database:
Obviously, the database you configure will be up to you as well. Permissions and User accounts are also obvious. There may be some minor differences between the SQL Azure syntax for Entity Framework database migration scripts that you'll need to worry about. (I've discovered the database migration scripts don't work from the Package Manager, but they do work when the database scripts are run when your website starts)
Caveats:
You will not have a nice dashboard for monitoring performance of your site, reviewing logs or changing runtime settings
You will not be able to scale out your site immediately; Scaling and deployment will be your problem
Deployment configuration is your responsibility (Project -> Publish won't be available unless you configure it)
Not sure if you'll be able to use Azure Active Directory as an authentication scheme, though from the sounds of it that won't be a concern. You can write your own authentication providers: Microsoft's Zumo library only supports a handful, but the underlying Owin.Security package that Microsoft uses supports several dozen systems!
Your site will need to be publically visible to your mobile clients
Push Notifications should work, but you will be using Azure's notification hub for this.
I have no idea where ApiServices.Log will go
The easiest path to take would be to:
Create the Mobile Service in Azure to get the notification hub and settings preconfigured
Download the starter site from the dashboard
Configure the web.config as mentioned here.
It's not possible to simply configure WAMS Client library to work with your own WebApi Backend.
But WAMS library is available at github, so I'm sure you can reuse a lot of code from the WAMS project, especially if you want to use a PCL project.
To route your data securly through Azure, you could think about setting up express route. Additionally, for last weeks update, it's possible to apply a custom domain to the WAMS Backend, including your own certificate to secure your connection.

Window Azure vs Citrix Xenapp

Current my company delivers our software to our customers through a Citrix Xenapp Server. As administrators we are able to launch instances of the servers and our customers are only able to launch their specific application
My Question is does Windows Azure also offer this type of environment. I am looking to deploy a new version of our application and I am leaning towards Azure, but if that is the direction we go in I would like to migrate all of our existing system to Azure and not maintain both Azure and Citrix.
Greg,
In principle yes you can do this, but you can't just plug in Azure as a direct replacement for XenApp (with zero/minimal effort). Azure effectively has it's own runtime. While it is Windows based and there is certainly potential to reuse code in an existing app in an Azure equivalent, you would need to re-write your app to make it run in Azure.
Given your app is running on XenApp it is likely it is a fat client app, i.e. most of its logic lives in the main executable that you run on XenApp, with potentially some other back end services being utilised. In comparison you should think of Azure as a platform for providing web apps. So you would re-architect the app as an Azure hosted web app, then you could deploy it via Azure in a multi-tenanted manner to your customers who would then access it through a browser rather than a Citrix Receiver.
Regards,
Donovan

Accessing Azure Storage Services from Azure Websites?

I'm curious to know if this is possible, and if so, is it a good or bad idea?
We are developing an Azure application that is largely centered around worker roles that receive their work on a CloudQueue, and put the results in a CloudBlob, that the client then downloads. The web interface itself is a dead-simple ASP.NET MVC site that throws jobs in the CloudQueue, and builds URLs to download CloudBlobs.
Currently we accomplish this by having a Azure Cloud Project in our solution, which has a Web Role with the UI, and Worker Roles with the actual work.
Could we use Azure Websites to publish and host the UI, which calls back to our Worker Roles? The Azure DLLs are just regular old .NET libraries, I'm assuming Azure Websites won't have a problem with them. So, when we want to update the UI, we just publish with Visual Studio. And when we want to update the Worker Role - which is 300MB+ and has a bunch of nasty dependencies like Crystal Reports - we can build the cloud bundle and update the Cloud Service through the Azure management portal.
This seems to me like doing this would make it easier to update the UI. I think it would also be cheaper to host it, as we won't have to buy a bunch of instances for the Web Role.
If your question is "Could we use Windows Azure Websites*", based on your application architecture, you sure can use Azure Website to deploy your front end and configure all the networking connection properly so you can continue access other Azure Storage services. As you are using mostly Blob and Queue, you can continue use HTTP/HTTPS settings in the Azure websites. You can keep worker role by as it is however if it is very complex to deploy, using Windows Azure VM may be another direction to go.
I could say website deployment could be easier if your web app does not have something complex to configure in web server as websites may not be able to match web server level configuration compare to webrole and Azure VM. Answering "Easier and cheap" could be very subjective as this is all depend on load and distribution so you would have to try and evaluate it.

Published Web app to Azure, how do I browse to it, monitor it?

I have created my first app for azure. It's has an MVC3 web role which writes some data to table storage.
It also has a worker role that does some work behind the scenes to the same data.
It all works fine in the emulator.
I've uploaded it all to Azure as a staging deployment, the hosted service it is reports all roles as "ready". The health for all roles is "healthy", though the worker role appears to crash and goes to "degraded" and then resets itself (I assume this is what is happening).
So what now? I have found a "DNS Name" on my Web Role in the form "http://{guid}.cloudapp.net/"
Clicking on that link just gives me a network access error, http://www.downforeveryoneorjustme.com/ can't find it either.
What am I missing? Where can I see diagnostics similar to the emulator? I've set "Enable Diagnostics" to use my Azure storage account in each role. How do I get into the storage to see if it has traced anything? Can this be done through the Management Portal?
I've tried searching through MSDN, but I can't find a page that says "and then you click the DNS name link and your website will launch. I'm sure there is a lovely page like that but I can't find it.
thanks in advance!
In August 2011, the Windows Azure role templates were updated to work with the ASP.NET Universal Providers. As such, when you create a new project, the session state provider is backed by SQL Express by default. If you don't change this to SQL Azure or Cache (or disable session state), you'll run into issues.
I'm not sure this is exactly the issue you're running into, but it's a common one. See Nate Totten's blog post for more information about this (Nate calls out this issue a few pages down, under IMPORTANT NOTE).
You can access diagnostics data directly from Visual Studio Server Explorer.
Here you have all necessary information: Browsing Storage Resources with Server Explorer http://msdn.microsoft.com/en-us/library/windowsazure/ff683677.aspx
Personally I use Azure Diagnostics Manager from Cerebrata http://www.cerebrata.com/products/AzureDiagnosticsManager/ that is easy and has a good dashboard

Resources