11 Mwri A Penetration Testers Guide To The Azure Cloud v1.2
++
A Penetration Tester’s Guide to the Azure Cloud
Apostolos Mastoris
Key direction
+ Understand main Azure components and concepts.
+ Demonstrate Azurite.
PUBLIC
Contents
1. Cloud Services Trends, Challenges & Azure
4. Conclusions
++
How is the use of public Cloud services distributed this year?
++
Cloud Computing Challenges
+ Security – Are there appropriate security controls to secure the deployments?
++
Azure Service Models & Responsibilities
++
Azure Deployment
+ Subscription
+ Deployment models:
+ Templates
++
Azure Management
+ Web Access - Azure Management Portal (Classic Mode) & Azure Portal (Classic and Resource Manager Modes)
++
Azure Portal
Azure Security Controls & Pentesting - Network Security
++
Network Security
+ Azure provides controls to secure each network layer:
++
Cloud Access Layer
+ DDoS Protection
++
Virtual Network (VNet)
+ Network isolation/segregation
+ Connectivity Scenarios
• Point-to-Site VPN
• Site-to-Site VPN
• ExpressRoute
++
VNet – Point-to-Site VPN
++
P2S VPN - Connect to VNet Gateway in Classic & Resource Manager Models
+ Tenant to generate client certificate for authentication to VPN service.
++
VNet – Site-to-Site (S2S) VPN
++
VNet – Site-to-Site (S2S) VPN
+ VNet-to-VNet connection requires a Pre-Shared Key (PSK) for encryption. Can be found in cleartext in the connection ‘Settings’ pane:
Azure Security Controls & Pentesting - Transport Security
++
Transport Security - Web Apps
+ SSL/TLS Certificate
• IP-based or SNI-based
++
Transport Security – Azure SQL Database
++
Transport Security – Azure SQL Database
{Server=tcp:sqlserver13.database.windows.net,1433;Data Source=sqlserver13.database.windows.net;Initial Catalog=sqldatabase1;Persist Security Info=False;User ID={your_username};Password={your_password};MultipleActiveResultSets=False;Connection Timeout=30;Encrypt=True;TrustServerCertificate=False;}
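An added check (not from the slides) that parses the connection string above and flags the transport settings a reviewer should look at: Encrypt, TrustServerCertificate and Persist Security Info. The keyword names are standard SqlClient keywords; the placeholders {your_username}/{your_password} are the slide's own.

```python
"""Audit an Azure SQL connection string for weak transport settings.

Added example, not from the original slides. The connection string is the
one shown on the slide; credential placeholders are kept as-is.
"""
from typing import Dict, List

# Constructed from the slide; {your_username}/{your_password} are
# the slide's placeholders, not real credentials.
SLIDE_CONN_STR = (
    "{Server=tcp:sqlserver13.database.windows.net,1433;"
    "Data Source=sqlserver13.database.windows.net;"
    "Initial Catalog=sqldatabase1;Persist Security Info=False;"
    "User ID={your_username};Password={your_password};"
    "MultipleActiveResultSets=False;Connection Timeout=30;"
    "Encrypt=True;TrustServerCertificate=False;}"
)

TRUTHY = {"true", "yes"}


def parse_conn_str(conn_str: str) -> Dict[str, str]:
    """Split 'key=value;' pairs into a dict (SqlClient keys are case-insensitive)."""
    pairs: Dict[str, str] = {}
    # Outer braces are only wrapping, as on the slide; strip them first.
    for part in conn_str.strip("{} ").split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        pairs[key.strip().lower()] = value.strip()
    return pairs


def transport_findings(conn_str: str) -> List[str]:
    """Return findings about client-side TLS settings; empty list means OK.

    Encrypt=True asks for TLS; TrustServerCertificate=False makes the
    client validate the server certificate, which is what prevents an
    in-path attacker from presenting a forged one.
    """
    p = parse_conn_str(conn_str)
    findings: List[str] = []
    if p.get("encrypt", "").lower() not in TRUTHY:
        findings.append("Encrypt is not True: TLS not explicitly requested")
    if p.get("trustservercertificate", "").lower() in TRUTHY:
        findings.append("TrustServerCertificate=True: server certificate not validated")
    if p.get("persist security info", "").lower() in TRUTHY:
        findings.append("Persist Security Info=True: password retained after connect")
    return findings
```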
++
Network Security Virtual Appliances
++
Network Access Control - Network Security Groups (NSGs)
+ Access control lists for Subnets and VMs (Classic) / NICs (Resource Manager)
++
Endpoint Access Control List (ACL)
++
User Defined Routing (UDR)
+ Routing in Azure is performed automatically based on system routes.
++
Azure SQL Server & Database Firewall
+ Connectivity to Azure SQL Server through SQL Server Management Studio (SSMS).
++
Azure SQL Server & Database Firewall
++
Traffic in Azure
+ By default, Azure resources need to connect to Azure services to report their status or to request information, e.g. DHCP requests.
++
Encryption
+ OS & disk encryption
++
Azure Key Vault
+ Cryptographic key management service
++
Azure Key Vault – Properties
+ Retrieve Key Vault ‘test-key-vault-1’ configuration:
++
Azure Key Vault – Key Properties
+ Retrieve Key Vault’s key ‘test-key-vault-1-kek-1’ configuration:
+ Key type:
• RSA: keys (2048-bit RSA key) processed by Key Vault software and encrypted at rest with an encryption key held in Azure’s HSM.
+ Key operations:
++
Azure SQL Database
+ Transparent Data Encryption (TDE) for SQL databases - Configuration through Azure Portal “Settings” pane:
Azure Security Controls & Pentesting - Encryption
++
Azure SQL Database
+ Transparent Data Encryption (TDE) for SQL databases – Encrypt through SSMS:
Output:
++
Database Data Masking
+ Azure SQL database supports data masking at column level.
++
Endpoint Protection
+ Anti-virus & Anti-Malware Extensions
• Microsoft Antimalware
Azure Security Controls & Pentesting – Backup Security
++
Backup Security
+ MSSQL - Configuration during VM creation:
++
Access Controls
+ Classic model
++
Role-Based Access Control (RBAC)
++
Authentication/Authorisation – Azure SQL Database
+ Administrator – dbo (member of the db_owner group)
+ Other Groups:
++
Authentication/Authorisation – Web Apps
++
Scanning Azure Services Externally
• 500/udp
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
++
Auditing & Monitoring
Azure Security Controls & Pentesting – Auditing & Monitoring
++
Auditing - Azure SQL Server
+ Auditing configuration
++
Threat Detection - Azure SQL Server
+ Threat detection
++
Monitoring - Azure SQL Server
+ Monitoring of various events based on configured rules.
++
Monitoring - Azure Storage
+ Monitoring of various events based on configured rules.
Azure Security Controls & Pentesting – Azure Security Centre
++
Azure Security Centre
+ Prevention
+ Detection
++
Azure Security Centre - Prevention
++
Azure Security Centre – Prevention
+ Security Policy
• Recommendations based on a specific security policy, e.g. baseline rules, web application firewall
++
Azure Security Centre - Detection
++
Azure Security Centre - Detection
Azurite Explorer & Azurite Visualizer
++
Azurite Explorer
+ https://www.youtube.com/watch?v=Ntm-VagQiJQ
++
Azurite Visualizer
+ https://www.youtube.com/watch?v=PvzSc28_NLA
MWR Labs
Conclusions
+ Familiarisation with Azure terms, building blocks and security controls is required.
PS> Listen-ToTheAudience
+ @mwrlabs
https://labs.mwrinfosecurity.com
https://github.com/mwrlabs/Azurite