Quite often I do get asked about Azure Virtual Machine security and what I recommend you to configure/look at in relation to securing your Virtual Machine configuration.
In this blog, I am going to include 6 Virtual Machine security security suggestions to get you started that you may want to consider applying to your Virtual machine configurations.
(Please note:- depending on your configuration/requirements; you may have various polices/compliances to meet; this blog is to get you kick-started into Azure Virtual Machine Security)
Depending on your setup and configurations; there is numerous types of antivirus/antimalware setups available; ranging from Microsoft Antimalware that will detail how you can configure this in this blog, along with other various software providers such as Synamtec and Trend Micro
I mentioned; Microsoft Antimalware, what is it? its a real-time protection capability that helps you identify and remove viruses, spyware and additional malicious software. It comes with a configurable setup that you can exclude various appliactions, file locations etc from being scanned.
To install Microsoft Antimalware, I will be doing it via the Azure Portal as a Virtual machine extension.
Select Virtual Machine -> Extensions
Search in extensions list for “Microsoft Antimalware”
Configure the antimalware extension to your requirements for that Virtual Machine in relation to various exclusions and whether you require a scheduled scan to run or not
2. Update Management
Ensuring your Virtual Machine has the required Operating System updates is definitely recommended in relation to security, using Azure update management can assist with this process.
Update management enables you have consistent control and compliance of your Virtual Machines.
To use this service, it does require the use of a Log Analytics workspace and an automation account.
Configuration is setup as below:-
Select Virtual Machine -> Update Management
Configure required options and then enable
Once enabled, below shows how this process works using update management
3. Remote access
How are you accessing your Virtual Machine?
Over RDP/SSH via the public internet? Lots of various scenarios on how you access your virtual machine depending on numerous requirements but if you are using RDP/SSH via the public Internet to access your Virtual Machine I would consider replacing that with Azure Bastion
What is Azure Bastion?
Azure Bastion is a fully managed PaaS service that provides secure access for RDP and SSH to your Virtual Machines directly from the Azure Portal. In theory, managed RDP/SSH to VMs over SSL using private IP on the Virtual Machine; therefore mitigates exposure through public IP access
Configuring Azure Bastion
Select Virtual Machine -> Bastion
Then enter required details and create; it will then create an Azure Bastion setup
4. Azure Security Centre
Azure Security centre is awesome, the hub for all things security-related within your Azure Subscription.
In relation to Virtual machine; security centre assists you in protecting your virtual machines future; whether it is used to block suspicious access to your Virtual Machine to enabling “just-in time” access
There is various tiers within Security centre and I do recommend possibly upgrading to the paid tier in relation to Virtual Machine Security; additional benefits include:-
- Just In Time access, which reduces your exposure to network attacks
- Adaptive application controls to block malicious or unsupported applications
- Threat detection using advanced analytics and global threat intelligence
- Interactive investigation tools and automated remediation for rapid response
Security centre can be accessed multiple ways within Azure, select your virtual machine -> Security will bring you into a similar screen as below
5. Change Tracking
The Azure Virtual Change Tracking extension/solution that allows you to view guest-related OS changes within your Virtual Machine from Azure. This data can be used to alert-on if required various changes within your Virtual Machine environment.
What can be tracked?
Currently, the following change-types can be tracked within the Change Tracking Solution:-
- Windows Software
- Linux Software (packages)
- Windows and Linux Files
- Windows Registry Keys
- Windows Services
- Linux daemons
These type of changes can be viewed within the change tracking dashboard in Azure, in this blog I will detail how this can be viewed and possible ways you can alert of certain changes.
Change tracking is very beneficial from a security perspective and I do recommend you checking out my blog on change tracking to get you kick-started with the setup
6. Network Security Groups (NSGs)
NSG’s control access by permitting or denying network traffic in a number of ways, whether it be:-
- Communication between different workloads on a vNET
- Network connectivity from on-site environment into Azure
- Direct internet connection
Have a read of my blog 10 suggestions for best practice
Additionally, with NSGs, I recommend you also look at Application Security Groups (ASGs) detailed in this blog is a summary
Hopefully this blog assists you and gives you a kick-start into Azure Virtual Machine security; do reach out to me on Twitter if you have any queries!