1.1 Optimize Cloud Identity Management: Establish a single Azure AD instance.
Consistency and a single authoritative source will increase clarity and reduce security risks from human errors and configuration complexity.
Designate a single Azure AD directory as the authoritative source for corporate and organizational accounts.

1.2 Optimize Cloud Identity Management: Integrate your on-premises directories with Azure AD.
Use Azure AD Connect to synchronize your on-premises directory with your cloud directory.
Note: There are factors that affect the performance of Azure AD Connect. Ensure Azure AD Connect has enough capacity to keep underperforming systems from impeding security and productivity. Large or complex organizations (organizations provisioning more than 100,000 objects) should follow the recommendations to optimize their Azure AD Connect implementation.

1.3 Optimize Cloud Identity Management: Don’t synchronize accounts to Azure AD that have high privileges in your existing Active Directory instance.
Don’t change the default Azure AD Connect configuration that filters out these accounts. This configuration mitigates the risk of adversaries pivoting from cloud to on-premises assets (which could create a major incident).

1.4 Optimize Cloud Identity Management: Turn on password hash synchronization.
Password hash synchronization is a feature used to sync user password hashes from an on-premises Active Directory instance to a cloud-based Azure AD instance. This sync helps to protect against leaked credentials being replayed from previous attacks. Even if you decide to use federation with Active Directory Federation Services (AD FS) or other identity providers, you can optionally set up password hash synchronization as a backup in case your on-premises servers fail or become temporarily unavailable. This sync enables users to sign in to the service by using the same password that they use to sign in to their on-premises Active Directory instance. It also allows Identity Protection to detect compromised credentials by comparing synchronized password hashes with passwords known to be compromised, if a user has used the same email address and password on other services that aren’t connected to Azure AD.

1.5 Optimize Cloud Identity Management: For new application development, use Azure AD for authentication.
Use the correct capabilities to support authentication:
- Azure AD for employees
- Azure AD B2B for guest users and external partners
- Azure AD B2C to control how customers sign up, sign in, and manage their profiles when they use your applications

1.6 Optimize Cloud Identity Management: Manage and control access to corporate resources.
Configure Azure AD conditional access based on a group, location, and application sensitivity for SaaS apps and Azure AD–connected apps.

1.7 Optimize Cloud Identity Management: Block legacy authentication protocols.
Attackers exploit weaknesses in older protocols every day, particularly for password spray attacks. Configure conditional access to block legacy protocols.

1.8 Optimize Cloud Identity Management: Set up self-service password reset (SSPR) for your users.
Use the Azure AD self-service password reset feature.

1.9 Optimize Cloud Identity Management: Monitor how or if SSPR is really being used.
Monitor the users who are registering by using the Azure AD Password Reset Registration Activity report. The reporting feature that Azure AD provides helps you answer questions by using prebuilt reports.

1.10 Optimize Cloud Identity Management: Option 1. Enable Multi-Factor Authentication by changing user state.
This is the traditional method for requiring two-step verification. It works with both Azure Multi-Factor Authentication in the cloud and Azure Multi-Factor Authentication Server. Using this method requires users to perform two-step verification every time they sign in and overrides conditional access policies.

1.11 Optimize Cloud Identity Management: Option 2. Enable Multi-Factor Authentication with a conditional access policy.
This option allows you to prompt for two-step verification under specific conditions by using conditional access. Specific conditions can be user sign-in from different locations, untrusted devices, or applications that you consider risky. Defining specific conditions where you require two-step verification enables you to avoid constant prompting for your users, which can be an unpleasant user experience.
This is the most flexible way to enable two-step verification for your users. Enabling a conditional access policy works only for Azure Multi-Factor Authentication in the cloud and is a premium feature of Azure AD.

1.12 Optimize Cloud Identity Management: Option 3. Enable Multi-Factor Authentication with conditional access policies that evaluate the user and sign-in risk from Azure AD Identity Protection.
This option enables you to:
- Detect potential vulnerabilities that affect your organization’s identities.
- Configure automated responses to detected suspicious actions that are related to your organization’s identities.
- Investigate suspicious incidents and take appropriate action to resolve them.
This method uses the Azure AD Identity Protection risk evaluation to determine if two-step verification is required based on user and sign-in risk for all cloud applications. This method requires Azure Active Directory P2 licensing.

1.13 Optimize Cloud Identity Management: Apply role-based access control (RBAC) for segregation of duties.
Segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, allow only certain actions at a particular scope.
Use built-in RBAC roles in Azure to assign privileges to users.
Note: Specific permissions create unneeded complexity and confusion, accumulating into a “legacy” configuration that’s difficult to fix without fear of breaking something.
- Avoid resource-specific permissions. Instead, use management groups for enterprise-wide permissions and resource groups for permissions within subscriptions.
- Avoid user-specific permissions. Instead, assign access to groups in Azure AD.

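An added example (not part of the checklist) that applies the two "avoid" rules of 1.13 to a list of role assignments: it classifies each assignment's scope and flags user-specific principals, resource-specific scopes, and unrestricted roles at broad scope. The records, principal names and subscription id are constructed placeholders in the shape of `az role assignment list` output.

```python
"""Flag Azure RBAC assignments that undercut segregation of duties (1.13).

Added example, not code from the checklist. The assignment records are
constructed in the shape of `az role assignment list` output (principalName,
principalType, roleDefinitionName, scope); names and the subscription id are
placeholders.
"""
import re
from collections import Counter

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # placeholder id

# Scope string shapes used by Azure Resource Manager, broadest first.
SCOPE_LEVELS = [
    ("management group", re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)),
    ("subscription", re.compile(r"^/subscriptions/[^/]+$", re.I)),
    ("resource group", re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)),
    ("resource", re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/.+$", re.I)),
]
UNRESTRICTED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample assignments for a hypothetical tenant.
ASSIGNMENTS = [
    {"principalName": "sec-readers", "principalType": "Group",
     "roleDefinitionName": "Security Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/contoso-root"},
    {"principalName": "platform-team", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "dave@contoso.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-web"},
    {"principalName": "erin@contoso.com", "principalType": "User",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": SUB + "/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-01"},
    {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-web"},
]


def scope_level(scope):
    """Classify an ARM scope string; anything unrecognised is reported as such."""
    for label, pattern in SCOPE_LEVELS:
        if pattern.match(scope):
            return label
    return "unknown"


def audit(assignments):
    """Return (principal, role, finding) tuples for assignments to review."""
    findings = []
    for a in assignments:
        who, role, level = a["principalName"], a["roleDefinitionName"], scope_level(a["scope"])
        if a["principalType"] == "User":
            findings.append((who, role, "user-specific assignment: grant the role to an Azure AD group"))
        if level == "resource":
            findings.append((who, role, "resource-specific scope: assign at resource group or management group"))
        if role in UNRESTRICTED_ROLES and level in ("management group", "subscription"):
            findings.append((who, role, f"unrestricted role at {level} scope: confirm it is required"))
    return findings


def summarize(assignments):
    """Count assignments per (scope level, principal type) for a quick overview."""
    return Counter((scope_level(a["scope"]), a["principalType"]) for a in assignments)


if __name__ == "__main__":
    for who, role, note in audit(ASSIGNMENTS):
        print(f"{who:18} {role:28} {note}")
    print(dict(summarize(ASSIGNMENTS)))
```
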
1.14 Optimize Cloud Identity Management: Grant security teams with Azure responsibilities access to see Azure resources so they can assess and remediate risk.
Grant security teams the RBAC Security Reader role. You can use the root management group or the segment management group, depending on the scope of responsibilities:
- Root management group for teams responsible for all enterprise resources
- Segment management group for teams with limited scope (commonly because of regulatory or other organizational boundaries)

1.15 Optimize Cloud Identity Management: Grant the appropriate permissions to security teams that have direct operational responsibilities.
Review the RBAC built-in roles for the appropriate role assignment. If the built-in roles don't meet the specific needs of your organization, you can create custom roles for Azure resources. As with built-in roles, you can assign custom roles to users, groups, and service principals at subscription, resource group, and resource scopes.

1.16 Optimize Cloud Identity Management: Grant Azure Security Center access to security roles that need it. Security Center allows security teams to quickly identify and remediate risks.
Add security teams with these needs to the RBAC Security Admin role so they can view security policies, view security states, edit security policies, view alerts and recommendations, and dismiss alerts and recommendations. You can do this by using the root management group or the segment management group, depending on the scope of responsibilities.

1.17 Optimize Cloud Identity Management: Lower exposure of privileged accounts.
Securing privileged access is a critical first step to protecting business assets. Minimizing the number of people who have access to secure information or resources reduces the chance of a malicious user getting access, or an authorized user inadvertently affecting a sensitive resource.
Privileged accounts are accounts that administer and manage IT systems. Cyber attackers target these accounts to gain access to an organization’s data and systems. To secure privileged access, you should isolate the accounts and systems from the risk of being exposed to a malicious user.
Develop and follow a roadmap to secure identities and privileged access that are managed or reported in Azure AD, Microsoft Azure, Office 365, and other cloud services against cyber attackers.

1.18 Optimize Cloud Identity Management: Manage, control, and monitor access to privileged accounts.
Turn on Azure AD Privileged Identity Management. After you turn on Privileged Identity Management, you’ll receive notification email messages for privileged access role changes. These notifications provide early warning when additional users are added to highly privileged roles in your directory.

1.19 Optimize Cloud Identity Management: Ensure all critical admin accounts are managed Azure AD accounts.
Remove any consumer accounts from critical admin roles (for example, Microsoft accounts like @hotmail.com, @live.com, and @outlook.com).

1.20 Optimize Cloud Identity Management: Ensure all critical admin roles have a separate account for administrative tasks, so that phishing and other attacks cannot be used to compromise administrative privileges.
Create a separate admin account that’s assigned the privileges needed to perform the administrative tasks. Block the use of these administrative accounts for daily productivity tools like Microsoft Office 365 email or arbitrary web browsing.

1.21 Optimize Cloud Identity Management: Identify and categorize accounts that are in highly privileged roles.
After turning on Azure AD Privileged Identity Management, view the users who are in the global administrator, privileged role administrator, and other highly privileged roles. Remove any accounts that are no longer needed in those roles, and categorize the remaining accounts that are assigned to admin roles:
- Individually assigned to administrative users, and can be used for non-administrative purposes (for example, personal email)
- Individually assigned to administrative users and designated for administrative purposes only
- Shared across multiple users
- For emergency access scenarios
- For automated scripts
- For external users

1.22 Optimize Cloud Identity Management: Just-in-time (JIT) access.
Azure AD Privileged Identity Management lets you:
- Limit users to only taking on their privileges JIT.
- Assign roles for a shortened duration with confidence that the privileges are revoked automatically.
Implement “just in time” (JIT) access to further lower the exposure time of privileges and increase your visibility into the use of privileged accounts.

1.23 Optimize Cloud Identity Management: Define at least two emergency access accounts.
Emergency access accounts help organizations restrict privileged access in an existing Azure Active Directory environment. These accounts are highly privileged and are not assigned to specific individuals. Emergency access accounts are limited to scenarios where normal administrative accounts can’t be used. Organizations must limit the emergency account's usage to only the necessary amount of time.
Evaluate the accounts that are assigned or eligible for the global admin role. If you don’t see any cloud-only accounts by using the *.onmicrosoft.com domain (intended for emergency access), create them.

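An added example, not from the checklist, that runs the checks of 1.3, 1.19, 1.21 and 1.23 over the members of the most privileged directory roles: consumer-domain accounts to remove, on-premises-synchronized accounts that should not hold cloud privileges, guests to review, and whether at least two cloud-only *.onmicrosoft.com emergency accounts exist. The user records and the tenant name contoso are constructed; the `role` key is an assumption naming the directory role each account holds.

```python
"""Audit the members of highly privileged Azure AD roles.

Added example, not code from the checklist. The records are constructed in the
shape of Azure AD user objects (userPrincipalName, mail, userType,
onPremisesSyncEnabled); the "role" key is an added assumption naming the
directory role each account holds, and the tenant "contoso" is a placeholder.
"""
CONSUMER_DOMAINS = {"hotmail.com", "live.com", "outlook.com"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Constructed sample: who currently holds the two most powerful directory roles.
ROLE_MEMBERS = [
    {"userPrincipalName": "alice@contoso.com", "mail": "alice@contoso.com",
     "userType": "Member", "onPremisesSyncEnabled": True,
     "role": "Global Administrator"},
    {"userPrincipalName": "adm-alice@contoso.com", "mail": None,
     "userType": "Member", "onPremisesSyncEnabled": False,
     "role": "Global Administrator"},
    # A Microsoft account invited as a guest keeps its original address in `mail`.
    {"userPrincipalName": "bob_hotmail.com#EXT#@contoso.onmicrosoft.com",
     "mail": "bob@hotmail.com", "userType": "Guest",
     "onPremisesSyncEnabled": False, "role": "Global Administrator"},
    {"userPrincipalName": "breakglass1@contoso.onmicrosoft.com", "mail": None,
     "userType": "Member", "onPremisesSyncEnabled": False,
     "role": "Global Administrator"},
    {"userPrincipalName": "carol_partner.example#EXT#@contoso.onmicrosoft.com",
     "mail": "carol@partner.example", "userType": "Guest",
     "onPremisesSyncEnabled": False, "role": "Privileged Role Administrator"},
    {"userPrincipalName": "dan@contoso.com", "mail": "dan@contoso.com",
     "userType": "Member", "onPremisesSyncEnabled": False,
     "role": "Helpdesk Administrator"},
]


def domain_of(account):
    """Domain the person actually signs in with: `mail` for guests, else the UPN."""
    address = account.get("mail") or account["userPrincipalName"]
    return address.rsplit("@", 1)[1].lower()


def is_cloud_only(account):
    return not account.get("onPremisesSyncEnabled", False)


def is_emergency_account(account):
    """Cloud-only member account on the tenant's *.onmicrosoft.com domain (1.23)."""
    upn = account["userPrincipalName"].lower()
    return (is_cloud_only(account) and account["userType"] == "Member"
            and "#ext#" not in upn and upn.endswith(".onmicrosoft.com"))


def categorize(account):
    """Bucket an admin account by the attributes the directory exposes (1.21)."""
    if domain_of(account) in CONSUMER_DOMAINS:
        return "consumer"
    if account["userType"] == "Guest":
        return "external"
    if not is_cloud_only(account):
        return "synced-from-on-premises"
    if is_emergency_account(account):
        return "emergency-access"
    return "cloud-only"


def audit(members, minimum_emergency=2):
    """Findings for privileged role members: consumer accounts to remove (1.19),
    synced accounts that should never have been synchronized (1.3), guests to
    review, and whether enough emergency access accounts exist (1.23)."""
    findings = {"remove_consumer": [], "synced_privileged": [], "external": [],
                "emergency": []}
    buckets = {"consumer": "remove_consumer",
               "synced-from-on-premises": "synced_privileged",
               "external": "external", "emergency-access": "emergency"}
    for account in members:
        if account["role"] not in PRIVILEGED_ROLES:
            continue
        bucket = buckets.get(categorize(account))
        if bucket:
            findings[bucket].append(account["userPrincipalName"])
    findings["emergency_shortfall"] = max(0, minimum_emergency - len(findings["emergency"]))
    return findings


if __name__ == "__main__":
    for key, value in audit(ROLE_MEMBERS).items():
        print(f"{key}: {value}")
```
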
1.24 Optimize Cloud Identity Management: Require all critical admin accounts to be password-less (preferred), or require Multi-Factor Authentication.
Use the Microsoft Authenticator app to sign in to any Azure AD account without using a password. Like Windows Hello for Business, the Microsoft Authenticator uses key-based authentication to enable a user credential that’s tied to a device and uses biometric authentication or a PIN.
Require Azure Multi-Factor Authentication at sign-in for all individual users who are permanently assigned to one or more of the Azure AD admin roles: Global Administrator, Privileged Role Administrator, Exchange Online Administrator, and SharePoint Online Administrator. Enable Multi-Factor Authentication for your admin accounts and ensure that admin account users have registered.

1.25 Optimize Cloud Identity Management: Use a dedicated admin workstation for critical admin accounts.
For critical admin accounts, have an admin workstation where production tasks aren’t allowed (for example, browsing and email). This will protect your admin accounts from attack vectors that use browsing and email and significantly lower your risk of a major incident.
Use an admin workstation. Choose a level of workstation security:
- Highly secure productivity devices provide advanced security for browsing and other productivity tasks.
- Privileged Access Workstations (PAWs) provide a dedicated operating system that’s protected from internet attacks and threat vectors for sensitive tasks.

1.26 Optimize Cloud Identity Management: Deprovision admin accounts when employees leave your organization.
Have a process in place that disables or deletes admin accounts when employees leave your organization.

1.27 Optimize Cloud Identity Management: Regularly test admin accounts by using current attack techniques.
Use Office 365 Attack Simulator or a third-party offering to run realistic attack scenarios in your organization. This can help you find vulnerable users before a real attack occurs.

1.28 Optimize Cloud Identity Management: Actively monitor for suspicious activities.
Have a method to identify:
- Attempts to sign in without being traced.
- Brute force attacks against a particular account.
- Attempts to sign in from multiple locations.
- Sign-ins from infected devices.
- Suspicious IP addresses.
Use Azure AD Premium anomaly reports. Have processes and procedures in place for IT admins to run these reports on a daily basis or on demand (usually in an incident response scenario).

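An added example, not from the checklist, of the detection logic behind the list above, run over a constructed set of events shaped like Azure AD sign-in log entries: brute force against one account, a password spray from one source address across several accounts, and sign-ins from two countries within an hour. The thresholds and time windows are assumptions a team would tune to its own environment.

```python
"""Detect the sign-in patterns the checklist asks you to identify (1.28).

Added example, not code from the checklist. Events are constructed in the shape
of Azure AD sign-in log entries (createdDateTime, userPrincipalName, ipAddress,
location.countryOrRegion, status.errorCode); thresholds and windows are
assumptions a team would tune to its own environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126  # AADSTS50126: invalid username or password
SUCCESS = 0


def sign_in(ts, upn, ip, country, error_code=SUCCESS):
    """One constructed record in the log's nested shape."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": error_code}}


# Constructed sample log (not real data): a brute-force run against alice that
# ends in a success, bob signing in from two countries within an hour, and a
# spray from one source address across three accounts.
SIGN_INS = [
    sign_in("2024-05-01T08:00:05Z", "alice@contoso.com", "203.0.113.7", "US", INVALID_PASSWORD),
    sign_in("2024-05-01T08:00:09Z", "alice@contoso.com", "203.0.113.7", "US", INVALID_PASSWORD),
    sign_in("2024-05-01T08:00:14Z", "alice@contoso.com", "203.0.113.7", "US", INVALID_PASSWORD),
    sign_in("2024-05-01T08:00:20Z", "alice@contoso.com", "203.0.113.7", "US", INVALID_PASSWORD),
    sign_in("2024-05-01T08:00:27Z", "alice@contoso.com", "203.0.113.7", "US", INVALID_PASSWORD),
    sign_in("2024-05-01T08:00:33Z", "alice@contoso.com", "203.0.113.7", "US"),
    sign_in("2024-05-01T09:00:00Z", "bob@contoso.com", "198.51.100.20", "US"),
    sign_in("2024-05-01T09:20:00Z", "bob@contoso.com", "192.0.2.77", "DE"),
    sign_in("2024-05-01T10:00:00Z", "dave@contoso.com", "192.0.2.50", "NL", INVALID_PASSWORD),
    sign_in("2024-05-01T10:00:02Z", "erin@contoso.com", "192.0.2.50", "NL", INVALID_PASSWORD),
    sign_in("2024-05-01T10:00:04Z", "frank@contoso.com", "192.0.2.50", "NL", INVALID_PASSWORD),
]


def when(event):
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))


def grouped(events, key):
    """Events grouped by `key`, each group sorted by time."""
    groups = defaultdict(list)
    for event in events:
        groups[event[key]].append(event)
    return {k: sorted(v, key=when) for k, v in groups.items()}


def failures(events):
    return [e for e in events if e["status"]["errorCode"] == INVALID_PASSWORD]


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts with `threshold` bad-password failures inside a sliding `window`."""
    hits = []
    for upn, evs in grouped(events, "userPrincipalName").items():
        times = [when(e) for e in failures(evs)]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(upn)
                break
    return sorted(hits)


def detect_password_spray(events, min_accounts=3, window=timedelta(minutes=10)):
    """Source IPs whose failures hit `min_accounts` distinct accounts inside `window`."""
    hits = []
    for ip, evs in grouped(events, "ipAddress").items():
        bad = failures(evs)
        for i, first in enumerate(bad):
            accounts = {e["userPrincipalName"] for e in bad[i:] if when(e) - when(first) <= window}
            if len(accounts) >= min_accounts:
                hits.append(ip)
                break
    return sorted(hits)


def detect_multiple_locations(events, window=timedelta(hours=1)):
    """Accounts with successful sign-ins from two countries inside `window`."""
    hits = set()
    for upn, evs in grouped(events, "userPrincipalName").items():
        ok = [e for e in evs if e["status"]["errorCode"] == SUCCESS]
        for i, a in enumerate(ok):
            for b in ok[i + 1:]:
                if when(b) - when(a) > window:
                    break
                if a["location"]["countryOrRegion"] != b["location"]["countryOrRegion"]:
                    hits.add(upn)
    return sorted(hits)
```
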
1.29 Optimize Cloud Identity Management: Actively monitor for suspicious activities.
Have an active monitoring system that notifies you of risks and can adjust risk level (high, medium, or low) to your business requirements.
Use Azure AD Identity Protection, which flags the current risks on its own dashboard and sends daily summary notifications via email. To help protect your organization's identities, you can configure risk-based policies that automatically respond to detected issues when a specified risk level is reached.

2.1 Strong Cloud Network Controls / Logically segment subnets: Don’t assign allow rules with broad ranges (for example, allow 0.0.0.0 through 255.255.255.255).
Ensure troubleshooting procedures discourage or ban setting up these types of rules. These allow rules lead to a false sense of security and are frequently found and exploited by red teams.

2.2 Strong Cloud Network Controls / Logically segment subnets: Segment the larger address space into subnets.
Use CIDR-based subnetting principles to create your subnets.

2.3 Strong Cloud Network Controls / Logically segment subnets: Create network access controls between subnets.
Routing between subnets happens automatically, and you don’t need to manually configure routing tables. By default, there are no network access controls between the subnets that you create on an Azure virtual network.
Use a network security group to protect against unsolicited traffic into Azure subnets. Network security groups are simple, stateful packet inspection devices that use the 5-tuple approach (source IP, source port, destination IP, destination port, and layer 4 protocol) to create allow/deny rules for network traffic. You can allow or deny traffic to and from a single IP address, to and from multiple IP addresses, or to and from entire subnets.
When you use network security groups for network access control between subnets, you can put resources that belong to the same security zone or role in their own subnets.

2.4 Strong Cloud Network Controls / Logically segment subnets: Avoid small virtual networks and subnets to ensure simplicity and flexibility.
Most organizations add more resources than initially planned, and re-allocating addresses is labor intensive. Using small subnets adds limited security value, and mapping a network security group to each subnet adds overhead. Define subnets broadly to ensure that you have flexibility for growth.

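An added example, not from the checklist, that applies the CIDR subnetting advice of 2.2 and the growth headroom of 2.4 to a constructed address space and set of workloads: it sizes each subnet for twice the planned hosts after Azure's five reserved addresses, then carves the subnets out of the address space without overlap and with leftover blocks kept usable.

```python
"""Carve an Azure virtual network address space into subnets with CIDR math (2.2, 2.4).

Added example, not code from the checklist. The address space, workload names and
host counts are constructed. The five addresses held back per subnet are the ones
Azure reserves in every subnet (the first four and the last); /29 is the smallest
subnet Azure allows.
"""
import ipaddress
import math

AZURE_RESERVED_PER_SUBNET = 5
SMALLEST_PREFIX = 29
ADDRESS_SPACE = "10.1.0.0/16"  # constructed VNet range
WORKLOADS = {"web": 40, "app": 120, "data": 20, "mgmt": 6}  # constructed peak host counts


def prefix_for(hosts_needed, headroom=2.0):
    """Prefix length of the smallest subnet whose usable addresses cover the planned
    hosts times a growth factor, so the subnet is defined broadly (2.4)."""
    required = math.ceil(hosts_needed * headroom)
    for prefix in range(SMALLEST_PREFIX, 7, -1):
        if 2 ** (32 - prefix) - AZURE_RESERVED_PER_SUBNET >= required:
            return prefix
    raise ValueError(f"{hosts_needed} hosts do not fit in any subnet")


def usable_hosts(subnet):
    return subnet.num_addresses - AZURE_RESERVED_PER_SUBNET


def plan_subnets(address_space, workloads, headroom=2.0):
    """Assign one subnet per workload, largest first, reusing leftover blocks so no
    part of the address space is stranded. Returns {workload: IPv4Network}."""
    free = [ipaddress.ip_network(address_space)]
    plan = {}
    demands = sorted((prefix_for(hosts, headroom), name) for name, hosts in workloads.items())
    for prefix, name in demands:
        # free is kept smallest-first, so this is the smallest block that still fits
        block = next((b for b in free if b.prefixlen <= prefix), None)
        if block is None:
            raise ValueError(f"no room for {name} (/{prefix}) in {address_space}")
        free.remove(block)
        if block.prefixlen == prefix:
            plan[name] = block
        else:
            chosen = next(block.subnets(new_prefix=prefix))
            plan[name] = chosen
            free.extend(block.address_exclude(chosen))  # hand the remainder back
        free.sort(key=lambda b: b.prefixlen, reverse=True)
    return plan


def overlaps(plan):
    """Pairs of planned subnets that overlap; must be empty for a valid VNet."""
    nets = list(plan.items())
    return [(a, b) for i, (a, na) in enumerate(nets) for b, nb in nets[i + 1:] if na.overlaps(nb)]


if __name__ == "__main__":
    for name, net in plan_subnets(ADDRESS_SPACE, WORKLOADS).items():
        print(f"{name:5} {str(net):<18} usable hosts: {usable_hosts(net)}")
```
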
2.5 Strong Cloud Network Controls / Logically segment subnets: Simplify network security group rule management by defining Application Security Groups.
Define an Application Security Group for lists of IP addresses that you think might change in the future or be used across many network security groups. Be sure to name Application Security Groups clearly so others can understand their content and purpose.

2.6 Strong Cloud Network Controls / Adopt a Zero Trust approach
Zero Trust networks eliminate the concept of trust based on network location within a perimeter. Instead, Zero Trust architectures use device and user trust claims to gate access to organizational data and resources.
It is the next evolution in network security. The state of cyberattacks drives organizations to take the “assume breach” mindset, but this approach shouldn’t be limiting. Zero Trust networks protect corporate data and resources while ensuring that organizations can build a modern workplace by using technologies that empower employees to be productive anytime, anywhere, in any way.
For new initiatives, adopt Zero Trust approaches that validate trust at the time of access.

2.7 Strong Cloud Network Controls / Adopt a Zero Trust approach: Give conditional access to resources based on device, identity, assurance, network location, and more.
Azure AD conditional access lets you apply the right access controls by implementing automated access control decisions based on the required conditions.

2.8 Strong Cloud Network Controls / Adopt a Zero Trust approach: Enable port access only after workflow approval.
You can use just-in-time VM access in Azure Security Center to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

2.9 Strong Cloud Network Controls / Adopt a Zero Trust approach: Grant temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it.
Use just-in-time access in Azure AD Privileged Identity Management or in a third-party solution to grant permissions to perform privileged tasks.

2.10 Strong Cloud Network Controls / Deploy perimeter networks for security zones
A perimeter network (also known as a DMZ) is a physical or logical network segment that provides an additional layer of security between your assets and the internet. Specialized network access control devices on the edge of a perimeter network allow only desired traffic into your virtual network.
Perimeter networks are useful because you can focus your network access control management, monitoring, logging, and reporting on the devices at the edge of your Azure virtual network. A perimeter network is where you typically enable distributed denial of service (DDoS) prevention, intrusion detection/intrusion prevention systems (IDS/IPS), firewall rules and policies, web filtering, network antimalware, and more. The network security devices sit between the internet and your Azure virtual network and have an interface on both networks.
Based on the Zero Trust concept, we recommend that you consider using a perimeter network for all high security deployments to enhance the level of network security and access control for your Azure resources.

2.11 Strong Cloud Network Controls / Optimize uptime and performance
A popular and effective method for enhancing availability and performance is load balancing. Load balancing is a method of distributing network traffic across servers that are part of a service. For example, if you have front-end web servers as part of your service, you can use load balancing to distribute the traffic across your multiple front-end web servers.
This distribution of traffic increases availability because if one of the web servers becomes unavailable, the load balancer stops sending traffic to that server and redirects it to the servers that are still online. Load balancing also helps performance, because the processor, network, and memory overhead for serving requests is distributed across all the load-balanced servers.
Employ load balancing whenever you can, and as appropriate for your services.

2.12 Strong Cloud Network Controls / Optimize uptime and performance: You have an application that:
- Requires requests from the same user/client session to reach the same back-end virtual machine. Examples of this are shopping cart apps and web mail servers.
- Accepts only a secure connection, so unencrypted communication to the server is not an acceptable option.
- Requires multiple HTTP requests on the same long-running TCP connection to be routed or load balanced to different back-end servers.
Use Azure Application Gateway, an HTTP web traffic load balancer. Application Gateway supports end-to-end SSL encryption and SSL termination at the gateway. Web servers are then relieved of the encryption and decryption overhead, with traffic flowing unencrypted to the back-end servers.

2.13 Strong Cloud Network Controls / Optimize uptime and performance: You need to load balance incoming connections from the internet among your servers located in an Azure virtual network. Scenarios are when you:
- Have stateless applications that accept incoming requests from the internet.
- Don’t require sticky sessions or SSL offload. Sticky sessions are a method used with application load balancing to achieve server affinity.
Use the Azure portal to create an external load balancer that spreads incoming requests across multiple VMs to provide a higher level of availability.

2.14 Strong Cloud Network Controls / Optimize uptime and performance: You need to load balance connections from VMs that are not on the internet. In most cases, the connections that are accepted for load balancing are initiated by devices on an Azure virtual network, such as SQL Server instances or internal web servers.
Use the Azure portal to create an internal load balancer that spreads incoming requests across multiple VMs to provide a higher level of availability.

2.15 Strong Cloud Network Controls / Optimize uptime and performance: You need global load balancing because you:
- Have a cloud solution that is widely distributed across multiple regions and requires the highest level of uptime (availability) possible.
- Need the highest level of uptime possible to make sure that your service is available even if an entire datacenter becomes unavailable.
Use Azure Traffic Manager. Traffic Manager makes it possible to load balance connections to your services based on the location of the user.
For example, if the user makes a request to your service from the EU, the connection is directed to your services located in an EU datacenter. This part of Traffic Manager global load balancing helps to improve performance because connecting to the nearest datacenter is faster than connecting to datacenters that are far away.

2.16 Strong Cloud Network Controls / Disable direct to internet RDP/SSH access to virtual machines
It’s possible to reach Azure virtual machines by using Remote Desktop Protocol (RDP) and the Secure Shell (SSH) protocol. These protocols enable the management of VMs from remote locations and are standard in datacenter computing.
The potential security problem with using these protocols over the internet is that attackers can use brute force techniques to gain access to Azure virtual machines. After the attackers gain access, they can use your VM as a launch point for compromising other machines on your virtual network or even attack networked devices outside Azure.
Disable direct RDP and SSH access to your Azure virtual machines from the internet. After direct RDP and SSH access from the internet is disabled, you have other options that you can use to access these VMs for remote management.

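An added example, not from the checklist, covering 2.1, 2.3 and 2.16 together: a first-match evaluator for inbound NSG rules in the 5-tuple shape of `az network nsg rule list` output, plus an audit that flags allow-everything rules and reports whether RDP or SSH is actually reachable from an outside address once rule priorities are applied. The rule set, VNet range and probe address are constructed, and the Internet service tag is approximated as "any address outside the VNet".

```python
"""Evaluate and audit inbound network security group (NSG) rules (2.1, 2.3, 2.16).

Added example, not code from the checklist. Rules are constructed in the shape of
`az network nsg rule list` output (name, priority, direction, access, protocol,
sourceAddressPrefix, destinationPortRange); the rule set, VNet range and probe
address are assumptions, and the Internet service tag is approximated as any
address outside the VNet.
"""
import ipaddress

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}  # an allow rule from here opens the port to the world
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")  # source of Azure load balancer probes
VNET = ipaddress.ip_network("10.1.0.0/16")  # constructed address space


def rule(name, priority, access, protocol, source, dest_port, direction="Inbound"):
    """Constructed record in the 5-tuple shape an NSG rule exposes."""
    return {"name": name, "priority": priority, "direction": direction, "access": access,
            "protocol": protocol, "sourceAddressPrefix": source, "sourcePortRange": "*",
            "destinationAddressPrefix": "*", "destinationPortRange": dest_port}


# The three default inbound rules every NSG carries; custom rules sit in front of them.
DEFAULT_INBOUND = [
    rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Constructed custom rules: a "temporary" troubleshooting rule was left in place
# ahead of the deny rule that was meant to keep RDP off the internet.
RULES = [
    rule("allow-https", 100, "Allow", "Tcp", "Internet", "443"),
    rule("temp-troubleshooting", 110, "Allow", "*", "0.0.0.0/0", "*"),
    rule("allow-rdp-from-bastion", 120, "Allow", "Tcp", "10.1.250.0/24", "3389"),
    rule("deny-rdp-internet", 4000, "Deny", "Tcp", "Internet", "3389"),
] + DEFAULT_INBOUND


def port_matches(r, port):
    ranges = r.get("destinationPortRanges") or [r["destinationPortRange"]]
    for spec in ranges:
        if spec == "*":
            return True
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def source_matches(prefix, ip, vnet):
    if prefix == "*":
        return True
    if prefix == "Internet":  # simplification of the service tag
        return ip not in vnet
    if prefix == "VirtualNetwork":
        return ip in vnet
    if prefix == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    return ip in ipaddress.ip_network(prefix, strict=False)


def evaluate(rules, src_ip, dst_port, protocol, vnet=VNET):
    """The matching rule with the lowest priority number decides, as Azure does."""
    ip = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=lambda x: x["priority"]):
        if r["direction"] != "Inbound" or r["protocol"].lower() not in ("*", protocol.lower()):
            continue
        if source_matches(r["sourceAddressPrefix"], ip, vnet) and port_matches(r, dst_port):
            return r["name"], r["access"]
    return None, "Deny"


def audit(rules, vnet=VNET, probe_ip="203.0.113.45"):
    """World-open allow rules (2.1) and management ports an outside address can
    actually reach once priorities are applied (2.16)."""
    findings = []
    for r in rules:
        if (r["direction"] == "Inbound" and r["access"] == "Allow" and r["priority"] < 65000
                and r["sourceAddressPrefix"] in ANY_SOURCE and r["destinationPortRange"] == "*"):
            findings.append(f"{r['name']}: allows every port from any source")
    for port, label in MANAGEMENT_PORTS.items():
        name, access = evaluate(rules, probe_ip, port, "Tcp", vnet)
        if access == "Allow":
            findings.append(f"{label} ({port}) reachable from the internet via '{name}'")
    return findings


if __name__ == "__main__":
    for line in audit(RULES):
        print(line)
```
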
2.17 Strong Cloud Network Controls / Disable direct to internet RDP/SSH access to virtual machines: Enable a single user to connect to an Azure virtual network over the internet.
Point-to-site VPN is another term for a remote access VPN client/server connection. After the point-to-site connection is established, the user can use RDP or SSH to connect to any VMs located on the Azure virtual network that the user connected to via point-to-site VPN. This assumes that the user is authorized to reach those VMs.
Point-to-site VPN is more secure than direct RDP or SSH connections because the user has to authenticate twice before connecting to a VM. First, the user needs to authenticate (and be authorized) to establish the point-to-site VPN connection. Second, the user needs to authenticate (and be authorized) to establish the RDP or SSH session.

2.18 Strong Cloud Network Controls / Disable direct to internet RDP/SSH access to virtual machines: Enable users on your on-premises network to connect to VMs on your Azure virtual network.
A site-to-site VPN connects an entire network to another network over the internet. You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection. You don’t have to allow direct RDP or SSH access over the internet.

2.19 Strong Cloud Network Controls / Disable direct to internet RDP/SSH access to virtual machines: Use a dedicated WAN link to provide functionality similar to the site-to-site VPN.
Use Azure ExpressRoute. It provides functionality similar to the site-to-site VPN. The main differences are:
- The dedicated WAN link doesn’t traverse the internet.
- Dedicated WAN links are typically more stable and perform better.

3.1 Secure Cloud Virtual Machines / Control VM access
If your organization has many subscriptions, you might need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into management groups (containers) and apply your governance conditions to those groups. All subscriptions within a management group automatically inherit the conditions applied to the group. Management groups give you enterprise-grade management at a large scale no matter what type of subscriptions you might have.
Use Azure policies to establish conventions for resources in your organization and create customized policies. Apply these policies to resources, such as resource groups. VMs that belong to a resource group inherit its policies.

3.2 Secure Cloud Virtual Machines / Control VM access: Reduce variability in your setup and deployment of VMs.
Use Azure Resource Manager templates to strengthen your deployment choices and make it easier to understand and inventory the VMs in your environment.
