How do I remove Azure network security config rules that blocked RDP and all SQL Server access on Azure VM? - azure-virtual-network

Azure network manager security configuration “NRMS-ZeroTrust...” created 54 inbound port rules on my Azure VM which closed my active RDP session and blocked all access to SQL Server.
Is anyone else having a similar issue with their Network Manager (preview)? A screen print of my Azure VM Networking and VNet Network Manager is below, although in preview it looks like Stack Overflow has blacked out the rule information you need to see.
I have selected “leave preview” but this didn’t remove the rules.
I see the Remove and update Azure Virtual Network Manager Preview components checklist, but I have no idea what “undeploy the security admin configuration deployment” means as there is no link in the doc. Unlike all the other Azure VM Networking Inbound Port Rules, you can't drill into or delete the rules created by the ZeroTrust config. Creating a rule to explicitly allow the IP of my workstation is ignored.

• You can surely ‘undeploy the security admin configuration deployment’ that has been enabled by accessing the NSG (Network Security Group) of your VM. Also, as you stated that the ‘Zero Trust’ configuration deployed has blocked your access to the VM through RDP and to the SQL Server, it is blocked because similar rules have been configured on the Azure Network Manager for the virtual network in which your VM is configured.
• Also, a security admin rule allows you to enforce security policy criteria that match the conditions set. You can only define security administrative rules for resources within the scope of the Azure Virtual Network Manager instance. These security rules have a higher priority than network security group (NSG) rules and will get evaluated before NSG rules. Also note that security admin rules don't change your NSG rules.
Security admin rules can be used to enforce security rules. For example, an administrator can deny all high-risk ports or protocols from the Internet with security admin rules, because these security admin rules are evaluated prior to all NSG rules, as has happened in your case.
• Thus, to configure the security admin configuration and modify the Zero Trust rule set for the network group of which your virtual network is a member, go to your VM’s NSG --> under ‘Support + Troubleshooting’, select ‘Effective security rules’; there, check the name of the ‘Associated Azure Network Manager’ and select it, then select the ‘Configurations’ option under ‘Settings’; there, check the security configuration rule collection set, modify the rules or remove them from that collection set, and save it. Once done, you should be able to access the VM over RDP and the SQL Server over its ports. In this way, you can modify the ‘Zero Trust’ network configuration rules for a VM.
Please find the below snapshot of the above said settings in my tenant: -
Please note that you need to have ‘Subscription Admin’ permissions to configure and modify the Network Manager settings. Also, refer to the below article for detailed configuration and deployment of Azure Virtual Network Manager: -
https://virtualizationreview.com/articles/2021/11/03/azure-virtual-network-manager.aspx

Related

NSG rules not replicated using Azure site recovery fail over

I have recently replicated my Azure VM using Azure Site Recovery and performed a test failover. I was disappointed to see the NSG rules and route table not reflected from source to target. If the network settings aren't reflected from source to target, I don't think it is of much use using Site Recovery. Am I missing any steps? I have also created an "Allow 443 port outbound rule" for the source NSG.
How to Create outbound HTTPS (443) rules for the Site Recovery IPs that correspond to the source location: Location-East US, Site Recovery IP address-13.82.88.226, Site Recovery monitoring IP address-104.45.147.24
Site Recovery does not create NSGs as part of the failover operation. It's recommended to create the required Azure NSGs before initiating failover. You can then associate NSGs with failed-over VMs automatically during failover, using automation scripts with Site Recovery’s powerful recovery plans. You can get more info about Azure-to-Azure replication with NSG.
For Azure VM replication, ensure that the NSG rules on the source Azure region allow outbound connectivity.
Like this example NSG configuration. Please note, you need to create outbound HTTPS (443) rules for the Site Recovery IPs that correspond to the target location in the source NSG, but create outbound HTTPS (443) rules for the Site Recovery IPs that correspond to the source location in the target NSG.
In this case, you want to create outbound HTTPS (443) rules for the Site Recovery IPs that correspond to the source location: Location-East US, Site Recovery IP address-13.82.88.226, Site Recovery monitoring IP address-104.45.147.24. It will look like this:

Host securely password protected static website, without creating security vulnerabilities, alongside other IIS websites

I would like to host a password protected static website on a server, and meet the following 2 requirements:
The static website credentials MUST NOT give any additional access to the hosting server.
The hosting must play nicely with other IIS hosted websites
The hosting server is running Windows 10 Pro.
I've identified 4 options:
Host it in IIS with Basic Authentication enabled
Host it in Apache, separate port, secure with .htpasswd file
Host it in Apache in a VM, use a bridged network, secure with .htpasswd file
Develop a middleware/route request authentication application
Option 1:
Evidently, this option requires a whole new User on the computer.
I do not understand the limitations of a new user's access.
When I hit WindowsKey + R, and run netplwiz, I can configure the user to belong to one of these groups:
Users(default): Users are prevented from making accidental or intentional system-wide changes and can run most applications.
Guest: Guests have the same access as members of the Users group by default, except for the Guest account, which is further restricted as described earlier.
IIS_IUSR: Built-in group used by Internet Information Services.
I cannot find the following information in any Microsoft docs:
How IIS_IUSR is "used" by IIS
If any of these groups restrict all access, other than viewing the Basic Auth website
An exhaustive list of permissions granted by the user login credentials, and each group
This method seems confusing and annoying at best, and a complete security failure at worst.
Option 2:
This seems more secure to me, because I can understand the limitations of the user access better.
Option 3:
This seems even more secure, because the hosting server is not directly accessed.
I do not know if this creates other security vulnerabilities though.
Option 4:
This one seems the most secure, because I have full understanding and control over the website's access.
This could take a lot of work though.
An organization can adopt the following policy to protect itself against web server attacks.
Patch management – this involves installing patches to help secure the server. A patch is an update that fixes a bug in the software. Patches can be applied to the operating system and the web server software.
Secure installation and configuration of the operating system
Secure installation and configuration of the web server software
Vulnerability scanning system – these include tools such as Snort, NMap, Scanner Access Now Easy (SANE)
Firewalls can be used to stop simple DoS attacks by blocking all traffic coming from the identified source IP addresses of the attacker.
Antivirus software can be used to remove malicious software on the server
Disabling Remote Administration
Default accounts and unused accounts must be removed from the system
Default ports & settings (like FTP at port 21) should be changed to custom ports & settings (FTP port at 5069)

Defending against Azure SQL data leakage from within a corporate network

I have a question around DLP (data leakage prevention) from a corporate network.
I have a Virtual Machine on a corporate network. The VM can access an Azure SQL DB in the cloud: aaa.database.windows.net through a connection over port 1433.
However, I don't want that same VM to connect to bbb.database.windows.net.
Azure offers no guarantees on the public IP (both servers could appear as the same IP) - what technology can I use on the corporate's perimeter network/firewall to permit access to aaa but disallow access to bbb?
The attack I am concerned about is someone internal to the company querying data out of aaa and inserting it into bbb. For example, if one server is ourcorporatedata.database.windows.net and the other is somerandom.database.windows.net, then someone internal to the company could take corporate data and write it to some random database.
Thanks
You can use Virtual Network service endpoints and rules. Virtual network rules are one firewall security feature that controls whether your Azure SQL Database or SQL Data Warehouse server accepts communications that are sent from particular subnets in virtual networks. Learn how to use it and benefits/limitations on this documentation.
If databases aaa and bbb have the same public IP address, I think there is no good way to configure the on-premise firewall to permit access to aaa but deny access to bbb. From the same client, the firewall rule will have the same source IP, protocol, port, and destination IP for outbound traffic.
If you want to selectively grant access to just one of the databases in your Azure SQL server, you can create a database-level rule for only the required database. Also, specify an IP address range for the database firewall rule that is beyond the IP address range specified in the server-level firewall rule, and ensure that the IP address of the client falls in the range specified in the database-level rule. Server-level rules allow access to the Azure SQL server, which means that the client will have access to all the databases stored on that SQL server. Refer to this doc.
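The server-level versus database-level distinction from the answer above, as an added T-SQL example (not from the original answer or from Microsoft's docs). The server name aaa is from the question; the database name CorpData and the client range 203.0.113.10-203.0.113.20 are constructed assumptions.

```sql
-- Added example: scope firewall access to a single database on the logical server
-- aaa.database.windows.net instead of the whole server. Names and IP range are assumed.

-- Step 1 (run while connected to the master database): a server-level rule admits
-- the client range to EVERY database on the server, so confirm no such rule covers
-- the workstation range. Delete one if it does (uncomment with the real rule name).
SELECT name, start_ip_address, end_ip_address
FROM   sys.firewall_rules;
-- EXECUTE sp_delete_firewall_rule @name = N'AllowCorpRange';

-- Step 2 (run while connected to the CorpData database, not master): create a
-- database-level rule. Only CorpData accepts connections from this range; other
-- databases on the same server still reject the client, because no server-level
-- rule covers it.
EXECUTE sp_set_database_firewall_rule
    @name             = N'CorpData_AllowWorkstations',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.20';

-- Step 3: verify. Database-level rules are only visible from within that database.
SELECT name, start_ip_address, end_ip_address
FROM   sys.database_firewall_rules;

-- Cleanup when the access is no longer needed:
-- EXECUTE sp_delete_database_firewall_rule @name = N'CorpData_AllowWorkstations';
```

Pair this with the auditing the next answer describes, since the database-level rule limits which databases a client can reach on aaa but does nothing about the client connecting elsewhere.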
The current VPN feature in SQL Azure does not directly prevent this (but please look for future updates where this is planned for the service endpoints feature for SQL Azure). However, there are various mitigations you can use to detect or reduce the ability to do this:
You can enable auditing on the aaa database. This can detect all logins and major state changes to the DB. (Detect)
You can reduce the permissions for various kinds of users on the database to the bare minimum and use features which further reduce the size of the data that a customer can copy out of the database at all. This includes row-level security, data masking, Always Encrypted (which you would lock down to a specific app/user to be able to decrypt sensitive data in the client - other clients without the key just get ciphertext), etc.
Use firewall rules (as stated in the other answers) to restrict which clients can connect to the database at all - then you can restrict where they can connect with permissions.
Please note that SQL Azure's logical servers do not generally imply that every customer database in that server has the same IP. Currently there is a knob in service endpoints (docs page is currently down so I can't get you a link atm) to configure whether you go through the per-region gateway or not. If you don't (recommended), you would see the IP of the hosting node and this can change over time. The Service endpoints feature will give VPN users more control for network-level rules going forward, but some of these features have not yet landed in production. I encourage you to mitigate with other steps (above) until that is available to you.

Difference between Agent User ID and user/ password while configuring replication agent AEM

What is the difference between Agent User ID (Settings tab) and User/Password (Transport tab)? Please share the scenarios for both when configuring the replication agents in AEM.
This is well documented in Adobe's documentation here
The context that is missing is understanding how ACLs work: each user/group has certain privileges/rights, which outside normal CRUD operations include Read ACL, Edit ACL and Replicate. You can read about them here
Now coming to your question, a replication agent has host configuration (the system on which it is setup) and target configuration (the system it connects to). Agent User ID is used for the host system while User/Password on transport tab is for the target system.
For a replication agent on author, the user used in Agent User ID must have read and replicate rights on all paths that need to be processed, whereas the user specified in User/Password on the transport tab must have create/write access to replicate the content on the Publish instance.

Jelastic configure firewall

I'm using Jelastic for my application and I just installed Apache for it. The problem is that I need to set up a firewall for it, like iptables or other; after all, it is a web application and it needs security.
How can I do that?
The host said to me, that the only way is to use VDS and I should configure a VDS for me, installing Apache, FTP and transfer my application to there.
But I can believe that there is no way to protect the Apache.
Thank you in advance.
The available options vary depending on your hosting provider. For example, the Jelastic platform gives hosting providers and private cloud customers the ability to define a set of default firewall rules for each newly provisioned node.
Additionally, since Jelastic 4.1, there is an option for the provider to define additional custom firewall rules for any specific container. At the moment this functionality is only accessible from the provider's side, so it means you need to work with your provider's support team.
If you don't want to do that, or your chosen Jelastic provider does not offer good support, you can either:
Use an unmanaged node type in your Jelastic environments, such as the Elastic VPS or Docker nodes. Here you have full root access to define whatever firewall rules you desire.
Use application server rules to restrict access according to IP. E.g. inside your httpd.conf (which you already have full access to customise)
In a recent release, Jelastic introduced the possibility to manage inbound and outbound firewall rules at the container level right through the interface. The detailed instructions are here.