Tuesday, March 20, 2018

Exploring Azure DNS Analytics

You would be hard-pressed to find a security benchmark that does not talk about controlling outbound connections.  Generally, one would tackle this problem by doing one of the following:

- Outbound firewall
- Web Proxy
- Services such as OpenDNS

In Azure, it can become somewhat onerous to deploy any of the solutions above.  It isn't that it is impossible; it is that you generally want to shy away from creating or adding more gear to support this type of activity.  Further, OpenDNS can become kind of a pain when you have to specify IP addresses to enforce rules.

That is why I was super excited when Azure announced the DNS Analytics solution in OMS.  While it lacks any proactive capabilities, I can now use this solution in OMS to help me understand what DNS queries are being made in my environment.  I also get the power of Azure Security as it analyzes my DNS requests for communication with any malicious domains.

You can read more about the solution here.

After having this solution turned on for a few days now, I've noticed the following:

- I hate how IE defaults to MSN as homepage, even for servers
- My servers are all configured to hit windows update directly, I should probably change that :S
- There are lots of Azure addresses that get hit as part of normal operation.  Opinsights, automation, etc, and they all use different domain names.
- My servers are all dynamically registering properly, with no failures

I'm skipping a lot of screenshots here because the documentation was pretty in-depth.  Here is what gets stored in Log Analytics for the DNS solution.


In short, I think this is a great service, and a must-have when you set up OMS to help monitor your Azure environment.

Friday, March 16, 2018

Reporting on Azure Application Security Groups

In my last two posts, we have been talking about Azure Application Security Groups.  The goal of this post is to create a small PowerShell script that we can use to audit/report on the assignment of the groups against NIC resources.

The script below essentially goes through each NIC and looks at its IpConfigurations.  If an application security group is present on any of them, it displays it in a list.

The script is a little rough, but it does the trick for now. Enjoy!


param(
    [Parameter(Mandatory = $true)][string]$subscriptionId,   # subscription to audit
    [string]$resourceGroupName                                # optional: limit the report to one resource group
)

"Authenticating to Azure..."
$azureLogin = Get-AzureRmContext
if ($azureLogin.Subscription.Id -ne $subscriptionId){
    # The current context is not the requested subscription: log in to it, then re-check
    Login-AzureRmAccount -SubscriptionId $subscriptionId
    $azureLogin = Get-AzureRmContext
    if ($azureLogin.Subscription.Id -ne $subscriptionId){
        throw "This session is NOT logged in with the subscription id $subscriptionId"
    }
}

if ($resourceGroupName){
    $nics = Get-AzureRmNetworkInterface -ResourceGroupName $resourceGroupName
} else {
    $nics = Get-AzureRmNetworkInterface
}

$nicObjects = @()

foreach ($nic in $nics){
    $nicName = $nic.Name
    $applicationSecurityGroups = @()
    # A NIC can carry several IP configurations, each with its own list of ASG references (by ID)
    foreach ($secGroup in $nic.IpConfigurations.ApplicationSecurityGroups){
        $secGroupResource = Get-AzureRmResource -ResourceId $secGroup.Id
        $applicationSecurityGroups += "{0}/{1}" -f $secGroupResource.ResourceGroupName, $secGroupResource.Name
    }
    $nicObject = New-Object System.Object
    $nicObject | Add-Member -MemberType NoteProperty -Name "name" -Value $nicName
    $nicObject | Add-Member -MemberType NoteProperty -Name "Application Security Groups" -Value ($applicationSecurityGroups)

    $nicObjects += $nicObject
}

$nicObjects | Format-Table

Tuesday, March 13, 2018

Applying Azure Application Security Groups

In a previous post, I discussed the initial steps to creating application security groups in ARM templates.  This post takes this one step further and applies them to a NIC.  For reference, the Network Interface ARM template schema can be found here.

Fundamentally, application security groups are an array of groups that can be applied to a specific IP configuration on a specific NIC.  I think this is a really elegant place to attach these constructs, and it will allow for some interesting designs in the future.

Here is a quick ARM template of a bare-bones network interface with an associated application security group.

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "variables": {},
    "resources": [ {
        "type": "Microsoft.Network/networkInterfaces",
        "name": "IISWebServer-NIC1",
        "apiVersion": "2017-10-01",
        "location": "[resourceGroup().location]",
        "properties": { "ipConfigurations": [ {
            "name": "ipconfig1",
            "properties": {
                "subnet": { "id": "[concat(resourceId('Microsoft.network/virtualNetworks','appsecurity'),'/subnets/', 'default')]" },
                "applicationSecurityGroups": [ {
                    "id": "/subscriptions/xxxx/resourceGroups/testappsecuritygroups/providers/Microsoft.Network/applicationSecurityGroups/IISWebServers"
                } ]
            }
        } ] }
    } ],
    "outputs": {}
}

As with a lot of ARM template constructs, application security groups are referenced via ID.  If you are creating a parameterized version of the above, you will need to pass in both the resource group and the name of the application security group.
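The same audit the PowerShell script above runs against live NICs can be done against a template before it is deployed. The example below is added here and is not the post's own code: it walks a constructed ARM template modelled on the NIC above, resolves each literal ASG ID into resource group and name (the two values a parameterized version has to pass in), and flags IP configurations with no ASG at all. Key lookups are case-insensitive because ARM treats "ApplicationSecurityGroups" and "applicationSecurityGroups" as the same property; the template content and NIC names are assumptions for the example.

```python
import json
import re

# Constructed sample template modelled on the NIC template in the post (not the author's
# file): one NIC with an ASG on its IP configuration and one NIC with none.
TEMPLATE = json.loads(r'''{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.Network/networkInterfaces", "name": "IISWebServer-NIC1", "apiVersion": "2017-10-01",
     "properties": {"ipConfigurations": [{"name": "ipconfig1", "properties": {
       "ApplicationSecurityGroups": [{"id": "/subscriptions/xxxx/resourceGroups/testappsecuritygroups/providers/Microsoft.Network/applicationSecurityGroups/IISWebServers"}]}}]}},
    {"type": "Microsoft.Network/networkInterfaces", "name": "Jumpbox-NIC1", "apiVersion": "2017-10-01",
     "properties": {"ipConfigurations": [{"name": "ipconfig1", "properties": {}}]}}
  ]
}''')

# Layout of an application security group resource ID (ARM compares IDs case-insensitively).
ASG_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Network/applicationSecurityGroups/(?P<name>[^/]+)$",
    re.IGNORECASE)

def get_ci(obj, key, default=None):
    """Case-insensitive key lookup: ARM accepts 'ApplicationSecurityGroups' and
    'applicationSecurityGroups' as the same property, so the audit must too."""
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    return default

def parse_asg_id(asg_id):
    """Return 'resourceGroup/name' for a literal ASG ID, or None for anything else
    (e.g. an unresolved '[resourceId(...)]' expression in a parameterized template)."""
    m = ASG_ID.match(asg_id)
    return f"{m['rg']}/{m['name']}" if m else None

def audit_template(template):
    """Map 'nicName/ipConfigName' -> ASG labels; an empty list flags an IP
    configuration that no ASG-based NSG rule will ever match."""
    report = {}
    for res in get_ci(template, "resources", []):
        if get_ci(res, "type", "").lower() != "microsoft.network/networkinterfaces":
            continue
        for ipconf in get_ci(get_ci(res, "properties", {}), "ipConfigurations", []):
            asgs = get_ci(get_ci(ipconf, "properties", {}), "applicationSecurityGroups", [])
            key = f"{get_ci(res, 'name')}/{get_ci(ipconf, 'name')}"
            report[key] = [parse_asg_id(get_ci(a, "id", "")) or get_ci(a, "id", "") for a in asgs]
    return report
```

Calling audit_template(TEMPLATE) reports IISWebServer-NIC1/ipconfig1 as bound to testappsecuritygroups/IISWebServers and Jumpbox-NIC1/ipconfig1 with an empty list, which is the gap a reviewer wants to see before the template is deployed.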