Home Tags Azure security

Tag: Azure security

Azure Security Center Now Guards Windows Server 2016 VMs

Microsoft has added Windows Server 2016, its latest server operating system, to the roster of virtual machines supported by its Azure Monitoring Agent cloud-based threat protection offering. With the holidays out of the way, Microsoft has returned to r...

Azure customer saves Microsoft from an RHEL disaster

Broken authentication, improperly secured configuration files, and poor certificate management: Attackers could have exploited these issues to compromise any RHEL (Red Hat Enterprise Linux) instance on Microsoft Azure. Ian Duffy, an Irish software engineer with the e-commerce company Zalando, discovered these flaws when creating a machine image of RHEL that was compliant with the Security Technical Implementation Guide defined by the Department of Defense. Microsoft has since fixed these problems, but they offer an object lesson in the hazards of poorly implemented cloud security. The client configuration files in Azure's Red Hat Package Manager contain build host information that could be used to discover all of Azure's Red Hat Update Appliances, Duffy said. The Red Hat Update Appliance is part of the Red Hat Update Infrastructure, which lets cloud platforms like Microsoft Azure and Amazon Web Services run local yum repositories, instead of having individual RHEL instances connect to Red Hat servers every time they need to update a package or install a new application. Both Azure and AWS manage a Red Hat Update Appliance for each region, and each RHEL instance connects to the region's appliance when running yum to install or update packages. Duffy found it was possible to discover all of Azure's Red Hat Update Appliances and gain administrator access in order to upload compromised packages to the servers. Attackers could gain control over all Azure RHEL instances that executed yum against the compromised appliance and received the tampered files. "In theory ... one could have gained root access to all virtual machines consuming the repositories by releasing an updated version of a common package and waiting for virtual machines to execute yum update," said Duffy. Exposed update servers Duffy was trying to create a secure RHEL image that could be used on Azure and AWS when he uncovered the configuration files and the Red Hat Update Appliances. All the servers were exposing their REST APIs over HTTPS. An application called rhui-monitor.cloudapp.net running on port 8080 (rhui-monitor.cloudapp.net is included in the PrepareRHUI package that runs on all Azure RHEL instances) let him look into the archives containing logs, more configuration files, and the SSL certificates granting full administrative access to the Red Hat Update Appliances. Though the application required username and password authentication, Duffy found it was possible to run a back-end log collector and obtain the URLs to the archives without any credentials. The SSL certificates were the same for every instance, and it was possible to copy the SSL certificates from one RHEL instance to another on Azure and still authenticate on the appliance, Duffy found. This wasn't the case with AWS, as the instance also needed to boot from a correctly configured Amazon Machine Image (AMI) before it could use the SSL certificate. Microsoft immediately took steps to prevent public access to rhui-monitor.cloudapp.net and the Red Hat Update Appliances. The company told Duffy it has rotated all secrets, so even if the certificates had been maliciously copied, the attackers would no longer be able to access the appliances in this manner. The appliances were exposing their REST APIs over HTTPS, which meant attackers with full administrator access could upload their own packages into the appliance. Any RHEL instance on Azure running yum to obtain a package with that same name would automatically receive that modified package, not the official one served by Red Hat. All Azure RHEL images are configured without GPG validation checks, so clients built off that image would not be able to tell the package had been tampered with. Since the packages frequently execute as root, the attacker would gain full control over the RHEL instance. A specially crafted package capable of encrypting the entire virtual machine could lead to a ransomware attack on a massive scale. Or vandals could take over every RHEL instance for fun. "[Compromising updates] would just be a case of bumping the version number and releasing a package under the same name," Duffy said. Exposed storage accounts The issue with the update appliances would have given attackers access to every compromised RHEL instance on Azure, but a different vulnerability within the mandatory Microsoft Azure Linux Agent (WaLinuxAgent) would have had a "much more widespread" impact, Duffy said. The Red Hat Enterprise Linux image available on the Microsoft Azure Marketplace had a vulnerable version of WaLinuxAgent that exposed the administrator API keys for the storage account used by the virtual machine. With the API key, the attacker could download virtual hard disks for any RHEL instances using that storage account. Since multiple virtual machines shared a single storage account, an attacker could download multiple virtual hard disks at a time. Azure administrators should check to make sure they aren't using RHEL image with the vulnerable agent, WaLinuxAgent 2.0.16. Shared responsibility on the cloud Microsoft has clearly spelled out the expectations for securing its cloud platforms in the Shared Responsibilities for Cloud Computing and Microsoft Azure Security Response in the Cloud whitepapers. Microsoft will take care of all the security for its buildings, servers, networking hardware, and the hypervisor for organizations using Azure for IaaS. The operating system, network configuration, applications, identity management, client security, and data remain under IT control. In this case, because the issue lay with the fact that the appliances and applications were publicly accessible, the fix was Microsoft's responsibility. However, that doesn't absolve IT administrators from regularly monitoring the instances for unusual activity or checking what packages are being installed on their machines. Just because the provider is responsible for that portion of cloud security doesn't mean IT administrators can ease their vigilance.

Microsoft Launches Azure ExpressRoute

Microsoft officially flips the switch on its business-friendly, high-performance hybrid cloud connection service and introduces new Azure-powered file, security and disaster recovery solutions. Microsoft Azure E...

Microsoft boosts Windows Azure security with multi-factor authentication

Microsoft has added an additional layer of security, called multi-factor authentication, to its Windows Azure public cloud platform to provide increased access security and convenience for IT and users while accessing cloud applications. The new security tool provides Microsoft cloud users with secure access to on-premises and cloud applications from anywhere in the world. In addition to a user name and password, Windows Azure users will be able to authenticate via a mobile phone app, an automated voice call or a text message with a passcode, said Steven Martin, general manager of Windows Azure at Microsoft. “Identity and access management is an anchor for security and top of mind for enterprise IT departments. It is key to extending anytime, anywhere access to employees, partners and customers,” Martin wrote on Microsoft’s official blog. The multi-factor authentication feature can be configured by IT for cloud applications and “meets user demand for a simple sign-in experience”, he added. The cloud computing sector is forecast to grow at a pace of 36% every year, reaching revenues of $20bn (£12.7bn) by 2016. But a recent Gartner report revealed that users of cloud services – especially software as a service (SaaS) – are finding security provisions inadequate. Ambiguous terms around data confidentiality, data integrity and recovery after a data breach lead to dissatisfaction among cloud services users, Gartner analysts found.

As a result, they called for more transparency and better risk management in cloud services. Meanwhile, research by Ponemon Institute in March 2013 revealed that half of IT leaders are concerned about the security of cloud computing resources. By deploying the authentication server on existing hardware or in a Windows Azure virtual machine, users will be able to synchronise with their Windows Server Active Directory for automated user setup and secure access to on-premises virtual private networks (VPNs) and web applications, according to Microsoft. There are two billing options for Windows Azure multi-factor authentication – per user and per authentication. From 1 November 2013, it can be purchased for $2 per user per month for any number of authentications or $2 a month for 10 authentications. Users can also set up multi-factor security for other Microsoft cloud services such as Office 365, and Dynamics CRM. “Windows Azure multi-factor authentication is a managed service that makes it easy to securely manage user access to Windows Azure, Office 365, Intune, Dynamics CRM and any third-party cloud service that supports Windows Azure Active Directory,” said Scott Guthrie, corporate vice-president for Windows Azure.  The security feature can be also used to control access to IT’s custom applications that have been developed and hosted within the cloud platform. Email Alerts Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners.

If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from ComputerWeekly.com