In the second of this blog series, I’ll take you through the remaining workload protection features in ‘Microsoft Defender for Cloud’. If you have not read part 1, here is the link.
In my previous blog, I could not cover all the features under ‘Workload Protection’; So, I’ll cover rest of them below in this blog.
- Just-In Time VM access
- File Integrity Monitoring
- Network Map
- Container Image Scanning
- SQL Vulnerability assessment
Just-In Time VM Access:
Security is a major challenge for organizations running mission critical applications on cloud. One of the biggest risks from hackers come via open ports, and Microsoft Defender for Cloud provides a great option to manage this threat using Just-in-Time VM access.
With Just-in-Time VM access, you can define what VM and what ports can be opened and controlled and for certain duration. Just-in-Time (JIT) access locks down and limits the ports of Azure VMs in order to overcome malicious attacks on the virtual machine, therefore only providing access to a port for a limited amount of time. Basically, you block all inbound traffic at the network level.
When JIT access is enabled, each user access request will be through Azure role based access control (RBAC), and access will be granted only to users with the right credentials. Once a request is approved, the Defender for Cloud automatically configures the network security groups (NSGs) to allow inbound traffic to these ports – only for the requested amount of time, after which it restores the NSGs to their previous states.
How to enable JIT?
Just-In-Time VM access can be enabled in 2 ways,
1. Using Microsoft Defender for Cloud
- Go to Microsoft Defender for Cloud Workload Protection
- Click on ‘Just-In-Time VM access’ as shown in below screenshot
- Click on respective VM and select ‘Enable JIT on 1 VM’
2. Using Virtual Machine blade
- Go to respective VM Click on ‘Configuration’
- Click on ‘Enable Just-In-Time’
Once you select either of the options, it will then show a list of recommended ports. It is possible to add additional ports as per requirement. The default port list is show below.
Now click on the port that you want to restrict. A new tab will appear with information on the protocol to be allowed, allowed source IP (per IP address, or a CIDR range).
An important thing to note is the request time. The default time is 3 hours; it can be increased or decreased as per the requirement. Then click, OK.
Click OK and the VM will appear in the Just-in-Time VM access window in the Microsoft Defender for Cloud.
Changes observed at NSG when JIT is enabled:
JIT will create a new Deny rule with a priority less than the original Management port’s Allow rule in the Network security group’s (NSG) Inbound security rule.
If the VM is behind an Azure firewall, the same rule overwrite occurs in the Azure firewall as well.
Connect to JIT enabled VMs:
- Go to JIT window under Workload Protection
- Select the VM that you need to access and click on ‘Request access’
This will take you to the next page where additional details need to be provided for connectivity such as,
- Click ON Toggle
- Provide Allowed IP ranges
- Select time range
- Provide a justification for VM Access
- Click on Open Ports
Request access from VM blade:
This process will overwrite the NSG Deny rule and create a new Allow rule with less priority than the Deny All inbound rule or the selected port.
File Integrity Monitoring (FIM):
FIM also known as Change Monitoring, helps you monitor Windows registry, operating system files, application software, system files and all the changes that might indicate an attack
How FIM works?
- All the VMs should have Log analytics agent installed so that data can upload to workspace.
- By comparing the current state of items with the state during the previous scan. FIM notifies if suspicious modification been made recently.
- Once you enable and initialize FIM on your log analytics workspace, it might take up to an hour time to complete.
- Upon completion, it is going to open up the FIM dashboard and populate based on the results from the workspace.
- The Settings button won’t be active if you do not have right access privilege such as Security Admin/ Reader role to make changes.
- When you click on ‘Settings’, it comes straight to the blade shown below. You can configure here what do you want to monitor. Few things are enabled, and few are not enabled.
- Once you have configured the settings, changes would appear like below screenshot.
- Click on VM to see what kind of changes happened yesterday under the category with Added/ Removed/ Modified entries.
Network Map provides a graphical view with security overlays giving you recommendations and insights for hardening your network resources.
Network Map provides a default view of topology only for the resources that have network recommendations with a high or medium severity. Map is optimized for the subscriptions you selected in the portal. If you modify your selection, the map is regenerated with the new selections.
Network Map topology view:
- In the inner circle, you can see all the Vnets within your selected subscriptions, the next circle is all the subnets, the outer circle is all the virtual machines.
- The lines connecting the resources in the map let you know which resources are associated with each other, and how your Azure network is structured.
- Click on any resources to drill down further into them and view the details
It provides you with a map of all the possible traffic between your resources. This provides you with a visual map of all the rules you configured that define which resources can communicate with whom. This enables you to see the existing configuration of the network security groups as well as quickly identify possible risky configurations within your workloads.
Click on Allowed Traffic to view detailed report analysis.
Container Image Scanning:
Vulnerability scanning for Container images is powered by Qualys, a leading provider of information security. This is very similar to vulnerability assessment of VM. When you push an image to Container Registry, Defender for Cloud automatically scans it, then checks for known vulnerabilities in packages or dependencies defined in the file. When the scan completes, Defender for Cloud provides details and a security classification for each vulnerability detected, along with guidance on how to remediate issues and protect vulnerable attack surfaces.
If you don’t have an Azure Container Registry (ACR) deployed in Azure, please follow below steps to create one:
#! Create a dedicated Resource Group for Azure Container Registry az account set --subscription " 12ec4b14-c098-499d-bf56-584f0b926fe9" az group create --name rg-acr-demo --location southeastasia
#! Create Azure Container Registry with Basic SKU #! The Basic SKU is a cost-optimized entry point for development purposes that provides a balance of storage and throughput. #! For production deployment, you want to look at the 'Standard' and 'Premium' SKUs az acr create --resource-group rg-acr-demo --name acrtestdemo678 --sku Basic
Once the container registry is deployed, you can get the details and then log in with the following commands:
It takes more than 30 min. for Defender for Cloud to provide any vulnerability remediation suggestion.
SQL Vulnerability Scanning:
Security is at the top of the list as data breaches are increasing year on year and there is a need to protect sensitive data stored in the databases. Microsoft Defender for Cloud database security allows you to protect your entire database estate, by detecting common attacks, supporting enablement, and threat response for the most popular database types in Azure.
- The types of protected databases are:
- Azure SQL Databases
- SQL servers on machines
- Open-source relational databases (OSS RDB)
- Azure Cosmos DB
For any existing database server, it can be enabled by navigating to the Advanced Data Security under the Security heading. This will ask a storage account to be connected for storing the scan results. You can use any existing storage account or create a new one, but a storage account is mandatory as it will store the scan results.
Run a Scan:
- You can run a scan as shown below:
- Once the scan is completed, the results can be read on the portal or can be exported to excel. The report displays high-level information about the items scanned with the numbers of passed and failed checks. It further categorizes the failed checks in the order of the Risks.
The vulnerability assessment tool makes it extremely simple to implement the security features in just a few clicks. It also offers great visibility in the database and strengthens the database security structure.
This marks the end of Workload protection with advanced protections features of ‘Microsoft Defender for Cloud’. Hope this is helpful and reach out to me for any queries. Happy reading!