Best tip ever for Azure Security – Security Center built-in policies

Since the inception of ASC (Azure Security Center) Security Policies, I've been recommending attaching security policies to the subscription or management group.

The best part is that the deployment is handled for you by ASC, provided you've enabled and configured the ASC policies in the first place.

  • On a side note, once you get comfortable with policies you'll want to add region restrictions plus a bunch of best-practice policies, but that will be part of another blog post.

ASC’s default policy initiative

ref: https://docs.microsoft.com/en-us/azure/security-center/security-center-azure-policy 

With ASC's default policy initiative you get to audit and monitor the following controls proactively:

  • Compute And Apps (14 out of 14 policies enabled)
  • Data (12 out of 12 policies enabled)
  • Identity (10 out of 10 policies enabled)


How to assign ASC’s default policy initiative?

If for some reason this isn't set up for you, check the following setting in Security Center:

  • Once you've understood how your inheritance and ASC plan are configured, you can enable the policies with one simple control: 'Assign Security Policy'.

Once the policies are in effect, you'll begin to see the results of the evaluation:

  • 289 resources evaluated 🙂 – How great is this!


Highly recommended!

Br, Joosua


Creating Custom Multi-Factor Authentication Client with Azure Functions

I used to do quite a bit of availability testing in the past, but never got to test how virtual login flows would work with transient (non-persistent) one-time passwords.

It wasn't until recently that I got an assignment to build something that monitors an MFA system. During the assignment I stumbled on something called PyOTP, which pairs quite well with Azure Functions. After the assignment was over I decided to write this blog post to share some details.

This post covers the creation of an MFA client using Azure Functions and PyOTP. If you're interested in how one-time passwords work, check the RFCs listed in the prerequisites below (RFC 4226 for HOTP, RFC 6238 for TOTP) for in-depth information.

Disclaimer: The information in this weblog is provided “AS IS” with no warranties and confers no rights.

How does it work?

Prerequisites:

  1. An Azure subscription in which you can create Azure Functions
  2. An MFA implementation compatible with RFC 4226 (HOTP) and RFC 6238 (TOTP)
    • Examples: Microsoft MFA, RCDevs OpenOTP and many others

Azure Functions

  • Create a new Azure Function App (the consumption plan will suffice)
  • Locate Platform features and select Advanced Tools (Kudu)

  • Update the Python version to 3.5.2 using the guide Azure Functions Python
    • I opted to install 'python-3.5.2-embed-win32'
      • Slightly earlier or later versions should work just as well, I suppose
    • Drag & drop the zip archive to d:\home\site\tools (it will unzip automatically)

PyOTP

This part covers the installation of PyOTP, a Python library for generating and verifying one-time passwords. Read more at https://github.com/pyotp/pyotp

  • Install PyOTP from the PowerShell or CMD console in Kudu:

Python -m pip install pyotp --target=d:\home\site\tools


Fetch the key from your MFA solution:

In this example I use Microsoft MFA.

  • Open the MFA Enroll URL
    • Select ’Configure app with notifications’ and take note of the ’Secret Key’


  • Create a Python HTTP trigger
    • Remember to toggle 'Experimental Language Support = Enabled'

  • Test the function with the MFA key fetched from MFA and inserted into the code.
    • In production code you would not want the secret key in plaintext (an app setting or Key Vault reference is the usual home for it); for this prototype I opted for the low-hanging fruit :)...
import os
import platform
import pyotp

# Handy while debugging the Kudu-installed runtime: confirms the function runs on the 3.5.x interpreter
print("Python == ", platform.python_version())

# The base32 'Secret Key' shown during MFA enrollment. Plaintext here for the prototype only.
totp = pyotp.TOTP('YourMFAKeyHere')
code = totp.now()  # already a zero-padded string, no str() conversion needed

# Experimental (v1) Python functions return the HTTP body by writing to the file named in the 'res' environment variable
with open(os.environ['res'], 'w') as response:
    response.write(code)
  • The output should now display the OTP in the response
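The RFCs referenced in the prerequisites and the plaintext-key caveat above, worked through as an added example that is not code from the original post or from the PyOTP project. It implements HOTP (RFC 4226) and TOTP (RFC 6238) directly with the standard library, decodes an authenticator-style base32 secret key like the one Microsoft MFA shows at enrollment, verifies a code with a small clock-skew window (the same thing the verifying side of your MFA system does), and reads the secret from a Function App setting instead of a literal. The setting name MFA_SECRET is an assumption; the test secret is the one published in the RFC appendices.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Test secret published in RFC 4226 Appendix D and RFC 6238 Appendix B (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                    # low nibble of the last byte selects the 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)          # keep leading zeros (e.g. "07081804")


def totp(secret, for_time=None, step=30, digits=6, algorithm=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    now = time.time() if for_time is None else for_time
    return hotp(secret, int(now // step), digits, algorithm)


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1):
    """Accept the current step plus or minus `window` steps to tolerate clock drift between
    generator and verifier; compare in constant time so the check does not leak via timing."""
    now = time.time() if for_time is None else for_time
    counter = int(now // step)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), str(code)):
            return True
    return False


def decode_base32(key):
    """Authenticator secret keys (Microsoft MFA, Google Authenticator, pyotp) are base32, often
    displayed lowercase in space-separated groups and without the '=' padding b32decode requires."""
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def secret_from_settings(setting_name="MFA_SECRET", env=None):
    """Read the base32 key from a Function App setting rather than a literal in the code.
    App settings are exposed to the function as environment variables; MFA_SECRET is an assumed name."""
    env = os.environ if env is None else env
    key = env.get(setting_name)
    if not key:
        raise RuntimeError("app setting %s is not configured" % setting_name)
    return decode_base32(key)


if __name__ == "__main__":
    # Stand-alone demo with the RFC test secret; inside the function you would write the code to os.environ['res'].
    secret = decode_base32(base64.b32encode(RFC_TEST_SECRET).decode())
    print("HOTP counter 0 :", hotp(secret, 0))
    print("TOTP at T=59   :", totp(secret, 59, digits=8))
    print("TOTP now       :", totp(secret))
```

For a monitoring client the `verify_totp` window matters in reverse: the function above returns a code for the current 30-second step, so a login attempt that lands a step later still succeeds with the usual one-step tolerance, but a queued attempt two steps later will not, which is worth remembering when interpreting a failed synthetic login.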

Consuming OTPs

  • Choose your coding/scripting language and just add a simple REST call to it:
    • Get the key for calling the function from 'Get function URL', and add the call to the part of the code where you fetch the OTP and deliver it for verification

    • If possible, limit calls to the function to a certain range of IPs (not required for this to work, but worth considering: anyone holding the function URL and its key can otherwise fetch valid OTPs for your account)

Below is the snippet of the part where the OTP is delivered to the login form:

  • PowerShell is just too easy, and keeps me from learning new languages :)... so I opted for it (once again) to create the prototype:
# Assemblies needed for AppActivate and SendKeys
Add-Type -AssemblyName Microsoft.VisualBasic
Add-Type -AssemblyName System.Windows.Forms

# Fetch the current OTP from the Azure Function (the function URL carries the function key)
$OTP = [string](Invoke-RestMethod -UseBasicParsing -Uri "APIURIHERE" -Method Post)
$keys = $OTP.ToCharArray()

# $ieProc is the browser process object obtained earlier in the login script (not shown here)
[Microsoft.VisualBasic.Interaction]::AppActivate($ieProc.Id); Start-Sleep -Seconds 1

# Type the OTP one digit at a time into the focused login form field
foreach ($key in $keys)
{
    Start-Sleep -Milliseconds 20
    [System.Windows.Forms.SendKeys]::SendWait("{$key}")
}


Hope this helps somebody 🙂 – I for sure had a blast doing it!
Br,
Joosua