Category Archives: Security

Microsoft Defender ATP: the protection of Linux systems

Many companies run infrastructures made of heterogeneous server operating systems, and the difficulty of having to adopt and manage different security platforms to protect the entire machine fleet is well known. Microsoft recently announced the availability of Microsoft Defender Advanced Threat Protection (ATP), its enterprise endpoint security platform designed to prevent, detect, investigate and respond to security threats, for Linux systems as well. This article describes how to protect Linux machines with this solution and gives an overview of how Microsoft Defender Security Center lets you monitor and manage the security of the entire spectrum of client and server platforms in enterprise environments (Windows, Windows Server, macOS and Linux).

In recent years Microsoft has steadily evolved its endpoint security platform, Microsoft Defender Advanced Threat Protection (ATP), to the point of being recognized as a leader, with the highest positioning on the "ability to execute" axis, in the latest Gartner Magic Quadrant for "Endpoint Protection Platforms".

Figure 1 – Gartner Magic Quadrant "Endpoint Protection Platforms" (2019)

The ability to protect Linux systems also makes it an even more complete solution, able to offer:

  • Powerful preventive features. The solution provides real-time protection for the following types of file systems: btrfs, ecryptfs, ext2, ext3, ext4, fuse, fuseblk, jfs, nfs, overlay, ramfs, reiserfs, tmpfs, udf, and vfat.
  • A complete command-line experience to configure and manage the agent, initiate scans and manage threats.
  • An integration into alert monitoring within the Microsoft Defender Security Center.

System Requirements

Before you deploy the solution, you should verify that all the requirements of Microsoft Defender ATP in the Linux environment are met.

The Linux distributions and their versions currently supported are as follows:

  • Red Hat Enterprise Linux 7.2 or higher
  • CentOS 7.2 or higher
  • Ubuntu 16.04 LTS or higher
  • Debian 9 or higher
  • SUSE Linux Enterprise Server 12 or higher
  • Oracle Linux 7.2 or higher

The minimum supported kernel version is 3.10.0-327, and the kernel feature fanotify must be enabled. Fanotify is a file access notification system built into many Linux kernels that allows Microsoft Defender ATP to intercept file access, scan files and, if necessary, block access to threats. This feature must be used exclusively by Microsoft Defender ATP: if another security solution on the same host also uses fanotify, the results are unpredictable and can include hanging the operating system, so it is advisable not to run another real-time antimalware agent on the same machine.
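A host-side pre-flight check for the three requirements just described, as an added example that is not part of the original article or of Microsoft's tooling. It compares the running kernel numerically against 3.10.0-327, looks for CONFIG_FANOTIFY=y in the kernel config, and checks that the file system type of a mount point is in the real-time protection list quoted above. The function names and the use of GNU `df --output=fstype` are assumptions.

```shell
#!/bin/sh
# Pre-flight check for Microsoft Defender ATP on Linux.
# Added example, not Microsoft's tooling: tests the three host-side
# requirements from the text (kernel >= 3.10.0-327, CONFIG_FANOTIFY=y,
# a file system type covered by real-time protection). Function names
# and the use of `df --output=fstype` (GNU coreutils) are assumptions.

MDATP_MIN_KERNEL="3.10.0-327"
# File system types listed above as covered by real-time protection.
MDATP_RTP_FS="btrfs ecryptfs ext2 ext3 ext4 fuse fuseblk jfs nfs overlay ramfs reiserfs tmpfs udf vfat"

# ver_field RELEASE N: N-th numeric component of a kernel release string
# ("3.10.0-1127.19.1.el7.x86_64" -> 3 10 0 1127), 0 when absent or not numeric.
ver_field() {
  f=$(printf '%s' "$1" | tr '.-' '  ' | cut -d' ' -f"$2")
  f=${f%%[!0-9]*}
  printf '%s' "${f:-0}"
}

# kernel_at_least MIN ACTUAL: succeeds when ACTUAL >= MIN, comparing
# major.minor.patch-build as numbers, so 3.10.0-1127 > 3.10.0-327.
kernel_at_least() {
  i=1
  while [ "$i" -le 4 ]; do
    m=$(ver_field "$1" "$i"); a=$(ver_field "$2" "$i")
    if [ "$a" -gt "$m" ]; then return 0; fi
    if [ "$a" -lt "$m" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# fs_supported TYPE: succeeds when TYPE gets real-time protection.
fs_supported() {
  for t in $MDATP_RTP_FS; do
    if [ "$t" = "$1" ]; then return 0; fi
  done
  return 1
}

# fanotify_enabled [CONFIG]: succeeds when the kernel config has CONFIG_FANOTIFY=y.
# Defaults to the running kernel's /boot/config-*, then /proc/config.gz;
# returns 2 when no config is readable (the check cannot be decided).
fanotify_enabled() {
  cfg=${1:-/boot/config-$(uname -r)}
  [ -r "$cfg" ] || cfg=/proc/config.gz
  [ -r "$cfg" ] || return 2
  case "$cfg" in
    *.gz) zcat "$cfg" | grep -qx 'CONFIG_FANOTIFY=y' ;;
    *)    grep -qx 'CONFIG_FANOTIFY=y' "$cfg" ;;
  esac
}

# preflight [MOUNTPOINT]: run the three checks on the live host and print a
# verdict per check; exit status is non-zero if any of them fails.
preflight() {
  mnt=${1:-/}; rc=0
  k=$(uname -r)
  if kernel_at_least "$MDATP_MIN_KERNEL" "$k"; then echo "ok   kernel $k >= $MDATP_MIN_KERNEL"
  else echo "FAIL kernel $k < $MDATP_MIN_KERNEL"; rc=1; fi
  if fanotify_enabled; then echo "ok   CONFIG_FANOTIFY=y"
  else echo "FAIL fanotify not enabled (or kernel config not readable)"; rc=1; fi
  fst=$(df --output=fstype "$mnt" 2>/dev/null | sed -n 2p); fst=${fst:-unknown}
  if fs_supported "$fst"; then echo "ok   $mnt is $fst (real-time protection available)"
  else echo "FAIL $mnt is $fst (not in the real-time protection list)"; rc=1; fi
  return "$rc"
}

# Usage: sh mdatp-preflight.sh run [/mountpoint]
if [ "${1:-}" = "run" ]; then preflight "${2:-/}"; fi
```

Note that the file system check is per mount point: a host whose root is ext4 but whose data volume is on a type outside the list gets real-time protection only on the former, so run the check against every mount that holds data you care about.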

Network Requirements

For Microsoft Defender ATP to work correctly on Linux systems, you must allow proper network communication to specific URLs. In this spreadsheet Microsoft lists the associated services and URLs that the protected system must be able to connect to. For more details on this, see this Microsoft-specific document.

Microsoft Defender ATP for Linux supports the following proxy configurations:

  • Transparent Proxy
  • Manual configuration of the static proxy

PAC files, WPAD and authenticated proxies are not supported. Note also that SSL inspection (TLS interception) of the agent's traffic is not supported, for security reasons: the agent expects to terminate TLS directly with the Microsoft endpoints, so those URLs must be excluded from any inspecting proxy.

Deployment methods

Microsoft Defender ATP can be deployed on Linux systems manually or through configuration management tools such as Ansible and Puppet; Microsoft documents the steps to follow in detail. With both tools the procedure consists of the following steps:

  • Download the onboarding package from the Microsoft Defender Security Center.

Figure 2 – Download the onboarding package from the Microsoft Defender Security Center portal

  • Creating the Puppet manifest or the Ansible playbook (YAML).
  • Running the deployment, which installs the agent, onboards it with the downloaded package and applies its configuration.

At the end of the installation process, you can fully manage the Microsoft Defender ATP agent directly from the shell with the mdatp command-line tool.

Figure 3 – Running the mdatp command from a Linux machine with the component installed

Once the onboarding process is complete, you can manage Linux machines from the Microsoft Defender Security Center portal, as is the case with other operating systems.

Figure 4 – Linux devices in the Microsoft Defender Security Center portal

When malware is detected, alerts are reported in the Microsoft Defender Security Center:

Figure 5 – Detection timeline with Eicar test file on Linux machine

Software updates

Microsoft regularly publishes software updates that improve performance and security and add new features to Microsoft Defender ATP for Linux. One thing to watch out for is that each version of Microsoft Defender ATP for Linux has an expiration date, after which it no longer protects the system, so the product must be updated before that date. For the update procedure, consult this Microsoft document.

When you upgrade the Linux operating system to a new major release, first uninstall Microsoft Defender ATP for Linux, perform the OS upgrade, and then reinstall and reconfigure Microsoft Defender ATP on the system.

Configuring the solution

In enterprise environments with many systems, Microsoft Defender ATP for Linux can easily be managed through configuration profiles. A configuration profile is simply a ".json" file made up of entries, each identified by a key (the name of the preference) followed by a value. Values can be simple, such as a number or a boolean, or complex, such as a nested list of preferences.

These profiles can be distributed with whatever management tool you have available, so that the configuration is governed centrally. Preferences distributed this way take precedence over preferences set locally on the system (for example with the mdatp command line), which lets you enforce the settings that matter across the fleet. For more details on the structure of this profile and on the methods for distributing it, see this Microsoft article.
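A managed configuration profile rendered and staged from a shell script, as an added example that is not part of the original article or of Microsoft's code. The keys follow Microsoft's documented profile format (enforcement level, allowed threats, PUA handling, path exclusions, cloud service settings) and the file lands in the directory the agent reads managed settings from; the chosen values, the example exclusion directories, the function names and the exact `mdatp health` field names are assumptions.

```shell
#!/bin/sh
# Managed configuration profile for Microsoft Defender ATP for Linux.
# Added example, not Microsoft's code: renders mdatp_managed.json with the
# documented keys, stages it where the agent reads managed settings, and
# asks the agent what it is now enforcing. The chosen values, the exclusion
# directories, the function names and the health field names are assumptions.

MDATP_MANAGED_DIR="${MDATP_MANAGED_DIR:-/etc/opt/microsoft/mdatp/managed}"

# render_exclusions DIR...: one "excludedPath" entry per directory, comma-separated.
render_exclusions() {
  n=$#; i=0
  for d in "$@"; do
    i=$((i + 1))
    if [ "$i" -lt "$n" ]; then c=","; else c=""; fi
    printf '      { "$type": "excludedPath", "isDirectory": true, "path": "%s" }%s\n' "$d" "$c"
  done
}

# render_profile LEVEL [DIR...]: the full profile. LEVEL is real_time,
# on_demand or passive; passive switches real-time protection off
# (monitoring and on-demand scans only), useful for an initial audit rollout.
render_profile() {
  level=$1; shift
  cat <<EOF
{
  "antivirusEngine": {
    "enforcementLevel": "$level",
    "allowedThreats": [],
    "threatTypeSettings": [
      { "key": "potentially_unwanted_application", "value": "block" }
    ],
    "exclusions": [
$(render_exclusions "$@")
    ]
  },
  "cloudService": {
    "enabled": true,
    "diagnosticLevel": "optional",
    "automaticSampleSubmissionConsent": "safe",
    "automaticDefinitionUpdateEnabled": true
  }
}
EOF
}

# install_profile DIR LEVEL [EXCLUDED_DIR...]: write the profile as
# DIR/mdatp_managed.json, readable by everyone but writable only by root.
install_profile() {
  dir=$1; level=$2; shift 2
  mkdir -p "$dir"
  render_profile "$level" "$@" > "$dir/mdatp_managed.json"
  chmod 0644 "$dir/mdatp_managed.json"
}

# verify_agent: managed settings win over anything set locally with
# `mdatp config`, so the health output should now reflect the profile.
verify_agent() {
  command -v mdatp >/dev/null 2>&1 || { echo "mdatp is not installed"; return 2; }
  mdatp health --field healthy
  mdatp health --field real_time_protection_enabled
}

# Usage: sudo sh mdatp-managed.sh install real_time /var/log /srv/app/cache
if [ "${1:-}" = "install" ]; then
  shift
  install_profile "$MDATP_MANAGED_DIR" "$@"
  verify_agent
fi
```

The profile is the artifact to distribute with Ansible or Puppet; keep exclusions to a minimum and never exclude directories that an attacker can write to, because excluded paths are not scanned at all.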


Although some argue that Linux machines do not need security solutions, I personally believe that Linux systems should be protected just like any other operating system. Microsoft Defender ATP for Linux is constantly expanding, and new features are expected in the coming months to enrich the solution with more advanced protection capabilities. The addition of Linux to the platforms natively supported by Microsoft Defender ATP marks an important turning point for all customers who need to include these systems in a unified protection strategy. Microsoft Defender Security Center provides a centralized solution for monitoring and managing the security of the entire server and client machine fleet.


Integration between Azure Security Center and Microsoft Defender ATP

Microsoft Defender Advanced Threat Protection (MDATP) is a security platform for enterprise endpoints designed to prevent, detect, investigate and respond to security threats. This article discusses how Azure Security Center (ASC) is able to integrate with this platform and what are the aspects to consider to combine the different potentials and effectively contemplate the protection of servers.

Microsoft Defender Advanced Threat Protection (MDATP)

The main characteristics of the solution Microsoft Defender Advanced Threat Protection:

  • Advanced post-breach detection sensors: Thanks to sensors from Microsoft Defender ATP for Windows Servers, a wide range of behavioral signals can be collected.
  • Ability to perform post-breach checks by leveraging the power of the cloud: Microsoft Defender ATP is able to quickly adapt to changing threats as it uses the Intelligent Security Graph with signals from Windows, Azure and Office. With this powerful mechanism, you can respond quickly to unknown threats.
  • Threat intelligence: Microsoft Defender ATP generates alerts when it identifies tools, techniques and procedures used by attackers. The solution uses data generated by Microsoft 'hunters' and security teams, enriched by the intelligence provided by collaboration with different security partners.

The Microsoft Defender Advanced Threat Protection (MDATP) console is accessible at this link.

Features and benefits of integration

ASC integrates with MDATP to provide comprehensive Endpoint Detection and Response (EDR). With this integration, you can take advantage of the following features:

  • Automated onboarding: the integration automatically activates the Microsoft Defender ATP sensor on the Windows servers monitored by Security Center (Windows Server 2019 systems are the exception and require specific configuration). Windows Server systems monitored by Azure Security Center therefore also appear in the Microsoft Defender ATP console.
  • Microsoft Defender ATP alerts also appear in the Azure Security Center console, so that all findings are kept in one centralized console. For a detailed investigation, however, log on to the Microsoft Defender ATP console, which provides more information, such as incident graphs. From that console you can also view the timeline of all detected behaviors for a specific system, going back up to six months.

Enabling integration between ASC and MDATP

To enable this integration, you must use Azure Security Center (ASC) standard tier, which includes the license to activate MDATP on server systems.

  • For virtual machines in Azure you need to have the ASC standard tier at the subscription level:

Figure 1 – Activating ASC standard tier at subscription level for VMs in Azure

  • For virtual machines that don't reside in Azure, but on-premises or in other clouds, simply enable the ASC standard tier at the workspace level:

Figure 2 – Standard tier activation of ASC at the workspace level for non-Azure VMs

In addition, you must enable the following setting from Azure Security Center:

Figure 3 – Enabling integration between ASC and MDATP

To see the different ways to onboard servers, you can access this Microsoft's document.

When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is also automatically created (by default in Europe). If the Microsoft Defender ATP solution is used before using Azure Security Center, the data will be stored in the location specified when creating the tenant, even if you integrate with ASC later. The location where the data is stored cannot be changed post-deployment, but if you need to move your data to another geographic location, you should contact Microsoft Support.

Figure 4 – Data Storage retention


Threat Detection

With this integration in place, when MDATP detects a threat an alert is also generated in Azure Security Center, which becomes the centralized console for collecting security findings.

Figure 5 – SecurityAlert present in the ASC workspace

Alert information can also be sent by email via Action Group:

Figure 6 - Report received by email from ASC in response to a detection of a threat

You can access the Microsoft Defender Security Center portal to investigate the alert in depth, where you will find the details.

Figure 7 – Alert details from the Microsoft Defender Security Center portal


Azure Security Center (ASC) and Microsoft Defender Advanced Threat Protection (MDATP) are two distinct solutions, but with important relationships, both as regards the aspects relating to licensing and for the operational management of the security of server systems. Thanks to this simple integration you can manage systems onboarding and also include MDATP reports in ASC, so you can effectively monitor your environment and respond to security threats on server systems.


Azure Security Center: exports of alerts and recommendations to other solutions

Azure Security Center introduces an interesting feature that allows you to send the security information generated for your environment to other solutions. This is done through a continuous export mechanism that streams alerts and recommendations to Azure Event Hubs or to Azure Monitor Log Analytics workspaces, opening up new integration scenarios for Azure Security Center. This article describes how to use this feature and goes into its details.

Azure Security Center (ASC) carries out a continuous assessment of the environment and provides recommendations about its security. As described in this article, you can customize the solution, and the recommendations it generates, to meet your own security requirements. In the standard tier, these recommendations are not limited to the Azure environment alone but can also cover hybrid environments and on-premises resources.

Security Center in the standard tier also generates alerts when potential security threats are detected on resources in your environment. ASC prioritizes and lists the alerts, provides the information you need to investigate issues quickly and recommends how to remediate the attacks.

Azure Event Hubs is a big-data streaming platform and event ingestion service that can receive and process millions of events per second. Data sent to an Event Hub can be transformed and stored using any real-time analytics provider, batch processor or storage adapter.

The new Azure Security Center feature is called Continuous Export; it supports enterprise scenarios and allows you to do the following:

  • Export to Azure Event Hubs to gain integration with third-party SIEMs and Azure Data Explorer.
  • Export to a Log Analytics workspace to have an integration with Azure Monitor, useful to better analyze data, use Alert rule, Microsoft Power BI and customized dashboards.
  • Export in a CSV file, for individual data exports (one shot).

The configuration is simple and can be carried out using the following procedure.

In Azure Security Center, select the subscription for which you want to configure data export and, in the settings sidebar, select Continuous Export:

Figure 1 – Continuous export in ASC's subscription settings

In this example the export is configured towards a Log Analytics workspace. You can select which recommendations to export and at which severity level; likewise, for security alerts, you can choose the minimum severity to export. The export creates an Azure resource, so you must specify the resource group to place it in. Finally, select the target Log Analytics workspace.

Figure 2 - Configuring parameters to make the Continuous Export

The link for the integration with Azure Monitor offers to create pre-configured alert rules automatically.

Figure 3 - Automatically create alert rules in Azure Monitor

By default these alert rules are not associated with any Action Group, so it is advisable to edit them and attach the Action Group that triggers the notification or automation you need.

These are the two default alert rules created:

Figure 4 – Default Alert rules of Azure Monitor

Alternatively, once the ASC recommendations and alerts are flowing into a workspace, you can configure custom Azure Monitor alert rules based on Log Analytics queries.

The ASC security alerts and recommendations are stored in the SecurityAlert and SecurityRecommendation tables of the workspace. The Log Analytics solution that contains these tables depends on the ASC tier: Security and Audit (standard tier) or SecurityCenterFree (free tier).

Figure 4 – Tables in Log Analytics

Configuring Continuous Export towards Event Hubs is similar, and it is the preferred method for feeding Azure Security Center recommendations and alerts into third-party SIEM solutions. The connectors for the main third-party SIEM solutions are shown below:

Azure Sentinel instead has a native data connector that ingests Azure Security Center alerts.

To configure exports to Azure Data Explorer you can use the procedure in this Microsoft documentation.


With this new feature of Azure Security Center, you can forward all the alerts and recommendations generated by the solution to other tools, opening up new integration scenarios, including with third-party solutions. All this is made possible by an easily configurable mechanism that lets you be notified immediately and take action quickly, which is crucial when dealing with security information.


Azure Security Center: how to customize the solution to meet your security requirements

Azure Security Center is a cloud solution that helps prevent, detect and respond to security threats that affect resources in the Azure environment and workloads in hybrid environments. By assigning a global score to your environment, you can assess your risk profile and act to take remediation action in order to improve the security posture. The solution is based on general recommendations, but in some cases it is appropriate to customize it to better contemplate your security policies. This article describes how you can introduce this level of customization in order to increase the value provided by Azure Security Center.

Using custom security policies

The default recommendations in the solution are derived from general industry best practices and specific regulatory standards.

Figure 1 – Standard score and recommendations in Azure Security Center

The ability to add your own custom initiatives was recently introduced, so as to receive recommendations when the security policies defined specifically for your environment are not met. The custom initiatives you create are fully integrated into the solution and are reflected in the Secure Score and in the compliance dashboards.

To create an initiative, follow the steps below:

Figure 2 – Starting the process of creating a custom initiative

Within the Initiatives you can include Azure Policies built into your solution or your own custom policies.

In the example below, the initiative includes the following two policies:

  • A custom policy that prevents virtual network peering against a hub network located in a given resource group.
  • A built-in policy that verifies that Network Security Groups are applied to all subnets.

Figure 3 – Creating a custom initiative

Next, assign the custom initiative:

Figure 4 – Starting the assignment process


Figure 5 – Assigning the custom initiative


Figure 6 – Displaying the assigned custom initiative

The recommendations do not show up in Security Center immediately; it currently takes about an hour, after which they are visible in the following section:

Figure 7 - Custom initiative in the Regulatory Compliance section
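The procedure above (custom policy definition, built-in policy, initiative, assignment) scripted with the Azure CLI, as an added example that is not part of the original article or of Microsoft's documentation. The resource names, the subscription-scope assignment and the rule body (deny any peering whose remote virtual network sits in the hub's resource group, passed in as the hubResourceGroup parameter) are my assumptions; the az commands and the policy alias Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id exist as used. The built-in policy is looked up by display name rather than by a hard-coded GUID.

```shell
#!/bin/sh
# Custom initiative for Azure Security Center via the Azure CLI.
# Added example, not from the article or from Microsoft: defines the custom
# "no peering to the hub" policy, pairs it with the built-in subnet/NSG policy
# in an initiative, and assigns it at subscription scope. Resource names, the
# subscription-scope assignment and the rule body are assumptions; the az
# commands and the policy alias used below exist as written.
set -u

# deny_hub_peering_rule: deny any peering whose remote virtual network lives in
# the hub's resource group, passed in as the hubResourceGroup policy parameter.
deny_hub_peering_rule() {
  cat <<'EOF'
{
  "if": {
    "allOf": [
      { "field": "type",
        "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings" },
      { "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id",
        "contains": "[concat('/resourceGroups/', parameters('hubResourceGroup'), '/')]" }
    ]
  },
  "then": { "effect": "deny" }
}
EOF
}

# deny_hub_peering_params: parameter declaration shared by the policy and the initiative.
deny_hub_peering_params() {
  cat <<'EOF'
{
  "hubResourceGroup": {
    "type": "String",
    "metadata": {
      "displayName": "Hub resource group",
      "description": "Resource group containing the hub virtual network"
    }
  }
}
EOF
}

# initiative_definitions CUSTOM_ID BUILTIN_ID: the two members of the initiative;
# the custom policy's parameter is wired to the initiative's own parameter.
initiative_definitions() {
  cat <<EOF
[
  { "policyDefinitionId": "$1",
    "parameters": { "hubResourceGroup": { "value": "[parameters('hubResourceGroup')]" } } },
  { "policyDefinitionId": "$2" }
]
EOF
}

# deploy_initiative SUBSCRIPTION_ID HUB_RG: create definition, initiative and
# assignment. Security Center picks the assignment up after about an hour.
deploy_initiative() {
  sub=$1; hub_rg=$2
  az account set --subscription "$sub"

  # --mode All: peerings are child resources without tags/location, which
  # the default Indexed mode would skip.
  custom_id=$(az policy definition create \
      --name deny-peering-to-hub \
      --display-name "Deny VNet peering towards the hub network" \
      --mode All \
      --rules "$(deny_hub_peering_rule)" \
      --params "$(deny_hub_peering_params)" \
      --query id -o tsv)

  # Built-in looked up by display name rather than a hard-coded GUID.
  builtin_id=$(az policy definition list --query \
      "[?displayName=='Subnets should be associated with a Network Security Group'].id | [0]" \
      -o tsv)

  set_id=$(az policy set-definition create \
      --name custom-network-baseline \
      --display-name "Custom network baseline" \
      --definitions "$(initiative_definitions "$custom_id" "$builtin_id")" \
      --params "$(deny_hub_peering_params)" \
      --query id -o tsv)

  az policy assignment create \
      --name custom-network-baseline \
      --display-name "Custom network baseline" \
      --policy-set-definition "$set_id" \
      --scope "/subscriptions/$sub" \
      --params "{\"hubResourceGroup\":{\"value\":\"$hub_rg\"}}" \
      --query id -o tsv
}

# Usage: sh asc-custom-initiative.sh deploy <subscription-id> <hub-resource-group>
if [ "${1:-}" = "deploy" ]; then deploy_initiative "$2" "$3"; fi
```

Assign the initiative to the spoke subscriptions (or a management group holding them), not to the hub itself: the deny effect blocks new peerings towards the hub from those scopes, while existing peerings are only reported as non-compliant.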


Disable default security policy

Under certain circumstances you may want to disable certain controls that Azure Security Center applies by default, because they are not appropriate for your environment and you do not want them to generate unnecessary findings. To do this, take the following steps:

Figure 8 - Access to the Security Center default policy


Figure 9 – Selecting the default Security Center policy assignment


Figure 10 – Disabling a specific policy that is present by default



Azure Security Center natively provides a series of controls that constantly check for conditions considered anomalous and that can directly affect the security of your environment. The ability to customize the solution makes it more flexible and lets you verify and enforce, at scale, security compliance policies that are specific to your environment. To improve your security posture it is essential to evaluate the adoption of this solution, and a good level of customization greatly increases its value.


Microsoft Always On VPN: transparent access to the corporate network suitable in smart working scenarios

Technology can play an important role in reducing the impact of COVID-19 on people and businesses, helping staff stay productive when they cannot be physically at the workplace. In these days of emergency, companies have been forced to quickly adopt effective solutions that allow their employees to work remotely without sacrificing collaboration, productivity and security. Several solutions can be adopted in this area, each with its own characteristics and able to meet different needs. This article presents the main features of Microsoft Always On VPN, to assess its benefits and its main use cases.

Key Features of Always On VPN

Starting with Windows Server 2016, Microsoft introduced a new remote access technology for endpoints called Always On VPN, which allows transparent access to the corporate network and is therefore particularly suitable for smart working scenarios. It is the evolution of DirectAccess, which, however effective, had some limitations that made it difficult to adopt.

As the name says, the VPN is "always on": a secure connection to the corporate network is established automatically whenever an authorized client has Internet connectivity, without requiring any user input or interaction, unless a multi-factor authentication mechanism is enabled. Remote users access business data and applications exactly as if they were in the workplace.

Always On VPN connections include the following types of tunnels:

  • Device Tunnel: the device connects to the VPN server before users log on to the device.
  • User Tunnel: it activates only after users have logged on to the device.

With Always On VPN you can have a user connection, a device connection, or both. The Device Tunnel and the User Tunnel work independently and can use different authentication methods. It is therefore possible to use device authentication to manage the machine remotely through the Device Tunnel, and user authentication for connectivity to internal resources through the User Tunnel. The User Tunnel supports SSTP and IKEv2, while the Device Tunnel supports IKEv2 only.

Supported scenarios

Always On VPN is a solution for Windows 10 systems only. Unlike DirectAccess, however, client devices do not need to run the Enterprise edition: every edition of Windows 10 supports this technology when the User Tunnel type is used. In this scenario the devices can be members of an Active Directory domain, but this is not strictly necessary: the Always On VPN client can be non-domain-joined (workgroup) and therefore also owned by the user. To take advantage of certain advanced features, clients may need to be joined to Azure Active Directory. Only for the Device Tunnel must the systems be domain-joined and run Windows 10 Enterprise or Education; in this scenario version 1809 or later is recommended.

Infrastructure requirements

The following infrastructure components are required to implement an Always On VPN architecture, many of which are typically already present in organizations:

  • Domain Controllers
  • DNS Servers
  • Network Policy Server (NPS)
  • Certificate Authority Server (CA)
  • Routing and Remote Access Server (RRAS)

Figure 1 – Overview of VPN Always On technology

In this context it is appropriate to specify that Always On VPN is infrastructure-independent and can be activated by using the Windows Routing and Remote Access role (RRAS) or by adopting any third-party VPN device. Authentication can also be provided by the Windows Network Policy Server role (NPS) or from any third-party RADIUS platform.

For more details on the requirements, please refer to the Microsoft's official documentation.

Always On VPN in Azure environment?

In general, it is advisable to terminate VPN connections as close as possible to the resources that must be accessed. For hybrid environments, there are several options for positioning the Always On VPN architecture. Deploying the Remote Access role on a virtual machine in Azure is not supported; however, you can use Azure VPN Gateway with Windows 10 Always On VPN to establish both Device Tunnel and User Tunnel connections. In this regard, it is important to evaluate carefully the type and SKU of the Azure VPN Gateway to deploy.

Deployment types

For Always On VPN there are two deployment scenarios:

Optionally, for domain-joined Windows 10 clients, the Always On VPN deployment can include conditional access, to control how VPN users access company resources.

Figure 2 – Workflow for the deployment of Always On VPN for Windows 10 client domain-joined

The Always On VPN client can be integrated with Azure Conditional Access to enforce multi-factor authentication (MFA), device compliance, or both. If the Conditional Access criteria are met, Azure Active Directory (Azure AD) issues a short-lived IPsec authentication certificate that the client uses to authenticate to the VPN gateway. Device compliance relies on Microsoft Endpoint Manager compliance policies (Configuration Manager / Intune), which can include the device's health attestation status as part of the compliance check for the connection.

Figure 3 – Client-side connection workflow

For more details on this deployment method you can refer to this Microsoft documentation.

Provisioning of the solution on the client
Always On VPN is designed to be deployed and managed with a mobile device management platform such as Microsoft Endpoint Manager, but third-party Mobile Device Management (MDM) solutions can also be used. Always On VPN does not support configuration and management through Active Directory Group Policy; if you do not have an MDM solution, you can deploy the configuration manually with PowerShell.

Integration with other Microsoft solutions

Besides the cases described in the preceding paragraphs, Always On VPN can be integrated with the following Microsoft technologies:

  • Azure Multi-Factor Authentication (MFA): combined with RADIUS (Remote Authentication Dial-In User Service) and the NPS (Network Policy Server) extension for Azure MFA, VPN authentication can leverage multi-factor authentication.
  • Windows Information Protection (WIP): this integration allows network policies to determine whether traffic is permitted to pass through the VPN tunnel.
  • Windows Hello for Business: in Windows 10, this technology replaces passwords with strong two-factor authentication. The credential is bound to a device and is unlocked with a PIN (Personal Identification Number) or a biometric gesture.


Preparing your infrastructure so that endpoints can access the corporate network through Always On VPN does not require any additional software licensing cost, and the investment needed in terms of effort and resources is minimal. This connectivity method offers the best user experience on the move, providing transparent and automatic access to the corporate network while maintaining a high level of security. For the reasons listed above, Always On VPN is not suitable for every usage scenario, but it should certainly be considered when Windows 10 systems need remote access to corporate resources.


Azure Security: Best Practices to improve Security Posture

The growing adoption of cloud solutions and hybrid architectures requires high security standards for your environment. But how do you achieve effective cloud security in Azure, and which best practices should you follow? This article summarizes the key practices to apply in Azure to ensure a high level of security and improve your security posture.

MFA activation and restrictions for administrative access

For users with administrative rights, Multi-Factor Authentication (MFA) must be enabled. In this regard it is worth evaluating passwordless authentication mechanisms, which replace the password with something you have plus something you are or something you know.

Microsoft currently offers three distinct passwordless authentication scenarios:

Azure Active Directory provides the ability to enable MFA mechanisms, including passwordless authentication. MFA based on text messages is the easiest to bypass, so it is better to aim at stronger multi-factor methods or at passwordless authentication.

Minimizing the number of people who have administrative access to Azure resources, and the time for which they have it, is a practice to adopt because it reduces the chance of an attacker obtaining administrative access or of an authorized user inadvertently affecting a resource. To let authorized users perform administrative actions, you can offer just-in-time (JIT) privileged access to Azure and Azure AD resources. This is done with Azure Active Directory (Azure AD) Privileged Identity Management (PIM), which lets you manage, control and monitor access to company resources.

Another key aspect is the use of secure, isolated workstations for sensitive roles. This official Microsoft document provides more details.

Segmentation and adoption of the Zero Trust model

The security model known as Zero Trust, in contrast with conventional perimeter-based models, involves micro-segmentation and the definition of granular perimeters in your network architecture. To contain security risks, adopt a clear and simple segmentation strategy that all stakeholders understand, so that it is easy to manage and monitor effectively. Permissions and network controls should then be assigned accordingly, granting only what each segment needs.

In this regard, we report a reference design regarding the Azure administrative model:

Figure 1 – Reference Design – Azure Administration Model

The following illustration shows the typical Hub-Spoke network model, where the Hub is a virtual network in Azure that serves as the connectivity point to the on-premises network, and the Spokes are virtual networks peered with the Hub that can be used to isolate workloads.

Figure 2 – Reference Enterprise Design – Azure Network Security

Adoption of an appropriate "Firewall Strategy"

Adopting a firewall solution in the Azure environment to better protect and segregate network flows is now mandatory.

The choice may involve the adoption of:

  • Microsoft solutions fully integrated into the platform, such as Azure Firewall, flanked by the Web Application Firewall (WAF) of the Application Gateway, an application (OSI layer 7) load balancer for web traffic that lets you govern HTTP and HTTPS application traffic. The WAF module protects published web applications based on the OWASP Core Rule Set, covering common vulnerabilities and attacks such as cross-site scripting and SQL injection. These solutions are suitable for most scenarios and offer built-in high availability and scalability as well as simple configuration and centralized management.
  • Solutions from third-party vendors available in the Azure Marketplace. There are numerous Network Virtual Appliances (NVAs), which can provide advanced features and continuity of user experience with solutions already in use on-premises. Typically these solutions are more complex to configure and cost more than the Microsoft solutions.

Choosing a DDoS Mitigation Solution for critical applications

Protecting all critical applications from distributed denial-of-service (DDoS) attacks is very important. These attacks deliberately aim to exhaust the resources of a system that provides a service to clients, such as a website hosted on web servers, to the point that it can no longer serve legitimate requests.

In Azure, DDoS protection is available in two tiers: Basic and Standard.

Figure 3 - Comparison of the features available in different tiers for DDoS Protection

The Basic tier is enabled by default on the Azure platform: it constantly monitors traffic and applies real-time mitigation of the most common network-level attacks. It provides the same level of protection adopted and tested by Microsoft's own online services and covers Azure public IP addresses (IPv4 and IPv6). No configuration is required for the Basic tier.

Azure DDoS Protection Standard adds mitigation capabilities on top of the Basic tier, tuned specifically for resources in an Azure virtual network. Security policies are configured automatically and refined by continuous monitoring of the application's actual traffic and by machine learning algorithms that profile it. When the thresholds set in the DDoS policy are exceeded, mitigation starts automatically and is suspended once traffic falls back below the thresholds. These policies apply to all Azure public IPs (IPv4) associated with resources in the virtual network, such as virtual machines, Azure Load Balancer, Azure Application Gateway, Azure Firewall, VPN Gateway and Azure Service Fabric instances.
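Since the Standard tier is attached at the virtual network level, enabling it is a two-step operation: create a plan, then associate it with each virtual network whose public IPs must be covered. The following Az PowerShell script is an added example, not part of the original article; the plan and virtual network names and the region are placeholders, and it assumes an authenticated Az session with the Az.Network module.

```powershell
# Added example (not from the original article): enable DDoS Protection Standard on an
# existing virtual network. Names and region are placeholders.
$rg       = 'rg-network-security'
$location = 'westeurope'

# 1. The plan is the billed unit and can be shared by several virtual networks
$plan = New-AzDdosProtectionPlan -ResourceGroupName $rg -Name 'ddos-plan-prod' -Location $location

# 2. Associate the plan with the virtual network: Standard protection is enabled per VNet
#    and then covers the public IPs of the resources inside it
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub'
$vnet.DdosProtectionPlan    = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
$vnet.DdosProtectionPlan.Id = $plan.Id
$vnet.EnableDdosProtection  = $true
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. Verification: list every virtual network in the subscription with Standard enabled
Get-AzVirtualNetwork | Where-Object { $_.EnableDdosProtection } |
    Select-Object Name, ResourceGroupName, @{n='Plan'; e={ $_.DdosProtectionPlan.Id.Split('/')[-1] }}
```

Public IPs that live in a virtual network without the plan stay on the Basic tier, so the verification step is the one to repeat whenever a new spoke is added.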

Azure Security Center Adoption

Azure Security Center is a cloud solution that helps prevent, detect and respond to security threats affecting resources and workloads in hybrid environments. Adopting it is essential to improving the security posture of an Azure environment. It is offered in two tiers:

  • Free tier. Azure Security Center continuously assesses the environment and provides recommendations on the security of Azure resources, at no cost.
  • Standard tier. Adds enhanced threat detection, using behavioral analysis and machine learning to identify zero-day attacks and exploits. Through machine learning and application allow lists it is possible to control which applications run, reducing exposure to network attacks and malware. The Standard tier also adds an integrated Vulnerability Assessment for virtual machines in Azure. It supports several resource types, including VMs, virtual machine scale sets, App Service, SQL servers and storage accounts.

Figure 4 - Comparison between the tiers of Azure Security Center

Azure Security Center assigns a secure score to your environment, useful for tracking the risk profile and for steadily improving the security posture by applying the suggested remediation actions. A good rule is to review the secure score on a regular basis (at least monthly) and plan initiatives to improve specific areas. It is also recommended to carefully review the alerts that Security Center Standard generates when it detects potential threats against your resources: Security Center prioritizes and lists the alerts, provides the information needed to investigate quickly and suggests how to remediate the attack.
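The tier switch and the periodic review above can be scripted with the Az.Security module. The following is an added example, not code from the original article: it moves the resource types the article lists to the Standard tier and pulls the open recommendations and the current alerts. It assumes an authenticated Az session on the target subscription and the Az.Security module; the set of resource types is a placeholder to adapt.

```powershell
# Added example (not from the original article): enable the Standard tier per resource
# type and extract what the monthly review needs. Resource types are placeholders.
$standardTypes = 'VirtualMachines', 'AppServices', 'SqlServers', 'StorageAccounts'

# Current tier for every resource type Security Center prices separately
Get-AzSecurityPricing | Select-Object Name, PricingTier

# Switch the selected types to Standard (re-running is harmless)
foreach ($type in $standardTypes) {
    Set-AzSecurityPricing -Name $type -PricingTier 'Standard' | Out-Null
}

# Open recommendations (tasks), the input for planning the improvement initiatives
Get-AzSecurityTask | Select-Object Name, RecommendationType, State

# Alerts generated by Security Center Standard, for the regular alert review
Get-AzSecurityAlert | Format-Table -AutoSize
```

Putting the pricing check in a scheduled job is a cheap control against drift: a subscription silently reverting a resource type to Free loses threat detection and the vulnerability assessment without any alert being raised.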

Introduce security in development and release stages

Adopting DevOps models to deploy Azure applications and services brings, alongside maximum agility, benefits in terms of security. In a DevOps model the teams responsible for quality control and security can be involved in development and operations throughout the application lifecycle, and Infrastructure-as-Code (IaC) processes make it possible to define and monitor compliance at scale.

Do not use legacy technologies

In the Azure environment the adoption of classic Network Intrusion Detection Systems (NIDS) and Network Intrusion Prevention Systems (NIPS) is not recommended, since the platform already filters malformed packets natively. NIDS/NIPS solutions are generally based on outdated signature-based approaches that can be easily evaded during an attack and that tend to produce a high false positive rate.


Achieving a high level of security in Azure environments is a major challenge that requires constant monitoring, review and updating of the security posture. This article has collected the security best practices that, in direct field experience, are considered the most important; they should always be enriched with further precautions specific to your environment.


Azure Security: how to do a Vulnerability Assessment using Azure Security Center

Azure Security Center, the cloud solution that allows you to prevent, detect and respond to security threats affecting Azure resources and workloads in hybrid environments, has recently been enhanced with an integrated Vulnerability Assessment for virtual machines in Azure. This article explains how to run a vulnerability assessment using Azure Security Center and examines the characteristics of the solution.

Vulnerability scanning in Azure Security Center (ASC) is performed through the Qualys solution, a recognized leader in real-time identification of vulnerabilities in systems. To use this feature you must adopt the Standard tier of Security Center; no additional Qualys licensing fee is charged. The Standard tier also adds advanced threat detection (including threat intelligence), behavioral analysis, anomaly detection, security incidents and threat intelligence reports.

If you wish to stay on the Free tier of ASC you can still deploy a vulnerability assessment solution, such as Qualys or Rapid7, but you have to manage the licensing costs, deployment and configuration yourself. For details on Azure Security Center pricing and a comparison between the Free and Standard tiers, see Microsoft's official documentation.

The quickest way to scan for vulnerabilities in Azure is to use the Qualys solution built into the Standard tier of Azure Security Center. To enable it, go to the ASC Recommendations and select "Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys)", as shown in the following image:

Figure 1 - Recommendation of Azure Security Center to enable vulnerability assessment solution

Selecting this recommendation, Azure virtual machines are divided into the following categories:

  • Healthy resources: systems where the extension has already been deployed and a vulnerability scan can run.
  • Unhealthy resources: machines where the extension can be enabled to scan for vulnerabilities.
  • Not applicable resources: systems where the extension is not present and cannot be enabled, either because they belong to a subscription on the ASC Free tier or because the operating system is not supported. The supported operating systems include: RHEL 6.7/7.6, Ubuntu 14.04/18.04, CentOS 6.10/7/7.6, Oracle Linux 6.8/7.6, SUSE 12/15 and Debian 7/8.

Figure 2 - Enabling the solution

Selecting the machines of interest and pressing the Remediate button onboards them to the built-in Vulnerability Assessment solution: the extension is installed on the systems and the first scan starts automatically when the installation completes. The extension is based on the Azure Virtual Machine agent and therefore runs in the Local Host context on Windows systems and as root on Linux.

The names of the extension present on the enabled systems are listed below; the publisher is always Qualys:

  • Linux Machines: “LinuxAgent.AzureSecurityCenter”
  • Windows Machines: “WindowsAgent.AzureSecurityCenter”

Extension updates follow the same rules as other extensions: the latest versions of the Qualys scanner are deployed automatically after an in-depth testing phase. In some cases manual actions may be required to complete the upgrade.
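Because onboarding happens per machine and upgrades occasionally need a manual step, it is worth keeping an inventory of the extension state outside the portal. The following Az PowerShell script is an added example, not code from the original article: it walks every VM in the current subscription, looks for the Qualys-published extension named above and lists machines that are not onboarded or whose extension is not in a succeeded state. It assumes an authenticated Az session with the Az.Compute module.

```powershell
# Added example (not from the original article): inventory of the built-in vulnerability
# assessment extension across the subscription's VMs.
$report = Get-AzVM -Status | ForEach-Object {
    $vm  = $_
    # The VA extension is published by Qualys; its type is
    # LinuxAgent.AzureSecurityCenter or WindowsAgent.AzureSecurityCenter
    $ext = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name `
               -ErrorAction SilentlyContinue |
           Where-Object { $_.Publisher -eq 'Qualys' }

    [pscustomobject]@{
        VM            = $vm.Name
        ResourceGroup = $vm.ResourceGroupName
        OS            = $vm.StorageProfile.OsDisk.OsType
        PowerState    = $vm.PowerState
        Extension     = if ($ext) { $ext.ExtensionType } else { '(not deployed)' }
        Version       = $ext.TypeHandlerVersion
        Provisioning  = $ext.ProvisioningState
    }
}

# Machines that need attention: never onboarded, or extension not in Succeeded state
# (a failed upgrade shows up here as a non-Succeeded ProvisioningState)
$report | Where-Object { $_.Extension -eq '(not deployed)' -or $_.Provisioning -ne 'Succeeded' } |
    Format-Table -AutoSize
```

A deallocated VM keeps its extension but cannot be scanned, so the PowerState column is the first thing to check before treating a stale result as a scanner problem.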

After the scan completes, any vulnerabilities detected on the systems are reported in the ASC Recommendations.

Figure 3 – ASC notification reporting the presence of recommendations for intercepted vulnerabilities

Selecting the recommendation shows the details of all detected vulnerabilities, their severity and status:

Figure 4 – List of detected security vulnerabilities

Selecting a single vulnerability shows its details, potential impact, remediation actions and the affected systems.

Figure 5 – Information reported for each individual vulnerability detected


To strengthen the security posture of your environment you should seriously consider adopting Azure Security Center in the Standard tier, which, among its various features, lets you verify that security criteria are applied strictly and monitor compliance continuously. The inclusion of a vulnerability assessment tool provided by Qualys, an industry leader, adds further value, drawing on the knowledge that vendor has built in the discovery of vulnerabilities.


[Video] – Architecting and Implementing Azure Networking

To implement hybrid clouds securely and functionally, an in-depth understanding of the various aspects of Azure networking is crucial. Recently I had the pleasure of participating in the Italian Cloud Conference, where I held a session on Azure networking. Here is the video of the session, a 360-degree exploration of the key elements to consider in order to build hybrid network architectures using the various services offered by Azure, achieving the best integration with the on-premises environment without ever neglecting security. Advanced hybrid network architecture scenarios were explored during the session, with real-world examples drawn from direct field experience.


Data encryption in Azure

One of the areas involved in improving the security posture of a corporate information system is certainly encryption: through specific techniques, data is made readable only to those who hold the key to decrypt it. This article provides an overview of how encryption is used in Azure and gives references for further study.

To protect your data in the cloud, you must first consider the states in which data can be found and evaluate the controls that can be applied in each. Best practices for data security and encryption, particularly in Azure, concern the following states:

  • At rest: all information that statically resides on physical storage media, whether magnetic or optical.
  • In transit: data being transferred between components, locations or services, for example across the network, through a service bus or during input/output operations.

Encryption at Rest

Encryption at rest is a highly recommended technique and a priority requirement for many organizations in order to comply with data governance and compliance policies; several industry- and government-specific regulations require data protection and encryption measures. Encryption at rest encrypts data when it is persisted and, beyond meeting compliance and regulatory requirements, provides a high level of protection for the data. The Azure platform natively adopts advanced physical security, data access control and auditing mechanisms. It is nevertheless important to layer security measures to cope with potential failures, and encryption at rest is an excellent way to ensure confidentiality, compliance and data sovereignty.

Server-Side Data Encryption Models

Server-side encryption models refer to encryption performed by Azure services: the Azure Resource Provider performs both encryption and decryption. Several server-side encryption at rest models are available in Azure, each with different key management characteristics, and they can be applied to different Azure resources:

  • Server-side encryption using service-managed keys. The encryption keys are managed by Microsoft; this offers a good combination of control and convenience.
  • Server-side encryption using customer-managed keys in Azure Key Vault. The encryption keys are controlled by the customer through Azure Key Vault, including support for bringing your own key (BYOK).
  • Server-side encryption using customer-managed keys on customer-controlled hardware. The customer controls keys that reside in a repository it manages, outside of Microsoft's control. This feature is called Host Your Own Key (HYOK); its configuration is involved and most Azure services do not support this model at this time.

Figure 1 – Server-side encryption model

Client-side data encryption models

The client-side encryption model refers to encryption performed outside Azure, directly by the calling service or application. With this model the Azure Resource Provider receives encrypted data without the ability to decrypt it or access the encryption keys: key management is performed by the calling service or application and is opaque to the Azure service.

Figure 2 – Client-side encryption model

Encryption at Rest for the main Azure services

Azure Storage

Azure Storage automatically encrypts data when it is persisted in the cloud. All Azure Storage services (Blob storage, Queue storage, Table storage and Azure Files) support server-side encryption of data at rest, and some also support client-side encryption and customer-managed encryption keys.

  • Server-side: all Azure Storage services have server-side encryption with service-managed keys enabled by default. Azure Blob storage and Azure Files also support customer-managed keys stored in Azure Key Vault. The technology, called Azure Storage Service Encryption, automatically encrypts data before it is stored and decrypts it when it is accessed. The process is completely transparent to the user and uses 256-bit AES, one of the strongest block ciphers available; Azure Storage encryption is comparable to BitLocker encryption in a Windows environment. It is enabled by default for all new storage accounts and cannot be disabled. Storage accounts are encrypted regardless of performance tier (Standard or Premium) and deployment model (Azure Resource Manager or classic), all redundancy options support encryption and all copies of a storage account are encrypted. Encryption does not affect storage account performance and has no additional cost.
  • Client-side: currently supported by Azure Blobs, Tables and Queues. The data is encrypted by the customer, who manages the keys, and is uploaded to Azure already encrypted.

Virtual Machines

All managed disks, snapshots and virtual machine images in Azure are encrypted with Storage Service Encryption using service-managed keys. While a virtual machine processes data, however, data can end up in the Windows paging file or the Linux swap file, in a crash dump or in an application log. To obtain a more complete encryption at rest solution for IaaS virtual machines and virtual disks, ensuring that data is never kept in unencrypted form, you should use Azure Disk Encryption. This feature protects Windows virtual machines using BitLocker and Linux virtual machines using dm-crypt, giving full protection of operating system disks and data volumes. Encryption keys and secrets are protected in your own Azure Key Vault. Protection of encrypted virtual machines is supported by the Azure Backup service. For more information about Azure Disk Encryption see Microsoft's official documentation.
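The two customer-managed scenarios described above, Storage Service Encryption with a customer-managed key and Azure Disk Encryption with a Key Vault key encryption key, share the same Key Vault prerequisites, so here they are shown together in one Az PowerShell script. It is an added example, not code from the original article: the resource group, region, vault, storage account and VM names are placeholders (the vault and storage account names must be globally unique), the VM is assumed to already exist in the same region and subscription as the vault, the vault is assumed to use the access-policy permission model, and an authenticated Az session with the Az.KeyVault, Az.Storage and Az.Compute modules is assumed.

```powershell
# Added example (not from the original article): customer-managed keys for Azure Storage
# and Azure Disk Encryption for a VM, both backed by one Key Vault. Names are placeholders.
$rg       = 'rg-encryption'
$location = 'westeurope'
$kvName   = 'kv-cmk-demo-0001'
$saName   = 'stcmkdemo0001'
$vmName   = 'vm-app01'

# Key Vault: purge protection is required for customer-managed storage keys,
# EnabledForDiskEncryption is required by Azure Disk Encryption. ADE also requires the
# vault to be in the same region and subscription as the VM.
$kv = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $location `
    -EnabledForDiskEncryption -EnablePurgeProtection

# --- Azure Storage with a customer-managed key -------------------------------------
$storageKey = Add-AzKeyVaultKey -VaultName $kvName -Name 'storage-cmk' -Destination Software

# The storage account authenticates to Key Vault with a managed identity, which needs
# permission to wrap and unwrap the data encryption key with the customer key
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $saName -Location $location `
    -SkuName Standard_LRS -Kind StorageV2 -AssignIdentity
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $sa.Identity.PrincipalId `
    -PermissionsToKeys get, wrapkey, unwrapkey

# Switch the account from service-managed keys to the Key Vault key
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -KeyvaultEncryption `
    -KeyName $storageKey.Name -KeyVersion $storageKey.Version -KeyVaultUri $kv.VaultUri | Out-Null

# --- Azure Disk Encryption on an existing VM -----------------------------------------
# The BitLocker/dm-crypt secret is stored in the vault and wrapped with this key
# encryption key, so key custody stays with the customer. The VM may be restarted.
$kek = Add-AzKeyVaultKey -VaultName $kvName -Name 'ade-kek' -Destination Software

Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Id -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# Verification: OS and data volumes should report Encrypted, and the storage account's
# key source should read Microsoft.Keyvault instead of Microsoft.Storage
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
(Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).Encryption.KeySource
```

The access policy grants only get, wrapkey and unwrapkey: the storage service never needs to export the key, so it should never be allowed to. Losing the key (or purging the vault) makes the data unrecoverable, which is exactly why purge protection is a prerequisite rather than an option.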

Azure SQL Database

Azure SQL Database currently supports encryption at rest in the following ways:

  • Server-side: server-side encryption is provided by the SQL feature Transparent Data Encryption (TDE), which can be enabled at the database level. Since June 2017 it is on by default for all new databases. TDE protects SQL data and log files using the AES and Triple Data Encryption Standard (3DES) algorithms; database files are encrypted at the page level, encrypted before being written to disk and decrypted when read into memory.
  • Client-side: client-side encryption of data in Azure SQL Database is supported through Always Encrypted, which uses keys generated and stored on the client side. With this technology data is encrypted inside the client application before being stored in Azure SQL Database.

As with Azure Storage and Azure SQL Database, many other Azure services (Azure Cosmos DB, Azure Data Lake, etc.) encrypt data at rest by default, while for other services it can be activated optionally.

Encryption in Transit in Azure

Protecting data in transit must be an essential element of your data protection strategy. It is generally recommended to always protect data movement and exchange using TLS. In some circumstances it may be appropriate to isolate the entire communication channel between the on-premises environment and the cloud with a VPN. Microsoft uses Transport Layer Security (TLS) to protect data traveling between cloud services and customers: a TLS connection is negotiated between the Microsoft datacenter and the client systems that connect to Azure services. TLS provides strong authentication, privacy and message integrity (it allows detection of tampering, interception and message forgery).


Encryption of the data stored in the Azure environment is considered very important by those who decide to rely on cloud services. Knowing that all Azure services provide encryption at rest options, and that for the main services encryption is enabled by default, is certainly reassuring. Some services also support customer control of the encryption keys and client-side encryption, for a greater level of control and flexibility. Microsoft is constantly improving its services to offer more control over encryption at rest options and aims to make encryption at rest the default for all customer data.


How to control the execution of applications using Azure Security Center

Azure Security Center provides several mechanisms to prevent security threats and reduce the attack surface of your environment. One of these is Adaptive Application Controls, a solution that controls which applications run on your systems. Azure Security Center uses a machine learning engine to analyze the applications running on virtual machines and proposes a list of allowed applications. This article lists the benefits of adopting this solution and how to configure it.

Adopting this solution, available with the Standard tier of Azure Security Center, you can:

  • Be alerted to attempts to run malicious applications that antimalware solutions might not detect. For Windows systems in Azure, execution can also be blocked.
  • Meet corporate compliance requirements, allowing only licensed software to run.
  • Avoid unwanted or obsolete software in your infrastructure.
  • Control access to sensitive data that takes place through specific applications.

Figure 1 – Azure Security Center Free vs Standard Tier

Adaptive application controls can be used on systems regardless of their geographic location. Currently, for systems not located in Azure and for Linux VMs, only audit mode is supported.

The feature is activated directly from the portal, in Azure Security Center.

Figure 2 – Adaptive application controls in the "Advanced cloud defense" of Security Center

Security Center uses a proprietary algorithm to automatically create groups of machines with similar characteristics, which makes enforcing application control policies easier.

In the management interface, the groups are divided into three types:

  • Configured: groups containing VMs where this feature is already configured.
  • Recommended: groups of systems where enabling application control is recommended. Security Center uses machine learning to identify VMs on which the same applications run regularly, and which are therefore good candidates for application control.
  • Unconfigured: groups containing VMs for which there are no specific recommendations regarding application control, for example VMs that systematically run different applications.

Figure 3 – Types of groups

Clicking on a group of virtual machines lets you manage the application control rules that evaluate the execution of applications.

Figure 4 – Configuring Application control rules

For each rule, you select the machines it applies to and the applications you want to allow. For each application, detail information is provided; in particular, the "Exploitable" column indicates whether the application could potentially be used maliciously to bypass the allow list. Pay close attention before allowing this type of application.

For Windows systems, this configuration creates specific AppLocker rules that govern the execution of applications.

By default, Security Center enables application control in Audit mode, which only records activity on the protected virtual machines without blocking any application. For each group, after verifying that the configuration does not cause malfunctions in the workloads running on the systems, you can switch application control to Enforce mode, provided that the group contains Windows virtual machines in Azure, to block the execution of applications that are not expressly allowed. You can also rename the group from the same interface.
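The verification step before switching a group to Enforce can be done on the VM itself, since on Windows the rules land in AppLocker and AppLocker logs, in Audit mode, every execution it would have blocked. The following PowerShell script is an added example, not code from the original article: run on a Windows VM of an audited group (locally with administrative rights, or through Invoke-AzVMRunCommand), it prints the rule collections that were pushed and their enforcement mode, then summarizes the audit events by executable and user. The seven-day lookback window is a placeholder.

```powershell
# Added example (not from the original article): review AppLocker audit results on a
# Windows VM before moving its Security Center group from Audit to Enforce.
$lookback = (Get-Date).AddDays(-7)

# Effective policy: one RuleCollection per type (Exe, Dll, Msi, Script, Appx), each with
# its own EnforcementMode (AuditOnly, Enabled or NotConfigured) and its rules
$policy = [xml](Get-AppLockerPolicy -Effective -Xml)
$policy.AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode, @{n='Rules'; e={ @($_.ChildNodes).Count }}

# AppLocker event IDs in the EXE and DLL log:
#   8002 = allowed, 8003 = would have been blocked (Audit), 8004 = blocked (Enforce)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004
    StartTime = $lookback
} -ErrorAction SilentlyContinue

# Executables not covered by the allow list, grouped by path and user (TargetUser is a
# SID). Legitimate entries found here must be added to the rules before enforcing;
# anything unexpected is worth investigating as a possible intrusion attempt.
$events | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        EventId = $_.Id
        User    = $data.TargetUser
        Path    = $data.FilePath
    }
} | Group-Object Path, User | Sort-Object Count -Descending |
    Select-Object Count,
        @{n='Path'; e={ $_.Group[0].Path }},
        @{n='User'; e={ $_.Group[0].User }},
        @{n='EventId'; e={ $_.Group[0].EventId }}
```

An empty result after a full business cycle (including month-end jobs and patch windows) is the signal that the group can be enforced; a long tail of one-off paths under user profiles or temporary directories usually means the workload is not a good candidate yet.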

Figure 5 – Change the name and protection mode

At the end of the configuration, the main Security Center panel shows notifications about potential violations, that is, executions of applications other than those allowed.

Figure 6 – Security Center application violation notifications

Figure 7 – Full list of the violations found

Figure 8 - Sample of violation


Adaptive application controls allow, in a few easy steps, a thorough control of the applications that run on your systems. The configuration is simple and intuitive, thanks in particular to the automatic grouping of systems with similar characteristics in terms of the applications they run. It is therefore an important mechanism that helps prevent potential security threats and minimize the attack surface of the environment. Together with its other features, Adaptive application controls help make Security Center a complete solution for protecting workloads.
