Microsoft Azure and Security Best Practices – Part 1 Identity
So let me start this post off with a story…
A couple of weeks ago I had some issues with a demo environment I was hosting in Microsoft Azure, where I had automated all of the infrastructure setup using ARM, but there was still a lot of work done manually. The demo environment was set up using a single admin account which had access to the domain. Now, one day before I had a speaking session, I ran into an issue where the account password expired and I didn’t have a simple way to access the environment: since I wasn’t able to disable NLA, I couldn’t reset the password remotely, and I don’t have console access to the environment. So I was basically locked out of my own environment with the single user account I had; how could I solve this in Microsoft Azure?
First of all, I intended to use the “Password reset” option that Azure provides in the portal, but that is by design disabled if you want to run it on a domain controller, so that was not an option.
I ended up using a Custom Script Azure Extension running a PowerShell script (Set-ADUser -Identity $_.SamAccountName -PasswordNeverExpires:$TRUE) to disable the password expiration of my user before I had my presentation; the script was run from Azure and therefore allowed me to gain access again. Of course I was thrilled that I got access again before my session, but… and this brings me to the point of this post, which is to show best practices and how we can properly secure an Azure environment: in theory I didn’t have any access to the virtual environment, but because of my access in Azure I could run some scripts and gain access. This first post is going to be focused on Identity and role-based access control in Microsoft Azure.
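The story above is the defender's lesson in miniature: a principal with control-plane rights on a VM (enough to deploy an extension or invoke Run Command) can execute code inside the guest without holding any guest credentials, so those operations deserve monitoring regardless of how the guest itself is locked down. The following is an added example, not code from the original post or from the author, that scans Azure Activity Log records for successful VM extension deployments and Run Command invocations and attributes them to the calling identity. It assumes a simplified version of the Activity Log export schema (`operationName.value`, `caller`, `resourceId`, `status.value`); the sample records, subscription id, resource group, VM names and callers are all constructed placeholders.

```python
"""Flag Azure Activity Log events that push code into a VM's guest OS from the control plane.

Added example (not from the original post). The record shape is a simplified form of the
Activity Log export schema; all sample records below are constructed, not real log data.
"""
import json
from typing import Dict, Iterable, List

# Resource provider operations that execute code inside the guest OS. The operation names
# are real Azure operations; choosing exactly these two as the watch list is this example's choice.
GUEST_EXEC_OPERATIONS = frozenset({
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Compute/virtualMachines/runCommand/action",
})

# Placeholder subscription / resource group (constructed, not a real environment).
VM_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/demo-rg"
             "/providers/Microsoft.Compute/virtualMachines/")


def _record(ts: str, operation: str, caller: str, resource_id: str, status: str) -> str:
    """Build one constructed Activity Log line in the simplified schema assumed here."""
    return json.dumps({
        "eventTimestamp": ts,
        "operationName": {"value": operation},
        "caller": caller,
        "resourceId": resource_id,
        "status": {"value": status},
    })


# Constructed sample log: an extension deployment onto a domain controller (Started, then
# Succeeded), an unrelated restart, a Run Command on a web server, and one malformed line.
SAMPLE_ACTIVITY_LOG = "\n".join([
    _record("2019-01-10T07:55:01Z", "Microsoft.Compute/virtualMachines/extensions/write",
            "admin@example.onmicrosoft.com", VM_PREFIX + "dc01/extensions/CustomScriptExtension", "Started"),
    _record("2019-01-10T07:55:02Z", "Microsoft.Compute/virtualMachines/extensions/write",
            "admin@example.onmicrosoft.com", VM_PREFIX + "dc01/extensions/CustomScriptExtension", "Succeeded"),
    _record("2019-01-10T08:10:44Z", "Microsoft.Compute/virtualMachines/restart/action",
            "ops@example.onmicrosoft.com", VM_PREFIX + "web01", "Succeeded"),
    _record("2019-01-10T09:02:15Z", "Microsoft.Compute/virtualMachines/runCommand/action",
            "svc-deploy", VM_PREFIX + "web01", "Succeeded"),
    "not json at all",
])


def vm_name_from_resource_id(resource_id: str) -> str:
    """Return the VM name segment of an ARM resource id, or '' if it is not a VM-scoped id."""
    parts = resource_id.split("/")
    for i, part in enumerate(parts):
        if part.lower() == "virtualmachines" and i + 1 < len(parts):
            return parts[i + 1]
    return ""


def find_guest_code_execution(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return successful guest-code-execution events (one dict per event) from JSON-lines input.

    'Started' records are ignored so that each deployment is reported once, on completion.
    Malformed lines are skipped rather than aborting the whole scan.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        operation = (event.get("operationName") or {}).get("value", "")
        status = (event.get("status") or {}).get("value", "")
        if operation in GUEST_EXEC_OPERATIONS and status == "Succeeded":
            hits.append({
                "timestamp": event.get("eventTimestamp", ""),
                "caller": event.get("caller", ""),
                "vm": vm_name_from_resource_id(event.get("resourceId", "")),
                "operation": operation,
            })
    return hits


def summarize_by_caller(hits: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count guest-code-execution events per calling identity (who used control-plane rights)."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit["caller"]] = counts.get(hit["caller"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_guest_code_execution(SAMPLE_ACTIVITY_LOG.splitlines())
    for hit in found:
        print(f"{hit['timestamp']} {hit['caller']} -> {hit['vm']} via {hit['operation']}")
    print("per caller:", summarize_by_caller(found))
```

Run against a real export, the per-caller summary is the list of identities that effectively hold guest-level access to your VMs through Azure RBAC; any principal appearing there that is not expected to deploy extensions is a candidate for a narrower role assignment.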
Read the entire article here: Microsoft Azure and Security Best Practices – Part 1 Identity
Via Marius Sandbu.