How to Improve Azure Security with CIS Benchmarks

I love experimenting with Trend Micro Cloud One Conformity! A recent edition to the product regarding Microsoft Azure is the inclusion of the CIS Benchmark reporting capabilities. This is aligned and accomplished with CIS Microsoft Azure Foundations Benchmark v1.1.0.

Today, I am going to provision a test Windows Virtual Machine with some known misconfigurations, and run the CIS report and see how I can improve! I am also going to provision an Azure Web App in Visual Studio Code with some misconfigurations, and see how that stacks up against the CIS benchmark tests. The Cloud One Conformity Bot should show how I can improve and remediate. Enjoy!

Ok, so first I went ahead and deployed a test Microsoft Windows Server 2019 Virtual Machine in my subscription. This had some purposeful misconfigurations to see if they would get picked up in the Trend Micro Cloud Conformity Bot process, and corresponding CIS Benchmarks Report.

And........the results are in! I ran the Trend Micro Cloud Conformity Bot against my Azure Subscription and pulled my results by CIS Benchmark. Looks like it picked up my dodgy Network Security Group. I also don't have flow logs for my Network Security Group for long term retention, and my OS disk is not encrypted! This is really cool how it breaks it out by Benchmark number! This is an easy way for Cloud Engineers to track the violations and what they have remediated.

Cool! So, how do I remediate this stuff? Well I can open up the RDP finding specifically to get the details on the affected resource, and click the resolve button to take me to the knowledge base.

Here is the Cloud Conformity knowledge base article for that finding (RDP) which tells me how to fix it in the Azure Portal, or programmatically fix in Azure CLI. Cool!

Let's go ahead and fix that via Azure CLI and see if that finding is remediated! You can see here I listed out all the Network Security Group rules by using the following Azure CLI command.

az network nsg list

As we see, I was able to list out all the Network Security Groups to find the offending Network Security Group rule. There it is! Lets zap that guy!

Then, I went ahead and updated the Network Security Group to not allow RDP open to the outside world, but within only the local Virtual Network. That was done with the following Azure CLI command.

az network nsg rule update -g TESTCISMachine --nsg-name TESTCISMachine-nsg -n RDP --source-address-prefix 'VirtualNetwork'

Ok, lets run the Cloud One Conformity bot again and see if that risk has been eliminated!

Looks good!

Let's now move on and fix the Network Security Group flow logs, and disk encryption issues. Those were the next items I had on my CIS report list. I like lists!

Well, looking at the Network Security Group flow logs violations it looks like I have two resources in my subscription with that problem. One is my test Virtual Machine for this article and my AKS (Azure Kubernetes Service) cluster. Cool! Let's go ahead and fix them both! Good to know!

Ok, so lets see what they are set at right now programmatically! Let's get a base reading!

az network watcher flow-log show --nsg TESTCISMachine-nsg --resource-group TESTCISMachine --query 'retentionPolicy'
az network watcher flow-log show --nsg aks-agentpool-24655092-nsg --resource-group MC_AKS_AKS_southcentralus --query 'retentionPolicy'

Well, that's not good! As we can see from the json output below from Powershell, It's not turned on for both Network Security Groups. I also noticed that the days are set to zero not the recommended 90 days. Well let's go ahead and change it via Azure CLI to fix.

We are going to fix it with the following commands!

az network watcher flow-log create --location southcentralus--resource-group TESTCISMachine --name TestFlowLog --nsg TESTCISMachine-nsg --storage-account testcismachinediag --retention 90

az network watcher flow-log create --location southcentralus --resource-group MC_AKS_AKS_southcentralus --name TestFlowLogAKS --nsg aks-agentpool-24655092-nsg --storage-account testaksv2 --retention 90

Looks like the upgrade to Network Security Flow Log retention was successful from Azure CLI output shown below!

Let's go ahead and check in on our Cloud One Conformity bot!

Huzzah!!! Well, that clears all of our Networking related risks in relation to CIS benchmarking!! Look at that! Green is a pretty color! I feel a lot better already!

Let's now take care of that pesky disk encryption issue shown below under Virtual Machines!

Well, from the Azure CLI output the Virtual Machine definitely doesn't have encryption turned on the OS disk. Let's fix it programmatically.

Here is the Azure CLI fix!

az vm encryption enable --disk-encryption-keyvault cistesting123 --name TESTCISMachine --resource-group TESTCISMachine --volume-type OS

Let's verify that the disk encryption completed successfully.....Boom goes the dynamite! Look at that Azure Portal! Beautiful site!

Alrighty then! Let's Cloud One Conformity bot check it up!

Wow!! All clear, my disk is now encrypted, and that cleared all checks for Virtual Machines! That is a good feeling! All thanks to Trend Micro Cloud One Conformity! We are ready to move on to my Azure Web App tests for this article.

Alrighty then! Let's try something new!! I recently pushed a test PHP based application to Azure Web App utilizing Visual Studio Code. I purposely put in some misconfigurations. I wanted to run some CIS Benchmarks on it with Trend Micro Cloud One Conformity.

It is a simple Microsoft built application referenced here. https://github.com/Azure-Samples/php-docs-hello-world

Here is its running in Azure Web App after pushing up to an Azure App Service Plan with Visual Studio Code.

Here is the same app running in a browser. Just says "Hello World!" and PHP runtime info displayed. Simple right?

So, what does our trusty Cloud One Conformity Bot check say about this Azure Web App/Service Plan according to the CIS Benchmark?

Interesting! Well for starters, I know I did put an older version of PHP runtime on purpose. Looks like it found that in 9.7 CIS Benchmark check.

I did that in the deployment phase with the Visual Studio IDE. I selected the 7.2 runtime at deployment time of the application. Silly me!

Well, looks like I can fix that pretty easily in the Azure Portal, or I can redeploy the web app service plan with the new runtime. Either way, it will restart the associated Azure Web App. We can now see that the PHP runtime has been updated properly with the php info file displaying the new PHP 7.3 runtime in the browser. Eureka!

Ok, lets run Cloud One Conformity bot and see if that clears up!

Voila! Let's see if we can clear up the rest of the Azure App Service Plan issues. Shall we? Sounds good to me!

Ok, next on our list is http/https violations.

First, we are not running the latest version. Purposely I am running HTTP 1.1 instead of HTTP 2.0. That can easily be fixed in the Azure Portal.

Here you can see where I fixed it, and Cloud One Conformity Bot picked up the change! I am not surprised, of course it did! Trend Micro Cloud One Conformity for the win!

Next, this has to do with requiring HTTPS Only redirect for the application and TLS 1.2. Those are now being turned on in the Azure Portal to fix the misconfigurations I introduced. Oopsy!

Look at that! Those are now being showing as remediated now on the latest Cloud One Conformity Bot check! HTTPS Only and TLS 1.2 now are good to go!

Neeeeeeeext! We are needing to require incoming client certificates for accessing the application.

Here is where you change that configuration in the Azure Portal under app service plan configuration. Note, you may need to scale up your App Service Plan to Basic instead of Free tier to do so.

Here is the corresponding Cloud One Conformity Bot check!

Ok, that only leaves one more violation! I can see the top of the mountain! Looks like we need to register our application to Azure Active Directory as a best practice!

The fix can be done here under the Identity settings for the Azure App Service!

Wow! This house is clear! We have cleared all our violations for CIS Benchmark regarding App Service!

As an added bonus, we have also improved our overall numbers!

This is a great addition to Trend Micro Cloud One Conformity which is already an phenomenal product!

Using CIS Benchmark as a guide is a great way to remediate common misconfigurations in your Azure Subscription. Today, we were specifically able to show how that applies to both Azure Virtual Machine misconfigurations and Azure Web App and Azure App Service Plan misconfigurations. These are two popular services that most folks in Azure use on a daily basis. I hope you enjoyed stopping by! I certainly enjoyed experimenting with the new CIS benchmarks. I encourage you to try it out and do the same! Trend Micro Cloud Conformity is a great tool to help you fix common misconfigurations, help you establish a Well Architected Framework, and now we have the bonus of additional CIS benchmark tests!

See you next time!

References:
https://www.cloudconformity.com
https://github.com/Azure-Samples/php-docs-hello-world

How to Improve Azure Security with CIS Benchmarks

Authors

Resources

Support

About Trend

Resources

Support

About Trend

The Americas

Middle East & Africa

Europe

Asia & Pacific