Azure Hardening Checklist
- Disable app registrations for non-admin users (Azure AD user setting "Users can register applications" set to No) 1
- Limit enterprise applications: restrict user consent to applications, since unrestricted consent is what enables illicit consent grant attacks 1
- Restrict External collaboration access 1
- Limit guest user access 1
- Enforce MFA for all users and require Microsoft Intune device enrollment (device compliance) for access to Azure AD resources 1
- Review network security groups (NSGs) for overly permissive rules, measured against your business needs 1
- Apply an explicit default-deny rule to network security groups 1
- Use virtual network service tags instead of hard-coding IP addresses in NSG rules
- Ensure blob storage containers are private (no anonymous/public blob access) in production environments
- Check Azure Security Center (now Microsoft Defender for Cloud) periodically for security recommendations tailored to your environment 2
- Enable NSGs on every subnet other than the VPN gateway subnet; an NSG associated with the GatewaySubnet is not supported and can break access to your systems 2
- Test your Azure Functions and Azure App Service applications for traditional application vulnerabilities, e.g., SQLi, XXE, SSRF 2
- Review access controls on your Azure Apps to ensure no overly permissive access is granted (refer to your business needs)
- Use Microsoft CredScan to identify leaked credentials and secrets in source code and configuration
- Encrypt data at rest and in flight 2
- Restrict access to your databases; one or more of the following will suffice 2:
    - Configure firewall rules for the database
    - Use Azure Private Link (see the Azure security best practices)
- Restrict access to your VMs; one or more of the following will suffice 2:
    - Configure bastion hosts
    - Use Azure Bastion (fully managed RDP/SSH, so no RDP/SSH port is exposed on the VM)
    - Remove the public IP address from machines that should not be exposed to the internet
    - Use just-in-time VM access 1
- Audit and remove excessive privileges held by service principals, in particular membership of these directory roles 4:
    - Global Administrator
    - Privileged Role Administrator
    - Privileged Authentication Administrator
- Additionally, audit for any service principals granted either of the following Microsoft Graph application permissions (app roles); each one lets the holder escalate itself to Global Administrator 4:
    - RoleManagement.ReadWrite.Directory (can assign directory roles, including Global Administrator)
    - AppRoleAssignment.ReadWrite.All (can grant itself any app role, including RoleManagement.ReadWrite.Directory)
- Protect your secrets using Azure Key Vault 2
    - Store secrets in Azure Key Vault rather than in code, pipelines or app settings
    - Use managed identities (formerly Managed Service Identity) to authenticate to Key Vault, so no credential is needed to reach the vault itself
- Use a separate Azure subscription for production: the subscription boundary lets you scope RBAC assignments and Azure Policy differently, so stricter controls apply to production and looser ones only to non-production environments 2
- Configure a WAF 2:
    - Place Azure Application Gateway or Azure Front Door in front of your web application
    - Enable the web application firewall on it
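The NSG items above (review for overly permissive rules, apply a default deny, prefer service tags) can be checked mechanically against an exported NSG. The following is an added example, not code from the original checklist: it audits the `securityRules` of a constructed sample shaped like `az network nsg show -o json` (only the fields it reads are reproduced) and flags inbound Allow rules whose source is any address, with management ports treated as high severity, plus the absence of an explicit default-deny rule. Service tags such as `AzureLoadBalancer` are deliberately not treated as "any source".

```python
import ipaddress
import json

# Constructed sample mirroring the shape of `az network nsg show -o json`.
# Assumption: only the fields the audit reads are reproduced; other fields are omitted.
SAMPLE_NSG_JSON = r"""
{
  "name": "web-nsg",
  "securityRules": [
    {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
     "destinationPortRange": "443", "destinationPortRanges": []},
    {"name": "allow-rdp-any", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "3389", "destinationPortRanges": []},
    {"name": "allow-mgmt", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": null,
     "sourceAddressPrefixes": ["10.0.0.0/8", "0.0.0.0/0"],
     "destinationPortRange": null, "destinationPortRanges": ["22", "5985-5986"]},
    {"name": "allow-ssh-from-bastion", "priority": 130, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.10.0.0/27", "sourceAddressPrefixes": [],
     "destinationPortRange": "22", "destinationPortRanges": []},
    {"name": "allow-lb-probe", "priority": 140, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer", "sourceAddressPrefixes": [],
     "destinationPortRange": "*", "destinationPortRanges": []},
    {"name": "allow-outbound-web", "priority": 100, "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "443", "destinationPortRanges": []}
  ]
}
"""

MGMT_PORTS = {22, 3389, 5985, 5986}          # SSH, RDP, WinRM
ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "::/0"}


def values(rule, single, plural):
    """Azure populates either the singular field or the plural list; merge both."""
    vals = [v for v in (rule.get(plural) or []) if v]
    if rule.get(single):
        vals.append(rule[single])
    return vals


def expand_ports(specs):
    """'443' / '5985-5986' -> set of ints; '*' anywhere -> None, meaning all ports."""
    ports = set()
    for spec in specs:
        if spec == "*":
            return None
        if "-" in spec:
            lo, hi = (int(p) for p in spec.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(spec))
    return ports


def is_any_source(prefix):
    """True for wildcard, Internet tag or a zero-length CIDR; other service tags/ASGs are False."""
    if prefix.lower() in ANY_SOURCE:
        return True
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:
        return False  # a service tag (e.g. AzureLoadBalancer) or an ASG name, not a literal range


def audit_nsg(nsg):
    """Return findings for inbound Allow rules open to any source, plus a missing explicit deny."""
    findings = []
    inbound = [r for r in nsg.get("securityRules", []) if r.get("direction") == "Inbound"]
    for rule in sorted(inbound, key=lambda r: r["priority"]):
        if rule.get("access") != "Allow":
            continue
        sources = values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if not any(is_any_source(s) for s in sources):
            continue
        ports = expand_ports(values(rule, "destinationPortRange", "destinationPortRanges"))
        if ports is None:
            sev, why = "high", "allows every port from any source"
        elif ports & MGMT_PORTS:
            sev, why = "high", f"exposes management port(s) {sorted(ports & MGMT_PORTS)} to any source"
        else:
            sev, why = "review", f"allows port(s) {sorted(ports)} from any source; confirm business need"
        findings.append({"rule": rule["name"], "priority": rule["priority"], "severity": sev, "reason": why})
    # The checklist asks for an explicit default deny; the platform's built-in DenyAllInBound
    # sits at priority 65500 and is easy to override by accident, so look for a custom one.
    has_explicit_deny = any(
        r.get("access") == "Deny"
        and expand_ports(values(r, "destinationPortRange", "destinationPortRanges")) is None
        and (src := values(r, "sourceAddressPrefix", "sourceAddressPrefixes"))
        and all(is_any_source(s) for s in src)
        for r in inbound
    )
    if not has_explicit_deny:
        findings.append({"rule": None, "priority": None, "severity": "medium",
                         "reason": "no explicit default-deny inbound rule (only the built-in DenyAllInBound at 65500 applies)"})
    return findings


def load_sample():
    return json.loads(SAMPLE_NSG_JSON)


if __name__ == "__main__":
    for f in audit_nsg(load_sample()):
        print(f"[{f['severity']}] {f['rule'] or '(nsg)'} p={f['priority']}: {f['reason']}")
```

On the sample this reports `allow-https` for review (443 from Internet is usually intentional but should be confirmed), `allow-rdp-any` and `allow-mgmt` as high (RDP, SSH and WinRM reachable from 0.0.0.0/0), and the missing explicit deny; `allow-ssh-from-bastion` and the `AzureLoadBalancer` probe rule pass. To run it against a real NSG, replace the sample with the output of `az network nsg show -g <rg> -n <nsg> -o json`.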
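The two service principal items above (privileged directory roles, and the `RoleManagement.ReadWrite.Directory` / `AppRoleAssignment.ReadWrite.All` Graph app roles) can be audited from three Microsoft Graph responses. The following is an added example, not code from the original checklist. It runs on constructed samples shaped like `GET /v1.0/directoryRoles?$expand=members`, the Microsoft Graph service principal's `appRoles` list, and that service principal's `appRoleAssignedTo` collection; principal ids and display names are placeholders, and the app role GUIDs are resolved from the `appRoles` list rather than hardcoded, so the check works against whatever the tenant returns.

```python
import json

# Directory roles and Graph application permissions named in the checklist.
PRIVILEGED_DIRECTORY_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
}
DANGEROUS_GRAPH_APP_ROLES = {
    "RoleManagement.ReadWrite.Directory",  # can assign itself Global Administrator
    "AppRoleAssignment.ReadWrite.All",     # can grant itself any app role, including the one above
}
SP_ODATA_TYPE = "#microsoft.graph.servicePrincipal"

# Constructed sample modelled on GET /v1.0/directoryRoles?$expand=members (ids are placeholders).
SAMPLE_DIRECTORY_ROLES = r"""{"value": [
  {"displayName": "Global Administrator", "members": [
    {"@odata.type": "#microsoft.graph.user", "id": "u-1", "displayName": "break-glass-admin"},
    {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-ci", "displayName": "ci-deploy"}]},
  {"displayName": "Privileged Role Administrator", "members": [
    {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-idgov", "displayName": "id-governance-bot"}]},
  {"displayName": "Directory Readers", "members": [
    {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-report", "displayName": "reporting-app"}]}
]}"""

# Constructed sample modelled on the Microsoft Graph service principal
# (GET /v1.0/servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000').
# Only the appRoles entries needed for the lookup are included.
SAMPLE_GRAPH_SP = r"""{"appRoles": [
  {"id": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8", "value": "RoleManagement.ReadWrite.Directory"},
  {"id": "06b708a9-e830-4db3-a914-8e69da51d44f", "value": "AppRoleAssignment.ReadWrite.All"},
  {"id": "df021288-bdef-4463-88db-98f22de89214", "value": "User.Read.All"}
]}"""

# Constructed sample modelled on GET /v1.0/servicePrincipals/{graph-sp-id}/appRoleAssignedTo.
SAMPLE_ASSIGNMENTS = r"""{"value": [
  {"appRoleId": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8", "principalId": "sp-auto",
   "principalDisplayName": "automation-sp", "principalType": "ServicePrincipal"},
  {"appRoleId": "df021288-bdef-4463-88db-98f22de89214", "principalId": "sp-report",
   "principalDisplayName": "reporting-app", "principalType": "ServicePrincipal"},
  {"appRoleId": "06b708a9-e830-4db3-a914-8e69da51d44f", "principalId": "sp-ci",
   "principalDisplayName": "ci-deploy", "principalType": "ServicePrincipal"}
]}"""


def privileged_role_members(directory_roles):
    """(sp_id, sp_name, role) for every service principal holding a privileged directory role."""
    hits = []
    for role in directory_roles.get("value", []):
        if role.get("displayName") not in PRIVILEGED_DIRECTORY_ROLES:
            continue
        for member in role.get("members", []):
            if member.get("@odata.type") == SP_ODATA_TYPE:   # users are reviewed separately
                hits.append((member["id"], member.get("displayName", ""), role["displayName"]))
    return hits


def dangerous_graph_grants(graph_sp, assignments):
    """(sp_id, sp_name, permission) for every service principal granted a dangerous Graph app role."""
    id_to_value = {r["id"]: r["value"] for r in graph_sp.get("appRoles", [])}
    hits = []
    for a in assignments.get("value", []):
        perm = id_to_value.get(a.get("appRoleId"))
        if perm in DANGEROUS_GRAPH_APP_ROLES and a.get("principalType") == "ServicePrincipal":
            hits.append((a["principalId"], a.get("principalDisplayName", ""), perm))
    return hits


def audit_service_principals(directory_roles, graph_sp, assignments):
    """Merge both checks into {sp_id: {"name": ..., "issues": [...]}} for review."""
    findings = {}
    for sp_id, name, role in privileged_role_members(directory_roles):
        findings.setdefault(sp_id, {"name": name, "issues": []})["issues"].append(f"directory role: {role}")
    for sp_id, name, perm in dangerous_graph_grants(graph_sp, assignments):
        findings.setdefault(sp_id, {"name": name, "issues": []})["issues"].append(f"Graph app role: {perm}")
    return findings


def audit_sample():
    return audit_service_principals(json.loads(SAMPLE_DIRECTORY_ROLES),
                                    json.loads(SAMPLE_GRAPH_SP),
                                    json.loads(SAMPLE_ASSIGNMENTS))


if __name__ == "__main__":
    for sp_id, entry in audit_sample().items():
        print(f"{entry['name']} ({sp_id}): " + "; ".join(entry["issues"]))
```

On the sample, `ci-deploy` is flagged twice (Global Administrator plus `AppRoleAssignment.ReadWrite.All`), `id-governance-bot` for Privileged Role Administrator and `automation-sp` for `RoleManagement.ReadWrite.Directory`, while `reporting-app` (Directory Readers, `User.Read.All`) passes. Against a live tenant the three documents can be fetched with `az rest --method get --url <endpoint>` using the endpoints noted in the comments; remember to escape `$expand` and `$filter` in the shell.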