Password-less VM – The importance of securing your IaaS Linux VM in the Public Cloud

January 9, 2019

When creating a VM in the Public Cloud, some would think that the Provider would be responsible for its security. Guess what, you are responsible for its security.

A common misunderstanding is assuming that a strong password would do the job of securing the VM access. To prove that is not good enough, yesterday I created a VM in Azure for some Containers Lab work and in less than 9hrs, I had 8712 failed login attempts, as the picture above shows.

Creating a more Secure VM

So, what should you do to protect access to your public VM?

“Password-less VM”: Using an SSH public key instead of a password greatly increases the difficulty of a brute-force guessing attack.

A “password-less” VM includes:

  • A username that is not a standard one such as “root” or “admin”: Azure already helps you with that by not allowing you to create “root” or “admin” as a username. Also note that in Linux, the username is case sensitive.
  • No password for the user; no password-based login permitted. Instead, configure private key/certificate SSH authentication: that’s a must!
  • A randomized public SSH port.

Verifying

Run the Linux command below; the output should include the line: PasswordAuthentication no

$ sudo tail -n 10 /etc/ssh/sshd_config
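A fuller check of the same settings, as an added example that is not from the original post: it audits the effective configuration printed by `sudo sshd -T` rather than the last lines of the file. The function names and both sample dumps are constructed for illustration, and the keyboard-interactive and root-login checks go beyond the three items listed above.

```shell
#!/bin/sh
# Added example: audit effective sshd settings for a "password-less" VM.
# Input format is the output of `sudo sshd -T`: one "keyword value" per line.

# Print the value of keyword $1 from sshd -T style text on stdin.
sshd_value() {
    awk -v key="$1" 'tolower($1) == key { print tolower($2); exit }'
}

# Audit the dump in $1: print findings, return 0 only when nothing FAILs.
audit_sshd() {
    cfg=$1
    rc=0
    got=$(printf '%s\n' "$cfg" | sshd_value passwordauthentication)
    if [ "$got" != "no" ]; then
        echo "FAIL passwordauthentication is '${got:-unset}', want 'no'"; rc=1
    fi
    # Keyboard-interactive (PAM) can still prompt for a password; older
    # OpenSSH releases report it as challengeresponseauthentication.
    for key in kbdinteractiveauthentication challengeresponseauthentication; do
        got=$(printf '%s\n' "$cfg" | sshd_value "$key")
        if [ "$got" = "yes" ]; then echo "FAIL $key is 'yes'"; rc=1; fi
    done
    got=$(printf '%s\n' "$cfg" | sshd_value pubkeyauthentication)
    if [ "$got" != "yes" ]; then
        echo "FAIL pubkeyauthentication is '${got:-unset}', want 'yes'"; rc=1
    fi
    got=$(printf '%s\n' "$cfg" | sshd_value permitrootlogin)
    if [ "$got" = "yes" ]; then echo "FAIL permitrootlogin is 'yes'"; rc=1; fi
    got=$(printf '%s\n' "$cfg" | sshd_value port)
    if [ "$got" = "22" ]; then echo "WARN port is the default 22"; fi
    return "$rc"
}

# Constructed samples in sshd -T format (not captured from a real host).
SAMPLE_WEAK='port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'
SAMPLE_HARDENED='port 50122
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

# On the VM itself: audit_sshd "$(sudo sshd -T)"
audit_sshd "$SAMPLE_WEAK" || true
audit_sshd "$SAMPLE_HARDENED" && echo "hardened sample: OK"
```

`sshd -T` reports the global settings; anything set inside a Match block is only evaluated when connection parameters are supplied with `-C`.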

Detailed Steps

Check out the article “Quick steps: Create and use an SSH public-private key pair for Linux VMs in Azure” for how to configure those steps.

What else should you do?

Azure offers great protection options for Azure VMs. It’s definitely a must that you:

  • Install the Microsoft Monitoring Agent to enable Azure Security Center, which will help you prevent, detect, and respond to threats. Security Center analyzes the security state of your Azure resources. When Security Center identifies potential security vulnerabilities, it creates recommendations. The recommendations guide you through the process of configuring the needed controls. For detailed information see https://docs.microsoft.com/en-us/azure/security-center/quick-onboard-linux-computer
  • Configure Security Policies, which drive the security recommendations you get in Azure Security Center.
  • Configure Just-in-time (JIT) virtual machine (VM) access, which can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed. Configure custom ports and customize the following settings:
      • Protocol type: The protocol that is allowed on this port when a request is approved.
      • Allowed source IP addresses: The IP ranges that are allowed on this port when a request is approved.
      • Maximum request time: The maximum time window during which a specific port can be opened.
  • Configure Network security groups and rules to control traffic to virtual machines.
  • Configure a dedicated network connection between your on-premises network and your Azure vNets, either through a VPN or through Azure ExpressRoute: Production services should not be exposing SSH to the internet.

Stay safe!

Article also published on my LinkedIn page: https://www.linkedin.com/pulse/password-less-vm-importance-securing-your-iaas-linux-cardoso/?published=t

Azure B2C: Flexibility is the key

November 27, 2018

I have been working on some challenging Identity projects for the past 2 years and I have been amazed by the great flexibility that Azure B2C offers.

This week I am in Prague delivering an Azure Bootcamp for our internal Microsoft team and speaking on Identity and Security, and Azure B2C is one of the major points of my sessions.

In August this year I completed a project that enabled a major financial institution to offer a secure and easy way for their partners/customers to sign in to access their application.

Azure Active Directory B2C is a reliable, globally-distributed service with an SLA of 99.9%, capable of supporting millions of users and billions of authentications per day, allowing users to sign in with Microsoft Accounts, Azure AD, Facebook, Google+, LinkedIn and many others, or your own Identity provider.

Customer profiles are protected through various security controls in addition to application or policy-based multi-factor authentication.

You can learn more on how to manage sign-up, sign-in, and customer profiles in your ASP.NET, desktop, or single-page Node.js applications at https://docs.microsoft.com/en-us/azure/active-directory-b2c/#step-by-step-tutorials 


Where can you learn more about Windows 2019? Attend the November 8th Live Webinar with MS MVP Andy Syrewicze

October 29, 2018

Windows Server 2019 is the operating system that bridges on-premises environments with Azure, adding additional layers of security while helping you modernise your applications and infrastructure:

  •  Hybrid capabilities with Azure. Extend your datacentre to Azure to maximise your investments and gain new hybrid capabilities.
  •  Advanced multilayer security. Elevate your security posture by protecting the datacentre, starting with the operating system.
  •  Faster innovation for applications. Enable the creation of cloud-native apps, and modernise traditional apps using containers and microservices.
  • Unprecedented hyper-converged infrastructure. Evolve your datacentre infrastructure to achieve greater efficiency and security.

Where can you learn more about Windows 2019?

Demo webinars are a great way to see a product in action before you decide to take the plunge yourself. It enables you to see the strengths and weaknesses first-hand and also ask questions that might relate specifically to your own environment.

With that in mind there is a webinar scheduled to be presented live twice on November 8th by Microsoft MVP Andy Syrewicze to help you learn more about the new Windows 2019 features. The first session is at 2pm CET/8am EST/5am PST and the second is at 7pm CET/1pm EST/10am PST.

To note: With the record number of attendees for the last webinar, some people were unable to attend the sessions which were maxed out. It is advised you save your seat early for this webinar to keep informed and ensure you don’t miss the live event.

Save your seat: https://goo.gl/xEKQzP

This deep-dive webinar will focus on:

  • Windows Admin Center
  • Containers on Windows Server
  • Storage Migration Service
  • Windows Subsystem for Linux
  • And more!

Windows 2019. Are you ready to start your evaluation?

October 4, 2018

Microsoft announced this week that Windows Server 2019 is now generally available.


Windows Server 2019 is designed and engineered to help modernize your datacenter, delivering on four key areas:

Hybrid: The move to the cloud is a journey. To make it easier to connect existing Windows Server deployments to Azure services, we built interfaces for hybrid capabilities into the Windows Admin Center. With Windows Admin Center and Windows Server 2019, customers can use hybrid features like Azure Backup, Azure File Sync, disaster recovery to extend their datacenters to Azure and Storage Migration Service.

Security: In Windows Server 2019, we extended support of Shielded VMs to Linux VMs. We also enabled Windows Defender Advanced Threat Protection (ATP), which detects attacks and zero-day exploits among other capabilities, and included Defender Exploit Guard to help you elevate the security posture of your IT environment and combat ransomware attacks.

Application Platform: In Windows Server 2019, we reduced the Server Core base container image to a third of its size. We also provide improved app compatibility, support for Service Fabric and Kubernetes, and support for Linux containers on Windows to help modernize your app. Also with Server 2019, Linux users can bring their scripts to Windows while using industry standards like OpenSSH, Curl & Tar with the improved Windows Subsystem for Linux (WSL).

Hyper-converged Infrastructure (HCI): HCI is one of the latest trends in the server industry today. In Windows Server 2019, we democratize HCI with cost-effective high-performance software-defined storage and networking that allows deployments to scale from small 2-node, all the way up to 100s of servers with Cluster Sets technology, making it affordable regardless of the deployment scale.

Are you ready to start your evaluation? Click here to find out more

Source: https://cloudblogs.microsoft.com/windowsserver/2018/03/20/introducing-windows-server-2019-now-available-in-preview/

 


Join the MVPs to discover what’s new in Windows Server 2019 and System Center 2019

September 17, 2018

As Microsoft releases Windows Server 2019 and System Center 2019, you may want to get a grasp on the staggering amount of new features, improvements and updates included and hear from the Microsoft MVPs and Windows Insiders.

On October 3rd, Microsoft MVPs Andy Syrewicze and Rob Corradini, alongside former Microsoft Senior Technical Evangelist Symon Perriman, will be running an expert panel hosted by Altaro where you can get a full grasp of both Windows Server and System Center 2019 and a closer look at some standout features that will have the biggest impact on organizations looking to upgrade to Windows Server 2019.

What to expect from the webinar?

  • Next-generation management with Windows Admin Center
  • Windows Server 2019 Hyper-V enhancements and Failover Clustering
  • Windows and Hyper-V Containers on the Windows platform
  • Easy migrations using Storage Migration Service
  • And much more!

Got any questions about Windows Server 2019? Of course you do. Get answers direct from the experts during the webinar Q&A!


With the knowledge gained in this webinar, you’ll be ready to take full advantage of the new possibilities Windows Server 2019 brings to the table, and in doing so, keep your organization ready for the next generation of IT workloads.

System Insights

June 26, 2018

Windows Server 2019 was announced a while ago and we should be expecting its GA release by the end of this year (2018).

Don’t forget: JUNE 26th 2018 is the Windows Server Summit, where you’ll be able to see some great new stuff for Windows Server 2019.

No surprises, as with each release, Microsoft brings some new exciting functionality: System Insights, which brings local predictive analytics capabilities natively to Windows Server.

System Insights predictive capabilities, backed by a machine-learning model, locally analyse Windows Server system data, such as performance counters and events, providing high-accuracy predictions that help you reduce the operational expenses associated with reactively managing your Windows Server instances.

System Insights can be managed through Windows Admin Center:

[Image: CPU forecasting. Source: https://cloudblogs.microsoft.com/windowsserver/2018/06/19/introducing-windows-server-system-insights/]

Some of the functionality includes:

  • Visualize prediction outcomes to intuitively understand capacity consumption trends.
  • Set custom remediation jobs to automatically run after a capability generates a specific result, helping users automatically mitigate the issues detected by the predictive capabilities.
  • Use PowerShell to aggregate prediction outcomes reported by Windows Server instances – e.g. cluster, application tier, rack, and data center.

Download the preview today

You can get started with System Insights today by downloading the preview of Windows Server 2019 and Windows Admin Center.

 


The transition to adopting cloud services is unique for every organization. What does yours look like?

May 28, 2018

Join Industry Experts:

  • Andy Syrewicze (Microsoft MVP and Technical Evangelist – Altaro),
  • Didier Van Hoye (Microsoft MVP and Infrastructure Architect – FGIA),
  • Thomas Maurer (Microsoft MVP and Cloud Architect – itnetX)

 

There are limited seats, REGISTER NOW to save your spot

For a FREE LIVE Webinar which will focus on cloud technologies and be presented as a panel-style discussion on the possibilities of cloud technologies coming out of Microsoft, including:

  • Windows Server 2019 and the Software-Defined Datacenter
  • New Management Experiences for Infrastructure with Windows Admin Center
  • Hosting an Enterprise Grade Cloud in your datacenter with Azure Stack
  • Taking your first steps into the public cloud with Azure IaaS

After watching the experts discuss the details, you’ll see that the cloud doesn’t have to be an all or nothing discussion. This webinar will prepare you for your journey by revealing the available options and how to make the most out of them!

It is a great opportunity to ask industry experts as they share their experiences working with many customers worldwide.

WHEN:

Wednesday June 13th 2018 – Presented live twice on the day

  • Session 1: 2pm CEST – 5am PDT – 8am EDT
  • Session 2: 6pm CEST – 9am PDT – 12pm EDT
