CCN-STIC-884A-Secure Configuration Guide For Azure


ICT Security Guide

CCN-STIC 884A

Secure Configuration Guide for Azure

December 2019
CCN-STIC 884A Secure Configuration Guide for Azure

Published by: Centro Criptológico Nacional
(electronic seal: 2.5.4.13=Qualified Certificate: AAPP-SEP-M-SW-KPSC, ou=sello electrónico, serialNumber=S2800155J, o=CENTRO CRIPTOLOGICO NACIONAL, c=ES)

© National Cryptologic Centre, 2019


NIPO: 083-19-256-1

Date of Edition: December 2019


Plain Concepts has participated in the creation and modification of this document and its annexes. Sidertia
Solutions S.L. has participated in the revision of this guide.

LIMITATION OF RESPONSIBILITY
This document is provided in accordance with the terms compiled in it, expressly rejecting any type of
implicit guarantee that might be related to it. In no case can the National Cryptologic Centre be considered
liable for direct, indirect, accidental or extraordinary damage derived from using information and software
that are indicated even when warning is provided concerning this damage.
LEGAL NOTICE
Without written authorisation from the National Cryptologic Centre, it is strictly forbidden, incurring
penalties set by law, to partially or totally reproduce this document by any means or procedure, including
photocopying and computer processing, or to distribute copies of it by means of rental or public lending.

National Cryptologic Centre

FOREWORD

The current national and international scenario is dominated by developments in
Information and Communication Technologies (ICT) and by risks emerging from their
use. The Administration is fully aware of this scenario and it is necessary for this body
to develop, acquire, conserve and secure use of ICTs to guarantee that its services run
effectively for the citizen's and the country's best interests.
Working from the Centre's knowledge and experience on threats and vulnerabilities in
terms of emerging risks, Law 11/2002, dated 6th May, regulating the National
Intelligence Centre, entrusts the National Intelligence Centre with the functions related to
information technology security, according to Article 4.e), and to the protection of
classified information, according to Article 4.f). It also gives, through Article
9.2.f), its Secretary of State-Director the responsibility of managing the National
Cryptologic Centre.
One of the most outstanding functions that Royal Decree 421/2004, dated 12th March,
regulating the National Cryptologic Centre, assigns to it is to draw up and
disseminate standards, instructions, guides and recommendations to guarantee
security for the Administration's information and communication technologies.
Royal Decree 3/2010, dated 8th January, develops the National Security Framework
(hereinafter called ENS) in the field of Electronic Administration, which is also referred
to in the second section of Article 156 of Law 40/2015, dated 1st October, of the Public
Sector Legal System. The National Security Framework establishes the security policy,
in matters of use of electronic means, which ensures the protection of information.
Indeed, Royal Decree 3/2010, dated 8th January, updated by Royal Decree 951/2015,
dated 23rd October, sets the basic principles and minimum requirements as well as the
protection measures to be introduced in Administration systems. In Article 29, it
authorises the CCN to develop CIS guidelines to ease the fulfilment of these minimum
requirements.
The CCN-STIC documents series was drawn up to comply with this function and the
ENS, aware of the importance of establishing a frame of reference on this matter that
can be used as support so that Administration staff can carry out their difficult and
occasionally thankless task of providing security for ICT systems within their
responsibility.
July 2019

Felix Sanz Roldan


Secretary of State
Director of the National Cryptologic Centre


TABLE OF CONTENTS
1. SECURE CONFIGURATION GUIDE FOR AZURE
  1.1 DESCRIPTION OF THE USE OF THIS GUIDE
  1.2 SERVICE DEFINITION
  1.3 FUNCTIONALITIES OF THE AZURE SERVICE
2. SECURE DEPLOYMENT FOR AZURE
  2.1 USING THE POWERSHELL CONSOLE
  2.2 ACCESS TO THE AZURE PORTAL FROM A BROWSER
  2.3 RESOURCE MANAGEMENT IN AZURE
3. SECURE CONFIGURATION FOR AZURE
  3.1 OPERATING FRAMEWORK
    3.1.1 ACCESS CONTROL
      3.1.1.1 ACCESS REQUIREMENTS
      3.1.1.2 SEGREGATION OF FUNCTIONS AND TASKS
      3.1.1.3 ACCESS RIGHTS MANAGEMENT PROCESS
      3.1.1.4 AUTHENTICATION MECHANISM
      3.1.1.5 LOCAL ACCESS (LOCAL LOGON)
      3.1.1.6 REMOTE ACCESS (REMOTE LOGIN)
    3.1.2 EXPLOITATION
      3.1.2.1 RECORDING USER ACTIVITY
      3.1.2.2 PROTECTION OF ACTIVITY RECORDS
      3.1.2.3 PROTECTION OF CRYPTOGRAPHIC KEYS
    3.1.3 CONTINUITY OF SERVICE
    3.1.4 CONTINUITY PLAN
    3.1.5 PERIODIC TESTING
    3.1.6 SYSTEM MONITORING
      3.1.6.1 INTRUSION DETECTION
      3.1.6.2 METRIC SYSTEM
  3.2 PROTECTIVE MEASURES
    3.2.1 PROTECTION OF COMMUNICATIONS
      3.2.1.1 NETWORK SEGREGATION
      3.2.1.2 SECURE PERIMETER
      3.2.1.3 PROTECTION OF CONFIDENTIALITY
      3.2.1.4 PROTECTION OF AUTHENTICITY AND INTEGRITY
    3.2.2 PROTECTION OF INFORMATION
      3.2.2.1 RATING OF INFORMATION
      3.2.2.2 ENCRYPTION
      3.2.2.3 BACKUP
    3.2.3 PROTECTION OF SERVICES
      3.2.3.1.1 PROTECTION AGAINST DENIAL OF SERVICE
4. GLOSSARY AND ABBREVIATIONS
5. SUMMARY TABLE OF SECURITY MEASURES


1. SECURE CONFIGURATION GUIDE FOR AZURE

1.1 DESCRIPTION OF THE USE OF THIS GUIDE


The contents of this guide describe how to deploy and configure Microsoft Azure
workloads in the public cloud using Azure's security management and advanced
threat protection features.
Following the setup steps described in this guide, you can:
- Protect applications against common exploits and vulnerabilities with an
  application firewall.
- Protect Azure resources from denial of service attacks.
- Deploy authentication methods.
- Deploy the cryptographic keys and other secrets used by the applications and
  services in the cloud.
- Follow the recommendations regarding the assignment of roles for the
  management and administration of Azure tasks.

1.2 SERVICE DEFINITION


Azure is a complete cloud platform that can host applications, simplify the development
of new applications and even improve on-premises applications. Azure integrates the cloud
services you need to develop, test, deploy and manage your applications. This guide
discusses the settings required to comply with the protection measures of the National
Security Framework.

1.3 FUNCTIONALITIES OF THE AZURE SERVICE


In the Microsoft Azure portal, there are different infrastructure and platform services
that can be easily configured as needed.
Among the services, there are the following service models:
- IaaS: storage, networks and virtual machines.
- PaaS: high-availability SQL databases, CMS for web development and backends
  for mobile applications.
They are all compatible with every type of technology: Oracle databases, Linux, PHP, iOS,
MySQL, Android...
These services are guaranteed with a 99.99% availability, and in case of failure, the
backup service is activated with a guaranteed higher availability.
This cloud complies with the security measures required to achieve the conformity
certification of the National Security Framework in the HIGH category.


2. SECURE DEPLOYMENT FOR AZURE


This guide describes how to connect securely both from the Azure PowerShell console
running on the local computer and from the Azure portal. To do this, follow the steps below.

2.1 Using the PowerShell Console

Azure PowerShell Az
The Azure PowerShell Az module is used to create and manage Azure resources from
the command line or through scripting.
From PowerShell you can deploy services, create accounts, modify and delete Azure
Active Directory accounts, and apply the various settings discussed in this guide.
It is important to check the operating system prerequisites. To do so, consult the
following link from Microsoft:
https://docs.microsoft.com/es-es/powershell/scripting/install/windows-powershell-system-requirements?view=powershell-6
Azure PowerShell supports several authentication methods. The most direct method is
Azure Cloud Shell, which runs in the same browser session as the Azure portal and reuses
its login; a local PowerShell session can also be used. In both cases, the connection is
secure.
A local PowerShell session prompts you to log in interactively through a web browser.
When running automation scripts, the recommended approach is to use a service
principal (referred to in this guide as a "service entity") with the minimum necessary
permissions. Restricting permissions protects Azure resources from unauthorized access.
If you connect through PowerShell, execute the following command.
Azure PowerShell
1. To log in interactively, use the Connect-AzAccount cmdlet.


    PS C:\> Connect-AzAccount

2. The email account and password of a Tenant administrator are requested.
Note: It is recommended to create a service principal in advance for the management of
Azure. See section [3.1.1 Access Control/User Account Creation] in this guide.

Password-based authentication
To obtain the service principal's credentials, use the Get-Credential cmdlet. This
cmdlet prompts for a username and password. Use the service principal identifier as
the username.
From the PowerShell console execute the following commands:

    $pscredential = Get-Credential
    Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant $tenantId

In automation scenarios, credentials can be created from a username and a secure string
(the password); the syntax is as follows:

    # Replace the placeholder with the secret read from a secure store (for example
    # an environment variable or a vault); do not hard-code it in the script.
    $passwd = ConvertTo-SecureString '<use a secure password here>' -AsPlainText -Force
    $pscredential = New-Object System.Management.Automation.PSCredential('service principal name/id', $passwd)
    Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant $tenantId

Certificate-based authentication

Certificate-based authentication requires Azure PowerShell to be able to retrieve the
certificate from a local certificate store, identified by its thumbprint.


To do this, execute the following PowerShell command.

    Connect-AzAccount -ApplicationId $appId -Tenant $tenantId -CertificateThumbprint <thumbprint>

Note: If you use a service principal instead of a registered application, add the -ServicePrincipal
argument and provide the service principal identifier as the value of the -ApplicationId parameter.

    Connect-AzAccount -ServicePrincipal -ApplicationId $servicePrincipalId -Tenant $tenantId -CertificateThumbprint <thumbprint>

Note: More information can be found at https://docs.microsoft.com/es-es/azure/cosmos-db/certificate-based-authentication

Changing the active subscription

Many organizations have multiple subscriptions. In Azure you can identify each of them and
operate on their configurations using PowerShell or from the portal.
To change subscriptions, first a context object must be retrieved from Azure PowerShell
with Get-AzSubscription, and then the current context must be changed with Set-AzContext.
The following example shows how to obtain a subscription on the currently active
Tenant and set it as the active session:

    $context = Get-AzSubscription -SubscriptionId ...
    Set-AzContext $context

To add a new context after login, use Set-AzContext (or its alias, Select-AzSubscription).

    PS C:\> Set-AzContext -Subscription "Subscription 1" -Name "Domain"

Regarding security, it is important to remove all the credentials and associated contexts
of a user or service principal using the Disconnect-AzAccount command (also known as
Logout-AzAccount).

    Disconnect-AzAccount user1@su_dominio
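As an added example (not code from the CCN-STIC guide), the following script combines the certificate-based service principal login, the explicit subscription context and the logout described above into one non-interactive session; the parameter values are assumed placeholders supplied by the caller.

```powershell
# Added example (not from the CCN-STIC guide): non-interactive login with a
# service principal certificate, explicit subscription context and guaranteed
# logout. All parameter values are assumed placeholders supplied by the caller.
#Requires -Modules Az.Accounts, Az.Resources

param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ApplicationId,
    [Parameter(Mandatory)] [string] $CertificateThumbprint,   # cert in CurrentUser\My or LocalMachine\My
    [Parameter(Mandatory)] [string] $SubscriptionId
)

$ErrorActionPreference = 'Stop'

try {
    # Certificate-based login: no password appears in the script or on the
    # command line. -ServicePrincipal tells Az that ApplicationId is a
    # service principal, as in the guide.
    $account = Connect-AzAccount -ServicePrincipal `
        -ApplicationId $ApplicationId `
        -Tenant $TenantId `
        -CertificateThumbprint $CertificateThumbprint

    # Select the subscription explicitly instead of trusting whichever one the
    # tenant returns first; this fails if the principal has no access to it.
    $subscription = Get-AzSubscription -SubscriptionId $SubscriptionId -TenantId $TenantId
    $context = Set-AzContext -SubscriptionObject $subscription

    # Verify the active context before touching any resource.
    if ($context.Subscription.Id -ne $SubscriptionId) {
        throw "Active context is '$($context.Subscription.Id)', expected '$SubscriptionId'."
    }
    Write-Host "Working as $($account.Context.Account.Id) in subscription '$($context.Subscription.Name)'"

    # Administration tasks go here; as a harmless check, list the resource groups
    # the principal can see.
    Get-AzResourceGroup | Select-Object ResourceGroupName, Location
}
finally {
    # Always drop cached credentials and contexts, even when a step above failed,
    # so nothing reusable is left on the machine after the script ends.
    Disconnect-AzAccount -ErrorAction SilentlyContinue | Out-Null
    Clear-AzContext -Scope Process -Force -ErrorAction SilentlyContinue
}
```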

2.2 Access to the Azure Portal from a browser

1. The Azure portal must be accessed with an administrator user.
The administrator user must access the Azure portal through the following link:
portal.azure.com


Note: Your email account and password are required.

Portal Configuration
Once you have logged into the Azure portal, a home page is displayed with the icons of
all the applications you have access to.

1. Click on the settings icon shown below.

Note: If you have multiple subscriptions, from here you can switch between them.


2. If you want to set a logout for inactivity, open the drop-down and choose a custom
duration.

3. Set the language and region.

4. The view of the main panel can be customized.


Note: If you want to restore all the default settings click on Restore default settings.

Custom Panel
From the Azure portal you can customize and create multiple panels by creating a new
Dashboard or editing the existing one. To do this, it is recommended to follow these
guidelines:
1. To create a new one, click on [Panel/New Panel].


Note: From here you can add all the services you want to view in the custom panel.

2. To finish, click on [Customization Complete].

Note: You can edit the panel(s) you have by clicking on edit.

Share panel
Once you have created a new custom panel, you can publish it and manage which users
can view and operate on it.
Follow these guidelines:
1. From the Panel, click on [share].

Note: A panel appears where you must define a name, your subscription and the location,
which is North Europe.


2. To finish, click on [Publish].

3. Once published, a new wizard appears where the users who have access must be
managed. To do this, click on Manage users.

4. Click on [Add/Add Role Assignment].

5. Select the role to grant to the user. In this example the Contributor role (shown
as "Collaborator" in the Spanish portal) is assigned.

6. Finally, click on [Save].

Using the Cloud Shell Console

From the Azure portal you can use Azure Cloud Shell, which lets you access and manage
all of Azure's resources from your browser.


1. Click on the icon shown in the image.

Note: Opening the terminal validates your credentials.

From this console you can run PowerShell commands or Azure CLI (az) commands.

Here are some recommended Azure CLI commands for managing Azure's services.
Establishing the subscription
- List the subscriptions you have access to.

    az account list

- Set your preferred subscription.

    az account set --subscription 'my-subscription-name'

Note: Information on more commands is available at: https://docs.microsoft.com/es-es/azure/cloud-shell/overview

2.3 Resource management in Azure


Azure Resource Manager (ARM) is used for resource management in Azure. It allows
applications and their resources to be deployed in a consistent manner. ARM makes it easy to
manage and view resources. It is recommended to include resources with the same life
cycle in the same resource group.

Resource Group
A resource group is a container that holds resources which are managed as a group.


Creation from the Portal

1. On the Azure menu, click on [Resource Groups/Add].

2. Next, the following fields must be completed:

- Subscription: The subscription in which the resource group is created.
- Resource Group: Name assigned to the resource group.
Note: Names cannot be repeated within the same subscription.
- Region: North Europe is recommended.

3. Click on [review and create].

Creating from PowerShell

You can create the resource group using the PowerShell console.
1. Copy the following content and execute it in PowerShell:

    New-AzResourceGroup -Name CCNVPN -Location 'North Europe'

Note: The list of commands can be consulted from the following link:
https://docs.microsoft.com/en-us/cli/azure/resource?view=azure-cli-latest


Creating a storage account

Azure Storage is Microsoft's storage solution for data hosting. It offers object storage
that can be massively scaled.
The steps required to create a new storage account are described below.
1. From the Azure portal search for storage account.

2. Click on [add].

3. In resource group click on Create new. At this point the name is assigned.

Note: A new resource group can be created, or an existing one selected, for this new
storage account.
4. Next, the following fields are filled in:


Account Name: Define an account name.
Location: Select North Europe.
Performance: Premium is recommended.
Note: Standard storage accounts are backed by magnetic drives and provide a
lower cost per GB. This is the best option for applications that require massive storage
or where data is accessed rarely. Premium storage accounts are backed by solid-state
drives and offer consistent, low-latency performance. These accounts can only be
used with virtual machine disks and are the best choice for I/O-intensive applications like
databases. In addition, virtual machines that use Premium Storage for all disks are
covered by a 99.9% service level agreement, even when they do not run within an
availability set.
Account type: StorageV2 is recommended.
Replication: Locally redundant storage (LRS).
5. In the Networking tab it is recommended to select private endpoint.

6. In the advanced options tab follow these guidelines.


Security: Click on enabled.

Note: The secure transfer option increases the security of the storage account because it only
allows requests to the account over a secure connection. For example, when you call the REST API
to access your storage accounts, you must connect via HTTPS. Requests using HTTP are rejected if
the "Secure transfer required" option is enabled.
Data protection: Click on enabled.
Note: If enabled, soft delete allows you to save and recover blob data in
many of the cases where blobs or their snapshots have been deleted. This protection
also covers blobs that are deleted when they are overwritten.
Retain for: Define 365 days.
7. On the Tags tab write a name and the value for this storage account. Example:

8. Click on [review and create].


9. Click on [create].
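As an added example (not code from the guide), the PowerShell equivalent of the portal steps above: resource group, storage account with the recommended settings, 365-day soft delete, and a check that the result is compliant. The account name and tag values are assumed placeholders, and an Az session with the target subscription context is assumed.

```powershell
# Added example (not from the CCN-STIC guide): create the resource group and a
# storage account with the settings the guide recommends (North Europe, StorageV2,
# premium, locally redundant, HTTPS only, soft delete retained 365 days, tags),
# then verify them. Account name and tag values are assumed placeholders.
#Requires -Modules Az.Resources, Az.Storage

$ErrorActionPreference = 'Stop'

$resourceGroup = 'CCNVPN'            # same name as the guide's New-AzResourceGroup example
$location      = 'North Europe'
$accountName   = 'ccnstorage884a'    # placeholder: 3-24 lowercase letters/digits, globally unique
$tags          = @{ Environment = 'ENS-High'; Owner = 'SecurityTeam' }   # placeholder tag values

# 1. Resource group (reused if it already exists, so the script can be re-run).
$rg = Get-AzResourceGroup -Name $resourceGroup -ErrorAction SilentlyContinue
if (-not $rg) {
    $rg = New-AzResourceGroup -Name $resourceGroup -Location $location -Tag $tags
}

# 2. Storage account with "Secure transfer required" set at creation time, so
#    there is never a window in which plain HTTP requests are accepted.
$sa = New-AzStorageAccount -ResourceGroupName $resourceGroup `
    -Name $accountName `
    -Location $location `
    -Kind StorageV2 `
    -SkuName Premium_LRS `
    -EnableHttpsTrafficOnly $true `
    -Tag $tags

# 3. Blob soft delete with the 365-day retention the guide prescribes.
Enable-AzStorageBlobDeleteRetentionPolicy -ResourceGroupName $resourceGroup `
    -StorageAccountName $accountName -RetentionDays 365

# 4. Read the account back and check every setting; a FAIL here means the
#    account is not in the required state and must not be handed to applications.
$sa = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $accountName
$blobProps = Get-AzStorageBlobServiceProperty -ResourceGroupName $resourceGroup `
    -StorageAccountName $accountName

$checks = [ordered]@{
    HttpsOnly     = [bool]$sa.EnableHttpsTrafficOnly
    Kind          = $sa.Kind -eq 'StorageV2'
    Sku           = $sa.Sku.Name -eq 'Premium_LRS'
    Location      = $sa.PrimaryLocation -eq 'northeurope'
    SoftDelete365 = [bool]$blobProps.DeleteRetentionPolicy.Enabled -and
                    $blobProps.DeleteRetentionPolicy.Days -eq 365
}
foreach ($check in $checks.GetEnumerator()) {
    '{0,-14} {1}' -f $check.Key, $(if ($check.Value) { 'OK' } else { 'FAIL' })
}
if ($checks.Values -contains $false) {
    throw "Storage account '$accountName' does not meet the required configuration."
}
```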

3. SECURE CONFIGURATION FOR AZURE


The following sections present the implementation measures included in the areas of
Operational Framework and Protection Measures of the National Security Framework.

3.1 OPERATING FRAMEWORK

3.1.1 Access Control

Azure Active Directory is the main tool for managing access and privileges to Azure
resources within an organization.
While this guide only addresses the management of Azure Active Directory cloud user
accounts, Azure Active Directory also allows hybrid configurations.
The hybrid identity documentation can be consulted at the link:
https://docs.microsoft.com/es-es/azure/active-directory/hybrid/index


To meet the requirements within the scope of the ENS, the following sections discuss
the initial configuration, user account management and administration of Azure Active
Directory.
Important: This guide does not discuss how to manage Windows Server Active Directory
users and objects. For this type of activity, it is recommended to consult the guide
CCN-STIC-870A Implementation of the ENS in Windows Server 2012 R2.

Identification
The identity provider is responsible for checking the identity of users and applications
that exist in an organization's directory and for issuing security tokens after the correct
authentication of those users and applications.
Any application that needs to outsource authentication to the Microsoft identity
platform must be registered in Azure Active Directory (Azure AD). Azure AD records the
application and uniquely identifies it in the directory.
To do this, accounts must be created in Azure Active Directory.
Also note that this guide only describes the management of Azure Active Directory
accounts in its Tenant, not in hybrid environments.
Reference is made to these Microsoft links:
- https://docs.microsoft.com/es-es/azure/active-directory/hybrid/whatis-hybrid-identity
- https://docs.microsoft.com/es-es/azure/active-directory/devices/hybrid-azuread-join-managed-domains
The following describes how user accounts and user groups are managed.

Azure Active Directory - Add, delete and modify user accounts and groups
To manage users/groups click on [Azure Active Directory] in the left menu; you can also
use the search box at the top:


Creation of user accounts.

1. Click on the [Users/New User] tab. The following data is completed:
- Name: Name of the new user account.
- Username: Unique identifier used to authenticate at the Tenant.
- Profile: Adds additional user information.
- Groups: Groups to which the user belongs; by default there are none
  created.
- Directory role: Permissions the user has within the Tenant.

Note: Optionally you can create a guest user belonging to another organization. The
invitee is notified by email.
If you want to create the guest account, it is recommended to follow the guidelines
below.
1. From the Users panel click on New Guest User.

2. Complete the required fields for the invitation.


3. At the end, click on invite.

Note: A notification is sent to the invited account.

User account deletions.


1. To manage the deletion of an account, select the user to be deleted.


2. The option to delete is shown below.

3. Press [delete].

Edit user account profile.


1. From the [Azure Active Directory/Users] portal click on the user you want to
modify.

2. Then fill in all the available fields.


3. From this panel you can modify the account properties and add additional
information.

Creating Active Directory groups.


1. From the Azure Active Directory menu click on [Groups/New Group].


2. Then click on [new group].

3. In this section complete the data for its creation.
- Type of group: There can be two types:
  o Security: Used to manage member and computer access to shared
    resources for a group of users.
  o Office 365: Provides collaboration opportunities by giving
    members access to shared mail, calendars, files, the SharePoint
    site, etc.
- Group Name: The name of this new group.
- Group description: Descriptive text identifying the group.
- Type of membership: It can be one of the following types:
  o Assigned: Allows specific users to be added as members of this
    group and to have exclusive permissions.
  o Dynamic user: Allows dynamic membership rules to be used to
    automatically add and remove members. If a member's attributes
    change, the system examines the dynamic group rules of the directory
    to see whether the member meets the rule's requirements (is
    added) or no longer meets them (is removed).
  o Dynamic device: Allows dynamic group rules to be used to
    automatically add and remove devices. If the attributes of a
    device change, the system examines the dynamic group rules of the
    directory to see whether the device meets the rule's requirements (is added)
    or no longer meets them (is removed).
- Owners: Users who manage the group.
- Members: Users who belong to this group.
4. To finish, click on [create].


Group Deletion

To delete a group, select the group and then click on [delete].

You can also create users and groups using PowerShell (AzureAD module).
To do this, execute these commands.
- User creation.

    $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    # Placeholder: set a strong initial password here; do not leave the literal value.
    $PasswordProfile.Password = "Password"
    New-AzureADUser -DisplayName "CCN-USER1-ADM" -PasswordProfile $PasswordProfile -UserPrincipalName "CCN-USER1-ADM@su_dominio" -AccountEnabled $true -MailNickName "Newuser"

- Group creation.

    PS C:\> New-AzureADGroup -DisplayName "Administrador_SQL" -MailEnabled $false -SecurityEnabled $true -MailNickName "NotSet"

Note: More information about PowerShell commands can be found at the link:
https://docs.microsoft.com/es-es/azure/active-directory/users-groups-roles/groups-settings-v2-cmdlets
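As an added example (not code from the guide), a version of the user and group creation above that generates a random initial password, forces its change at first sign-in and adds the user to the security group; the domain and names are placeholders, and a Connect-AzureAD session with rights to manage users and groups is assumed.

```powershell
# Added example (not from the CCN-STIC guide): create an administrative user and
# a security group with the AzureAD module, then add the user to the group.
# The UPN domain, display names and nicknames are assumed placeholders; run
# Connect-AzureAD first with an account allowed to manage users and groups.
#Requires -Modules AzureAD

$ErrorActionPreference = 'Stop'

$domain    = 'su_dominio'          # placeholder: a verified domain of the tenant
$userName  = 'CCN-USER1-ADM'       # names taken from the guide's own example
$groupName = 'Administrador_SQL'

# Generate a random initial password instead of writing one into the script;
# the user is forced to replace it at first sign-in, so it is single-use.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)

$passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$passwordProfile.Password = $initialPassword
$passwordProfile.ForceChangePasswordNextLogin = $true

$user = New-AzureADUser -DisplayName $userName `
    -UserPrincipalName "$userName@$domain" `
    -MailNickName $userName `
    -PasswordProfile $passwordProfile `
    -AccountEnabled $true

# Reuse the group if it exists. Display names are not unique in Azure AD, so
# the filter may return several objects; the first match is taken deliberately.
$group = Get-AzureADGroup -Filter "DisplayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-AzureADGroup -DisplayName $groupName -MailEnabled $false `
        -SecurityEnabled $true -MailNickName 'NotSet'
}

Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId

# Return the result to the caller, who is responsible for delivering the
# one-time password out of band (not through a log or ticket).
[pscustomobject]@{
    UserPrincipalName = $user.UserPrincipalName
    UserObjectId      = $user.ObjectId
    Group             = $group.DisplayName
    InitialPassword   = $initialPassword
}
```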

3.1.1.1 Access requirements

Restricted access to the Azure portal.

It is advisable to restrict access to the Azure AD administration portal for users who do
not have administrative privileges. This feature limits the possibility of leakage of
sensitive information about users, such as email accounts, phone numbers and personal
addresses.
1. From the Azure portal click on [Azure Active Directory].


2. Click on [user configuration].

3. Click on YES to restrict access.


The "No" option allows a non-administrator user to use this experience with Azure AD's
administration portal to access Azure AD resources for which they have read permission,
or to manage their own resources.
The "Yes" option limits access to Azure AD data in the administration portal to all non-
administrator users, but it doesn't limit access if you use PowerShell or another client,
such as Visual Studio.

Conditional access

Introduction to conditional access

Conditional access is the tool that Azure Active Directory uses to bring signals together, make
decisions and enforce the organization's policies. Conditional access is
at the core of the identity-based access control strategy.
The modern security perimeter now extends beyond an organization's network to
include both user and device identity. Organizations can use these identity signals
as part of their access control decisions.
The most common signals that policies can be based on:
- Membership of a user or group
  Policies can be targeted to specific users and groups, giving
  administrators more control over access.
- IP location information
  You can create ranges of trusted IP addresses that can be used when making
  policy decisions.
  Note: Administrators can decide to block or allow traffic from whole country IP ranges.
- Device
  Users with devices of a specific platform or marked with a specific state can be used when
  applying conditional access policies.
The following are the recommended policies to configure:
- Require multi-factor authentication for users with administrative roles.
- Require multi-factor authentication for Azure management tasks.


- Require trusted locations for Azure Multi-Factor Authentication registration.
- Block or grant access from specific locations.
- Block risky sign-in behaviors.
- Require devices managed by the organization for specific applications.
Note: Remember that, for the use of conditional access policies, an Azure AD Premium P1 or P2
license is required. See the following link: https://azure.microsoft.com/es-es/pricing/details/active-directory/

Conditional access configuration


The first recommended conditional access measure is to define the locations from
which users will connect.
To do so, follow these instructions.
1. From the Azure portal, click on [Azure Active Directory/Conditional Access].

2. Click on [Named locations].


Note: In this section you can define geographic locations and configure the trust IPs.
3. Click on [New Location].

4. You must define a name and a geographic location, in this case select SPAIN.

The Include unknown areas box defines IP addresses that cannot be assigned to any
country or region.


5. To finish, click on [Save].

Note: It is also recommended to add a location defined by IP ranges.

To do this, add a new location and select IP ranges:
• Define a name.
• Click on IP ranges.
• Tick the Mark as trusted location box.
• Define the public IPs you trust.
At the bottom of the Named locations panel, the two locations created are displayed.

To put these locations into effect, a policy is created that defines to whom this condition applies.
To do so, follow the guidelines below.
1. From the Azure portal click on [Azure Active Directory/Conditional Access].

2. Click on [New Policy].

3. Define the name of the policy and click on [Users and Groups].

4. Click on [All users].

Note: In this section you can define whether this policy applies to specific users/groups, or exclude the users/groups that do not require this condition.
5. Click on [Conditions].

6. Click on [Selected locations].

7. Select the two locations.

8. Finally, click on [Access controls].

9. Select [Require multi-factor authentication]. The Azure Multi-Factor Authentication service is described in section [3.1.1.5 Authentication Mechanisms] of this guide.

10. To finish, set [Enable policy] to [On].

11. Click on [Create].

The conditions that can be configured are described next.

• Login risk
Login risk is an indicator of the probability (high, medium or low) that a given login was not performed by the legitimate owner of the user account.
Azure AD calculates the risk level during a user's login. The calculated login risk level can be used as a condition in a conditional access policy.

Note: To enable this condition, you must have Azure AD Identity Protection.
You can consult the documentation at the link: https://docs.microsoft.com/es-es/azure/active-directory/identity-protection/howto-sign-in-risk-policy#what-is-the-sign-in-risk-policy
• Device platforms
The device platform is the operating system that runs on the device. Azure AD identifies the platform using the information provided by the device, such as the user agent. It is recommended that all platforms have a policy applied to them.

• Cloud applications or actions

Conditional access policies control how users access applications and cloud services. A policy can target:

• All cloud applications, by applying baseline guidelines to the entire Tenant. These policies require multi-factor authentication. A policy that applies to all cloud applications applies to access to all websites and services.
• Selected applications, to target specific services with the policy. For example, to require users to have a compliant device to access SharePoint Online. This policy also applies to other services when they access SharePoint content; an example is Microsoft Teams.

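The named locations and the location-based MFA policy configured through the portal above, created from PowerShell as an added example that is not part of the original guide. It uses the AzureAD module's conditional access cmdlets (New-AzureADMSNamedLocationPolicy, New-AzureADMSConditionalAccessPolicy) and assumes an existing Connect-AzureAD session; the display names, IP ranges and break-glass account are constructed placeholders.

```powershell
# Added example (not from the CCN-STIC guide). Requires Azure AD Premium P1 and
# an existing Connect-AzureAD session. Display names, IP ranges and the
# break-glass account ID are constructed placeholders.

# 1. Country named location (the guide selects Spain; unknown areas excluded)
$spain = New-AzureADMSNamedLocationPolicy `
    -OdataType "#microsoft.graph.countryNamedLocation" `
    -DisplayName "CCN-Spain" `
    -CountriesAndRegions "ES" `
    -IncludeUnknownCountriesAndRegions $false

# 2. Trusted IP ranges: the organization's public egress addresses (constructed)
$ranges = @("203.0.113.0/24", "198.51.100.10/32") | ForEach-Object {
    $r = New-Object -TypeName Microsoft.Open.MSGraph.Model.IpRange
    $r.CidrAddress = $_
    $r
}
$office = New-AzureADMSNamedLocationPolicy `
    -OdataType "#microsoft.graph.ipNamedLocation" `
    -DisplayName "CCN-Office-Egress" `
    -IsTrusted $true `
    -IpRanges $ranges

# 3. Policy: all users, all cloud apps, from the two locations -> require MFA
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "All"
# Exclude an emergency (break-glass) account so a mistaken policy cannot lock
# every administrator out of the Tenant. Placeholder object ID.
$conditions.Users.ExcludeUsers = @("<break-glass-account-objectId>")
$conditions.Locations = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessLocationCondition
$conditions.Locations.IncludeLocations = @($spain.Id, $office.Id)

$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = @("mfa")

# Created in report-only state first: the sign-in logs show what the policy
# would have done without anyone being blocked. Switch -State to "enabled"
# once the report-only results match the intended behaviour.
New-AzureADMSConditionalAccessPolicy `
    -DisplayName "CCN-MFA-from-named-locations" `
    -State "enabledForReportingButNotEnforced" `
    -Conditions $conditions `
    -GrantControls $controls
```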
Role Based Access Control (RBAC)

Role Based Access Control (RBAC) helps to manage who can access Azure resources, what can be done with those resources, and which areas can be accessed.
What can be done with RBAC?
These are some examples of what can be done with RBAC:

• Allow a user to manage the virtual machines of a subscription and another user to manage the virtual networks.
• Allow a group of DBAs to manage SQL databases in a subscription.
• Allow a user to manage all the resources in a resource group, such as virtual machines, websites, and subnets.
• Allow an application to access all the resources in a resource group.

RBAC operation

RBAC controls access to resources through role assignments. This is a key concept: it is how permissions are applied and what their scope is. A role assignment consists of three elements: security principal, role definition and scope.

The principle of least privilege should be applied, so that users are allowed to perform only those operations that are necessary within the scope of their duties.

Azure provides several built-in roles. Four key roles are listed below. The first three apply to all types of resources.

• Owner: Has full access to all resources, including the right to delegate this access to others.
• Contributor: Has permissions to create and manage all types of Azure resources, but cannot grant access to others.
• Reader: Has permission to view existing Azure resources.
• User Access Administrator: Has permissions to manage user access to Azure resources.
In addition, there are other service-focused roles already built into Azure, such as "SQL DB Contributor", "SQL Security Manager", etc.
Note: All these roles can be found in the official Microsoft documentation:
https://docs.microsoft.com/es-es/azure/role-based-access-control/built-in-roles

Custom RBAC Roles

The previous point covered the roles already built into Azure. If these roles do not suit your needs, you can create custom roles in which you define the set of permissions that the users to whom they are assigned will have.
Roles are defined through JSON templates, which can be created from scratch or based on an existing role and modified as needed.
The JSON that defines the role has the following structure:

{
  "Name": "Role Operator",
  "Id": null,
  "IsCustom": true,
  "Description": "Can create, change and delete roles",
  "Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleDefinitions/delete"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/965c7398-06c7-4edf-87ee-35744843942b"
  ]
}

• Name: Name of the role.
• Id: Id of the role; as it is a custom role, it is always left as null and Azure assigns it on creation.
• Description: Description of the role.
• Actions: Role permissions. To see all the existing actions in Azure, consult the following documentation: https://docs.microsoft.com/es-es/azure/role-based-access-control/resource-provider-operations
• NotActions: Actions that are explicitly excluded from the permissions granted.
• AssignableScopes: The scopes at which the role can be assigned. It may be:
o At the subscription level.
o At the resource group level.
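A least-privilege check of a custom role JSON before it is deployed with New-AzRoleDefinition, added here as an example and not part of the original guide. Test-CustomRoleDefinition is a hypothetical name, it needs no Azure session, and the sample role is constructed from the structure above with two deliberate problems.

```powershell
# Added example (not from the CCN-STIC guide): flags least-privilege problems
# in a custom role definition. Test-CustomRoleDefinition is a hypothetical
# helper; it runs offline and returns one string per finding.
function Test-CustomRoleDefinition {
    param([Parameter(Mandatory)][string]$Json)
    $role = $Json | ConvertFrom-Json
    $findings = @()

    if (-not $role.IsCustom) { $findings += "IsCustom must be true for a custom role" }
    if ($null -ne $role.Id)  { $findings += "Id must be null; Azure assigns it on creation" }
    if (-not $role.AssignableScopes) { $findings += "AssignableScopes is empty" }

    foreach ($action in $role.Actions) {
        # A bare "*" or "<provider>/*" grants every current and future operation
        if ($action -eq "*" -or $action -match '^[^/]+/\*$') {
            $findings += "Action '$action' is a broad wildcard"
        }
        # Write access to role assignments lets the holder grant themselves Owner
        if ($action -match '^Microsoft\.Authorization/(\*|roleAssignments)/(\*|write)$') {
            $findings += "Action '$action' permits role assignment changes (escalation path)"
        }
    }
    foreach ($scope in $role.AssignableScopes) {
        # Tenant root "/" or a management group makes the role assignable everywhere beneath it
        if ($scope -eq "/" -or $scope -like "/providers/Microsoft.Management/managementGroups/*") {
            $findings += "Scope '$scope' is wider than a subscription or resource group"
        }
    }
    return $findings
}

# Constructed sample: the guide's role plus one escalation-capable action and the root scope
$sample = @'
{
  "Name": "Role Operator",
  "Id": null,
  "IsCustom": true,
  "Description": "Can create, change and delete roles",
  "Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleDefinitions/delete",
    "Microsoft.Authorization/roleAssignments/write"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/" ]
}
'@
# Print the findings; deploy only when this returns nothing
Test-CustomRoleDefinition -Json $sample
```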

Prerequisites
The administrator user who connects to the Azure portal must have the appropriate permissions to manage RBAC roles. To verify this, perform the following checks:
1. From the Azure portal, search for Subscriptions.

2. Click on [Subscriptions].

3. Click on [Access control (IAM)].

4. Click on [Roles].

5. Click on the Owner role.

6. Check that your Tenant's administrator user is present.

Deployment of a custom role

Once the JSON with the role has been created, as explained in the previous section, it must be deployed so that it can be used in Azure.
The role is deployed through PowerShell, with the following command:

New-AzRoleDefinition -InputFile ".\RBAC OperatorRoles.json"

Note: The path passed to the -InputFile parameter can be either absolute or relative.

Assigning a role to an entity

Next, a role is assigned to a security principal. The custom role created in the previous section is used as the example.
1. First, connect to the Azure AD Tenant (the Az cmdlets used in the following steps also need an Az session, opened with Connect-AzAccount).

Connect-AzureAD

2. Enter the Tenant's administrator credentials.

3. In the next step you must obtain the ID of the entity to which the role is applied. The following command obtains the identifier of a group; it can also be a user or a business application.
Note: Remember that a business application user is defined as a service account user for an application.

$group = Get-AzureADGroup -SearchString "Administrator Roles"

4. In the case of a user, this command is used, with the desired user:

$user = Get-AzADUser -DisplayName "ccn-user"

5. In the case of a service user, this command is used, with the desired service principal name:

$userservice = Get-AzADServicePrincipal -DisplayName "OperationsServicePrincipal"

6. You must also find out which Azure subscription the role will be applied to. To do this, the following command is used:

$sub = Get-AzSubscription | Out-GridView -PassThru

A new window opens where you select the subscription to which you want to apply the role.

7. Next, create the variable $scope in the format that the assignment needs. To do this, concatenate the string /subscriptions/ and the subscription ID.

$scope = "/subscriptions/" + $sub.Id

8. Finally, assign the role to the entity, which in this case is the group called "Administrator Roles".
• In the case of a group, the following command is used:

New-AzRoleAssignment -ObjectId $group.ObjectId -RoleDefinitionName "Role Operator" -Scope $scope

• In the case of a user, the following command is used:

New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName "Role Operator" -Scope $scope

• In the case of a service user, the following command is used:

New-AzRoleAssignment -ObjectId $userservice.Id -RoleDefinitionName "Role Operator" -Scope $scope

Recommended RBAC commands

Below are some recommended commands that are useful for working with roles. The examples use the custom role created in the previous section.
• Obtain information about the role created:

Get-AzRoleDefinition -Name "Role Operator"

In the -Name parameter, put the name of the role.

• Update a role once its JSON has been modified:

Set-AzRoleDefinition -InputFile ".\RBAC OperatorRoles.json"

• Delete a role:

Get-AzRoleDefinition -Name "Log Analytics operator" | Remove-AzRoleDefinition

Azure AD Identity Protection

Azure AD Identity Protection is a feature of Azure Active Directory Premium P2 that allows you to configure policies that respond automatically when a user's identity is compromised, or when someone other than the account owner attempts to log in with that identity.
Azure AD Identity Protection allows you to:
• Proactively prevent the misuse of identities that are at risk.
• Automatically mitigate the risks when suspicious activity is detected.
• Investigate risky users and risky logins to address potential vulnerabilities.
• Receive an alert when a user's risk reaches a specified threshold.
It is recommended to enable Azure AD Identity Protection at least for accounts with high levels of privilege, such as global administrators, and for users who handle sensitive information in the organization.
The following describes the actions to be performed for activation.
Carry out the following steps:
1. Search for Identity Protection in the Azure portal.

Three policies should be configured on this panel:
• User risk policy.
• Login risk policy.
• MFA registration policy.

User risk policy

1. Click on [Users].

2. Select all users.

3. Press [Done] when finished.


4. Click on [Conditions].

5. Click on [select a risk level].

6. Select High.

7. Press [Select] to finish.


Note: More information on user risk levels can be found at the following link:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview#what-
is-a-user-risk-level
8. Click on [Controls].

9. Click on [Allow access] and [Require change of password].

10. To finish, press [Select].


11. Click on [Activate policies].

Login risk policy

1. Click on [Login risk policy].

2. Click on [Users].

3. Click on [all users].

4. To finish, click on [Done].


5. Click on [conditions].

6. Click on Select a risk level and choose High.

7. To finish, click on [Select/Done].


8. Click on [Access].

9. Click on [allow access/Check with MFA].

10. To finish, click on [Select].


11. Click on [Enforce policy/On].

The MFA registration policy is configured next. To do this, perform the following steps:
1. Click on [MFA registration policy].

2. Click on [Users].

3. Click on [all users].

4. To finish, click on [Done].


5. Click on [access].

6. Click on [Require Azure MFA registration].

7. Finally, click on [select].


8. Click on [Apply Policy/Activate].

From the dashboard you can view real-time risk reports on logins or risk detections.

At the bottom of the panel you can configure alerts that arrive via email, or a weekly summary with the detections found.
In addition, please refer to section [3.1.1.5 Authentication mechanisms/Conditional access policies] of this guide.

Note: More information can be found at: https://docs.microsoft.com/es-es/azure/active-directory/identity-protection/overview

Recommendations
Next, some recommended services that can be configured.

Azure AD Privileged Identity Management


Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that
allows you to manage, control and monitor access to important resources within your
organization. This includes access to Azure AD resources, Azure resources, and other
Microsoft Online Services, such as Office 365 or Microsoft Intune.
Note: More information can be found at https://docs.microsoft.com/es-es/azure/active-
directory/privileged-identity-management/pim-configure

Just In Time Access

Just-In-Time (JIT) virtual machine (VM) access allows you to lock down access to virtual machines at the network level by blocking inbound traffic to specific ports.
When Just-In-Time is enabled, Security Centre blocks inbound traffic to Azure virtual machines by creating an NSG rule. You must select the virtual machine ports for which inbound traffic is blocked; these ports are then controlled by the Just-In-Time solution, which opens them only on request and for a limited time.
Note: More information can be found at https://azure.microsoft.com/es-es/updates/just-in-time-virtual-machine-access/

3.1.1.2 Segregation of functions and tasks

For the segregation of roles and tasks, roles are assigned to your Tenant's users via RBAC. Custom roles can be assigned at management group and subscription level.
The following diagram shows an example of the hierarchy recommended for management groups.

We recommend creating the groups beforehand and assigning them, by means of roles, to the different functions within the Tenant.
RBAC role management can be consulted in section [3.1.1.2 Deployment of a custom role] of this guide.

3.1.1.3 Access rights management process


Azure implements data operations that allow granting access to data within an object.

You can specify a scope at various levels: management group, subscription, resource group or resource.
The roles that are recommended from a security point of view are described below.
• Owner: Full access to all resources, including the right to delegate this access to others.
• Contributor: Has permissions to create and manage all types of Azure resources but cannot grant access to others.
• Reader: Has permission to view existing Azure resources.
• User Access Administrator: Has permissions to manage user access to Azure resources.
To do so, follow these instructions:
1. Click on [Subscriptions] or use the search box in the Azure portal.

2. Click on [Access control (IAM)].

3. Click on [Roles].

4. Here you can see the users who have the mentioned roles.

5. To assign a role, click on [Role assignments].

6. Click on [Add/Add role assignment].

7. Select a role.
8. Select User/Group.
9. Choose the user to whom the role is granted.

10. To finish, click on [Save].


Note: Remember that in Azure you can assign different roles, both from this panel and in a
specific service.
It is recommended to use custom RBAC roles. To do this, see section [3.1.1.2
Deployment of a custom role] in this guide.

3.1.1.4 Authentication mechanism


Azure Multi-Factor Authentication (MFA) protects access to data and applications,
while maintaining simplicity for users. It provides more security, as it requires a second
form of authentication and offers secure authentication through a variety of
authentication methods.

Implementation Considerations
Azure Multi-Factor Authentication can be implemented without applying conditional access policies. This guide recommends that, when MFA is implemented, a conditional access policy be used so that users perform multi-factor authentication when certain criteria are met, for example:
• All users, a specific user, the members of a group or an assigned role.
• A specific cloud application is accessed.
• Device platform.
• Device state.
• Network location or geographic location of the IP address.
• Client applications.
• Login risk (requires Identity Protection).
• Compliant devices.
• Approved client application.

Authentication methods
Azure MFA allows you to configure several authentication methods. To do this, you must configure a policy that defines the method with which users will register.
The methods recommended from a security point of view are described below.
• Notification via mobile application
A mobile application such as Microsoft Authenticator generates a new OATH verification code every 30 seconds. The user enters the verification code in the login interface.
• Phone call
An automated voice call is made to the user. The user answers the call and presses # on the phone keypad to approve their authentication.
• Text message to the phone
A text message containing a verification code is sent to the user; the user is then asked for the verification code in the login interface.

MFA activation for Azure Active Directory users

To activate Azure Multi-Factor Authentication, follow the guidelines described below.
As mentioned above, Azure Multi-Factor Authentication can be enabled without conditional access, by making a two-factor authentication method mandatory for users.
Follow these instructions:
1. From the Azure portal, click on [Azure Active Directory/MFA].

2. Click on [Additional cloud-based MFA settings].

3. Click on [Allow users to create app passwords to sign in to non-browser apps].

4. At this point, multi-factor authentication can be skipped for requests coming from trusted IP address ranges.

5. Click on [Verification method options for all users].

6. Click on [Allow users to remember multi-factor authentication on trusted devices].
7. Click on [Save].
Activation of Azure Multi-Factor Authentication
Once you have set up the check options you must activate MFA on the users. To do so,
follow these guidelines:
1. From the Azure portal click on [Azure Active Directory/Users].

2. Click on [Multi-factor Authentication].

3. Select all users for whom you want to apply MFA.

The process is to select all users and then click on [Enable].

It is recommended that this update be done in bulk. To do this, click on [Bulk update].

A CSV file is downloaded in which the users' email addresses and status are filled in.

When you have completed the CSV with the users, click on [Bulk update] and then on [Browse for file].

This loading can also be done with PowerShell commands.

Enable MFA using Azure AD PowerShell

To change the user state using Azure AD PowerShell, perform the following steps:
1. Install the module first, using:

Install-Module MSOnline

2. This example PowerShell script enables MFA for an individual user. The State property of the variable $st is modified; depending on whether you enable or disable MFA, the value is "Enabled" or "Disabled".

Import-Module MSOnline
Connect-MsolService
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)
Set-MsolUser -UserPrincipalName user1@domain -StrongAuthenticationRequirements $sta

Note: Using PowerShell is a good option when you need to enable users in bulk. For example, the following script loops through a list of users and enables MFA on their accounts:

$users = "user1@domain", "user2@domain", "user3@domain"
foreach ($user in $users)
{
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"
    $sta = @($st)
    Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
}

To disable MFA, use this script:

Get-MsolUser -UserPrincipalName user@domain | Set-MsolUser -StrongAuthenticationRequirements @()

Convert per-user MFA users to conditional access-based MFA

If users were enabled with per-user Azure Multi-Factor Authentication, the following PowerShell script performs the conversion to Azure Multi-Factor Authentication based on conditional access: it clears the per-user requirement so that the conditional access policy is what enforces MFA.
Execute it in an ISE window or save it as a .PS1 file to execute it locally.

# Sets the MFA requirement state
function Set-MfaState {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipelineByPropertyName=$True)]
        $ObjectId,
        [Parameter(ValueFromPipelineByPropertyName=$True)]
        $UserPrincipalName,
        [ValidateSet("Disabled","Enabled","Enforced")]
        $State
    )
    Process {
        Write-Verbose ("Setting MFA state for user '{0}' to '{1}'." -f $ObjectId, $State)
        $Requirements = @()
        if ($State -ne "Disabled") {
            $Requirement = [Microsoft.Online.Administration.StrongAuthenticationRequirement]::new()
            $Requirement.RelyingParty = "*"
            $Requirement.State = $State
            $Requirements += $Requirement
        }
        Set-MsolUser -ObjectId $ObjectId -UserPrincipalName $UserPrincipalName `
            -StrongAuthenticationRequirements $Requirements
    }
}
# Disable per-user MFA for all users (a conditional access policy requiring MFA must already be in place)
Get-MsolUser -All | Set-MfaState -State Disabled

Registered and unregistered Azure MFA users can be identified with PowerShell commands based on the MSOnline module.

• Identification of registered users:

Get-MsolUser -All | Where-Object {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName | Sort-Object UserPrincipalName

• Identification of unregistered users:

Get-MsolUser -All | Where-Object {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName | Sort-Object UserPrincipalName
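An added example, not from the original guide, that applies the same MSOnline properties to the members of privileged Azure AD roles, the accounts this guide recommends protecting with MFA first. Get-PrivilegedMfaGap is a hypothetical name; the MSOnline module and an existing Connect-MsolService session are assumed.

```powershell
# Added example (not from the CCN-STIC guide): per-user MFA state and registered
# methods for members of privileged Azure AD roles. Get-PrivilegedMfaGap is a
# hypothetical helper; it assumes MSOnline and an open Connect-MsolService session.
function Get-PrivilegedMfaGap {
    param(
        # MSOnline role names; "Company Administrator" is the Global Administrator role
        [string[]]$RoleNames = @("Company Administrator", "Security Administrator",
                                 "User Account Administrator", "Exchange Service Administrator")
    )
    foreach ($roleName in $RoleNames) {
        $role = Get-MsolRole -RoleName $roleName
        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
            # Groups and service principals have no per-user MFA state; report users only
            if ($member.RoleMemberType -ne "User") { continue }
            $user = Get-MsolUser -ObjectId $member.ObjectId
            $perUserState = ($user.StrongAuthenticationRequirements | Select-Object -First 1).State
            if (-not $perUserState) { $perUserState = "Disabled" }
            [pscustomobject]@{
                Role              = $roleName
                UserPrincipalName = $user.UserPrincipalName
                PerUserMfaState   = $perUserState   # Disabled / Enabled / Enforced
                RegisteredMethods = @($user.StrongAuthenticationMethods).Count
                DefaultMethod     = ($user.StrongAuthenticationMethods |
                                     Where-Object { $_.IsDefault }).MethodType
            }
        }
    }
}

# An administrator with no registered method cannot satisfy MFA at all, whether
# it is required per user or by a conditional access policy: close those gaps first.
# "Disabled" per-user state is only a gap when no conditional access policy covers the account.
Get-PrivilegedMfaGap |
    Where-Object { $_.RegisteredMethods -eq 0 -or $_.PerUserMfaState -eq "Disabled" } |
    Sort-Object Role, UserPrincipalName |
    Format-Table -AutoSize
```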

Note: It is recommended to use multifactor authentication when adding devices to Azure AD.
When it is set to "Yes", users who add devices from the Internet must use a second authentication
method.

Enable Multi-factor on devices


Follow these guidelines to enable it.
1. From the Azure portal, click on [Azure Active Directory/Devices].

2. Click on device configuration.

3. Click on [Require Multi-Factor Auth to join devices]. This option must be set to Yes.

4. Finally, click on [Save].

Note: Remember that this setting applies to all devices. From the same panel you can select the
users and groups that can join devices to Azure AD in case you want to limit it.

Authentication mechanisms
Another measure recommended in this guide is protection through Azure Active Directory's password settings, covering the attempt threshold, lockouts and auditing.
To do so, it is recommended to follow these guidelines.
1. From the Azure portal, search for Authentication Methods.

2. Click on [Password protection].

3. Follow the recommended instructions.

You must customize the account lockout after multiple failed attempts by following these instructions.

• Lockout threshold: A maximum of 5 attempts is advisable.
• Lockout duration in seconds: 60 seconds is recommended.
• Custom banned passwords: When enabled, the words in the list are added to the banned password system to avoid the use of easy-to-guess passwords.
• Password protection for Windows Server Active Directory: Must be enabled for password protection on Active Directory domain controllers.
Note: More information on password protection can be found in this article: https://docs.microsoft.com/es-es/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy
• Mode: You must select Enforced. This way, users cannot set banned passwords and the attempt is recorded.
4. Finally, click on [Save].

Azure Active Directory – Creation of a business application with a self-signed certificate
A business application, also known as a service account, is used for the purpose of performing a certain task. Its most frequent use is the execution of automation tasks, applications and Azure services.
For this purpose, the necessary permissions are granted for the execution of the task, with the advantage that we can define the minimum permissions for this account and therefore avoid giving users more permissions than necessary.
As many service users as needed can be defined, which is an advantage, since the creation of users in Azure AD is limited by the fees of the Azure subscription.
Although self-signed certificates are used in the example, they are not recommended from a security point of view. Instead, certificates signed by a trusted Certificate Authority (CA) should be used in order to have control over the certificates used by business applications.
To create a business application with a self-signed certificate, the following steps must be taken:

$Name = "CertificateName"
$Cert = New-SelfSignedCertificate -DnsName $Name -CertStoreLocation 'cert:\LocalMachine\My' `
    -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
    -NotAfter (Get-Date).AddMonths(50) -HashAlgorithm SHA256 -KeySpec Signature
$keyValue = [System.Convert]::ToBase64String($Cert.GetRawCertData())

5. Sign in to Azure and create the business application:

Login-AzAccount

$sp = New-AzADServicePrincipal -DisplayName OperationsServicePrincipal -CertValue $keyValue

Once created, you can view the new service account from the [Azure Active Directory/App registrations] menu.

To delete a business application (service account) from the previous window, click on the one you want to delete and then on the delete button.

Certificate of a business application [service account]

The business application certificate can only be consulted or modified through PowerShell, as described below:
• To view the business application certificate, from PowerShell:

$sp = Get-AzADServicePrincipal -DisplayName "OperationsServicePrincipal"
Get-AzADSpCredential -ObjectId $sp.Id

How to work with a business application

To work with a business application, you use PowerShell. The following steps show an example of how to work with a business application called OperationsServicePrincipal. Please note that you must have the certificate used by the business application installed on your machine.
1. Save the ID of the tenant and of the business application in variables (replace the placeholder with your subscription name):

$TenantId = (Get-AzSubscription -SubscriptionName "<SubscriptionName>").TenantId

$ApplicationId = (Get-AzADApplication -DisplayNameStartWith OperationsServicePrincipal).ApplicationId

2. Obtain the thumbprint of the certificate:

$Thumbprint = (Get-ChildItem cert:\CurrentUser\My\ | Where-Object {$_.Subject -eq "CN=CertificateName" }).Thumbprint

3. Log in with the Azure business application:

Connect-AzAccount -ServicePrincipal `
    -CertificateThumbprint $Thumbprint `
    -ApplicationId $ApplicationId `
    -TenantId $TenantId

3.1.1.5 Local access (local logon)


It is recommended to use conditional access to distinguish local access allowed from the office from other access that needs to be authorized, considering, for example, the source IP address or the devices used.
MFA settings are described in section [3.1.1.1 Access Requirements] of this guide.

3.1.1.6 Remote access (remote login)


Azure is a cloud solution accessible by the end user through the Internet. According to
the ENS: remote access is the one carried out from outside the organization's own
facilities, through third-party networks.
The use of MFA and Azure AD is recommended to strengthen the authentication of
remote accesses.
To do this, follow the instructions in section [3.1.1.4 Authentication Mechanisms/Multi-
factor Enablement of Devices] of this guide.

3.1.2 Exploitation

3.1.2.1 Recording user activity


With this functionality, you can send Azure AD audit and login logs to an Azure storage account, to an event hub, to Azure Monitor, or to a custom solution.
The following describes the types of logs related to user activity:

• Audit logs: The audit log activity report provides access to the history of all tasks performed in the Tenant.
• Login logs: The login activity report determines who has performed the tasks included in the audit log report.
Note: Remember that only administrators with permissions can access the log.
In order to consult the log, follow these instructions:
Click on:
1. [Azure Active Directory].
2. [Audit logs].

3. [Export data settings].

Note: It is necessary to add the AuditLogs / SignInLogs collections.

4. [Add diagnostic setting].

5. Define a name and click on [Archive to a storage account].

Note: A storage account dedicated to log collection must be used.

6. Then, click on [Stream to an event hub].

Note: It is recommended that the retention of AuditLogs and SignInLogs be no less than 60 days.

7. Finally, click on [save].


The results of the user activity log can be consulted from [Azure Active Directory/Audit logs].

In addition, you can export the results in CSV or JSON format from:

You can also view user logins. To do this, go to [Azure Active Directory/Logins] in the portal.


The search can be customised by clicking on [Columns], where the required columns and
filters are defined.

3.1.2.2 Protection of activity logs


Azure's activity log provides information on subscription-level events that have occurred
in Azure. This includes a range of data, from Azure Resource Manager operational data
to updates on service health events.
To protect and retain the activity log, the following actions must be performed:

Creating a Workspace in Log Analytics


Log Analytics is the service that stores, in a workspace, the logs collected by Azure
Monitor. In short, it collects telemetry data from various sources and uses the Kusto
Query Language (KQL) to retrieve and analyze the data.
Log Analytics provides the following features for working with log queries:
 Multiple tabs: create separate tabs to work with multiple queries.
 Rich visualizations: a variety of charting options.
 Improved IntelliSense and language autocompletion.
 Syntax highlighting: improves the readability of queries.
 Query Explorer: access saved queries and functions.
 Schema view: review the structure of the data to help write the queries.
 Sharing: create links to queries, and pin queries to any shared Azure dashboard.
 Smart analytics: identify spikes in charts and quickly analyze the cause.
 Column selection: sort and group the columns in the query results.


The Log Analytics workspace offers multiple advantages: besides searches and log
queries, their results can be associated with an Azure dashboard. This dashboard gives
an overview of the state of the tenant's most vital resources, as well as the metrics
previously configured.
The Azure dashboard can be shared among several users. It is configured from the
workspace (through the deployment of solutions in the Workspace Summary and the View
Designer).
It is worth highlighting the possibility of setting both a data retention period and a
daily ingestion cap, which allows the use of the service and its cost to be controlled.
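The following is an added example, not code from the CCN-STIC 884A guide, showing how the Azure AD logs routed to Log Analytics in section 3.1.2.1 can be queried in KQL from PowerShell. It assumes the Az.Accounts and Az.OperationalInsights modules, a previous Connect-AzAccount, and that the workspace ID (the GUID shown on the workspace overview blade) is placed in the $WorkspaceId variable; the value below is a placeholder and the thresholds (10 failures, 24 hours, 7 days) are chosen for the example.

```powershell
# Added example (not part of the CCN-STIC 884A guide): run KQL queries against
# the SigninLogs and AuditLogs tables that section 3.1.2.1 sends to Log Analytics.
# Assumptions: Az.Accounts and Az.OperationalInsights are installed, Connect-AzAccount
# has been run, and $WorkspaceId holds the workspace (customer) ID.
$WorkspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder: copy from the workspace overview

# Accounts with 10 or more failed sign-ins in the last 24 hours. In SigninLogs,
# ResultType "0" is a successful sign-in; any other value is a failure code.
$failedSignInsQuery = @'
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != "0"
| summarize Failures = count(), DistinctIPs = dcount(IPAddress), Sample = any(ResultDescription)
    by UserPrincipalName
| where Failures >= 10
| order by Failures desc
'@

# Directory role membership changes recorded in the audit log over the last 7 days,
# showing who initiated the change and who received the role.
$roleChangesQuery = @'
AuditLogs
| where TimeGenerated > ago(7d)
| where Category == "RoleManagement"
| where OperationName has "Add member to role"
| project TimeGenerated, OperationName,
          Initiator = tostring(InitiatedBy.user.userPrincipalName),
          Target = tostring(TargetResources[0].userPrincipalName), Result
| order by TimeGenerated desc
'@

function Invoke-WorkspaceQuery {
    # Runs one KQL query and returns the result rows as PowerShell objects.
    param([string]$WorkspaceId, [string]$Query)
    $response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query
    return $response.Results
}

Invoke-WorkspaceQuery -WorkspaceId $WorkspaceId -Query $failedSignInsQuery | Format-Table -AutoSize
Invoke-WorkspaceQuery -WorkspaceId $WorkspaceId -Query $roleChangesQuery   | Format-Table -AutoSize
```

Both queries only return rows once the diagnostic setting of section 3.1.2.1 has been streaming AuditLogs and SignInLogs to the workspace for long enough to cover the time window; the same KQL can be pasted into the Logs blade of the workspace or pinned to a shared dashboard.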

Log Analytics workspace deployment

 Search for Log Analytics workspaces.

 Click on [Log Analytics workspaces/Add].

 Choose a name for the workspace and click on create new resource group.

 Finally, choose the North Europe location and click on [OK].

Note: Remember that you can find Log Analytics workspaces from All resources.


Creating a storage account

Basics:
Resource group: choose the resource group created for the workspace.
Storage account name: choose a name that identifies the account.
Performance: as these are logs for the activity log, leave the Standard option.
Account kind: in this case StorageV2, although the menu can be expanded to choose
other kinds of account.
Replication: RA-GRS guarantees high data availability.
Access tier: select Hot (frequently accessed data).


1. In the Networking tab select and configure:

Connectivity method: it is recommended to select Public endpoint (selected networks),
as it allows an existing network to be chosen.
Virtual network: choose the network in which this storage account is created. A new
one can also be created.
Subnets: select the subnet configured in Azure.

2. On the Advanced tab, enable the security options; a data retention of at least 365
days is recommended.

3. On the Tags tab, set a dedicated name and value for all the components of the
storage account.


4. Finally, click on [review and create].

5. Once the storage account has been created, the activity log must be exported; this
is done from the [Export to Event Hub] option.

Retention of the activity log

1. From Monitor, click on [Activity Log] and then on [Export to Event Hub].

The following data is completed:

2. In the wizard, select the North Europe region.
3. Tick [Export to a storage account] and choose the account you have created.


4. Finally, set the retention time; 365 days is recommended.

5. Click on [save].

6. The logs can be viewed from [Azure Monitor/Activity Log/Logs].

Note: A dashboard with all the activities is shown.
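The following is an added example, not code from the CCN-STIC 884A guide, that performs the storage account creation and the activity log export described in the two procedures above from PowerShell. It assumes the Az.Accounts, Az.Storage, Az.Network and Az.Monitor modules and a previous Connect-AzAccount; the resource group, account, network and subnet names are placeholders. Add-AzLogProfile is the cmdlet that created the export with a retention policy at the time of this guide; later Az.Monitor versions mark it as deprecated in favour of subscription diagnostic settings.

```powershell
# Added example (not part of the CCN-STIC 884A guide): dedicated storage account
# for the activity log with the settings recommended above (StorageV2, RA-GRS, Hot
# tier, public endpoint restricted to a selected subnet, 365-day retention), and
# export of the subscription activity log to it.
# Assumptions: Az.Accounts, Az.Storage, Az.Network and Az.Monitor are installed and
# Connect-AzAccount has been run. All names below are placeholders.
$rg          = 'ccn-logs-rg'        # resource group created for the Log Analytics workspace
$location    = 'North Europe'
$accountName = 'ccnactivitylogs01'  # globally unique, 3-24 lowercase letters and digits
$vnetName    = 'ccn-vnet'           # existing virtual network (placeholder)
$subnetName  = 'logs-subnet'        # existing subnet (placeholder)

# 1. Basics: StorageV2, RA-GRS replication, Hot access tier, HTTPS only.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $accountName -Location $location `
        -SkuName Standard_RAGRS -Kind StorageV2 -AccessTier Hot -EnableHttpsTrafficOnly $true

# 2. Networking: "Public endpoint (selected networks)". The subnet needs the
#    Microsoft.Storage service endpoint; then everything outside the rules is denied.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$vnet | Set-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix $subnet.AddressPrefix `
        -ServiceEndpoint 'Microsoft.Storage' | Set-AzVirtualNetwork | Out-Null
$subnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName |
          Get-AzVirtualNetworkSubnetConfig -Name $subnetName
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $accountName `
        -VirtualNetworkResourceId $subnet.Id | Out-Null
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $accountName `
        -DefaultAction Deny -Bypass AzureServices | Out-Null

# 3. Advanced: keep deleted blobs (the exported log files) recoverable for 365 days.
Enable-AzStorageBlobDeleteRetentionPolicy -ResourceGroupName $rg -StorageAccountName $accountName `
        -RetentionDays 365

# 4. Export the activity log to the account with a 365-day retention policy.
#    A subscription has a single log profile; remove any existing one first
#    (Remove-AzLogProfile -Name <name>) or the call fails.
Add-AzLogProfile -Name 'ccn-activity-log-export' -StorageAccountId $sa.Id `
        -Location global, northeurope -Category Write, Delete, Action -RetentionInDays 365

# Checks: the default network action must be Deny and the retention policy 365 days.
(Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $accountName).DefaultAction
(Get-AzLogProfile -Name 'ccn-activity-log-export').RetentionPolicy
```

The two checks at the end are what an auditor would read back: a DefaultAction other than Deny means the account is still reachable from any network, and a retention policy shorter than 365 days does not meet the recommendation above.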


Deployment of a dashboard.
Azure allows custom dashboards to be created in order to build an organized view of
Azure resources. They are recommended for daily operations and tasks and for
monitoring resources, thus allowing quick checks.
The following steps create a custom dashboard:
1. Sign in.
2. Select Dashboard; this view is usually the default view on entering the
portal.
3. Click on [New dashboard].

4. Clicking on New dashboard opens the Tile Gallery, from which the tiles are
selected, and an empty grid where the tiles are arranged.


5. Click on the item marked 1 in the screenshot, change the name of the dashboard to
a more descriptive one and add the elements that make up the dashboard. In the
example, metrics are added.

Note: Metrics are added to the dashboard but are configured after the dashboard is created.
6. Click on [Done customizing] to save the dashboard.


7. Once the dashboard has been created, the metrics are configured. Click on
[Edit Metrics]. In the example, the metrics are configured to see the traffic that
passes through the VPN.

8. Select the fields:

 Resource: select the subscription you are in, the resource group and the
resource type.


 Metric namespace

 Metric

 Aggregation


Encryption of activity logs

Finally, the storage account that holds all the activity logs is encrypted.
Note: Remember that these actions can be performed by the administrator users.
1. To do this, click on [storage accounts] and select the account created for
the logs.

2. Then click on [encryption].

Follow these instructions:
1. Select Use your own key.
2. Select Key Vault.
3. Choose a key vault or create a new one. See section [3.1.2.4
Cryptographic key protection] of this guide.
4. Select the encryption key.
Note: A new key can be created or an existing one used.


5. Finally, click on [save].

3.1.2.3 Protection of cryptographic keys


Azure Key Vault is a cloud service used to manage cryptographic keys, secrets and
certificates.
Key Vault also allows keys and secrets to be securely stored and protected by an HSM
(Hardware Security Module). The HSMs used are certified to the FIPS 140-2 Level 3 and
eIDAS Common Criteria EAL4+ standards.
In addition, Key Vault records access attempts and the use of its secrets to provide
a complete audit trail for compliance.
Azure Key Vault helps solve the following problems:
1. Secret management: Azure Key Vault can be used to securely store and strictly
control access to tokens, passwords, certificates, API keys and other secrets.

2. Key management: Azure Key Vault can also be used as a key management
solution. Azure Key Vault makes it easy to create and control the encryption keys
used to encrypt data.
3. Certificate management: Azure Key Vault is also a service that allows public and
private Secure Sockets Layer and Transport Layer Security (SSL/TLS) certificates to be
easily provisioned, managed and deployed for use with Azure and its connected
internal resources.
4. Hardware security module-backed storage: keys and secrets can be protected by
software or by HSM devices.

Key Vault terms

Below are several important concepts that need to be known:
Vault owner: a vault owner can create a key vault and obtain full access and control
over it. The vault owner can also set up auditing to record who accesses secrets and
keys. Tenant administrators can control the key's life cycle, roll to a new version of
the key, back up the key and perform other related tasks.
Managed identities: Azure Key Vault provides a way to securely store credentials and
other keys and secrets, but the code has to authenticate itself to Key Vault to retrieve
them. Using a managed identity solves this problem more easily, by providing Azure
services with an automatically managed identity in Azure AD. This identity can be used
to authenticate to Key Vault, or to any service that supports Azure AD authentication,
without needing credentials in the code.

Authentication methods
To perform any operation with Key Vault, you need to authenticate. It is
recommended that the following method be used.
Managed identities for Azure resources: when an application is deployed to a virtual
machine in Azure, an identity that has access to Key Vault can be assigned to the
virtual machine. Identities can also be assigned to other Azure resources. The advantage
of this approach is that the application or service does not have to manage the
rotation of the initial (bootstrap) secret.

Roles of Key Vault

With an Azure subscription you can create and use Key Vault instances. Key Vault
benefits developers and security administrators, and a tenant administrator who
manages other Azure services can deploy and manage it in order to:
 Create or import a key or a secret.
 Revoke or delete a key or secret.
 Authorize users or applications to access the key vault so they can manage or use
its keys and secrets.
 Configure the use of keys (e.g. for signing or encryption).
 Monitor key usage.


Redundancy and availability


Azure Key Vault has several layers of redundancy to ensure the availability of keys
and secrets for its application, even if individual service components fail.
The content of the keystore is replicated within the region and in a secondary region
at least 241 km away but within the same geographical location. This is how the
availability of keys and secrets is maintained.
If an error occurs in any individual component within the keystore service, the
alternative components in the region are responsible for handling the request to
ensure that no functionality is lost. No action is required. It takes place automatically
and is transparent to the user.
In the exceptional event that an entire Azure region becomes unavailable, requests
made to Azure Key Vault from that region are automatically sent (a process known as
failover) to a secondary region. When the primary region becomes available again,
requests are routed back to it (failback). It should be stressed that no action is
required, as this process performs automatically.
In this high-availability design, Azure Key Vault requires no downtime for maintenance
activities.
Below are the instructions to be followed.

Creation of Azure Key Vault from the portal

1. Search for Key Vault.

2. Click on [add].

3. On the Basics tab complete the following information:

 Resource group: a new resource group is recommended. When you click on create
new, you will be asked to give it a name.
 Key vault name: define a name for the vault.
 Region: North Europe.
 Pricing tier: select Premium, which includes HSM support.
4. Click on the [Access policy] tab.

5. Enable all three access options.

 Azure Virtual Machines for deployment: specifies whether Azure Virtual
Machines are allowed to retrieve certificates stored as secrets from the key
vault.
 Azure Resource Manager for template deployment: specifies whether Azure
Resource Manager is allowed to retrieve secrets from the key vault.
 Azure Disk Encryption for volume encryption: specifies whether Azure Disk
Encryption is allowed to retrieve secrets from the vault.


6. Click on [add access policy].

Access policies assign defined roles to administrators who manage keys, secrets,
and certificates.

Configure from a template: Azure Key Vault comes with predefined templates for
assigning roles in management groups.


Key permissions: define the key management operations.

Secret permissions: define the secret management operations.

Certificate permissions: define the certificate management operations.


Select principal: assign the Azure Active Directory group that manages the key
vault.
Authorized application: authorize this application to execute the specified
permissions on behalf of the user or group.
7. Click on the [Virtual Network] tab.

Allow access from: click on Selected networks.

Virtual network: select the network or networks that have access to the key vault.
Exception: more information about Key Vault firewall and virtual network
configuration can be found at https://docs.microsoft.com/es-es/azure/key-
vault/key-vault-network-security.
8. Click on the [Tags] tab.


Name: define a tag name for the whole key vault.

Value: the value used is Production.
9. Click on [review and create].

10. Click on [create].

11. Click on [go to resource] to see the newly created resource.


Creation of Azure Key Vault from PowerShell

1. From the PowerShell console:
 Connect-AzAccount

In the browser pop-up window, enter the username and password of your Azure
account. Azure PowerShell obtains all the subscriptions associated with this account
and uses the first one by default.
You may need to specify the subscription that was used to create the key vault.
To view your account's subscriptions, type the following command:
 Get-AzSubscription

2. Then, to specify the subscription associated with the key vault to be
registered, type:
 Set-AzContext -SubscriptionId <subscription ID>

Note: Making PowerShell work on the right subscription is an important step, especially
if you have multiple subscriptions associated with your account.
Although an existing storage account could be used for the logs, a storage account
dedicated to the Key Vault logs should be created:
 $sa = New-AzStorageAccount -ResourceGroupName CNN-ResourceGroup -Name cnnkeyvaultlogs -Type Standard_LRS -Location 'North Europe'

3. Then, retrieve the key vault:
 $kv = Get-AzKeyVault -VaultName 'ccnKeyVault'

4. Enable the log. To do this, use the Set-AzDiagnosticSetting cmdlet, along
with the variables created for the new storage account and the key vault. The
-Enabled flag must be set to $true and the category to AuditEvent:
 Set-AzDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -Enabled $true -Category AuditEvent

Optionally, a retention policy can be set for the logs so that older logs are
automatically deleted. For example, set the -RetentionEnabled flag to $true and the
-RetentionInDays parameter to the number of days; Microsoft recommends 90, so that
records older than 90 days are automatically deleted:
 Set-AzDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -Enabled $true -Category AuditEvent -RetentionEnabled $true -RetentionInDays 90

Access to logs
Key Vault logs are stored in the insights-logs-auditevent container of the storage
account provided. All accesses and access attempts to Azure Key Vault are recorded in
these logs. To view the logs, the blobs have to be downloaded.
Blobs store text and binary data, up to about 4.7 TB. Blobs are composed of data
blocks that can be managed individually.
First, a variable is created for the name of the container. This variable is used in the
rest of this guide.
1. From the PowerShell console:
 $container = 'insights-logs-auditevent'

2. To display a list of all the blobs in this container, type:
 Get-AzStorageBlob -Container $container -Context $sa.Context

3. Create a folder to download the blobs to:
 New-Item -Path 'C:\Users\username\CcnKeyVaultLogs' -ItemType Directory -Force

4. Next, obtain a list of all the blobs:
 $blobs = Get-AzStorageBlob -Container $container -Context $sa.Context

5. Pipe this list through Get-AzStorageBlobContent to download the blobs to
the destination folder:
 $blobs | Get-AzStorageBlobContent -Destination 'C:\Users\username\CcnKeyVaultLogs'

The following are step-by-step instructions for configuring Azure Key Vault firewalls
and virtual networks to restrict access to the key vault.
1. Log in to Azure PowerShell:
 Connect-AzAccount

2. Display the list of available virtual network rules. If no rule has been set
for this key vault, the list is empty:
 (Get-AzKeyVault -VaultName "mykeyvault").NetworkAcls

3. Enable a service endpoint for Key Vault on an existing virtual network
and subnet:
 Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Set-AzVirtualNetworkSubnetConfig -Name "mysubnet" -AddressPrefix "10.1.1.0/24" -ServiceEndpoint "Microsoft.KeyVault" | Set-AzVirtualNetwork

4. Add a network rule for a virtual network and subnet:
 $subnet = Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Get-AzVirtualNetworkSubnetConfig -Name "mysubnet"
 Add-AzKeyVaultNetworkRule -VaultName "mykeyvault" -VirtualNetworkResourceId $subnet.Id

5. Add a range of IP addresses from which traffic will be allowed:
 Add-AzKeyVaultNetworkRule -VaultName "mykeyvault" -IpAddressRange "16.17.18.0/24"

6. If any trusted Microsoft service needs to access this key vault, set the bypass
option to AzureServices:
 Update-AzKeyVaultNetworkRuleSet -VaultName "mykeyvault" -Bypass AzureServices

7. Activate the network rules by setting the default action to Deny:
 Update-AzKeyVaultNetworkRuleSet -VaultName "mykeyvault" -DefaultAction Deny

Using the Key Vault panel


1. From the Azure portal, search for Key Vault.

2. Next, select your Key Vault.

Creation of keys
3. Click on [keys].


4. Click on [generate or import].

Options: a key can be generated, imported or restored.

Name: define a name for the new key.

Type: Key Vault supports only RSA and elliptic curve keys.
EC: "soft" (software-protected) elliptic curve key.
EC-HSM: "strong" (HSM-protected) elliptic curve key.
RSA: "soft" (software-protected) RSA key.
RSA-HSM: "strong" (HSM-protected) RSA key.


RSA key size: Key Vault supports RSA keys of 2048, 3072 and 4096 bits.
Key Vault supports the elliptic curve key types P-256, P-384, P-521 and P-256K
(SECP256K1).
The selection of key types and sizes must comply with the requirements specified in
guide CCN-STIC-807 (Cryptology for use in the National Security Framework). For this
reason, for information systems categorized as ENS High, RSA-2048 keys are not
allowed, since they have a cryptographic strength of 112 bits, which is lower than the
128 bits required.
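The following is an added example, not code from the CCN-STIC 884A guide, that audits the keys of an existing key vault against the 128-bit requirement just stated. It assumes the Az.KeyVault module, a caller with get and list key permissions, and that the key object returned by Get-AzKeyVaultKey exposes the JSON Web Key fields as $key.Key.Kty, $key.Key.N and $key.Key.CurveName; the strength figures are the usual NIST SP 800-57 equivalences and the vault name is a placeholder.

```powershell
# Added example (not part of the CCN-STIC 884A guide): list every key in a vault
# with its estimated cryptographic strength and flag the ones below ENS High.
# Assumptions: Az.KeyVault is installed, Connect-AzAccount has been run, the caller
# holds "get" and "list" key permissions, and $key.Key is the JSON Web Key object
# (properties Kty, N, CurveName) returned by Get-AzKeyVaultKey -Name.

function Get-KeyStrengthBits {
    # Symmetric-equivalent strength (NIST SP 800-57 tables); 0 when unknown.
    param([string]$KeyType, [int]$RsaBits, [string]$CurveName)
    switch -Wildcard ($KeyType) {
        'RSA*' {
            switch ($RsaBits) {
                2048    { return 112 }
                3072    { return 128 }
                4096    { return 128 }   # at least 128: NIST lists 128 for 3072 and 192 for 7680
                default { return 0 }
            }
        }
        'EC*' {
            switch ($CurveName) {
                'P-256'  { return 128 }
                'P-256K' { return 128 }
                'P-384'  { return 192 }
                'P-521'  { return 256 }
                default  { return 0 }
            }
        }
        default { return 0 }
    }
}

function Test-EnsHighKeyCompliance {
    # Emits one object per key; Compliant is $true only when the strength reaches
    # $RequiredBits. HsmBacked is reported separately because the guide selects the
    # Premium tier for HSM support but states the size requirement only.
    param([Parameter(Mandatory)][string]$VaultName, [int]$RequiredBits = 128)
    foreach ($summary in Get-AzKeyVaultKey -VaultName $VaultName) {
        # The list call returns identities only; fetch the key to read its public part.
        $key   = Get-AzKeyVaultKey -VaultName $VaultName -Name $summary.Name
        $kty   = $key.Key.Kty
        $bits  = if ($key.Key.N) { $key.Key.N.Length * 8 } else { 0 }   # RSA modulus length in bits
        $curve = $key.Key.CurveName
        $strength = Get-KeyStrengthBits -KeyType $kty -RsaBits $bits -CurveName $curve
        [pscustomobject]@{
            Name      = $key.Name
            KeyType   = $kty
            Size      = if ($kty -like 'RSA*') { $bits } else { $curve }
            Strength  = $strength
            HsmBacked = ($kty -like '*-HSM')
            Compliant = ($strength -ge $RequiredBits)
        }
    }
}

# Placeholder vault name; non-compliant keys are listed first.
Test-EnsHighKeyCompliance -VaultName 'ccnKeyVault' | Sort-Object Compliant | Format-Table -AutoSize
```

A key reported as RSA 2048 with Strength 112 and Compliant $false is the case the paragraph above rules out for ENS High; replacing it means creating a new key version of at least 3072 bits and re-pointing the consumers (for example the storage account encryption of section 3.1.2.2) at the new version.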

Note: More key types are available at: https://docs.microsoft.com/es-es/azure/key-vault/about-keys-secrets-and-certificates

Optionally, an activation and expiration date can be set.

5. Finally, click on [create].

Creation of secrets
1. Click on [secrets].

2. Click on [Generate or import].


3. Next, complete the following fields.

Name: write a name for this secret.
Value: set a value. Example: Pa$$hVFkk965BuUv.
Content type: define a usage description for this secret.
Optionally, an activation date can be set.
4. Click on [Create].

Certificate creation
1. Click on [certificates].

2. Click on [Generate or import].


3. Then fill in these fields.

Method of certificate creation: the certificate can be generated or imported.

Certificate name: define the name of the certificate.
Type of Certificate Authority (CA): in this case, select Self-signed certificate.
[The menu offers two more options]

Subject: X.500 Distinguished Name. Example: CN=mydomain.com

DNS names: Subject Alternative Names (SANs) can be specified as DNS names.
Validity period (in months): 12 months by default.

Content type: two PEM-based formats are supported for the certificate merge: a single
PKCS #8 encoded certificate, or a base64 encoded P7B file
(----- BEGIN CERTIFICATE----- ... ----- END CERTIFICATE-----).


Lifetime action type: select automatic renewal.

[More options available]

Lifetime percentage: the percentage depends on the renewal option. In this case it
is set to 80.
Advanced policy configuration: optionally, a policy can be defined for this certificate.

4. Click on [create].

Encryption in storage accounts

Storage service encryption protects data at rest. The Azure Storage service encrypts
data as it is written to the data centres and automatically decrypts it when it is
accessed.
Storage accounts are encrypted by default with a Microsoft-managed key. Key Vault
should be used to generate the encryption keys.
To do so, perform these steps.
1. From the Azure portal click on [all resources]. Then, choose the storage account
of any application or virtual machine you have deployed.


2. Click on [encryption].

3. Click on [select from Key Vault] and then press on [select].

4. A new key vault is created and used centrally for all storage accounts.


Name: write a name for this key vault.

Resource group: it is recommended to create a new one, which will be used for
all storage account keys.
Pricing tier: there are two tiers, A1 and P1.
Access policies: these access policies define the policy administrators. For more
information, see section [3.1.1.1 access requirements] of this guide.
Virtual network access: it is recommended to choose the network where the
storage account is located.
5. Finally, click on [create].
6. Click on [select an encryption key].

7. Click on [create a new key].


8. Select the key type. More information is available in section [4.3.8 Creating a key]
of this guide.

9. Click on [create].
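The following is an added example, not code from the CCN-STIC 884A guide, that performs from PowerShell the switch to a customer-managed key described in this section and in "Encryption of activity logs" above. It assumes the Az.Storage and Az.KeyVault modules (a version whose Add-AzKeyVaultKey accepts -KeyType and -Size), a previous Connect-AzAccount, an existing storage account, and that the vault can be created in the Premium tier; all names are placeholders, and the 3072-bit size follows the ENS High key-size requirement given earlier in this section.

```powershell
# Added example (not part of the CCN-STIC 884A guide): replace the Microsoft-managed
# key of a storage account with a customer-managed key held in Key Vault.
# Assumptions: Az.Storage and Az.KeyVault are installed, Connect-AzAccount has been run,
# the storage account already exists and the names below are placeholders.
$rg        = 'ccn-storage-rg'
$account   = 'ccnappstorage01'        # existing storage account (placeholder)
$vaultName = 'ccn-storage-keys'       # central vault for all storage account keys
$location  = 'North Europe'
$keyName   = "$account-cmk"

# 1. Central vault, Premium tier (HSM support), with purge protection so that a
#    deleted key cannot make the encrypted data permanently unreadable.
#    Older Az.KeyVault versions also need -EnableSoftDelete here.
$vault = New-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName -Location $location `
            -Sku Premium -EnablePurgeProtection

# 2. HSM-protected RSA key of 3072 bits (RSA-2048 is below the 128-bit ENS High requirement).
$key = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination HSM -KeyType RSA -Size 3072

# 3. System-assigned identity for the storage account and an access policy that only
#    lets it get, wrap and unwrap keys (no create/delete rights on the vault).
$sa = Set-AzStorageAccount -ResourceGroupName $rg -Name $account -AssignIdentity
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sa.Identity.PrincipalId `
    -PermissionsToKeys get, wrapkey, unwrapkey

# 4. "Use your own key": point the account's encryption at the vault key.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account -KeyvaultEncryption `
    -KeyName $key.Name -KeyVersion $key.Version -KeyVaultUri $vault.VaultUri | Out-Null

# Check: KeySource must now read Microsoft.Keyvault instead of Microsoft.Storage.
(Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Encryption.KeySource
```

Because the storage account is pinned to the key version, rotating the key later means creating a new version and repeating step 4 with the new $key.Version; the old version must remain enabled until every blob has been re-wrapped, which is why the access policy deliberately excludes delete.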

Limitations
The table below shows, per key type, the maximum number of key transactions
allowed in 10 seconds per vault and region.
Service limits in Key Vault serve to prevent the misuse of resources and ensure the
quality of service for all Key Vault customers. When a service threshold is exceeded,
Key Vault throttles subsequent requests from that client for a period of time. When
this happens, Key Vault returns the HTTP 429 status code (Too Many Requests) and the
request fails. In addition, failed requests that return a 429 code count towards the
limit that Key Vault tracks.
On receiving an HTTP 429 error code, the client should throttle itself by using an
exponential backoff approach:

1. Wait 1 second, retry the request.
2. If still throttled, wait 2 seconds, retry the request.
3. If still throttled, wait 4 seconds, retry the request.
4. If still throttled, wait 8 seconds, retry the request.
5. If still throttled, wait 16 seconds, retry the request.
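The following is an added example, not code from the CCN-STIC 884A guide, that implements the backoff sequence just listed as a reusable wrapper for Key Vault calls. It assumes the Az.KeyVault module and a previous Connect-AzAccount; the function names, the vault and the secret name are placeholders chosen for the example, and the status-code extraction covers the exception shapes raised by Az cmdlets and Invoke-RestMethod.

```powershell
# Added example (not part of the CCN-STIC 884A guide): client-side throttling with
# the 1, 2, 4, 8, 16 second exponential backoff described above for HTTP 429.
# Assumptions: Az.KeyVault is installed and Connect-AzAccount has been run; the
# vault and secret names at the end are placeholders.

function Get-HttpStatusCode {
    # Walks the exception chain of a failed call and returns its HTTP status code,
    # or 0 when the failure was not an HTTP response (e.g. a DNS error).
    param([System.Management.Automation.ErrorRecord]$ErrorRecord)
    $ex = $ErrorRecord.Exception
    while ($null -ne $ex) {
        $resp = $ex.PSObject.Properties['Response']               # WebException / HttpResponseException
        if ($resp -and $resp.Value) { return [int]$resp.Value.StatusCode }
        $status = $ex.PSObject.Properties['Status']               # Azure.RequestFailedException
        if ($status -and ($status.Value -is [int])) { return [int]$status.Value }
        $ex = $ex.InnerException
    }
    return 0
}

function Invoke-WithBackoff {
    # Runs $Operation; on HTTP 429 sleeps for the next delay in $DelaysSeconds and
    # retries. Any other error, or exhausting the delays, re-throws the original error.
    param(
        [Parameter(Mandatory)][scriptblock]$Operation,
        [int[]]$DelaysSeconds = @(1, 2, 4, 8, 16)
    )
    $attempt = 0
    while ($true) {
        try {
            return & $Operation
        } catch {
            $code = Get-HttpStatusCode -ErrorRecord $_
            if ($code -ne 429 -or $attempt -ge $DelaysSeconds.Count) { throw }
            $delay = $DelaysSeconds[$attempt]
            Write-Warning "Key Vault throttled the request (HTTP 429); retry $($attempt + 1) in $delay s"
            Start-Sleep -Seconds $delay
            $attempt++
        }
    }
}

# Sample use: read a secret, surviving a burst of 429 responses. -ErrorAction Stop
# turns the cmdlet's non-terminating error into an exception the wrapper can catch.
$secret = Invoke-WithBackoff {
    Get-AzKeyVaultSecret -VaultName 'ccnKeyVault' -Name 'ExampleSecret' -ErrorAction Stop
}
$secret.Name
```

The wrapper retries only on 429; other status codes (401, 403, 404) propagate immediately, since retrying an authorization failure would only add to the request count that Key Vault tracks against the same limit.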


Key type          | HSM key: CREATE key | HSM key: all other transactions | Software key: CREATE key | Software key: all other transactions
RSA 2048 bits     | 5                   | 1000                            | 10                       | 2000
RSA 3072 bits     | 5                   | 250                             | 10                       | 500
RSA 4096 bits     | 5                   | 125                             | 10                       | 250
ECC P-256         | 5                   | 1000                            | 10                       | 2000
ECC P-384         | 5                   | 1000                            | 10                       | 2000
ECC P-521         | 5                   | 1000                            | 10                       | 2000
ECC SECP256K1     | 5                   | 1000                            | 10                       | 2000

3.1.3 Continuity of service

3.1.4 Continuity plan

Azure Site Recovery ensures service continuity by keeping applications running during
outages.
Workloads executing on physical and virtual machines are replicated from a primary site
to a secondary location. When an outage occurs at the primary site, a failover to the
secondary location is performed. Once the primary location is running again, the
failback can be performed.
With Site Recovery you can manage the replication of:
 Azure virtual machines that replicate between different regions.
 On-premises virtual machines, Azure Stack virtual machines and physical servers.

The following steps are necessary for the correct configuration of Azure Site Recovery (ASR):

Virtual Machine Replication


Before creating a disaster recovery plan, the virtual machine should be replicated. To do
this, perform the following steps:
1. From the Azure panel click on [all resources].


2. Click on a virtual machine.


3. Click on [disaster recovery].

Note: Virtual machines can be replicated to another Azure region to cover continuity and
disaster recovery needs. Periodic disaster recovery drills are recommended to ensure that
compliance needs are met. The VM is replicated with the specified configuration in the selected
region, so that applications can be recovered in case of an outage in the source region.
4. Select the region where you want to perform the replication.
5. Click on [advanced settings].


Virtual machine resource group: this new group is used to perform the failover.
Virtual network: a new virtual network is created for the failover.
Availability: select the type of availability in the target region. "Availability Zone"
can only be selected if the target region supports availability zones. If the target
availability type is "Availability Set" and a VM with managed disks is being protected,
only a managed availability set can be viewed and selected for VMs with managed
disks, and an unmanaged availability set for VMs without managed disks.

Storage configuration
 Cache account: the cache account is in the source region. It is used as a temporary
data store before replicating changes to the target region. By default, one cache
account per vault is created and reused. A different cache account can be selected to
customize the cache account used for this virtual machine.
 Source managed disk: data replicated from the source VM is stored on replica
managed disks in the target region. For each managed disk in the source VM, a
replica managed disk is created and used in the target region.

Replication configuration
 Vault subscription: select the Azure subscription in which the Recovery Services
vault exists. Only the metadata corresponding to the VMs is stored in this vault;
the actual data on the disks never leaves the source and target regions.
 Recovery Services vault: the Recovery Services vault contains the configuration of
the target virtual machine and orchestrates replication. In the event of an outage in
which the source virtual machine is not available, a failover can be performed from
the Recovery Services vault.
 Vault resource group: resource group of the Recovery Services vault.
 Replication policy: the replication policy defines the recovery point retention
history and the frequency of application-consistent snapshots.

Extension configuration
Azure Virtual Machine (VM) extensions are small applications that provide configuration
and automation tasks after deployment on Azure virtual machines.
Update settings: Site Recovery manages the extensions on all the replicated items
associated with the vault and keeps them updated. The extensions can also be updated
manually. This does not require any reboot and does not affect the ongoing
replication of the virtual machines.
Automation account: Site Recovery uses this automation account to update the Site
Recovery extension on all the replicated machines associated with the vault.

6. Click on [review and start replication].


7. Replication can be checked from the virtual machine itself under the [disaster
recovery] option.


A dashboard with the synchronization status is shown.

Database replication
Active geo-replication is the Azure SQL Database feature that allows secondary
databases to be created on a SQL Database server in the same or a different data
centre (region).
The following steps create a secondary database replicated in another geographic
region of Azure.
1. From the Azure portal, click on [SQL databases].


2. Select your database.

3. Click on [geo-replication].

4. Select the region where the replication takes place.


 Click on [target server].

 Click on [create a new server].

5. Define a name for this server.

6. Create an administrator login for the server.
7. It is recommended to use a complex password.
8. Clear the option to allow Azure services to access the server.
9. Click on [OK].
10. Finally, there is the option of a pricing tier.
Optionally, virtual cores can be scaled up, as can the storage.

11. Finally, click on [OK].
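The following is an added example, not code from the CCN-STIC 884A guide, that reproduces the geo-replication steps above from PowerShell: a new logical server in a second region with its own administrator login, no blanket access for Azure services, and a readable secondary of an existing database. It assumes the Az.Resources and Az.Sql modules, a previous Connect-AzAccount, and an existing primary server and database; every name and region below is a placeholder.

```powershell
# Added example (not part of the CCN-STIC 884A guide): active geo-replication of an
# Azure SQL database to a server in another region.
# Assumptions: Az.Resources and Az.Sql are installed, Connect-AzAccount has been run,
# and the primary server/database already exist. All names are placeholders.
$primaryRg       = 'ccn-sql-rg'
$primaryServer   = 'ccn-sql-primary'      # existing logical server
$database        = 'ccn-appdb'            # existing database
$secondaryRg     = 'ccn-sql-dr-rg'
$secondaryServer = 'ccn-sql-secondary'    # must be globally unique
$secondaryRegion = 'West Europe'          # a region different from the primary's

# Steps 5-7: new server in the secondary region. Get-Credential prompts for the
# administrator login and a complex password instead of embedding them in the script.
New-AzResourceGroup -Name $secondaryRg -Location $secondaryRegion -Force | Out-Null
$admin = Get-Credential -Message 'Administrator login for the secondary SQL server'
New-AzSqlServer -ResourceGroupName $secondaryRg -ServerName $secondaryServer `
    -Location $secondaryRegion -SqlAdministratorCredentials $admin | Out-Null

# Step 8: the "allow Azure services to access this server" option is the firewall
# rule for 0.0.0.0; it is simply not created here. If the application subnet must
# reach the secondary, add a VNet rule instead (subnet ID is a placeholder):
# New-AzSqlServerVirtualNetworkRule -ResourceGroupName $secondaryRg -ServerName $secondaryServer `
#     -VirtualNetworkRuleName 'app-subnet' -VirtualNetworkSubnetId '<subnet resource id>'

# Steps 4 and 10-11: create the readable secondary; it inherits the primary's
# pricing tier unless -SecondaryServiceObjectiveName is given.
New-AzSqlDatabaseSecondary -ResourceGroupName $primaryRg -ServerName $primaryServer `
    -DatabaseName $database -PartnerResourceGroupName $secondaryRg `
    -PartnerServerName $secondaryServer -AllowConnections All | Out-Null

# Check the replication link: Role should be Primary and ReplicationState
# CATCH_UP once the initial seeding has finished.
Get-AzSqlDatabaseReplicationLink -ResourceGroupName $primaryRg -ServerName $primaryServer `
    -DatabaseName $database -PartnerResourceGroupName $secondaryRg |
    Select-Object PartnerServerName, PartnerLocation, Role, ReplicationState
```

The administrator credential is deliberately distinct from the primary's and the secondary server starts with an empty firewall, which is what clearing the "allow Azure services" option in step 8 achieves in the portal; a planned failover later uses Set-AzSqlDatabaseSecondary -Failover on the secondary.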


Service replication
This is done using the Site Recovery service. Site Recovery ensures service continuity by
keeping business applications and workloads up and running during outages. It replicates
workloads executing on physical and virtual machines from a primary site to a secondary
location.
When an outage occurs at the primary site, a failover to the secondary location is
performed and applications are accessed from there. When the primary location becomes
available again, the failback can be performed.
The first thing to do is to create a Recovery Services vault.
1. From the Azure portal, search for Recovery Services vaults.

2. Click on [add].

3. Then, complete the fields requested for the creation of the vault.

Project details


 Subscription: Select your subscription.


 Resource group: Create a new resource group.
 Details of the instance
 Warehouse Name: Create a name for the new warehouse.
 Region: Select North Europe.
Tags
4. Identify this service with a label.

5. Click on Review and create.

Note: Once the vault has been created, configure the continuity plan for the applications.
6. Click on [go to the resource].

In this general panel, disaster recovery plans should be created.


7. Click on [Site recovery].

8. Click on [replicate application].

Origin: You can select on-premises or Azure. In this case it is Azure.
Source Location: Choose the source location of the virtual machine.
Machine deployment model: In this case we chose Resource Manager.
More information on deployment models can be found at the following link:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-deployment-model
Source Subscription: Choose the subscription where your virtual machine is located.


Source Resource Group: Choose the resource group where the virtual machine is
located.
9. Click on [Accept].
10. Select the virtual machine and click on [Accept].

11. The replication policy can be customized.


12. Click [create destination resource].

13. Click on [enable replication].


Note: Enabling replication is a process that usually takes some time to complete.
14. The replication status can be viewed from the panel by clicking on [site recovery].


Recovery plans

1. From the Site Recovery panel click on Manage Recovery Plans.

2. Click on [recovery plans].

3. In this step choose the source and destination regions for which the recovery plan is
created.

 Name: Choose a name for the recovery plan.
 Source: Select the source of the virtual machine.
 Destination: Select the destination where the replication is located.
 Allow items with deployment model: Select Resource Manager.
 Select elements: Select the virtual machine to be replicated geographically.

4. Click on [Accept].

3.1.5 Periodic testing

Test failover
From Azure you can perform periodic tests of the replicated services in different regions.
Test failover is executed to validate the replication and disaster recovery strategy
without any data loss or downtime. Test failover does not impact ongoing replication,
or the production environment.

1. From the Azure portal click on [virtual machines].


2. Click on the virtual machine.

3. Click on [disaster recovery].


4. Click on [test failover].

5. Now select the failover options:
 Recovery point
 Azure virtual network.

6. Click on [Accept].
The failover process takes a few minutes.

Note: At the end, the result of the test failover between regions is displayed.

Test failover via PowerShell

You can perform the same checks using the PowerShell console.
To do this, perform the following steps:
1. From the PowerShell console, run the following commands. $PrimaryProtContainer must
already hold the primary protection container (obtained with Get-ASRProtectionContainer
after selecting the vault with Set-ASRVaultContext), and $TFONetwork must hold the resource
ID of the Azure virtual network used for the test.
 $ReplicationProtectedItem = Get-ASRReplicationProtectedItem -FriendlyName "AzureDemoVM" -ProtectionContainer $PrimaryProtContainer
 $TFOJob = Start-ASRTestFailoverJob -ReplicationProtectedItem $ReplicationProtectedItem -AzureVMNetworkId $TFONetwork -Direction PrimaryToRecovery

2. Wait for the end of the test failover.
 Get-ASRJob -Job $TFOJob

3. After the test is completed on the failed-over virtual machine, clean up the test copy
with a test failover cleanup. This operation removes the test copy of the virtual machine
that was created by the test failover.
 $Job_TFOCleanup = Start-ASRTestFailoverCleanupJob -ReplicationProtectedItem $ReplicationProtectedItem
 Get-ASRJob -Job $Job_TFOCleanup | Select State

3.1.6 System monitoring

3.1.6.1 Intrusion detection

For intrusion detection it is recommended to use Azure AD Identity Protection. This
service allows you to create risk-based sign-in policies for Azure Active Directory users.
Follow these instructions.
1. Search for Identity Protection in the Azure portal.

Three policies should be configured on this panel.
 User risk policy.
 Login (sign-in) risk policy.
 MFA registration policy.

User risk policy.


1. Click on [Users].


2. Select all users.

3. Click on [Done] when finished.


4. Click on [Conditions].

5. Click on [select a risk level].

6. Select [Add].


7. Click on [Select to finish].


Note: More information on user risk levels can be found at the link:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview#what-is-a-user-risk-level
8. Click on [Controls].

9. Click on [Allow access] and [Require change of password].

10. To finish, click on [Select].


11. Click on [Activate policies].


Login Risk Policy


1. Click on [Login Risk Policy].

2. Click on [Users].

3. Click on [all users].


4. To finish, click on [Done].


5. Click on [conditions].

6. Click on [Select a risk level] and select [High].

7. To finish, click on [Select/Done].


8. Click on [Access].


9. Click on [Allow Access/Check with MFA].

10. Finally, click on [Select].


11. Click on [Apply Policy/Activate].

MFA Registration Policy

1. Click on [MFA Registration Policy].

2. Click on [Users].

3. Click on [all users].

4. To finish, click on [Done].

5. Click on [access].

6. Click on [Require Azure MFA registration].

7. Finally, click on [select].

8. Click on [Apply Policy/Activate].


From the panel you can view real-time risk reports on sign-ins and risk detections.

At the bottom of the panel you can configure alerts that are sent by email, or a weekly
summary with the detections found.
In addition, the authentication mechanisms can be found in section [3.1.1.4 Conditional
Access Policies] of this Guide.

To find out more: https://docs.microsoft.com/es-es/azure/active-directory/identity-protection/overview


3.1.6.2 Metric system

Metrics in Azure are defined and configured in Azure Monitor.
These metrics can be platform metrics, custom metrics, popular Azure Monitor logs
converted to metrics, and Application Insights metrics.
Metric alerts are evaluated at regular intervals to check whether the conditions of one
or more time series of the metrics are true, and they notify you when the conditions are
met. Since metric alerts are stateful, they only send notifications when that state
changes.

Network Watcher
Network Watcher is a set of tools to monitor, diagnose and view metrics and logs of a virtual
network in Azure.
When a virtual network (VNET) is created in a subscription, Network Watcher is automatically
enabled in the VNET's region. This does not affect resources or incur charges.

Supervision
 Monitoring communication between machines
Network Watcher monitors communication at regular intervals, reporting
changes in availability, latency and topology between a virtual machine and
another endpoint, such as another virtual machine.
 Viewing resources in a virtual network
Network Watcher generates a diagram of the resources contained in a virtual
network and the relationships between them.
To generate the diagram, the following steps are carried out:
1. Search Network Watcher

2. Click on [topology].


3. Select Subscription, resource group and the virtual network from which you
will generate the diagram.

Diagnosis
Network Watcher allows you to detect problems in the following scenarios:
 In network traffic towards a virtual machine or a gateway
 In network routing from a virtual machine
 On outgoing connections from a virtual machine
 Determining latencies between different Azure regions and Internet providers
In addition, it allows you to capture packets to and from a virtual machine.

Metrics
The metrics option allows you to check the Azure limits for all resources. To see it,
follow these steps:
1. Search for Network watcher.

2. Click on [Use and quotas].

3. Select the subscription, the resources to be analyzed for quotas and the resource
regions, and display all items. The example shows the quotas of all the network
elements for the North Europe region.

Logs
Network Watcher allows you to analyze the traffic that has passed through an NSG. To do this,
perform the following configuration:
1. Search Network Watcher

2. Click on [Traffic Analysis].


3. Click on [configure].

4. Enable the NSGs whose traffic is to be analyzed. To do this, click on each NSG and
enable the option.
You must have a storage account created exclusively for saving the logs.

Depending on the amount of information required, it is possible to use either version 1
or version 2 of the flow logs. Version 1 records all incoming and outgoing IP traffic.
Version 2 additionally records the bytes and packets transmitted. A Log Analytics
workspace is also requested; its creation is explained in the section on Log Analytics.

In addition, it is necessary to define the processing interval of the traffic analysis. It
can be set to every 10 minutes or every hour. By default it is set to every hour, which is
adequate unless a very detailed analysis is required.
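The flow log and Traffic Analytics settings described above, configured from PowerShell as an added example that is not part of the guide. The resource group, NSG, storage account and workspace names are assumptions; the cmdlets come from the Az.Network, Az.Storage and Az.OperationalInsights modules.

```powershell
# Added example (not from the CCN-STIC guide): enable NSG flow logs version 2 with
# Traffic Analytics at a 10-minute interval. Assumed names: resource group 'CCNVPN',
# NSG 'nsg-frontend', storage account 'ccnflowlogs', Log Analytics workspace 'ccn-logs'.
$rg       = 'CCNVPN'
$location = 'northeurope'

# The NSG whose traffic will be recorded and the Network Watcher instance of its region
$nsg     = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-frontend'
$watcher = Get-AzNetworkWatcher -Location $location

# Storage account dedicated to the logs, created if it does not exist yet; HTTPS only
$storage = Get-AzStorageAccount -ResourceGroupName $rg -Name 'ccnflowlogs' -ErrorAction SilentlyContinue
if (-not $storage) {
    $storage = New-AzStorageAccount -ResourceGroupName $rg -Name 'ccnflowlogs' `
        -Location $location -SkuName Standard_LRS -Kind StorageV2 -EnableHttpsTrafficOnly $true
}

# Log Analytics workspace that Traffic Analytics writes to (see the Log Analytics section)
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'ccn-logs'

# Version 2 adds bytes and packets per flow; retention keeps the raw logs for 90 days.
# -TrafficAnalyticsInterval accepts 10 or 60 minutes; 10 gives the more detailed analysis.
Set-AzNetworkWatcherConfigFlowLog -NetworkWatcher $watcher `
    -TargetResourceId $nsg.Id `
    -StorageAccountId $storage.Id `
    -EnableFlowLog $true `
    -FormatType Json -FormatVersion 2 `
    -EnableRetention $true -RetentionInDays 90 `
    -EnableTrafficAnalytics `
    -TrafficAnalyticsWorkspaceId $workspace.ResourceId `
    -TrafficAnalyticsWorkspaceRegion $workspace.Location `
    -TrafficAnalyticsWorkspaceGuid $workspace.CustomerId `
    -TrafficAnalyticsInterval 10

# Read back the resulting configuration to confirm that logging is enabled
Get-AzNetworkWatcherFlowLogStatus -NetworkWatcher $watcher -TargetResourceId $nsg.Id
```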

Packet capture
If it is necessary to capture all the network traffic passing through a
specific machine, the Network Watcher packet capture tool can be used.
For the configuration, the following steps are performed:
1. Search Network Watcher

2. Click on [Capture Packets/Add].


3. Fill in the following fields:
 Subscription in which the machine is located.
 Resource group in which the machine is located.
 Target virtual machine whose traffic you want to analyze.
 Name of the packet capture.
 Capture settings: Where the file is saved; the storage account for logs is used.
 Maximum number of bytes per packet, maximum bytes per session and time limit are left
at their defaults.
 Filtering: It is also possible to filter by the source of the packets and by the port through
which the traffic arrives. This part is optional.

Service Health
Provides the status of Azure services, offering personalized guidance and support when
problems arise.


It is made up of three smaller independent services:
 Azure status: Reports on service outages in Azure. It is a global view of the state of
all Azure services and regions.
Note: To view Azure status use this link: https://status.azure.com/es-es/status
 Service Health: Provides a personalized view of the status of the Azure services and
regions being used.
 Resource Health: Reports on the status of individual cloud resources, such as a
virtual machine instance, a firewall, etc.
Both Service Health and Resource Health can be consulted as follows:
1. Search Service Health

2. For Service Health click on [Service Problems], select subscription, region and the
service you want to check. In the example, SQL is checked.


3. For resource Health click on [Resource Status]. Select subscription and resource
type.

Azure Monitor
Azure Monitor is the solution that allows you to collect, analyze and manage telemetry
data both in the cloud and in on-premises environments. It allows you to proactively identify
the issues that affect applications and the resources on which they depend.
All data collected by Azure Monitor falls into one of two fundamental
types: metrics and logs. Metrics are numerical values that describe some aspect of a
system at a given time.
Azure Monitor collects data from each of the following levels:
 Application monitoring data: data on the performance and functionality of the code
you have written, regardless of the platform.
 Guest operating system monitoring data: data on the operating system on which the
application is running. The application can run in Azure, in another cloud or
on-premises.
 Azure resource monitoring data: data on the operation of an Azure resource.
 Azure subscription monitoring data: data on the operation and administration of
an Azure subscription, as well as on the status and operation of Azure itself.
 Azure tenant monitoring data: data on the performance of tenant-level Azure
services, such as Azure Active Directory.


The log data collected by Azure Monitor can be analyzed with queries that quickly
retrieve, consolidate and analyze the collected data. You can create and test queries
using Log Analytics.
Azure monitor can be accessed by following these guidelines:
1. From the Azure portal in the search engine type Azure monitor.

Note: You can consult the documentation at the link https://docs.microsoft.com/es-es/azure/azure-monitor/overview

Azure Metrics Explorer

Azure Monitor's Metrics Explorer is a component of the Microsoft Azure portal that allows
you to plot graphs, visually correlate trends, and investigate spikes and dips in metric values.
Use Metrics Explorer to investigate the status and utilization of resources.
To do this, perform the following steps:
1. Select a resource and a metric to display a basic graph. The time interval can be
modified. The example uses the metrics of a virtual machine.

2. You can change the time interval by clicking on:


3. Select the appropriate time range and click on [apply].

Alerts
Alerts allow you to identify and fix problems before users notice them.
The key attributes of the alert rules are:
 Target resource: Defines the scope and the available signals for the alert. A
target can be any Azure resource, such as a virtual machine or a Log Analytics
workspace.
 Signal: Emitted by the target resource. Signals can be of the following
types:
o Metrics: For more information see [3.1.6.2 Metric system/Azure
Monitor/Metrics Explorer].
o Activity Log: These alerts fire when an event in the activity
log meets the conditions specified in the alert.
Activity log alerts are usually created when
 Specific operations take place on Azure resources.
 A service maintenance event occurs.
When an activity log alert fires, an action group is used to
generate actions or notifications. An action group is a reusable set of
notification recipients.
o Log: Log alerts consist of rules created for Azure Monitor or Application
Insights logs that automatically execute specified log queries at regular
intervals. If the query results match certain criteria, a log alert fires.
As an example, an alert is created that sends a notification by email when there is an
event in Service Health. To create the alert, perform the following steps:
1. Search Service Health, click on [Status Alerts/Create Service Health Alert].

2. Select subscription, services, regions and type of event. Select only those regions
where there is a resource created.
Type of event can be:
 Service problem
 Planned maintenance
 Status messages
Once selected, in actions click on create action group.


3. Name the action group, give it a short name (it is included in the email when the alert
fires), and select the subscription and resource group where the action group is saved.
Once done, configure the action: write its name, select the type and click on
edit details.

4. Select email and add the desired email address; only one per action is allowed. To
send it to more recipients, add more actions.


5. Once the actions have been defined, complete the Alert details section: name the
alert, add a description (optional) and select the resource group.

Azure Security Center

Azure Security Center is a unified infrastructure security management system that
strengthens the security posture of data centers and provides advanced threat
protection for all workloads in the cloud.
This service is already integrated in the tenant and allows you to follow the security
recommendations for all your services.

Architecture
Since Security Center is a native part of Azure, Azure PaaS services (such as Service
Fabric, SQL databases and storage accounts) are monitored and protected by Security
Center without any deployment.


Ongoing evaluations
Security Center continuously detects new resources deployed to workloads and
evaluates whether they are configured according to recommended security practices. If not,
they are flagged and the user receives a prioritized list of recommendations on what to
correct in order to protect their services.

Initial Setup
1. First, Azure Security Center is configured. To do so, from the Azure portal search for
Security Center.

2. Then, click on [prices and settings].

3. Click on your subscription.

4. Click on [threat detection] and check both boxes.


Note: More information on threat detection can be found at: https://docs.microsoft.com/es-es/azure/security-center/security-center-alerts-service-layer#azure-management-layer-azure-resource-manager-preview
5. Click on [data collection].

Activate automatic provisioning and define the workspace.

Remember that Azure Security Center creates a new workspace by default. You can also use an
existing one for event collection.
6. Finally, click on [Mail Notifications].

Note: You can set up an email address to which all the notifications will be sent, and a phone
number to which messages will be sent.

Search for recommendations


1. Search for Security Center.


2. Click on [recommendations].

Note: This panel shows all the recommendations found for your services.

3. Click on one of the recommendations.

4. Select the set of machines and click on [correct].

5. Select a workspace where the actions performed are recorded.

6. Click on [correct].


Note: This process can be performed for all your services.

Virtual machines
1. Click on [Process and applications].

Note: In this panel you can follow the recommendations for each virtual machine.

Data and Storage
2. Click on [data and storage].


3. From this panel you can review the recommendations of the databases and
storage accounts.

Azure Sentinel
Azure Sentinel is a scalable, cloud-native security information and event management (SIEM)
and security orchestration, automation and response (SOAR) solution in Azure. This service
provides security analytics and threat intelligence, allowing you to detect alerts and threats
and to respond to them.
Azure Sentinel natively incorporates Log Analytics and Logic Apps.


 Collect data in the cloud: from applications, devices, users and the entire infrastructure,
both on-premises and in different clouds.
 Detect threats and reduce false positives through Microsoft's threat analytics and
intelligence.
 Investigate threats with artificial intelligence, hunting for suspicious activities while taking
advantage of Microsoft's cybersecurity work.
 Respond with integrated orchestration and automation of common tasks.

Connection with data sources

To do this, the security data sources must first be connected. Connectors for Microsoft
solutions, such as Azure AD, are available out of the box and provide real-time information.
In addition, there are connectors for non-Microsoft solutions.
To view the connectors, follow the steps below:
1. Search for Azure Sentinel
2. Click on [data connectors].


Workbooks
Once the data sources are connected, the data can be monitored through the
integration with Azure Monitor workbooks, which provide versatility when creating custom
workbooks.
Azure Sentinel allows you to create custom workbooks over the data, and also includes
built-in workbook templates that allow you to quickly get insights from the data.
To view the workbooks (shown as "Books" in the portal), the following steps are taken:
1. Search for Azure Sentinel
2. Click on [Books].

Analysis
Azure Sentinel correlates alerts into incidents. Incidents are
groups of related alerts that together form a potential threat that can be
investigated and resolved.
In addition, machine learning rules are provided to map network behavior and search
for resource anomalies.
To view the analysis rules, follow these steps:
1. Search for Azure Sentinel
2. Click on [Analysis].


Automation and orchestration

With Azure Sentinel, tasks can be automated to simplify security orchestration with
playbooks integrated with Azure services. It is built on Azure Logic Apps, which
provides an extensible architecture that allows scalable automation as new technologies
and threats emerge.
To create a playbook, you can choose it from a growing gallery of built-in
playbooks, which include more than 200 connectors for Azure services.

Investigation
Azure Sentinel's in-depth investigation tools, currently in preview, help to
understand the scope of a potential security threat. You can choose an entity in the
interactive graph to explore the entity and its connections in depth and reach the root
cause of the threat.
To consult this section, follow these steps:
1. Search for Azure Sentinel
2. Click on [Incidents] and select the incident to view the analysis.

Community
The Azure Sentinel community is a very effective resource for threat detection and
automation. New workbooks, playbooks and hunting queries are added to a GitHub
repository (https://github.com/Azure/Azure-Sentinel).


For more information about Azure Sentinel, please visit:
https://docs.microsoft.com/es-es/azure/sentinel/

3.2 PROTECTIVE MEASURES

3.2.1 Protection of communications

3.2.1.1 Network Segregation


A VNET is a private network in Azure which, in addition, provides the advantages of the
Azure infrastructure, such as scalability, availability and isolation.

Creation of VNET and subnetworks from the Azure portal

1. In the menu press [Virtual Networks/Add].

2. Then fill in the following fields:
 Name: Name of the VNET.
 Address space: VNET address range.
 Subscription: Subscription in which the VNET is created.
 Resource Group: Resource group where the VNET is created; if there is no
existing one, it can be created from the same window.
 Location: As for the resource group, geographic region of Azure.
 Subnet:
 Name: Name of the subnet.
 Address range: Address range, which has to be within the VNET address
space.
 DDoS protection: Select the desired plan; DDoS is explained in section
[3.2.6 Service protection] of this guide.
 Service endpoints: Connection with Azure services, disabled by
default; for more information see https://docs.microsoft.com/es-es/azure/virtual-network/virtual-network-service-endpoints-overview
 Firewall: Disabled by default. Azure Firewall is a cloud-based managed
network security service that protects Azure Virtual Network
resources. It is a stateful firewall as a service with built-in high
availability and unrestricted cloud scalability.

Note: For more information see https://docs.microsoft.com/es-es/azure/firewall/

Creation of Networks and Subnetworks by PowerShell

1. Establish the variables that define the subnetworks.
 $subnet1 = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.1.255.0/27
 $subnet2 = New-AzVirtualNetworkSubnetConfig -Name 'Frontend' -AddressPrefix 10.1.0.0/24

2. Create the VNET with the subnets that were defined in the previous step.
 New-AzVirtualNetwork -Name VNet1 -ResourceGroupName CCNVPN `
   -Location 'North Europe' -AddressPrefix 10.1.0.0/16 -Subnet $subnet1, $subnet2

3. If you already have a virtual network, follow these steps to add a gateway
subnet:
 1. Select the VNET to which the subnet will be added.
 $vnet = Get-AzVirtualNetwork -ResourceGroupName CCNVPN -Name VNet1
 2. Create the gateway subnet.
 Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.1.255.0/27 -VirtualNetwork $vnet
 3. Apply the configuration to the virtual network.
 Set-AzVirtualNetwork -VirtualNetwork $vnet

Local and Virtual Network Gateway

The local network gateway (LNG) usually refers to the on-premises site. It is not the same
as a virtual network gateway. Assign a name to the site that Azure can reference, and then
specify the IP address of the on-premises VPN device with which the connection is created. Also
specify the IP address prefixes that are routed through the VPN gateway to the VPN
device. The VPN connection is created in [3.2.3.1 VPN] of this guide.
Use the following values:
 GatewayIPAddress is the public IP address of the local VPN device.
 AddressPrefix is the local address space.

Creating local network gateways from the portal

1. Click on [Local Network Gateways/Add].

2. Then fill in the following fields:
 Name: Name of the gateway.
 IP address: Public IP of the local VPN device.
 Address space: Local address space.
 Subscription: Subscription where it is created.
 Resource group: Resource group where it is created.
 Location: Geographical region of Azure.
3. Create a virtual network gateway. It is used to connect an Azure virtual network
with an on-premises network through a VPN or ExpressRoute connection.
1. Search for virtual network gateway.

2. Click on [add] and fill in the fields:

3. Add a connection to the virtual network gateway, which is then used for the
VPN.

To do this, enter the gateway created previously and click on [Connections/Add].


The following data are requested:
 Name of the connection.
 Connection type.
 Virtual network gateway explained previously.
 Local network gateway explained previously.
 Shared key used to connect to our local device.
Note: The shared keys must have a sufficient level of entropy to provide the required
level of strength in accordance with the provisions of CCN-STIC-807 Cryptology of
Employment in the ENS.
 Resource group in which it is created.
 Geographical location of Azure.

Creating a local network gateway from PowerShell

1. To add a local network gateway with a single address prefix run the following
(replace 'IpVPNLocal' with the public IP address of the local VPN device):
 New-AzLocalNetworkGateway -Name Site1 -ResourceGroupName CCNVPN `
   -Location 'East US' -GatewayIpAddress 'IpVPNLocal' -AddressPrefix '10.101.0.0/24'

2. To add a local network gateway with multiple address prefixes run:
 New-AzLocalNetworkGateway -Name Site1 -ResourceGroupName CCNVPN `
   -Location 'North Europe' -GatewayIpAddress 'IpVPNLocal' -AddressPrefix @('10.101.0.0/24','10.101.1.0/24')

3. Create the IP addressing configuration of the gateway. The public IP $gwpip must
already exist; it is created in the section "Creating a public IP from PowerShell" below.
 $vnet = Get-AzVirtualNetwork -Name VNet1 -ResourceGroupName CCNVPN
 $subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
 $gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name gwipconfig1 -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

4. Create the VPN gateway.
 New-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName ccnvpn `
   -Location 'North Europe' -IpConfigurations $gwipconfig -GatewayType Vpn `
   -VpnType RouteBased -GatewaySku VpnGw1

Public IP
A VPN gateway must have a public IP address. The IP address resource is first requested
and then referred to when creating the virtual network gateway. The IP address is
dynamically assigned to the resource when the VPN gateway is created.

Creating a public IP from the portal


1. Click on [Public IP Addresses/Add].

2. Then fill in the following fields:
 IP version: IPv4 is used.
 SKU: Basic is used.
 Name: Name of the resource.
 IP address allocation: Dynamic is used; it is the only one
compatible with the VPN gateway.
 Idle timeout: The value of 4 minutes is used.
 DNS name label: Use the DNS name of your domain; if it is left blank, a
default Azure name is used.
 Subscription: Subscription where the public IP is created.
 Resource Group: Resource group where the public IP is created.
 Location: Geographical region of Azure.


Creating a public IP from PowerShell

 $gwpip = New-AzPublicIpAddress -Name VNet1GWPIP -ResourceGroupName CCNVPN -Location 'North Europe' -AllocationMethod Dynamic

3.2.1.2 Secure perimeter

Securing Subnets

Introduction to NSGs
This is done through NSGs. Network Security Groups (NSGs) are a layer 4 firewall:
source and destination ports can be filtered by protocol (TCP/UDP/ICMP),
but not by content. They can be applied at two levels:
 NIC: The rules only affect the machine on which the NSG is applied. They can also
be applied to machines with several NICs (multi-homed).
 Subnet: The rules affect all the machines on the subnet.
Every NSG has six default rules, 3 inbound and 3 outbound. These
rules cannot be modified or deleted. They have very high priority numbers so that they are
always the last to be evaluated.

The inbound rule with priority 65000 allows machines on the same VNet to
communicate with each other. The inbound rule with priority 65001 allows access to
the machine from an Azure Load Balancer.
Finally, there is an inbound rule with priority 65500 that blocks any other traffic that has
not been explicitly allowed by a rule with a lower priority number.
As for the outbound rules, traffic is allowed from the virtual machine to any other
machine in the same VNet and from the virtual machine to the Internet.
To see the activity log, see the monitoring section.

How an NSG works


To explain how an NSG works, two inbound rules are added to the previous example: one
allowing traffic to port 80 and another allowing traffic to port 3389.


When a packet arrives at the NSG, the rules are evaluated in increasing order of priority
value. The first rule whose conditions are met determines the action, and the remaining
rules are not evaluated for that packet.
The behaviour for any packet passing through the NSG would be as follows:
1. If the packet arrives on port 80 with source IP 10.10.0.22 and destination IP
10.10.0.50, it is allowed in. Otherwise, the next rule applies.
2. If the packet is addressed to port 3389, it is allowed in. Otherwise, the next rule
applies.
3. If the packet comes from an Azure Load Balancer, it is allowed in. Otherwise, the next
rule applies.
4. If the packet does not meet the conditions of any of the rules above, the last rule
matches and access is denied.
As soon as a packet matches a rule, processing stops and that rule's action is applied.

NSG Rules
An NSG may have no rules or as many as necessary, as long as they are within the limits of
Azure. Each rule has the following properties:
- Name: Unique within the same NSG. 80 character limit. You cannot use the characters
dash, underscore, period or comma.
- Priority: A value between 100 and 4096. Rules are processed in order of priority, from
the lowest to the highest priority number.
- Source and destination: Any (*), an individual IP, an IP range or a service tag.
- Protocol: TCP, UDP, ICMP or any other.
- Direction: Whether the rule applies to inbound or outbound traffic.
- Port range: An individual port (80) or a port range (10000-10005).
- Action: Allow or Deny.

Note: For more information: https://docs.microsoft.com/es-es/azure/virtual-network/security-overview

Effective NSG rules

As mentioned in the introductory section, an NSG can be applied both to a NIC and to a
subnet, so one machine can be affected by two NSGs at the same time.
To see the effective rules that affect a server, use the "Current security rules" option
within the NSG that you want to check.

Under virtual machines you can see the machines to which this NSG has been applied; choose
the one you want to check. To display the rules, the machine must be switched on.
You can also see the effective rules from the virtual machine itself: the Networking
option shows the server's effective rules and which NSG is applying each of them.
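As an added illustration (not code from the guide), the following Python simulator reproduces the evaluation order described under "How an NSG works" and the subnet/NIC combination described under "Effective NSG rules"; the service-tag prefixes, addresses and NSG names are constructed assumptions, not real Azure data.

```python
"""NSG evaluation simulator: an added example, not code from the CCN-STIC guide.
Models the rule order described above (ascending priority, first match wins, the
fixed default rules 65000/65001/65500) and the subnet+NIC composition Azure applies."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

# Constructed service-tag table (assumed sample prefixes, not Azure's real tag data).
SERVICE_TAGS = {
    "VirtualNetwork": ["10.10.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
}

@dataclass
class Rule:
    name: str
    priority: int           # custom rules 100-4096; default rules 65000-65500
    direction: str          # "Inbound" or "Outbound"
    access: str             # "Allow" or "Deny"
    protocol: str = "*"     # "TCP", "UDP", "ICMP" or "*"
    source: str = "*"       # "*", a host IP, a CIDR or a service tag
    destination: str = "*"
    dest_ports: str = "*"   # "*", a single port ("80") or a range ("10000-10005")

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    protocol: str = "TCP"
    direction: str = "Inbound"

# The six default rules every NSG carries; they cannot be modified or deleted.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]

def _addr_matches(spec: str, ip: str) -> bool:
    # spec is "*", a service tag from SERVICE_TAGS, a host address or a CIDR prefix.
    if spec == "*":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in SERVICE_TAGS.get(spec, [spec]))

def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

@dataclass
class NSG:
    name: str
    rules: list[Rule] = field(default_factory=list)

    def add_rule(self, rule: Rule) -> None:
        # Constraints from the "NSG Rules" section: priority 100-4096, unique name.
        if not 100 <= rule.priority <= 4096:
            raise ValueError(f"priority {rule.priority} is outside 100-4096")
        if any(r.name == rule.name for r in self.rules):
            raise ValueError(f"duplicate rule name {rule.name!r}")
        self.rules.append(rule)

    def evaluate(self, pkt: Packet) -> tuple[str, str]:
        """Return (action, name of the first matching rule); later rules are not consulted."""
        candidates = [r for r in self.rules + DEFAULT_RULES if r.direction == pkt.direction]
        for r in sorted(candidates, key=lambda r: r.priority):
            if (r.protocol in ("*", pkt.protocol) and _addr_matches(r.source, pkt.src)
                    and _addr_matches(r.destination, pkt.dst)
                    and _port_matches(r.dest_ports, pkt.dport)):
                return r.access, r.name
        raise AssertionError("unreachable: the 65500 default rule always matches")

def effective_decision(pkt: Packet, subnet_nsg: NSG | None, nic_nsg: NSG | None) -> str:
    """Subnet NSG then NIC NSG for inbound (reverse for outbound); both must allow."""
    order = [subnet_nsg, nic_nsg] if pkt.direction == "Inbound" else [nic_nsg, subnet_nsg]
    for nsg in order:
        if nsg is not None and nsg.evaluate(pkt)[0] == "Deny":
            return "Deny"
    return "Allow"

def build_example_nsgs() -> tuple[NSG, NSG]:
    """Subnet NSG with the walkthrough's two inbound rules, plus a NIC NSG that keeps
    RDP open but closes it from a constructed external prefix (defence in depth)."""
    subnet = NSG("CCN-NSG-Backend")
    subnet.add_rule(Rule("AllowHTTP", 100, "Inbound", "Allow", "TCP", "10.10.0.22", "10.10.0.50", "80"))
    subnet.add_rule(Rule("AllowRDP", 110, "Inbound", "Allow", "TCP", dest_ports="3389"))
    nic = NSG("CCN-NSG-NIC-web01")
    nic.add_rule(Rule("DenyRDPFromExternal", 100, "Inbound", "Deny", "TCP", "203.0.113.0/24", "*", "3389"))
    nic.add_rule(Rule("AllowRDP", 200, "Inbound", "Allow", "TCP", dest_ports="3389"))
    return subnet, nic
```

Note that intra-VNet traffic not matched by a custom rule is still admitted by the 65000 default rule, so blocking it requires an explicit Deny with a priority below 65000.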

NSG limits
The default limits that exist per subscription are:

    Resource                                                        Default limit
    Virtual Networks (VNet)                                         1000
    Subnets per VNet                                                3000
    Peerings per VNet                                               100
    DNS per VNet                                                    20
    Private IPs per VNet                                            65536
    Private IPs per Network Interface (NIC)                         256
    Private IPs per virtual machine                                 256
    TCP or UDP flows per NIC                                        500K
    Network Interfaces                                              65536
    Network Security Groups (NSG)                                   5000
    Rules per NSG                                                   1000
    Source/destination IPs and IP ranges                            4000
    Application security groups                                     3000
    Application security groups per NIC                             20
    Application security groups that can be applied within an NSG   100
    Route tables                                                    200
    Routes per route table                                          400
    Point-to-Site VPN certificates                                  20
    Virtual network TAPs                                            100

Note: For more information see: https://docs.microsoft.com/es-es/azure/azure-subscription-service-limits?toc=%2fazure%2fvirtual-network%2ftoc.json#networking-limits

Deployment of an NSG
An NSG can be deployed either from the Azure portal or from PowerShell.
To deploy an NSG from the portal:
1. Access the Azure portal and search for "network security groups".

2. Click on [Add].

3. Complete the following parameters:
- Name: Name assigned to the NSG.
- Subscription: Subscription where the resource is created.
- Resource group: Resource group where the resource is created.
- Location: Geographical region of Azure.

To deploy an NSG from PowerShell:

1. Connect to the tenant:
    Connect-AzAccount
2. Declare the variables that define the name of the NSG and the resource group where it is
created:
    $Name = "CCN-NSG-Backend"
    $RG = Get-AzResourceGroup -Name "CCN-RG-NSGs"

3. Create the NSG. It is created with the default rules:
    New-AzNetworkSecurityGroup -Name $Name -ResourceGroupName $RG.ResourceGroupName `
        -Location "northeurope"

Adding rules to an NSG

To add new rules to an NSG from the portal:
1. Search for the name of the NSG to which the rule is added.

2. In the menu, click on [Inbound security rules] or [Outbound security rules], depending
on the type of rule; in the example an inbound rule is created. Click on [Add].

3. Complete the form, filling in the following fields:
- Source, source port range, destination, destination port range, protocol, action,
priority, name and description. These fields are explained under NSG Rules.

To add a new rule from PowerShell, follow these steps:

1. Connect to the tenant:
    Connect-AzAccount

2. Declare the variables that identify the NSG to be modified and the name and port
parameters of the rule:
    $rgname = "CCN-RG-NSGs"
    $port = 80
    $rulename = "AllowHTTP"
    $nsgname = "CCN-NSG-Backend"

3. Get the resource to be modified and add the rule:
    # Get the NSG
    $nsg = Get-AzNetworkSecurityGroup -Name $nsgname -ResourceGroupName $rgname
    # Add the rule. A source of "*" admits any source address; narrow it to the expected
    # prefix or service tag wherever the application allows.
    $nsg | Add-AzNetworkSecurityRuleConfig -Name $rulename -Description "Allow app port" -Access Allow `
        -Protocol * -Direction Inbound -Priority 1000 -SourceAddressPrefix "*" -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange $port
    # The NSG is updated so that the changes are applied.
    $nsg | Set-AzNetworkSecurityGroup

Update NSG rules

To update the rules of an NSG from the portal:
1. Search for the name of the NSG to be modified.

2. Click on the rule to be modified.

3. Change the parameters as required.

In the example, the Source field is modified to add a new source. Click on [Save].

Azure Firewall
Previously, the guide showed the default option used to control traffic between different
networks.
There is another tool in Azure called Azure Firewall. Unlike an NSG, Azure Firewall is a
firewall delivered as a service that provides network- and application-level protection
across all the subscriptions and virtual networks.
In addition, it incorporates the following features:

- High availability. This feature avoids having to set up any additional load balancer,
and nothing needs to be configured manually.
- Scalability. It can be scaled vertically as much as necessary to accommodate the required
network flows.
- Availability zones. It can span several availability zones and thus increase
availability to 99.99% uptime (when deployed in two or more availability zones). The
standard service level is 99.95%.
- Threat intelligence. Threat intelligence-based filtering can be enabled so that the
firewall alerts on and denies traffic to and from malicious domains and IP addresses. This
information comes from Microsoft's Threat Intelligence feed.
- All events are integrated with Azure Monitor, allowing logs to be archived in a storage
account.
- Integration with NSGs to provide greater security: Azure Firewall applied to the subnet
and the NSG applied to the machine.

Configuration
To deploy Azure Firewall through the portal:
1. Search for Firewalls.

2. Click on [Add].

3. Fill in the following fields:
- Subscription.
- Resource group: It must be the same one in which the VNet is located.
- Name.
- Region: Geographical region of Azure.
- Availability zone: For high availability, select the zones.
  Note: For more information on high availability see
  https://docs.microsoft.com/es-es/azure/availability-zones/az-overview
- Virtual network: It must contain a subnet called AzureFirewallSubnet, where the firewall
is located.
- Public IP address: Associate a public IP in order to apply the NAT rules explained
below.


4. Create the resource in Azure.

Azure Firewall Rules

1. Network rules: Network filtering rules that allow or deny traffic by source and
destination IP address, port and protocol.
2. Application rules: Defined through FQDN tags, which represent a service in Azure and
allow traffic from an Azure service through the firewall. For more information:
https://docs.microsoft.com/es-es/azure/firewall/fqdn-tags
3. NAT rules: All outgoing IP addresses of virtual network traffic are translated to the
public IP addresses of Azure Firewall. Traffic that originates in the virtual network and
is directed to remote Internet destinations can thus be identified and allowed.

Create/modify Azure Firewall rules

The creation or modification of any type of rule has the following steps in common:
1. Search for Firewall.

2. Click on the [Firewall/Rules] button.

Depending on the type of rule, click on NAT Rule Collection, Network Rule Collection or
Application Rule Collection.
NAT Rule
In the example below, NAT is performed for all the packets leaving the 10.80.10.0/24
network towards the outside.
The required fields are:
- Name of the rule collection.
- Priority: Between 100 and 65000.
- Rules:
  1. Name of the rule
  2. Protocol
  3. Source addresses
  4. Destination addresses: Must be the firewall's public IP address
  5. Destination ports
  6. Translated address: It is advisable to use a specific IP address of the firewall
  subnet
  7. Translated port

Network rules
In the example, rules are configured for communication between machines in the same
network. We allow access to Azure Monitor and Azure Backup services to machines in
the 10.80.10.0/24 and 10.80.20.0/24 networks. In addition, the machines in the
10.80.10.0/24 network are allowed to have an SSH connection to the machines in the
10.80.20.0/24 network and the ping is enabled between them.

Application rules
A rule is created to allow updates to machines from Windows Update.


3.2.1.3 Protection of confidentiality

VPN
This guide explains how to create a site-to-site VPN gateway connection from the local
network to the virtual network.
This type of connection requires a local VPN device that has a public IP address assigned.

Before starting the configuration, check that the following criteria are met:
1. Have a qualified compatible VPN device (included in the Virtual Private Networks family
of the CCN-STIC-105 Guide, Information and Communication Technologies Security Products
Catalogue). For the list of compatible devices, see
https://docs.microsoft.com/es-es/azure/vpn-gateway/vpn-gateway-about-vpn-devices
2. Check that you have an external public IPv4 address for the VPN device.
Site-to-site connections to a local network require a VPN device, which must be configured
in this step. To configure the VPN device, you need the following items:
- A shared key. This is the same shared key that is specified when creating the
site-to-site VPN connection (point 4, Gateway and local network).
- The public IP address of the virtual network gateway. To view it from the portal:
1. Search for the public IP by name, or search for public IPs to see all the existing
ones.


2. Click on the public IP to see the assigned IP.

To view the address via PowerShell:

    Get-AzPublicIpAddress -Name CCN-VPNCONNECTION -ResourceGroupName CCNVPN

Creating the VPN connection

Next, the site-to-site VPN connection must be created between the virtual network gateway
and the VPN device.
To create the VPN connection from the portal:
1. Search for connections.

2. Add a new connection.

1. To start, the connection type is requested; it must use VNet-to-VNet. The subscription
in which the connection is created, the resource group and the location are also
requested.


2. Next, two virtual network gateways are required, so that one can take over if the other
fails, together with the names of the two connections and the key that was created in the
local network gateway.

3. Create the resource.


To create the connection from PowerShell:

1. Set the variables:
    $gateway1 = Get-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName CCNVPN
    $local = Get-AzLocalNetworkGateway -Name Site1 -ResourceGroupName CCNVPN

2. Create the connection:
    # Use your own shared key; do not reuse the example value or store it in scripts.
    New-AzVirtualNetworkGatewayConnection -Name VNet1toSite1 -ResourceGroupName CCNVPN `
        -Location 'North Europe' -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `
        -ConnectionType IPsec -RoutingWeight 10 -SharedKey 'QTuKYdZi7lEZtfNT2K5U'

Checking the VPN connection

To check that the connection was established correctly, use the
Get-AzVirtualNetworkGatewayConnection cmdlet, with or without -Debug:
    Get-AzVirtualNetworkGatewayConnection -Name VNet1toSite1 -ResourceGroupName CCNVPN

3.2.1.4 Protection of authenticity and integrity

For authenticity and integrity protection, follow the steps in this guide, since it is
important to implement the various services offered by Microsoft in your tenant:
Azure Security Center: Unifies management and enables advanced threat protection for
workloads in the cloud. The recommendations can be found in section [3.6.1.2 Security
Center Recommendations] of this guide.
Azure Multi-Factor Authentication: An authentication method must be created whose
conditions can be configured through a policy for users. More information can be found in
section [3.1.1.4 Authentication Methods] of this guide.
Azure DDoS Protection: Protects your applications against distributed denial of service
(DDoS) attacks. More information can be found in section [3.2.3.1 Protection from Denial
of Service] of this guide.

3.2.2 Protection of information

3.2.2.1 Rating of information

Azure resource tags are closely linked to resource naming and classification standards. As
resources are added to subscriptions, it becomes increasingly important to classify them
logically for billing, management and operational purposes.
After applying the tags, all the subscription resources with that tag name and value can
be retrieved. Tags allow you to retrieve related resources that are in different resource
groups.
It is important to relate the tag to the application it belongs to. To do this, follow
these instructions:
1. From the Azure portal click on Resource Group.

2. Then click on [Tags].

Note: For example, the name can be defined as the service:
Name: Backup
Value: Production

3. To finish, click on [Save].

From General Information you can click on Backup: Production and all the resources that
have the defined tag will be shown.


In addition, you can see all the tags by typing "tags" in the Azure portal search box.

Below are some guidelines that can be followed from the PowerShell console.
To view the existing tags of a resource group, use:
    (Get-AzResourceGroup -Name examplegroup).Tags

To view the existing tags of a resource that has a specified resource identifier, use:
    (Get-AzResource -ResourceId /subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Storage/storageAccounts/<storage-name>).Tags

Or, to see the existing tags of a resource that has a specified name and resource group,
use:

    (Get-AzResource -ResourceName examplevnet -ResourceGroupName examplegroup).Tags

To get resource groups that have a specific tag, use:
    (Get-AzResourceGroup -Tag @{ Dept="Finance" }).ResourceGroupName

To get resources that have a specific tag, use:
    (Get-AzResource -Tag @{ Dept="Finance" }).Name

To add tags to a resource group without existing tags, use:
    Set-AzResourceGroup -Name examplegroup -Tag @{ Dept="IT"; Environment="Test" }

To add tags to a resource group that already has tags, retrieve the existing tags, add the
new one, and reapply all of them:
    $tags = (Get-AzResourceGroup -Name examplegroup).Tags
    $tags.Add("Status", "Approved")
    Set-AzResourceGroup -Tag $tags -Name examplegroup

To add tags to a resource without tags, use:
    $r = Get-AzResource -ResourceName examplevnet -ResourceGroupName examplegroup
    Set-AzResource -Tag @{ Dept="IT"; Environment="Test" } -ResourceId $r.ResourceId -Force

3.2.2.2 Encryption
Information with a high level of confidentiality must be encrypted, both at rest and in
transit.
What is encryption at rest?
The encryption of stored data is called encryption at rest. Azure's encryption-at-rest
procedures use symmetric encryption to quickly encrypt or decrypt large amounts of data
according to a simple conceptual model.
As described above, the purpose of encryption at rest is to encrypt the data stored on disk
with a secret encryption key. For the key to be secure, the system needs to provide
storage, access control and management of the encryption keys. To do this, it is
recommended to use the following Azure service:
- Azure Key Vault
Azure Key Vault is the recommended key storage solution and provides a consistent key
management experience for services.
Note: More information on Azure Key Vault key management can be found in section [3.1.2.3
Protecting Cryptographic Keys] of this guide.

3.2.2.3 Backup
The Azure Backup service backs up data to the Microsoft Azure cloud. Local workloads
and machines as well as Azure virtual machines can be backed up.


Setting up backups in virtual machines

1. To do this, from the Azure portal, search for [Recovery Services Warehouses].

2. Then click on [Add].

3. Create a new resource group and a name that identifies the storage.

4. On the Tags tab, fill in a name and a value.


5. To finish, click on [review and create].

Then, follow the instructions for backing up your virtual machines.

1. From the Azure portal click on [All resources] and type "backup".

2. In Backup, click on [Backup].


3. From here you can back up an entire virtual machine, an Azure resource or a virtual
server with SQL Server.

4. Once the virtual machine is selected, click on [Backup].

5. The first Azure Backup wizard asks for the copy frequency and the retention.

6. Click on the policy and select create a new one.

Choose a name for the new policy and define a frequency.

Instant restore: If the most recent snapshot is the only available instant restore point,
it is retained until the next successful backup is completed, regardless of the snapshot
retention defined in the backup policy.


Recommendations:
- The recommended retention period is 180 days.
- Set the copy points on a daily or monthly basis.
- In addition, it is recommended that you select annual copy point retention.
7. When you have finished this configuration, click on [Accept].
Then choose the virtual machine you want to back up.

8. Click on [Accept].
9. To enable the backup, click on [Enable Backup].
To check whether a machine is protected by Azure Backup, perform the following steps:
- Search for Azure Backup.
- Click on [Backup Items].

- In addition, you can view and create new policies. To do this, click on Backup
policies.

Creating instant copies on virtual disks

1. Azure allows you to make instant copies (snapshots) of disks. To do this, go to All
resources and select a disk.

2. Click on [Create snapshot].


3. Choose a name and select the Backup resource group.


Note: It is recommended that you select zone redundancy since you can choose from Azure's
managed disk types to support workloads.
4. To finish, click on [Create].
A new disk is created as a backup.

Database backups
Also, from an Azure SQL Database server, a copy of the database can be made.
1. To do this, click on [all resources] and then select the database.


2. Select [Manage backups/Select database].

3. Click on [Set retention].

Below are the retention options.

- Weekly LTR backups: All backups are saved during the set retention period.
- Monthly LTR backups: The first backup of each month is saved during the established
retention period.
- Annual LTR backups: The backup created during the specified week of the year is stored
for the set retention period.

3.2.3 Protection of services

3.2.3.1.1 Protection against denial of service

Azure provides continuous protection against denial of service attacks. This protection
is integrated into the Azure platform through Azure DDoS Protection.
DDoS Protection takes advantage of the scale and elasticity of Microsoft's global network
to provide massive DDoS mitigation capacity across all Azure regions. Microsoft's DDoS
Protection service scrubs traffic at the edge of the Azure network before it can affect
service availability, thereby protecting Azure applications.
Creating a VNet requires choosing a DDoS protection plan:
- Basic: This is the default option, at no additional cost.
- Standard: Extends the functionality of the Basic tier, adding attack notifications,
telemetry, etc.
Note: For more information please consult the official Microsoft documentation:
https://azure.microsoft.com/es-es/blog/azure-ddos-protection-for-virtual-networks-generally-available/
The actions to be taken to activate the service and the recommended configuration are
described below.

DDoS Protection Deployment

1. From the Azure portal search for DDoS.

2. Click on [Add].


3. Choose a name and select the resource group that contains the virtual networks.

4. Finally, click on [Create].

Then associate DDoS Protection with the virtual networks. To do this, go to All resources
and then to each of your virtual networks.

1. Click on DDoS Protection and select Standard.

2. Then deploy the plan and choose the plan you previously set up.
3. Finally, click on [Save].
The DDoS panel shows the VNets in which the plan is applied.

This step is repeated for every VNet you have.

Note: It is recommended that these steps are also applied to the public IPs you have in
Azure.
Once applied, your protected network can be viewed from the main DDoS panel.


Configuring alerts for DDoS protection metrics


Any of the available DDoS protection metrics can be selected to receive alerts when there
is an active mitigation during an attack, by configuring Azure Monitor alerts. When the
conditions are met, an alert email is sent to the specified address:
1. From Azure Monitor click on Alerts.

2. Click on [Create rule] and select the public IP.

3. Then add the condition "Under DDoS attack or not".


Set the following values.

A static threshold uses a user-defined threshold value to evaluate the rule, while a
dynamic threshold uses machine learning algorithms to continuously learn the metric's
behaviour pattern and calculate the threshold automatically.
A new action group should be created to execute this alert.

At group creation, you can optionally create a condition to be notified by email.

- Action Group name: Name of the Action Group.
- Short name: Identifying short name for notifications.
- Subscription: Your Azure subscription.
- Resource group: Choose the resource group.
If you want to set up the email alert, please follow these instructions.


Finally, add a name to the alert and click on [Create Alert Rule].


4. GLOSSARY AND ABBREVIATIONS

The following describes several security terms, acronyms and abbreviations used in this
guide:

Term                    Definition

AAD                     Azure Active Directory.

AD DS                   Active Directory Domain Services.

Resource Group          Container that stores the resources related to an Azure solution.
                        The resource group includes the resources you want to manage as a
                        group.

Azure AD                Azure Active Directory.

RBAC                    Authorization system based on Azure Resource Manager that provides
                        fine-grained access management to Azure resources.

JSON                    Acronym for JavaScript Object Notation, a simple text format for
                        data exchange.

OAuth                   OAuth 2.0 protocol used to authorize access to applications and web
                        APIs in your Azure AD tenant.

CSP                     Cloud Service Provider.

DDoS                    Distributed Denial of Service, carried out by generating a large
                        flow of traffic from several connection points to a single
                        destination point.

ENS                     National Security Framework.

MFA                     Multi-Factor Authentication. Security system that requires more
                        than one way to authenticate, for example through an app, SMS, etc.

Log Analytics           Azure Log Analytics, formerly known as Microsoft Monitoring Agent
                        (MMA) or OMS Linux agent, was developed to achieve complete
                        management of local machines, of the computers monitored by System
                        Center Operations Manager and of virtual machines in any cloud. The
                        Windows and Linux agents are associated with Azure Monitor and
                        store log data collected from different sources in the Log
                        Analytics workspace.

Replication: RA-GRS     Replicates the data to another data center in a secondary region;
                        that data is also available for read-only access if Microsoft
                        initiates a failover from the primary region to the secondary
                        region.

Key Vault               Azure Key Vault is a tool for securely storing and accessing
                        secrets. A secret is anything to which you want to closely control
                        access, such as certificates, passwords or API keys. A vault is a
                        logical set of secrets.

HSM                     Offers cryptographic key storage in Azure. Dedicated HSM meets the
                        strictest security requirements. It is the ideal solution for
                        clients who need FIPS 140-2 Level 3 validated devices and complete,
                        exclusive control of the HSM device.

Azure Disk Encryption   Uses the industry-standard BitLocker on Windows and DM-Crypt on
                        Linux to provide encryption solutions that integrate with Azure Key
                        Vault.

ASR                     Azure Site Recovery is used for disaster recovery of local machines
                        and workloads in Azure, and of Azure virtual machines in a
                        secondary Azure region.

Network Watcher         Allows you to monitor and diagnose the status and performance of
                        the network. Network Watcher's diagnostic and visualization tools
                        help you, for example, to capture packets in a virtual machine or
                        to validate whether an IP flow is allowed or denied.

Service Health          Azure Service Health informs you of service incidents and
                        scheduled maintenance work at Azure, allowing you to take action to
                        mitigate downtime.

Azure PowerShell        A command line interface to manage Azure services through the
                        PowerShell command line.

CLI                     A command line interface that can be used to manage Azure services
                        from Windows, OSX and Linux.

5. SUMMARY TABLE OF SECURITY MEASURES

The following is a summary table of the configurations to be applied for the protection of
the service, with which the organization will be able to evaluate which of the proposed
measures are fulfilled.


ENS Control Configuration Status

op Operational Framework

op.acc Access Control

op.acc.1 Identification

The use of Azure Active Directory It applies: It complies:


accounts and groups for Tenant
management has been Yes No Yes No
configured.

Evidence collected: Comments:

Yes No

op.acc.2 Entry Requirements

The access requirement has been It applies: It complies:


set up using the RBAC role
application. Yes No Yes No
Conditional access has been set up
by delimiting geographical areas
and/or IP ranges. (important
Evidence collected: Comments:
and/or)
Recommended: Yes No
- Restricted access to the Azure
portal
- Azure AD Identity Protection

op.acc.3 Segregation of functions and tasks

Roles have been designed, created It applies: It complies:


and applied to user groups.
Yes No Yes No

192
National Cryptologic Centre
CCN-STIC 884A Secure Configuration Guide for Azure

The roles Owner, Collaborator,


Reader and User Access Manager
must be applied. Evidence collected: Comments:

Yes No

op.acc.5 Authentication mechanism

Multi-Factor Authentication (MFA) It applies: It complies:


has been enabled for users in the
organization connecting from Yes No Yes No
networks outside the
organization.

Evidence collected: Comments:

Yes No

op.acc.6 Local access

Conditional access policies have It applies: It complies:


been configured so that users and
devices connecting from the Yes No Yes No
organization's networks have less
restrictive access than those
connecting from the Internet,
correctly identifying the source IP Evidence collected: Comments:
addresses and networks.
Yes No

op.acc.6 Remote Access

Additional access control It applies: It complies:


mechanisms have been enabled
for those users or devices that Yes No Yes No
connect from the Internet (outside

193
National Cryptologic Centre
CCN-STIC 884A Secure Configuration Guide for Azure

the organization's networks).


These mechanisms may include
conditional access by delimiting Evidence collected: Comments:
geographical areas, IP address
ranges, double authentication Yes No
factor or linking the device to
Azure AD, among other
requirements.

op.exp Exploitation

op.exp. 8 Recording user activity

It has been verified that the Audit It applies: It complies:


log is activated and capturing
events. Yes No Yes No

Evidence collected: Comments:

Yes No

op.exp. 10 Protection of activity records

An activity record retention of at It applies: It complies:


least 365 days has been enabled.
Yes No Yes No

Evidence collected: Comments:

Yes No

op.exp.11 Protection of cryptographic keys

The Key Vault has been configured, limiting access to administrative users only.
It applies: Yes / No    It complies: Yes / No
Evidence collected: Yes / No    Comments:

op.cont.2 Continuity plan

Azure Site Recovery has been configured to replicate the virtual machines and database in order to create a recovery plan.
It applies: Yes / No    It complies: Yes / No
Evidence collected: Yes / No    Comments:

op.cont.3 Periodic testing

A failover has been performed for the virtual machines.
It applies: Yes / No    It complies: Yes / No
Evidence collected: Yes / No    Comments:

op.mon.1 Intrusion detection

Azure Monitor has been deployed, with alerts created for the production services and Azure Security Center integrated, following the recommendations of this guide.
It applies: Yes / No    It complies: Yes / No
Evidence collected: Yes / No    Comments:

op.mon.2 Metric system

Azure Monitor has been configured by applying the popular logs and the Network Watcher deployment, following the metrics configuration recommended in this guide.
It applies: Yes / No    It complies: Yes / No
Evidence collected: Yes / No    Comments:

mp.com.1 Secure perimeter

The NSG / Azure Firewall deployment has been configured applying the recommended rules for Azure services.
It applies: Yes / No    It complies: Yes / No
Evidence collected: Yes / No    Comments:

mp.com.2 Confidentiality protection

The VPN service (site-to-site) has been deployed.
It applies: Yes / No    It complies: Yes / No
Evidence collected: Yes / No    Comments:

mp.com.3 Protection of authenticity and integrity

To cover this measure, it is necessary to apply all of the following services:
- Azure Security Center
- Azure Multi-Factor Authentication
- Azure DDoS Protection
It applies: Yes / No    It complies: Yes / No
Evidence collected: Yes / No    Comments:

mp.com.4 Network segregation

VNets have been configured for network isolation.
It applies: Yes / No    It complies: Yes / No
Evidence collected: Yes / No    Comments:

mp.info.2 Rating of information

Tags have been configured for all Azure services.
It applies: Yes / No    It complies: Yes / No
Evidence collected: Yes / No    Comments:

mp.info.3 Encryption

Encryption at rest has been set up.
It applies: Yes / No    It complies: Yes / No
Comments:

mp.info.9 Backup

A backup plan has been set up for Azure's services.
It applies: Yes / No    It complies: Yes / No
Evidence collected: Yes / No    Comments:

mp.s.8 Protection against denial of service

DDoS Protection has been configured on those VNets exposed to potential external attacks.
It applies: Yes / No    It complies: Yes / No
Evidence collected: Yes / No    Comments: