How To: Harden your IaaS workload

Securing your IaaS workload to comply with the baseline used by Azure Security Center

by | Jul 5, 2018 | General, Security

Introduction

One of the security policies in Azure Security Center is OS security configuration, previously called OS recommendations. The security configuration check is available in the free pricing tier of Azure Security Center. Azure Security Center monitors these security configurations using a set of over 150 recommended rules for hardening the Windows OS and over 80 rules for hardening the Linux OS. These rules cover firewalls, auditing, password policies, and more. If a machine is found to have a vulnerable configuration, Security Center generates a security recommendation.

In this blog post I will explain how you can harden your IaaS workload by using the standard that Microsoft uses.

Common Configuration Enumeration (CCE) standard

Azure Security Center uses CCE (Common Configuration Enumeration) to assign unique identifiers for configuration rules. The Common Configuration Enumeration, or CCE, assigns unique entries (also called CCEs) to configuration guidance statements and configuration controls to improve workflow by facilitating fast and accurate correlation of configuration issues present in disparate domains.

The current CCE list is hosted on this website.

Center for Internet Security (CIS)

Center for Internet Security is a nonprofit organization, formed in October 2000. The mission of the organization is to “identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace.” The organization is headquartered in East Greenbush, New York, with members including large corporations, government agencies, and academic institutions. CIS employs a closed crowdsourcing model to identify and refine effective security measures, with individuals developing recommendations that are shared with the community for evaluation through a consensus decision-making process. At the national and international level, CIS plays an important role in forming security policies and decisions by maintaining the CIS Controls and CIS Benchmarks, and hosting the Multi-State Information Sharing and Analysis Center.

Azure Security Center baseline rules

As stated earlier, Azure Security Center uses a baseline and compares the current state of an IaaS virtual machine to that baseline. If there is a difference between the baseline and the current state, Azure Security Center will recommend changing the failed rules. The baseline rules Azure Security Center uses can be downloaded from TechNet.

Recommendations

As stated earlier, if a computer does not match the baseline, Azure Security Center will recommend changing the failed rules. If you want to view the failed rules for a specific computer, go in Azure Security Center to Compute > VMs and Computers > select the computer > select “Remediate XX Security Configurations”. This will open a Log Analytics search window with the query for the specific SourceComputerID. That query shows the failed rules without the CCE IDs, ordered by RuleSeverity. To include the CCE IDs you can use the following search query instead:

SecurityBaseline
| where AnalyzeResult == "Failed" and Computer == "[COMPUTERNAME]"
| summarize AggregatedValue = dcount(BaselineRuleId) by BaselineRuleId, RuleSeverity, CceId, Description
| order by RuleSeverity asc
| limit 1000000000

If you execute the query you get an overview of all the failed rules including the CCE IDs. If you want to see which remediation belongs to a CCE ID you can use Scaprepo; on that website you can easily search by CCE ID.

Remediation

There are several ways to remediate. One way is to download and maintain a CIS image from the Azure Marketplace. Another way is to look up every failed rule and create a GPO. I will explain the latter option, as that is the one I used. For the operating systems Windows Server 2012 R2 and Windows Server 2016 I created a GPO by checking every rule and searching for every remediation. This was very time consuming, but it was worth it.

After the GPO was created I exported it using the Group Policy Management Tool on a domain controller. When your computers are in a domain it is easy to deploy the GPO to them, but when your computers are in a workgroup you have to be creative.

I have two GPOs, one for Windows Server 2012 R2 and one for Windows Server 2016. From these two I created a ZIP file that also includes a small tool called LGPO.exe. This tool is part of the Microsoft Security Compliance Toolkit 1.0 and can be downloaded here. My VMs are running in Azure, so I can use the Custom Script Extension to deploy the ZIP file and execute a PowerShell script that imports the exported GPO as local policy on the VMs.
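The in-guest side of that step, as an added example (this is not the post's own script): the Custom Script Extension downloads the ZIP next to this script and runs it; the script unpacks the ZIP, picks the GPO backup that matches the running OS and imports it with LGPO.exe. The ZIP layout (`LGPO.exe` plus the folders `WS2012R2` and `WS2016` holding the two GPO backups), the file names and the work directory `C:\Hardening` are assumptions, not values from the post.

```powershell
# Apply-LocalGpo.ps1 (added example, not the post's script)
# Runs inside the VM under the Custom Script Extension. Assumed ZIP layout:
#   hardening.zip
#     LGPO.exe
#     WS2012R2\   <- GPO backup folder exported from Group Policy Management
#     WS2016\     <- GPO backup folder exported from Group Policy Management
param(
    [string]$ZipPath = (Join-Path $PSScriptRoot 'hardening.zip'),
    [string]$WorkDir = 'C:\Hardening'
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
# Keep a transcript on the VM so a failed run can be diagnosed later.
Start-Transcript -Path (Join-Path $WorkDir 'apply-gpo.log') -Append

try {
    Expand-Archive -Path $ZipPath -DestinationPath $WorkDir -Force

    # Pick the GPO backup that matches the OS; refuse to apply the wrong one.
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    $folder = if ($caption -like '*Server 2012 R2*') { 'WS2012R2' }
              elseif ($caption -like '*Server 2016*') { 'WS2016' }
              else { throw "No GPO backup for OS '$caption'" }

    $lgpo   = Join-Path $WorkDir 'LGPO.exe'
    $backup = Join-Path $WorkDir $folder
    if (-not (Test-Path $backup)) { throw "GPO backup folder '$backup' missing from ZIP" }

    # LGPO.exe /g imports a GPO backup folder into local policy; /v prints what it does.
    & $lgpo /v /g $backup
    if ($LASTEXITCODE -ne 0) { throw "LGPO.exe exited with code $LASTEXITCODE" }

    # Force a policy refresh so the settings are active before the extension reports success.
    gpupdate /force | Out-Null
    Write-Output "Applied local policy from '$folder' on '$caption'"
}
finally {
    Stop-Transcript
}
```

Throwing on an unknown OS or a missing backup folder makes the extension report a failure instead of silently leaving the VM unhardened, which is what you want to see in the extension status.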

This PowerShell script lets you choose your subscription and your VM, and then deploys a Custom Script Extension to that VM.

After the Custom Script Extension has run, the local GPO is applied. If the Custom Script Extension fails, there are two folders on the VM to check: the output log folder, C:\WindowsAzure\Logs\Plugins\Microsoft.Compute.CustomScriptExtension, and the download directory, C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension\1.*\Downloads\
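The deployment side of the procedure, as an added example written against the Az PowerShell module (the post does not show its own script, and at the time it was written the AzureRM cmdlets would have been the equivalent): it prompts for a subscription and a Windows VM, then deploys the Custom Script Extension so that it downloads the hardening ZIP and the in-guest script from a private blob container and runs the script. The storage account, container, blob names, extension name and in-guest script name are assumptions.

```powershell
# Deploy-Hardening.ps1 (added example, not the post's script)
# Run from an admin workstation with the Az module installed.
param(
    [string]$StorageAccountName = 'REPLACE-storage-account',   # assumed
    [string]$ContainerName      = 'hardening',                 # assumed
    [string]$ZipName            = 'hardening.zip',             # assumed
    [string]$ScriptName         = 'Apply-LocalGpo.ps1',        # assumed in-guest script
    [string]$ExtensionName      = 'ApplyLocalGpo'              # assumed
)
$ErrorActionPreference = 'Stop'

# 1. Choose the subscription interactively.
Connect-AzAccount | Out-Null
$sub = Get-AzSubscription | Out-GridView -Title 'Select subscription' -OutputMode Single
if (-not $sub) { throw 'No subscription selected' }
Set-AzContext -SubscriptionId $sub.Id | Out-Null

# 2. Choose the target VM. Only Windows VMs are offered, because the GPO backups are Windows-only.
$vm = Get-AzVM |
      Where-Object { $_.StorageProfile.OsDisk.OsType -eq 'Windows' } |
      Select-Object Name, ResourceGroupName, Location |
      Out-GridView -Title 'Select VM' -OutputMode Single
if (-not $vm) { throw 'No VM selected' }

# 3. Fetch a storage key so the extension can pull the files from the private container
#    (the files never need to be publicly readable).
$sa  = Get-AzStorageAccount | Where-Object StorageAccountName -eq $StorageAccountName
if (-not $sa) { throw "Storage account '$StorageAccountName' not found in this subscription" }
$key = (Get-AzStorageAccountKey -ResourceGroupName $sa.ResourceGroupName -Name $StorageAccountName)[0].Value

# 4. Deploy the extension. The ZIP and the script are downloaded into
#    C:\Packages\Plugins\Microsoft.Compute.CustomScriptExtension\<version>\Downloads\<n>\
#    on the VM and the script is started from that directory.
Set-AzVMCustomScriptExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name `
    -Name $ExtensionName -Location $vm.Location `
    -StorageAccountName $StorageAccountName -StorageAccountKey $key `
    -ContainerName $ContainerName -FileName @($ZipName, $ScriptName) `
    -Run $ScriptName | Out-Null

# 5. Read back the extension status. On failure, the detailed output is in
#    C:\WindowsAzure\Logs\Plugins\Microsoft.Compute.CustomScriptExtension on the VM.
$ext = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name `
    -Name $ExtensionName -Status
$ext.Statuses | Format-List Code, DisplayStatus, Message
```

Using the storage key with `-StorageAccountName`/`-StorageAccountKey` keeps the GPO backups in a private container; if you prefer not to hand the key to the extension, a short-lived read-only SAS URL passed via `-FileUri` works the same way.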

Conclusion

Although the CIS images are easy to deploy from the Azure Marketplace, they are not free. They cost € 0,02 per hour, which is €14,60 per month per VM, and after deployment you still have to keep these images up to date by some kind of mechanism. Deploying security recommendations is not easy, but being in control of what will be adjusted on your VMs and having an update mechanism you built yourself gives a good feeling.