Security best practices for VMs

  1. Home
  2. Security best practices for VMs

Go back to AZ-500 Tutorials

In this tutorial, we will learn and understand about security best practices for VMs and operating systems.

However, the best practices depend on the consensus of opinion that works with current Azure platform capabilities and feature sets. As in most infrastructure as a service (IaaS) scenarios, Azure virtual machines (VMs) are the main workload for organizations that use cloud computing. This fact is obvious in hybrid scenarios where organizations want slow migration workloads for the cloud. For such scenarios, follow the general security considerations for IaaS, and apply security best practices to all your VMs.

Protecting VMs by using authentication and access control

The first important step in protecting your VMs is to ensure that only authorized users can set up new VMs and access VMs. Below we will discuss about the best practices, that includes:

Control VM access

In this, use Azure policies for establishing conventions for resources in your organization and create customized policies. Moreover, apply these policies to resources like resource groups. However, if an organization contains many subscriptions, then you may need a way for managing access, policies, and compliance for those subscriptions. For this, Azure management groups provide a level of scope above subscriptions. 

Reducing variability in the setup and deployment of VMs

In this, use Azure Resource Manager templates for strengthening your deployment choices and make it easier to understand and inventory the VMs in your environment.

Secure privileged access

In this, use a least privilege approach and built-in Azure roles for enabling users to access and set up VMs:

  • Firstly, virtual machine contributors manage VMs, but not the virtual network or storage account.
  • Secondly, classic virtual machine contributors manage VMs using the classic deployment model, but not the virtual network or storage account.
  • Then, security admin views security policies, security states, edit security policies, view alerts, and recommendations, dismiss alerts, and recommendations.
  • Lastly, DevTest labs users can view everything and connect, start, restart, and shut down VMs.
AZ-500 practice tests

Using multiple VMs for better availability

If your VM runs critical applications that require high availability then we recommend using multiple VMs. However, an availability set refers to a logical grouping that you can use in Azure for ensuring that the VM resources are isolated from each other while deploying in an Azure datacenter. Azure also ensures that the VMs you place in an availability set to run across multiple physical servers, compute racks, storage units, and network switches. And, if a hardware or Azure software failure occurs, only a subset of your VMs are affected, and your overall application continues to be available to your customers.

Managing VM security posture

For protecting VMs it is necessary to have monitoring capability that can detect threats, prevent unauthorized access for resources, trigger alerts, and reduce false positives. However, for monitoring the security posture of your Windows and Linux VMs, use Azure Security Center. In the Security Center, safeguarding VMs can be done by taking advantage of the capabilities like:

  • Firstly, apply OS security settings with recommended configuration rules.
  • Secondly, identify and download system security and critical updates that might be missing.
  • Thirdly, deploy recommendations for endpoint antimalware protection.
  • Then, validate disk encryption.
  • After that, assess and remediate vulnerabilities.
  • Lastly, detect threats.

The security Center can actively monitor for threats, and potential threats are exposed in security alerts. Correlated threats aggregated in a single view are referred to as security incidents. Moreover, the Security Center stores data in Azure Monitor logs that provide a query language and analytics engine that gives you insights into the operation of your applications and resources. And, the data collected from Azure Monitor, management solutions, and agents installed on virtual machines in the cloud or on-premises. 

Monitoring VM performance

Resource abuse can result in a  problem as VM processes consume more resources. However, the performance issues with a VM can lead to service disruption, that results in violating the security principle of availability. This is important for VMs that are hosting IIS or other web servers. As high CPU or memory usage might indicate a denial of service (DoS) attack. So, it is important to monitor VM access not only reactively while an issue is occurring, but also proactively.

Regarding this, we recommend that you use Azure Monitor to gain visibility into your resource’s health. Azure Monitor features:

  • Firstly, resource diagnostic log files that monitor your VM resources and identify potential issues that might compromise performance and availability.
  • Secondly, Azure Diagnostics extension that provides monitoring and diagnostics capabilities on Windows VMs.

Encrypting virtual hard disk files

Azure Disk Encryption helps you to encrypt your Windows and Linux IaaS virtual machine disks. Moreover, it uses the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux for providing volume encryption for the OS and the data disks. In this, the solution is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets in your key vault subscription. 

Best practices for using Azure Disk Encryption includes:

Enabling encryption on VMs.

In this, Azure Disk Encryption generates and writes the encryption keys to your key vault. It manages encryption keys in your key vault requires Azure AD authentication as well as creates an Azure AD application for this purpose. However, for authentication purposes, you can use either client secret-based authentication or client certificate-based Azure AD authentication.

Using a key encryption key (KEK) for an additional layer of security for encryption keys. Add a KEK to your key vault.

This uses the Add-AzKeyVaultKey cmdlet for creating a key encryption key in the key vault. In this, you can also import a KEK from your on-premises hardware security module (HSM) for key management. And, when a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing to Key Vault.

For ensuring the encryption secrets don’t cross regional boundaries, Azure Disk Encryption requires the key vault and the VMs to be located in the same region.

This creates and uses a key vault that is in the same region as the VM that is to be encrypted.

However, when you apply Azure Disk Encryption, you can satisfy the following business needs:

  • Firstly, IaaS VMs are secure through industry-standard encryption technology to address organizational security and compliance requirements.
  • Secondly, IaaS VMs start under customer-controlled keys and policies, and you can audit their usage in your key vault.
Restricting direct internet connectivity

Attackers continuously scan public cloud IP ranges for open management ports and attempt “easy” attacks like common passwords and known unpatched vulnerabilities. The lists best practices help protect against these attacks:

  • Firstly, preventing inadvertent exposure to network routing and security.
  • Secondly, identifying exposed VMs that allow access from “any” source IP address.
  • Thirdly, using Azure Security Center. 
  • Lastly, Restrict management ports (RDP, SSH).
Az-500 Online Course security best practices concept

Reference: Microsoft Documentation

Go back to AZ-500 Tutorials

Menu