Category: Security

All about security and compliance for example Azure FedRamp compliance

How to re-generate Azure QR Code

Log in to Azure portal -> Active Directory -> Users.

Add user phone under Authentication contact info. Click on “Require re-register multifactor authentication. Reset password. Send email to user to login here ;

https://azure.microsoft.com/en-us/features/azure-portal/

User will be able to change the temp password. Next step will be the wizard that will re-register multifactor authentication on user phone in Microsoft Authentication App.

Windows security settings

Instructions to setup screen saver and strengthen the password;

Screensaver Settings

  1. Open your start menu and search for Change Screen Saver
  • Set the screen saver to blank, set the time to 15, and tick the box next to On resume, display login screen. Apply the settings. Your computer will now lock the screen after 15 minutes of inactivity.

Password Settings

  1. Open your start menu and search for Edit group policy.
  • In the left pane navigate to Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy
  • Double click on each policy listed below to open the menu. Change the policy to match what is listed below. Apply the change and close the window.
    • Enforce password history: 12 passwords remembered
    • Maximum password age: 90 days
    • Minimum password age: 1 day
    • Minimum password length: 12 characters
    • Password must meet complexity requirements: Enabled
  • Open a file explorer window. Right-click on This PC and choose Manage
  • In the left pane, navigate to System Tools/Local Users and Groups/Users
  • Find your account in the list of users. Double click your account to open the settings menu
  • In the list of settings, make sure Password never expires is NOT checked. If it is, remove the check and Apply the changes.
  • Hit CTRL+ALT+DEL to bring up the system menu. Choose Change a password to change your password to a new one that meets the requirements.

Protected web api configuration

Like web apps, the ASP.NET and ASP.NET Core web APIs are protected because their controller actions are prefixed with the [Authorize] attribute. The controller actions can be called only if the API is called with an authorized identity.

Consider the following questions:

  • Only an app can call a web API. How does the API know the identity of the app that calls it?
  • If the app calls the API on behalf of a user, what’s the user’s identity?

Read more here;

https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-configuration

Server is ethernet connected on LAN, means exposed to the internet?

You may have an Internet connection, but you are almost certainly behind a NAT router, not directly connected to the Internet.  Normally, that NAT router is the only machine that faces the Internet, has a direct connection, and is under constant attack by numerous bots roaming the IP’s of the Internet. 

You only have a local IP for your local network.  Only the router has your true IP that is seen on the Internet.  When your browser or NTP service (or other Internet need you may have) needs to see something on the Internet, it makes a connection to an Internet server, and your router notes that connection and allows that server to respond, using the associated ports of your connection.  The router will route those responses back to your machine, and not any other. 

The outside bots and servers cannot attack or connect to your machine, because they can’t even see it, and they don’t know your local IP.  The only contact that outside machines can have with your machine is strictly through connections your machine initiates first, through your router.

Now if you *did* want to put your server directly on the Internet, most routers have a setting where they can put any machine into a ‘DMZ’, a special unprotected zone, which means the Internet is directly connected to any machine you choose!  And the router won’t block any Internet traffic then, but allow all of it to come through to you. 

I would strongly advise you to first disconnect ALL of your drives, and backup your boot drive, because you will be very rapidly attacked!  Never use the DMZ unless you have a lot of security experience!

Manage another user (service account) credentials for network access

I have a Windows account that is used for running services (i.e. it’s not intended that any person should log in as that account). Turns out one of the services needs to access a remote network share that’s on a machine in a different Windows domain, and so needs to supply remote credentials to get to that share.

Now if it was me needing to access the remote share, I would simply open Credential Manager, and save the required credentials. But it’s not me, and my understanding of credential manager is it only saves credentials to be used by the logged in user.

I can of course solve this problem. I temporarily elevate the privileges of the service account to allow interactive logins, then I login as that user and use credential manager to store the correct remote credentials. Then I remove the interactive login privileges. But that feels very hacky and not the kind of thing I ought to be doing.

The work around is to log in with your normal user account and then run following in an elevated command prompt;

runas /user:serviceaccountname "%windir%\system32\cmdkey.exe /add:server.domain.com /user:username /pass:password"

For example, if service account need permission on Azure storage then;

runas /user:yourUserName.onmicrosoft.com "%windir%\system32\cmdkey.exe /add:{storageAccountName}.file.core.windows.net /user:Azure\{storageAccountName} /pass:sharedkeyofthestorageaccount=="

You will be prompted for credential. Put in your service account name and password. The credential for the service account will be stored in credential manager and you will be good to go;

Resource

https://superuser.com/questions/537697/manage-another-users-credentials-for-network-access