How to secure Azure VM

Trying to gather resources that can help secure an Azure environment.

There are three essential areas in Microsoft Azure: RBAC, Storage and Networking. Everything in Azure depends on these three pillars, and with those areas in mind I identified the three most dangerous cyberattacks, listed below:

  1. Privilege escalation to Azure PIM roles and the Global Administrator account;
  2. Ransomware attack;
  3. Attacks on public and private IP addresses;

All of these attacks are extremely dangerous and effective. However, privilege escalation is the most dangerous, because it can reach the top level (Global Administrator), which means losing control of the entire cloud tenant and the company.

Another good one from LinkedIn:

https://www.linkedin.com/pulse/explain-example-vpn-gateway-expressroute-michelle-xie/

Azure DevOps Git Clone error

I have changed my user's name in Azure DevOps. When I tried to clone the repo, I started getting this error:

I have no permission issues, so what the heck?

It turns out that the issue is with the URL. Don't connect to the URL produced by the portal, which looks like this:

https://project-account@dev.azure.com/project-name/apps/_git/chart

Instead, put your Git username in the URL and enter your password when prompted:

https://username@dev.azure.com/project-name/apps/_git/chart

If your username has special characters, Git cmd/bash will throw errors, so replace those with their percent-encoded forms:

@ can be replaced with %40

+ can be replaced with %2b (the hex digits are case-insensitive, so %2B works as well)

Something like:

https://username%40xyz.com@dev.azure.com/project-name/apps/_git/chart

What a waste of time…
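The percent-encoding above is the general rule for the userinfo part of a URL, not just for @ and +. The following is an added example, not code from the original post, that builds the clone URL with the username encoded and reads it back; the organization, project, repository and usernames are made up.

```python
"""Build an Azure DevOps HTTPS clone URL with a percent-encoded username.

Added example, not from the original post. The organization/project/repo
names and usernames used here are made up.
"""
from urllib.parse import quote, unquote, urlsplit


def encode_userinfo(username: str) -> str:
    """Percent-encode a username for the userinfo part of a URL.

    safe="" makes quote() escape every reserved character, so '@' becomes
    %40 and '+' becomes %2B (upper-case hex; Git accepts either case).
    Letters, digits and '-', '_', '.', '~' are left as they are.
    """
    return quote(username, safe="")


def clone_url(username: str, organization: str, project: str, repo: str) -> str:
    """Return https://<user>@dev.azure.com/<org>/<project>/_git/<repo>."""
    path = "/".join(quote(part, safe="") for part in (organization, project))
    return (
        f"https://{encode_userinfo(username)}@dev.azure.com/"
        f"{path}/_git/{quote(repo, safe='')}"
    )


def username_from_url(url: str) -> str:
    """Recover the original username from a clone URL.

    urlsplit() returns the userinfo still percent-encoded, so the caller
    has to unquote() it to get the address back.
    """
    raw = urlsplit(url).username
    return unquote(raw) if raw is not None else ""


if __name__ == "__main__":
    url = clone_url("username@xyz.com", "project-name", "apps", "chart")
    print(url)                      # https://username%40xyz.com@dev.azure.com/project-name/apps/_git/chart
    print(username_from_url(url))   # username@xyz.com
```

Only the username belongs in the URL. Do not append the password or a personal access token after a colon: anything in the URL ends up in `.git/config` and in shell history, whereas a password entered at the prompt is stored by the credential helper.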

One of my developers started getting a Git Credential Manager for Windows popup and an Authentication failure message. The workaround was:

In Visual Studio 2017, open Tools > Get Tools and Features…, go to the "Individual components" tab, check "Git for Windows", and click "Modify". It will then ask you to update VS 2017 to the latest version, for example 15.9.36.

Voila, it started working.

Resource

https://stackoverflow.com/questions/34837173/authentication-failed-for-azure-git

Connect your organization to Azure Active Directory

If your organization was created with a Microsoft account, connect it to your Azure AD. Sign in to Azure DevOps Services with the same username and password that you use with your Microsoft services, then enforce policies for accessing your team's critical resources and key assets.

There’s no downtime during this change, but users are affected. Let them know before you begin.

Sign in to your organization at https://dev.azure.com/{yourorganization}

Select Organization settings -> Users.

Compare the Azure DevOps user list with your Azure AD user list. Create an Azure AD entry for every user who is in the Azure DevOps organization but not in Azure AD.

Connect the organization to Azure AD by selecting Azure Active Directory.

Click on Connect directory:

2 out of 6 member(s) are members that don't exist in Azure AD. They are guest developers using their hotmail/gmail accounts. If we want to allow them to keep using Azure DevOps, we need to create their accounts as Guests in Azure AD.

Sign out of Azure DevOps.

Sign in with your Azure AD account. If you click on Organization Settings -> Azure Active Directory, you will see this page:

Clicking on Download downloads your organization info, the Azure DevOps info, the owner of the Azure DevOps organization and any errors from the connection. This confirms that Azure DevOps is connected to Azure AD.

Make adam@{yourorganization}.onmicrosoft.com a member of "Project Collection Administrators". This group can perform every kind of operation in the organization.

Test your access to Azure DevOps and Visual Studio. You will be asked to enter your credentials and to approve the sign-in in Microsoft Authenticator.
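The user comparison in the procedure above is the step that bites: a guest who was already invited shows up in Azure AD with a mangled UPN (local_domain.com#EXT#@tenant.onmicrosoft.com), so a naive list comparison reports them as missing and you invite them twice. The following is an added example, not part of the original post or of Microsoft's tooling, that does the comparison while unmangling guest UPNs. The two lists are constructed samples shaped like the output of `az devops user list` and `az ad user list`, reduced to the fields used here (an assumption for illustration; check the field names against your own export).

```python
"""Find Azure DevOps organization members with no matching Azure AD account.

Added example, not part of the original post or of Microsoft's tooling. The
lists are constructed samples shaped like `az devops user list` and
`az ad user list` output, reduced to the fields used here.
"""
import re

# A user invited as a guest gets a UPN of the form
# local_domain.com#EXT#@<tenant>.onmicrosoft.com; the original address is
# usually, but not always, also present in the "mail" attribute.
_EXT_UPN = re.compile(r"^(?P<local>.+)_(?P<domain>[^_#]+)#ext#@")


def aad_identities(aad_users):
    """Return the set of lower-cased addresses an Azure AD user list covers.

    Both the UPN and the mail attribute are included, and guest UPNs are
    un-mangled, so bob_gmail.com#EXT#@contoso.onmicrosoft.com also covers
    bob@gmail.com even when its mail attribute is empty.
    """
    covered = set()
    for user in aad_users:
        upn = (user.get("userPrincipalName") or "").lower()
        mail = (user.get("mail") or "").lower()
        covered.update(address for address in (upn, mail) if address)
        m = _EXT_UPN.match(upn)
        if m:
            covered.add(f"{m.group('local')}@{m.group('domain')}")
    return covered


def devops_members_missing_from_aad(devops_members, aad_users):
    """Return the Azure DevOps members (by address) the tenant does not know.

    These are the accounts to create, or invite as guests, before connecting
    the organization; anyone left out loses access at the switch.
    """
    covered = aad_identities(aad_users)
    missing = set()
    for member in devops_members:
        user = member["user"]
        address = (user.get("mailAddress") or user.get("principalName") or "").lower()
        if address and address not in covered:
            missing.add(address)
    return sorted(missing)


# Constructed sample data; none of these are real accounts.
DEVOPS_MEMBERS = [
    {"user": {"principalName": "adam@contoso.onmicrosoft.com", "mailAddress": "adam@contoso.onmicrosoft.com"}},
    {"user": {"principalName": "eve@contoso.com", "mailAddress": "Eve@contoso.com"}},
    {"user": {"principalName": "bob@gmail.com", "mailAddress": "bob@gmail.com"}},
    {"user": {"principalName": "carol@hotmail.com", "mailAddress": "carol@hotmail.com"}},
]
AAD_USERS = [
    {"userPrincipalName": "adam@contoso.onmicrosoft.com", "mail": None},
    {"userPrincipalName": "eve@contoso.com", "mail": "eve@contoso.com"},
    # Bob was already invited as a guest; note the mangled UPN and empty mail.
    {"userPrincipalName": "bob_gmail.com#EXT#@contoso.onmicrosoft.com", "mail": None},
]

if __name__ == "__main__":
    for address in devops_members_missing_from_aad(DEVOPS_MEMBERS, AAD_USERS):
        print(f"invite as guest: {address}")   # carol@hotmail.com
```

Run it against the real exports before clicking Connect directory; the addresses it prints are the ones to invite as guests. Comparing case-insensitively matters because Azure DevOps keeps the address as the user typed it while Azure AD normalizes it.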

Resource:

https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops

Prevent spam on your entry level Blog

The settings for controlling comments in WordPress are available under Settings > Discussion. Note that this is the manual method of preventing spam, and it works best when you get a few comments a day. If you receive over 1000 comments daily, an anti-spam plugin is more practical.

Let's go through the ways these default WordPress settings can be used to prevent spam, one section at a time.

Default Article Settings

Simply disable trackbacks and pingbacks to cut out a large share of the spam traffic, and allow comments only on new articles.

Other Comment Settings

The comment author should almost always have to enter a name and email before commenting; WordPress enables this by default. Requiring users to log in before leaving comments cuts spam significantly, but it may put off some legitimate readers who want to comment without signing in, so weigh that before enabling it.

On a fairly active blog, disable comments on posts older than 90 days. If you keep updating older articles, change their published date so they don't fall outside the 90-day window. Keep threaded comments at the default depth, or increase it if required.

E-mail Me Whenever

Use this feature if you don't get thousands of comments on your posts. You get an email notification for every new comment and can mark spam right away, which removes one slice of the spam comments.

Before a Comment Appears

Allowing readers who have previously had a comment approved to comment again without approval keeps legitimate comments out of the moderation queue. You then only have to look at the remainder, most of which will be spam.

Comment Moderation

I suggest a value of 2 for "Hold a comment in the queue if it contains N or more links". That allows guest bloggers at most one outgoing link (link bait) per comment. Building an effective moderation word list is time-consuming, but it pays off. You can also use it as a profanity filter: add the profane words to the list and every comment containing one goes to the moderation queue.

Comment Blacklist

The Comment Blacklist (renamed "Disallowed Comment Keys" in newer WordPress versions) is the stricter version of the Comment Moderation list: a comment containing a listed word goes straight to the spam queue instead of the moderation queue. The benefit is that it saves your time.
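To see how the settings above combine, here is an added example that is not WordPress code: a small re-implementation of the decisions those settings drive, with the values suggested in this post, so you can check which queue a given comment would land in. The comments and word lists are constructed; the order of the checks follows what the settings do, but the exact matching rules of WordPress (which also scans author name, email and IP) are simplified.

```python
"""Model of the Settings > Discussion rules described above.

Added example, not WordPress code: a re-implementation of the decisions
those settings drive. Thresholds are the ones suggested in the post; the
sample comments and word lists are constructed.
"""
from dataclasses import dataclass, field
import re

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


@dataclass
class DiscussionSettings:
    allow_pingbacks: bool = False        # Default Article Settings
    require_name_email: bool = True      # Other Comment Settings
    require_login: bool = False
    close_after_days: int = 90
    approve_known_authors: bool = True   # Before a Comment Appears
    max_links: int = 2                   # Comment Moderation: hold if >= this many links
    moderation_words: set = field(default_factory=set)   # -> moderation queue
    blacklist_words: set = field(default_factory=set)    # -> spam queue


@dataclass
class Comment:
    body: str
    author: str = ""
    email: str = ""
    logged_in: bool = False
    is_pingback: bool = False
    post_age_days: int = 0
    author_previously_approved: bool = False


def classify(comment: Comment, s: DiscussionSettings) -> str:
    """Return 'reject', 'spam', 'hold' (moderation queue) or 'approve'."""
    # Settings that refuse the comment outright, before any content check.
    if comment.is_pingback and not s.allow_pingbacks:
        return "reject"
    if s.require_login and not comment.logged_in:
        return "reject"
    if s.require_name_email and not (comment.author and comment.email):
        return "reject"
    if s.close_after_days and comment.post_age_days > s.close_after_days:
        return "reject"
    # Word lists are substring matches, as in WordPress.
    text = comment.body.lower()
    if any(word in text for word in s.blacklist_words):
        return "spam"
    if any(word in text for word in s.moderation_words):
        return "hold"
    if len(URL_RE.findall(comment.body)) >= s.max_links:
        return "hold"
    if s.approve_known_authors and comment.author_previously_approved:
        return "approve"
    return "hold"   # first-time authors wait for manual approval


# The configuration this post suggests, with constructed word lists.
SUGGESTED = DiscussionSettings(
    moderation_words={"casino", "damn"},
    blacklist_words={"viagra"},
)

if __name__ == "__main__":
    samples = [
        Comment("Great write-up, thanks!", "ann", "ann@example.com", author_previously_approved=True),
        Comment("Great write-up, thanks!", "new", "new@example.com"),
        Comment("See http://a.example and http://b.example", "ann", "ann@example.com", author_previously_approved=True),
        Comment("Cheap VIAGRA here", "bot", "bot@example.com"),
        Comment("pingback", "x", "x@example.com", is_pingback=True),
    ]
    for c in samples:
        print(f"{classify(c, SUGGESTED):8} {c.body}")
```

The two queues differ in cost: everything in "hold" is read by a human, everything in "spam" is not, which is why the post puts only words you are sure about on the blacklist and keeps the profanity filter on the moderation list.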