Azure Security and Compliance – Practical Exercises
Overview
This course includes optional practical exercises where you can try out the technologies described in the course for yourself. This guide lists the steps for the individual practical exercises. See the Overview page under Practical Exercises in your course for information about getting started.
Setup
If you already have a Microsoft Azure subscription, you can skip this section. Otherwise, follow these steps to create a free trial subscription. You will need to provide a valid credit card number for verification, but you will not be charged for Azure services – for more information, see the frequently asked questions on the Azure sign-up page.
1. If you already have a Microsoft account that has not already been used to sign up for a free Azure trial subscription, you’re ready to get started. If not, don’t worry, just create a new Microsoft account.
2. After you’ve created a Microsoft account, create your free Microsoft Azure account. You’ll need to sign-in with your Microsoft account if you’re not already signed in. Then you’ll need to:
Enter your cellphone number and have Microsoft send you a text message to verify your identity.
Enter the code you have been sent to verify it.
Provide valid payment details. This is required for verification purposes only – your credit card won’t be charged for any services you use during the trial period, and the account is automatically deactivated at the end of the trial period unless you explicitly decide to keep it active.
Install Azure PowerShell (if needed)
In this exercise, you will install Azure PowerShell.
Note: If you have already installed Azure PowerShell you can skip this exercise.
1. From your computer, open an elevated PowerShell prompt.
Cmdlets for Resource Manager
2. Run the Install-Module AzureRM command. This will install the AzureRM module which
represents resource management.
3. If you are prompted to install and import the NuGet provider, type Y and then press the Enter key.
4. If you are notified that the repository is untrusted, confirm that you want to install the
modules by typing Y and then pressing the Enter key. The installation process will take
several minutes as packages are downloaded and installed.
5. After the download and installation is finished, run the Import-Module AzureRM command.
6. Note: If you receive a message that running scripts on your computer has been disabled, temporarily change the execution policy:
Set-ExecutionPolicy Unrestricted
After the import command is complete, return the execution policy to Restricted:
Set-ExecutionPolicy Restricted
Cmdlets for Service Manager (Classic) – also includes basic cmdlets such as subscription
management
1. Run the Install-Module Azure command. This will install the Azure module which
represents service management.
2. If you are notified that the repository is untrusted, confirm that you want to install the
modules by typing Y and then pressing the Enter key.
3. Once the download and installation is finished, run the Import-Module Azure command.
Explore storage cmdlets and update the Help pages
1. Run Get-Command *azurestorage* to view storage cmdlets you can use in this course.
2. This is a good time to run Update-Help so you have the latest help pages. Don’t be
concerned if some libraries don’t update. You can always find the Help pages on TechNet.
If you have trouble installing the PowerShell modules from the PowerShell Gallery, you can try the WebPI method instead. Visit http://aka.ms/webpi-azps to download and install the modules.
Module 2 – Key Vault
Create a Key Vault (Portal)
In this exercise, you will create a new key vault in the Azure portal.
1. Navigate to the Azure portal and sign in.
2. On the Hub menu, click More Services.
3. Type key vault in the filter to reveal the available option for managing cryptographic information in the Azure Portal. Mark Key vaults as a favorite to pin it to your Hub menu.
4. Click Key vaults. If you have any existing key vaults they will appear in this list.
5. On the Key vaults blade, click Add.
6. On the Create Key Vault blade, fill in the following values to create a new key vault. Click Create when you are finished entering the information.
Name: KeyVault-<RandomAlphaNumericString> where <RandomAlphaNumericString> is a random assortment of letters and numbers to make the name unique across Azure.
Subscription: <YourSubscription>
Resource Group: Create a new resource group named KeyVaultRG
Location: <YourLocation>
Pricing tier: P1 Premium
Access policies: Leave as default
Advanced access policy: Enable all options
7. On the menu bar, monitor the alerts for progress as the new key vault is created.
8. On the Hub menu, click Key vaults. Confirm that the new key vault has been created.
9. Select your key vault.
10. Take a few minutes to explore the various configuration options that are available, for example Access control (IAM), Keys, Secrets, Access policies, and Advanced access policies. These areas will be explored in the following labs for this module.
Add Security to the Key Vault
In this exercise, you will create a new group and assign key and secret permissions.
1. Navigate to the Azure Portal and sign in.
2. On the Hub menu, click Azure Active Directory.
3. On the Azure Active Directory blade, click Users and groups.
4. On the Users and groups blade, under MANAGE, click All groups.
5. Click + Add to create a new group with the following information:
Name: Network Operations Team
Description: <YourDescription>
Membership type: Assigned
Members: <Add yourself to the group>
6. Click Create to create the new Azure Active Directory group.
7. On the Dashboard, navigate to your key vault.
8. On the Key vault blade, under SETTINGS, click Access policies.
9. Click Add new to create a new Access policy with the following information:
Select principal: Network Operations Team
Configure from template (optional): <leave as default value>
Key permissions: Get and List
Secret permissions: Get and List
Authorized application: None selected
10. Click OK to add the key vault access policy.
11. On the Key vault blade, under SETTINGS, click Access control (IAM).
12. Click + Add and review the Roles that are available. Specifically, notice the Reader and Key Vault Contributor roles.
13. Select the Reader role and Network Operations Team as the user.
14. Confirm that the Network Operations Team has the Key Vault Contributor role.
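The same separation of the data plane (access policy on keys and secrets) from the management plane (RBAC role on the vault resource) can be applied and then verified from PowerShell. This is an added example, not part of the lab; it assumes the AzureRM modules installed earlier, an existing login, and the Network Operations Team group created above. <YourKeyVault> is a placeholder.

```powershell
# Added example: least-privilege access for the Network Operations Team, then verification.
# Assumes Login-AzureRmAccount has already been run and AzureRM.KeyVault/AzureRM.Resources are loaded.
$vaultName = '<YourKeyVault>'   # placeholder: the vault created in the previous exercise
$group = Get-AzureRmADGroup -SearchString 'Network Operations Team' | Select-Object -First 1

# Data plane: the access policy is keyed on the group's object ID. Only Get and List are granted,
# so members can read keys and secrets but cannot create, delete or back them up.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $group.Id `
    -PermissionsToKeys get,list -PermissionsToSecrets get,list

# Management plane: Reader on the vault resource lets the group see the vault in the portal
# without being able to change its configuration (Key Vault Contributor would allow that).
$kv = Get-AzureRmKeyVault -VaultName $vaultName
New-AzureRmRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Reader' -Scope $kv.ResourceId

# Verify both planes: the policy should show only get/list, and the role list only Reader.
(Get-AzureRmKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $group.Id } |
    Select-Object DisplayName, PermissionsToKeys, PermissionsToSecrets
Get-AzureRmRoleAssignment -ObjectId $group.Id -Scope $kv.ResourceId |
    Select-Object RoleDefinitionName, Scope
```

Running the verification after the portal steps above is a quick way to confirm that no broader permission (for example Key Vault Contributor plus data-plane write rights) was granted by accident.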
Create a Key (Portal)
In this exercise, you will create a new key using the Azure portal and PowerShell.
Create a key in the portal
1. Navigate to the Azure portal and sign in.
2. Navigate to your key vault.
3. Under Assets, click Keys.
4. On the Keys blade, click + Add.
5. Notice the three options to create a key: Generate, Upload, and Restore Backup.
6. On the Create a key blade, fill in the following values to create a new key. Click Create when you are finished entering the information.
Options: Generate
Name: Key1
Key Type: Software key
Set activation date: Unchecked
Set expiration date: Unchecked
Enabled: Yes
7. On the menu bar, monitor the alerts for progress as the new key is created.
8. Confirm the key was added to the key vault.
Create a key using PowerShell
1. Open an elevated PowerShell prompt.
2. Log in to Azure. In the Sign in to your account window, enter your Azure administrative credentials and then click Sign in. Complete your authentication as needed (for example, if you have two-factor authentication enabled, you might be prompted for the second authentication factor).
Login-AzureRmAccount
3. Generate a software key and store it in a variable.
$key2 = Add-AzureKeyVaultKey -Name Key2 -VaultName <your key vault> -Destination Software
4. View the URI for the key.
$key2.Id
5. Return to the portal and confirm your new key was created. Notice the Key Identifier URI.
6. Notice that all the operations are permitted.
7. Return to PowerShell and disable the key.
Set-AzureKeyVaultKeyAttributes -Name Key2 -VaultName <your key vault> -Enable $false
8. Verify in the portal that the key is disabled. You may need to refresh the page.
Create a Secret (Portal and PowerShell)
In this exercise, you will create a new secret using the Azure portal and PowerShell.
Create a secret in the portal
1. Navigate to the Azure portal and sign in.
2. Locate your key vault.
3. Under Assets, click Secrets.
4. On the Secrets blade, click + Add.
5. Notice the upload options: Certificate and Manual.
6. On the Create a secret blade, fill in the following values to create a new secret. Click Create when you are finished entering the information.
Options: Manual
Name: DBConnectionString1
Value: Pa$$w0rd
Content type: Leave blank
Set activation date: Unchecked
Set expiration date: Unchecked
Enabled: Yes
7. On the menu bar, monitor the alerts for progress as the new secret is created.
8. Confirm the secret was added to the key vault.
Create a secret using PowerShell
1. Open an elevated PowerShell prompt.
2. Log in to Azure. In the Sign in to your account window, enter your Azure administrative credentials and then click Sign in. Complete your authentication as needed (for example, if you have two-factor authentication enabled, you might be prompted for the second authentication factor).
Login-AzureRmAccount
3. Create a secure string for the secret value. This is a connection string to the Northwind database.
$SecretValue = ConvertTo-SecureString 'Data Source=.\;Initial Catalog=Northwind;Integrated Security=True' -AsPlainText -Force
4. Create the secret and store it in a variable.
$Secret = Set-AzureKeyVaultSecret -VaultName '<YourKeyVault>' -Name 'DbConnectionString2' -SecretValue $SecretValue
5. You can now reference the secret that you added to Azure Key Vault by using its URI.
$Secret.Id
6. View the secret.
Get-AzureKeyVaultSecret -VaultName '<YourKeyVault>' -Name 'DbConnectionString2'
7. Return to the portal and confirm your secret was created.
Key Vault Diagnostic Logging (Portal and PowerShell)
In this exercise, you will learn about Key Vault logging.
Explore diagnostic logging
1. Navigate to the Azure portal and sign in.
2. Locate your key vault.
3. Select Diagnostic Logging and notice the logging is Off.
Enable diagnostic logging
4. Open an elevated PowerShell prompt.
5. Log in to Azure. In the Sign in to your account window, enter your Azure administrative credentials and then click Sign in. Complete your authentication as needed (for example, if you have two-factor authentication enabled, you might be prompted for the second authentication factor).
Login-AzureRmAccount
6. Create a storage account for the diagnostic logs. The name must be unique, and you should use the same datacenter location as your key vault. This may take a minute to complete.
$sa = New-AzureRmStorageAccount -ResourceGroupName <your resource group> -Name keyvaultlogs -Type Standard_LRS -Location <YourLocation>
7. Retrieve the key vault.
$kv = Get-AzureRmKeyVault -VaultName <YourKeyVaultName>
8. Enable diagnostic logging.
Set-AzureRmDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id -Enabled $True -Categories AuditEvent
9. The output will display the details of the StorageAccountId and log retention settings.
10. Return to the portal and verify Diagnostics Logs is now On. Notice your storage account name.
11. Now that diagnostics have been enabled, you can do further exploration on your own. Begin by creating some secrets and keys.
12. View the diagnostic log using the Get-AzureStorageBlob cmdlet or by browsing to the insights-logs-auditevent container in the storage account (you will need to browse all the way down to the JSON file). To view the JSON file, download the file and open it in Visual Studio or a text editor.
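Rather than opening the JSON files one at a time, the AuditEvent records can be pulled down and summarised from PowerShell. This is an added example, not part of the lab; it assumes the $sa storage account object from step 6 and the Azure.Storage cmdlets installed earlier, and the record field names (operationName, resultType, resultSignature, callerIpAddress, identity.claim) follow the documented Key Vault diagnostic log schema.

```powershell
# Added example: download the Key Vault AuditEvent logs and summarise them.
# Assumes $sa from step 6 and the Azure.Storage module; field names follow the documented
# Key Vault log schema, so check them against one of your downloaded JSON files.
function Get-KeyVaultAuditRecords {
    param(
        [Parameter(Mandatory)] $StorageContext,
        [string] $Container   = 'insights-logs-auditevent',
        [string] $Destination = (Join-Path $env:TEMP 'kv-auditlogs')
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    # One PT1H.json blob per vault, day and hour; download them all, keeping the blob path.
    Get-AzureStorageBlob -Container $Container -Context $StorageContext | ForEach-Object {
        Get-AzureStorageBlobContent -Blob $_.Name -Container $Container -Context $StorageContext `
            -Destination $Destination -Force | Out-Null
    }

    # Each file is {"records":[...]}; flatten every file into one stream of records.
    Get-ChildItem -Path $Destination -Recurse -Filter *.json | ForEach-Object {
        $parsed = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
        if ($parsed.PSObject.Properties.Name -contains 'records') { $parsed.records } else { $parsed }
    }
}

$records = Get-KeyVaultAuditRecords -StorageContext $sa.Context

# Which operations were performed against the vault, and how many of each succeeded or failed.
$records | Group-Object operationName, resultType | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Failed calls (Forbidden, Unauthorized, ...) with the caller's identity and source address.
# After the access policy changes earlier in this module, this is the list worth reviewing.
$records | Where-Object { $_.resultType -ne 'Success' } | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.time
        Operation = $_.operationName
        Result    = $_.resultSignature
        CallerIp  = $_.callerIpAddress
        Upn       = $_.identity.claim.'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
        AppId     = $_.identity.claim.appid
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Logs are written to the storage account with some delay, so run the secret and key operations from step 11 first and allow a few minutes before expecting records.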
Module 3 – Security Center
Enable Azure Security Center
In this exercise, you will enable the Security Center in the Azure portal and then
configure some of the basic settings.
1. Navigate to the Azure portal and sign in.
2. In the left pane, click Security Center.
3. On the Security Center – Welcome screen, click Yes! I want to Launch Azure
Security Center.
4. You will notice a blue information message stating Security Center is starting and
analyzing your data for the first time. This might take a couple of minutes.
5. You may receive a prompt to enable data collection for your subscription(s) to
enable all security controls. Click the message at the top of the Security Center
blade. On the Security policy blade, ensure Data collection is set to On.
6. Under Policy components, click Prevention policy and review the listed
recommendations. For example, you can enable or disable recommendations for
System updates or OS vulnerabilities by turning them on or off.
7. Under Policy components, click Email notifications.
8. Enter your contact email address and phone number information.
9. Under Send me emails, set the Send me emails about alerts option to On and
then click OK.
10. Under Policy components, click Pricing tier.
11. Click Standard – Free Trial and click Select. The Standard tier adds features such as advanced threat detection and is free for 90 days.
12. On the Security policy blade, click Save.
13. On the menu bar, monitor the alerts for progress as settings are processed.
14. On the Security Center – Security policy blade, pin the blade to your dashboard.
Deploy Resources for Use with the Security Center
In this exercise, you will deploy several resources in Azure for the purpose of generating
data for the Azure Security Center. Once the resources are fully deployed, the Security
Center can then scan the resources and provide recommendations that an administrator
can take action upon to enhance their security profile.
The goal of this exercise is to generate data and resources for Security Center. You
might need to take further action to generate security related information and alerts.
If you already have other resources deployed in your subscription, you might have
alerts being generated already. As a follow-on to these practical exercises, consider
leaving the resources running for an extended period of time to further explore
Security Center.
1. Navigate to the Azure portal and sign in.
Create a Windows 2016 Datacenter virtual machine
2. Create a new virtual machine running Windows Server 2016 Datacenter with the
following settings:
Name: SERVER-01
VM disk type: HDD
User name: <YourFirstName>
Password: Pa$$w0rd12345
Subscription: <YourSubscription>
Resource group: Create a new one named “Server2016-RG”
Location: <YourLocation>
Size: A0 Basic (note that you might need to View all of the available sizes so
that you can use the A0 Basic size)
3. On the settings blade, review the default options for storage, network, extensions,
high availability, and monitoring and then click OK.
4. On the Summary blade, review the configuration and then click OK.
5. On the menu bar, monitor the alerts for progress as the new virtual machine is
created.
Create a second Windows Server 2016 Datacenter virtual machine
6. Create a second virtual machine named SERVER-02 by using the same settings
as you used for SERVER-01.
Create a SQL database
7. In the left pane, click SQL databases.
8. On the SQL databases blade, click + Add.
9. Create the SQL database with the following settings and then click Create.
Database name: Sample
Subscription: <YourSubscription>
Resource group: Use the existing resource group named Server2016-RG
Select source: Sample
Select sample: AdventureWorksLT [V12]
Server: Click Configure required settings, click Create a new server, and
then create a new SQL server with the following information:
i. Server name: SQL-<YourName>
ii. Server admin login: Admin-<YourName>
iii. Password: Pa$$w0rd12345
iv. Confirm password: Pa$$w0rd12345
v. Location: <YourLocation>
Pricing tier: Basic
Collation: <LeaveAsDefault>
Create a Red Hat Linux virtual machine
10. In the left pane, click + New.
11. Click Compute, click Red Hat Enterprise Linux 7.2, and then click Create.
12. In the Create virtual machine menu, on the Basics blade, configure the virtual machine using the following settings:
Name: Linux
VM Disk type: HDD
User name: Admin-<YourLastName>
Authentication type: Password
Password: Pa$$w0rd12345
Confirm password: Pa$$w0rd12345
Subscription: <YourSubscription>
Resource group: Use the existing resource group named Server2016-RG
Location: <YourLocation>
Size: A0 Basic (note that you might need to View all of the available sizes so
that you can use the A0 Basic size)
13. On the menu bar, monitor the alerts for progress as the new resources are deployed.
Use the Security Center
In this exercise, you will use the Azure Security Center to review security health and
recommendations. Once the scans are run and the recommendations are available, you
will walk through some of the remediation steps.
1. Navigate to the Azure Portal and sign in.
2. On the Dashboard, click Security Center.
3. On the Security Center – Overview blade, under Prevention, you will be presented
with a high level status of all resources containing both High Severity and Low
Severity indicators.
4. You will notice a Recommendations graphic that encompasses all resources. Click
Recommendations to review the list. When viewing the recommendations for
the first time, it may take a few minutes for Azure to generate the list.
Your list of recommendations may be different. That is okay, just remediate the
ones you have. Feel free to explore others that are not listed here.
Remediate Endpoint Protection
5. On the Recommendations blade, you will see a recommendation to Install
Endpoint Protection on two virtual machines with a High Severity designation.
Click Install Endpoint Protection.
6. On the Install Endpoint Protection blade, click Install on 2 VMs.
7. On the Select Endpoint Protection blade, click Microsoft Antimalware then click
Create.
8. On the Install Microsoft Antimalware blade, click OK.
9. On the menu bar, monitor the alerts for progress as endpoint protection is being
installed to your two Windows virtual machines.
Remediate Next Generation Firewall
10. Return to the Recommendations blade and click Add a Next Generation
Firewall for your endpoints.
11. On the Add a Next Generation Firewall blade, click Linux-ip and then click Create
New.
12. On the Create a New Next Generation Firewall, click Barracuda Networks, Inc.
then click Create.
13. On the Create virtual machine menu, on the Basics blade, configure the virtual
machine with the standard configuration and click OK.
14. On the Purchase blade, click Purchase to purchase the Barracuda NextGen
Firewall F-Series then click Create.
15. On the menu bar, monitor the alerts for progress as the next generation firewall
virtual machine is being deployed.
Remediate Data Encryption
16. On the Recommendations blade, click Enable Transparent Data Encryption for
the Sample database.
17. On the Enable Transparent Data Encryption on SQL databases blade, click
Sample.
18. On the Transparent data encryption blade, select On then click Save.
19. You can review the Encryption status in real time on this blade. After a few
moments, encryption will be enabled.
Filter and continue to resolve
20. On the Recommendations blade, you will eventually see that some of the items
have an updated state showing that they have been resolved.
21. Click Filter under Recommendations and uncheck the Resolved status.
22. In the background, you will see some of the recommendations disappear.
23. Close the Filter blade to return to the Recommendations menu.
24. Once you receive the alert that the Next Generation Firewall solution has been
successfully provisioned, click Add a Next Generation Firewall on the
Recommendations blade.
25. You should have two previously deployed Windows Server 2016 virtual machines.
Click SERVER-01-ip.
26. Select the Barracuda Networks, Inc. Next Generation Firewall from this menu and
click OK.
27. Repeat the steps for SERVER-02-ip.
28. Explore the partner solutions (optional) by clicking Partner solutions on the
Security Center blade. This will enable you to view all partner solutions connected
to Azure Security Center. It also provides recommendations for resources that are
linked to this partner solution.