Azure Introduction
Azure Pricing
Azure Threats
Enable Virtual Machine Access using Active Directory Authentication
More Info:
Ensure that your Microsoft Azure virtual machines (VMs) are configured to use Azure Active Directory (AAD) credentials for secure SSH/RDP access. Once enabled, you can use your corporate Active Directory credentials to log in to your virtual machines, enforce Multi-Factor Authentication (MFA), or enable access via RBAC roles.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Enable Virtual Machine Access using Active Directory Authentication” in Azure using the Azure console, follow the below steps:
- Login to the Azure portal (https://portal.azure.com/).
- Navigate to the Virtual Machine for which you want to enable Active Directory authentication.
- Click on the “Networking” tab in the left-hand menu.
- Scroll down to the “Inbound port rules” section and click on “Add inbound port rule”.
- In the “Add inbound security rule” window, provide the following details:
- Name: Enter a name for the rule.
- Priority: Enter a priority value for the rule. This value should be lower than any other existing rules.
- Source: Select “Any” or specify the IP address range from where the traffic should be allowed.
- Service: Select “RDP” or “SSH” depending on the protocol you want to enable.
- Destination port ranges: Enter the port number for RDP or SSH.
- Action: Select “Allow”.
- Protocol: Select “TCP”.
- Virtual machine: Select the virtual machine for which you want to enable Active Directory authentication.
- NIC: Select the network interface card associated with the virtual machine.
- Authentication type: Select “Azure Active Directory”.
- Click on “Add” to create the inbound security rule.
Once the above steps are completed, you have successfully enabled Virtual Machine Access using Active Directory Authentication for the selected Virtual Machine in Azure.
To remediate the misconfiguration “Enable Virtual Machine Access using Active Directory Authentication” in AZURE using AZURE CLI, follow the below steps:
Step 1: Login to AZURE CLI by running the command az login.
Step 2: Run the command az vm update to update the virtual machine.
Step 3: Add the --authentication-type all parameter to the command.
Step 4: Add the --admin-username <username> and --admin-password <password> parameters to specify the admin username and password.
Step 5: Add the --set osProfile.windowsConfiguration.enableAutomaticUpdates=true parameter to enable automatic updates.
Step 6: Add the --set osProfile.windowsConfiguration.provisionVMAgent=true parameter to provision the virtual machine agent.
Step 7: Add the --set osProfile.windowsConfiguration.winRM.listeners.protocol=https parameter to enable HTTPS protocol for WinRM listeners.
Step 8: Add the --set osProfile.windowsConfiguration.winRM.listeners.certificateUrl=<certificate-url> parameter to specify the certificate URL for WinRM listeners.
Step 9: Add the --set osProfile.windowsConfiguration.winRM.listeners.certificateThumbprint=<certificate-thumbprint> parameter to specify the certificate thumbprint for WinRM listeners.
Step 10: Add the --set osProfile.windowsConfiguration.winRM.listeners.allowedOrigins=<allowed-origins> parameter to specify the allowed origins for WinRM listeners.
Step 11: Finally, run the command az vm update with all the parameters mentioned above to remediate the misconfiguration “Enable Virtual Machine Access using Active Directory Authentication” in AZURE using AZURE CLI.
Note: Replace <username>, <password>, <certificate-url>, <certificate-thumbprint>, and <allowed-origins> with the actual values.
To enable Virtual Machine Access using Active Directory Authentication in Azure using Python, you can follow the below steps:
-
Install the Azure SDK for Python using the following command:
pip install azure -
Import the required libraries:
from azure.mgmt.compute import ComputeManagementClient from azure.common.credentials import ServicePrincipalCredentials -
Authenticate with Azure Active Directory using a Service Principal:
credentials = ServicePrincipalCredentials( client_id='<client_id>', secret='<client_secret>', tenant='<tenant_id>' ) -
Instantiate the ComputeManagementClient:
compute_client = ComputeManagementClient( credentials, '<subscription_id>' ) -
Get the Virtual Machine you want to enable AD Authentication for:
vm = compute_client.virtual_machines.get( '<resource_group_name>', '<vm_name>' ) -
Update the Virtual Machine’s OS Profile to enable AD Authentication:
vm.os_profile.windows_configuration.additional_unattend_content = [{ "passName": "Microsoft-Windows-Shell-Setup", "componentName": "OOBE", "settingName": "AutoLogon", "content": '<AutoLogon><Enabled>true</Enabled><Username>{0}</Username><Password><Value>{1}</Value><PlainText>true</PlainText></Password></AutoLogon>'.format( '<domain_username>', '<domain_password>' ) }]Replace
<domain_username>and<domain_password>with the Active Directory username and password you want to use for authentication. -
Update the Virtual Machine in Azure:
compute_client.virtual_machines.create_or_update( '<resource_group_name>', '<vm_name>', vm )This will update the Virtual Machine’s OS Profile and enable AD Authentication.
Note: Make sure that the Virtual Machine is joined to the domain and the Active Directory user has the necessary permissions to log in to the Virtual Machine.