Azure VM Security: Antivirus, Patching & Endpoint Protection
Azure virtual machines (VMs) are a popular choice for businesses of all sizes. They offer a scalable and reliable platform for hosting workloads. However, it is important to take steps to secure your Azure VMs from malware and other threats. This blog post discusses several key ways to secure your Azure VMs.
We are focusing on native solutions; however, many third-party providers offer similar services.
Key Principles for Azure VM Security:
Layered Security Approach: Implementing a multifaceted security paradigm is critical. Utilize antivirus software, endpoint protection, patch management, and network security groups (NSGs) to fortify VMs against evolving threats.
Patch Management: Regularly update VMs with the latest security patches. Timely installations mitigate vulnerabilities and deter potential exploits, especially for critical and high-severity vulnerabilities.
Access Control Measures: Strengthen access controls by utilizing robust passwords, SSH keys, and Azure Active Directory (AzureAD) identities. Employ Azure Role-Based Access Control (RBAC) alongside perimeter firewalls and NSGs to restrict unauthorized access.
Centralized Identity Management: Leverage AzureAD identities for centralized management and heightened auditing capabilities, bolstering the VMs’ security posture.
Restriction of VM Access: Prioritize limiting VM access exclusively to authorized users and applications. Employ a combination of perimeter firewalls, NSGs, and Bastion to curtail the attack surface and mitigate remote connectivity risks.
Monitoring and Alert Systems: Implement Microsoft Defender for Cloud to monitor VMs proactively. Detect suspicious activities and receive security alerts to pre-emptively counter potential threats, including malware and viruses.
Now we have the main points, let’s dive further.
Antivirus / Endpoint Detection and Response (EDR)
Antivirus software is essential for protecting your Azure VMs from malware; however, many modern attacks are no longer detected or prevented by standard signature-based methods. This is why many organisations have moved to EDR capabilities. Microsoft's native Azure offering for this is Microsoft Defender for Cloud.
Microsoft Defender offers two plans.
- Plan 1 is suitable if you are simply trying to secure your VM from common threats.
- Plan 2 is suitable for those wanting more. Plan 2 offers vulnerability management (Powered by Qualys), more network capabilities (Threat detection), and automation controls (Just-In-Time Access).
In some cases Plan 1 is sufficient, as Plan 2 overlaps with tools and processes you may already have in place. It’s also important to be aware of the pricing model. The cost is $X per server per month: https://azure.microsoft.com/en-gb/pricing/details/defender-for-cloud/
Enabling Defender For Servers
Within Microsoft Defender for Cloud, click Environment Settings. Under Subscriptions, select the Subscription to configure coverage.
From here you can enable Defender for Servers. After clicking the On toggle, you need to configure both the monitoring coverage and the plan, otherwise the default settings are applied. Whilst this may be fine for some, it’s worth reviewing.
Firstly, you want to confirm your plan. Plan 2 is enabled by default, however if you wish to downgrade, click Change Plan and select Plan 1.
Once your plan is configured, select Settings under Monitoring Coverage.
Here you have a few options. For now, we are focused on the endpoint protection aspect and cover the vulnerability management piece later. Your environment may have multiple standards, so it’s preferable to configure the Log Analytics workspace to meet your requirements before you select it. If you don’t, a “default” workspace is created.
For more information: https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-enable-servers-plan
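Once the plan is set through the portal, it is easy for individual subscriptions to drift (left on the Free tier, or on a different sub-plan than the one you decided on). The script below is an added example, not from the original post or from Microsoft. It parses JSON in the shape that `az security pricing list -o json` returns; the field names `name`, `pricingTier` and `subPlan` are an assumption about that output, so verify them on your CLI version. The per-subscription sample data is constructed.

```python
"""Audit Defender for Servers coverage across subscriptions.

Added example, not part of the original post. It parses JSON in the shape
that `az security pricing list -o json` returns (assumed field names:
`name`, `pricingTier`, `subPlan`) and reports where the VirtualMachines
plan is off, missing, or on a sub-plan other than the one policy expects.
"""
import json

SERVERS_PLAN = "VirtualMachines"      # the Defender for Servers pricing entry
VALID_SUBPLANS = {"P1", "P2"}

# Constructed sample output for three subscriptions (other Defender plans omitted).
SAMPLE_BY_SUBSCRIPTION = {
    "sub-prod": json.dumps({"value": [
        {"name": "VirtualMachines", "pricingTier": "Standard", "subPlan": "P2"},
        {"name": "StorageAccounts", "pricingTier": "Free", "subPlan": None},
    ]}),
    "sub-dev": json.dumps({"value": [
        {"name": "VirtualMachines", "pricingTier": "Free", "subPlan": None},
    ]}),
    "sub-sandbox": json.dumps({"value": []}),
}


def servers_plan_status(pricings_json: str) -> dict:
    """Return {'present', 'enabled', 'subplan'} for the VirtualMachines plan."""
    entries = {e.get("name"): e for e in json.loads(pricings_json).get("value", [])}
    entry = entries.get(SERVERS_PLAN)
    if entry is None:
        return {"present": False, "enabled": False, "subplan": None}
    enabled = entry.get("pricingTier") == "Standard"
    return {"present": True, "enabled": enabled,
            "subplan": entry.get("subPlan") if enabled else None}


def audit_subscriptions(pricings_by_sub: dict, wanted_subplan: str) -> dict:
    """Map each subscription to a list of issues; an empty list means compliant.

    wanted_subplan is the plan you settled on (P1 or P2), so drift in either
    direction is surfaced, not just "plan off".
    """
    if wanted_subplan not in VALID_SUBPLANS:
        raise ValueError(f"wanted_subplan must be one of {sorted(VALID_SUBPLANS)}")
    report = {}
    for sub, pricings_json in pricings_by_sub.items():
        status = servers_plan_status(pricings_json)
        issues = []
        if not status["present"]:
            issues.append("VirtualMachines plan entry missing from pricing list")
        elif not status["enabled"]:
            issues.append("Defender for Servers is on the Free tier (not enabled)")
        elif status["subplan"] != wanted_subplan:
            issues.append(f"sub-plan is {status['subplan']}, policy expects {wanted_subplan}")
        report[sub] = issues
    return report


if __name__ == "__main__":
    for sub, issues in audit_subscriptions(SAMPLE_BY_SUBSCRIPTION, "P2").items():
        print(f"{sub}: {'OK' if not issues else '; '.join(issues)}")
```

In practice you would feed the function the real output of `az security pricing list` captured per subscription; the check deliberately treats a missing entry and a Free-tier entry as separate findings, because the first usually means the subscription was never onboarded while the second means someone turned the plan off.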
Software vulnerabilities are exploited by attackers to gain access to your Azure VMs. It is important to keep your VMs up to date with the latest security patches. Azure provides various tools to help you automate the patching process.
If you don’t have a defined strategy, it’s worth reviewing frameworks and guidance from organisations such as NIST: https://csrc.nist.gov/pubs/sp/800/40/r4/final
The Ground Work
Prior to running a tool, you first need to define what your patch cycles are going to be. This includes frequency, timing and severity. You may also need to stage patches through development, staging and production. This is a great way to validate whether patches interrupt normal service and cause incidents.
Although vendors test before they release patches, there is no guarantee that a patch won’t cause issues, because they cannot replicate your environment.
On the flip side, some people take too much care and are late to patch. This brings more risk, so an acceptable balance is needed between security and the business.
For Azure, Azure Update Manager is the native solution for centralizing your VMs’ operating system patches. Deployment is simple, and in a matter of minutes you have full control of your patching cycles.
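The frequency, timing and severity decisions above are easier to reason about once they are written down as rules rather than kept in people's heads. The planner below is an added example, not from the original post or from any Microsoft tool. The SLA days per severity, the ring offsets and the Saturday production maintenance window are all assumptions chosen for illustration; replace them with what your own policy says.

```python
"""Patch-cycle planner: severity-driven deadlines, staged rings, maintenance window.

Added example, not from the original post. The SLA days, ring offsets and
the Saturday production window are assumed values for illustration.
"""
from datetime import date, timedelta

SLA_DAYS = {"Critical": 7, "High": 14, "Medium": 30, "Low": 90}   # assumed policy
# Rings and the fraction of the SLA window at which each ring starts; whatever
# is left after production is soak time before the deadline.
RINGS = [("development", 0.0), ("staging", 0.3), ("production", 0.6)]
PROD_WINDOW_WEEKDAY = 5   # assumed: production only patches on Saturdays (Mon=0)


def next_window(day: date, weekday: int) -> date:
    """First date on or after `day` that falls on the given weekday."""
    return day + timedelta(days=(weekday - day.weekday()) % 7)


def plan_rollout(release: date, severity: str) -> dict:
    """Schedule each ring for a patch released on `release` at the given severity.

    Production is moved forward to the next maintenance window unless that
    would miss the deadline; in that case the earlier date is kept and the
    conflict is flagged so a human decides (out-of-band change or accepted risk).
    """
    sla = SLA_DAYS[severity]          # an unknown severity raises KeyError on purpose
    deadline = release + timedelta(days=sla)
    rings = {ring: release + timedelta(days=round(sla * frac)) for ring, frac in RINGS}
    snapped = next_window(rings["production"], PROD_WINDOW_WEEKDAY)
    window_conflict = snapped > deadline
    if not window_conflict:
        rings["production"] = snapped
    return {"deadline": deadline, "rings": rings, "window_conflict": window_conflict}


if __name__ == "__main__":
    for sev in SLA_DAYS:
        plan = plan_rollout(date(2024, 1, 2), sev)
        flag = "CONFLICT" if plan["window_conflict"] else ""
        print(sev, plan["deadline"], plan["rings"], flag)
```

The interesting case is a critical patch released late in the week: snapping production to the Saturday window would overshoot the seven-day deadline, so the planner keeps the earlier date and flags it, which is exactly the "security versus business" trade-off the text describes, surfaced as data instead of argued case by case.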
Let’s take a look…
Using Azure Update Manager
Before you run the tool, it’s important to also be aware of support. You need to ensure your VM operating systems are listed here: https://learn.microsoft.com/en-gb/azure/update-manager/support-matrix?tabs=azurevm%2Cazurevm-os&WT.mc_id=Portal-Microsoft_Azure_Automation#supported-operating-systems
As you see below, once you have supported VMs they appear in the list.
Automatic assessment should be enabled, either via this pane, or Azure policy. This allows Azure to frequently check if updates are available.
If you’re in a rush, you can also run on-demand checks by selecting Check For Updates.
Once complete, it highlights what updates are available. To see more detail, click the Updates pane, and see the status.
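The portal shows the same information per VM, but across a fleet you want a check that flags the three things that matter from this section at once: assessment not enabled, assessment stale, and security updates outstanding. The script below is an added example, not from the original post or from Azure Update Manager. Its sample records are constructed to mimic the parts of `az vm get-instance-view` output it reads (`osProfile.*Configuration.patchSettings.assessmentMode` and `instanceView.patchStatus.availablePatchSummary`); those field names and the two-day staleness threshold are assumptions, so verify them against your CLI version and policy.

```python
"""Flag VMs whose update assessment is off, stale, or shows pending security patches.

Added example, not from the original post. Sample records are constructed to
resemble `az vm get-instance-view` output; the nested field names are an
assumption to verify on your CLI version.
"""
from datetime import datetime, timedelta, timezone

MAX_ASSESSMENT_AGE = timedelta(days=2)   # assumed: flag assessments older than this

# Constructed sample for three VMs (not real data).
SAMPLE_VMS = [
    {"name": "vm-web-01",
     "osProfile": {"linuxConfiguration": {"patchSettings": {"assessmentMode": "AutomaticByPlatform"}}},
     "instanceView": {"patchStatus": {"availablePatchSummary": {
         "lastModifiedTime": "2024-03-01T02:00:00Z", "criticalAndSecurityPatchCount": 0,
         "otherPatchCount": 3, "rebootPending": False}}}},
    {"name": "vm-db-01",
     "osProfile": {"windowsConfiguration": {"patchSettings": {"assessmentMode": "ImageDefault"}}},
     "instanceView": {}},                      # never assessed: no patchStatus at all
    {"name": "vm-app-02",
     "osProfile": {"windowsConfiguration": {"patchSettings": {"assessmentMode": "AutomaticByPlatform"}}},
     "instanceView": {"patchStatus": {"availablePatchSummary": {
         "lastModifiedTime": "2024-02-20T02:00:00Z", "criticalAndSecurityPatchCount": 4,
         "otherPatchCount": 0, "rebootPending": True}}}},
]


def extract(vm: dict) -> dict:
    """Pull assessment mode and the available-patch summary out of the nested record."""
    os_profile = vm.get("osProfile") or {}
    cfg = os_profile.get("linuxConfiguration") or os_profile.get("windowsConfiguration") or {}
    mode = (cfg.get("patchSettings") or {}).get("assessmentMode")
    patch_status = (vm.get("instanceView") or {}).get("patchStatus") or {}
    return {"name": vm["name"], "assessmentMode": mode,
            "summary": patch_status.get("availablePatchSummary") or {}}


def check_vm(vm: dict, now: datetime) -> list:
    """Return the list of problems for one VM; an empty list means nothing to do."""
    info = extract(vm)
    problems = []
    if info["assessmentMode"] != "AutomaticByPlatform":
        problems.append("periodic assessment not enabled")
    summary = info["summary"]
    ts = summary.get("lastModifiedTime")
    if ts is None:
        problems.append("no assessment result recorded")
        return problems
    assessed = datetime.fromisoformat(ts.replace("Z", "+00:00"))   # "Z" suffix for older Pythons
    age = now - assessed
    if age > MAX_ASSESSMENT_AGE:
        problems.append(f"assessment stale ({age.days} days old)")
    pending = summary.get("criticalAndSecurityPatchCount") or 0
    if pending > 0:
        problems.append(f"{pending} critical/security updates pending")
    if summary.get("rebootPending"):
        problems.append("reboot pending")
    return problems


def check_fleet(vms: list, now: datetime) -> dict:
    """Map VM name to its problem list."""
    return {vm["name"]: check_vm(vm, now) for vm in vms}


if __name__ == "__main__":
    for name, problems in check_fleet(SAMPLE_VMS, datetime.now(timezone.utc)).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

A VM with the mode left at ImageDefault and no recorded summary is the one to look at first: it is not that it has zero updates, it is that nobody has asked. Pair this with the support-matrix check above, since an unsupported OS will also show up as "never assessed".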
Remember, patching isn’t just for operating systems. You also need to cover patches for third-party applications. This is often handled by a vulnerability management scanner such as Qualys.
Running vulnerability management is key for any organization. Malicious actors thrive on exploits and weaknesses. If these are not visible or managed correctly, it’s game over.
Those who aren’t running VMDR tools such as Qualys or Rapid7 may want to use the native option. With Microsoft Defender for Servers Plan 2, Qualys is included. For those who are running Qualys already, you may want to review the BYO license models listed here: https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm
It’s important to note that if you are running web interfaces, Defender may not cover these. You may need a vulnerability scanner that runs an assessment externally.
To view vulnerabilities flagged by Defender, you simply navigate to the Microsoft Defender for Cloud Portal. Here, click Recommendations and select Machines should have vulnerability findings resolved.
This helps to identify what VMs have outstanding vulnerabilities.
As you see below, this VM has several findings that need to be addressed. Most organisations will try to address critical/high findings at a minimum.
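The recommendation view lists findings; what it does not tell you is which of them have already blown past the deadline you set in your patch cycle. The script below is an added example, not from the original post or from Defender for Cloud. Its findings list is constructed sample data in a record shape I chose (vm, id, severity, first_seen), not the schema of the real recommendation export, and the SLA days per severity are an assumed policy.

```python
"""Triage vulnerability findings per VM against a patch SLA.

Added example, not from the original post. FINDINGS is constructed sample
data in an illustrative shape; SLA_DAYS is an assumed policy.
"""
from collections import defaultdict
from datetime import date

SLA_DAYS = {"Critical": 7, "High": 14, "Medium": 30, "Low": 90}   # assumed policy
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed sample findings (not real data).
FINDINGS = [
    {"vm": "vm-web-01", "id": "F1", "severity": "Critical", "first_seen": "2024-02-20"},
    {"vm": "vm-web-01", "id": "F2", "severity": "High",     "first_seen": "2024-02-25"},
    {"vm": "vm-web-01", "id": "F3", "severity": "Low",      "first_seen": "2023-11-01"},
    {"vm": "vm-db-01",  "id": "F4", "severity": "Medium",   "first_seen": "2024-01-15"},
    {"vm": "vm-db-01",  "id": "F5", "severity": "High",     "first_seen": "2024-02-10"},
    {"vm": "vm-app-02", "id": "F6", "severity": "High",     "first_seen": "2024-02-28"},
]


def triage(findings: list, today: date, min_severity: str = "High") -> dict:
    """Per VM: how many findings are at or above min_severity, and which are past SLA.

    Returns {vm: {"actionable": int, "overdue": [finding ids]}}, with overdue
    ids ordered worst-first (higher severity, then oldest).
    """
    cutoff = SEVERITY_RANK[min_severity]
    report = defaultdict(lambda: {"actionable": 0, "overdue": []})
    overdue_rows = []
    for f in findings:
        sev = f["severity"]
        if SEVERITY_RANK[sev] > cutoff:
            continue                      # below the threshold we chose to act on
        report[f["vm"]]["actionable"] += 1
        seen = date.fromisoformat(f["first_seen"])
        if (today - seen).days > SLA_DAYS[sev]:
            overdue_rows.append((f["vm"], SEVERITY_RANK[sev], seen, f["id"]))
    for vm, _rank, _seen, fid in sorted(overdue_rows):
        report[vm]["overdue"].append(fid)
    return dict(report)


def vms_breaching_sla(report: dict) -> list:
    """VM names with at least one overdue finding, most overdue first."""
    ranked = sorted(report.items(), key=lambda kv: (-len(kv[1]["overdue"]), kv[0]))
    return [vm for vm, entry in ranked if entry["overdue"]]


if __name__ == "__main__":
    report = triage(FINDINGS, date(2024, 3, 1))
    for vm in vms_breaching_sla(report):
        print(vm, report[vm])
```

Lowering `min_severity` to Medium or Low widens the net; the default of High matches the "critical/high at a minimum" stance in the text, and the overdue ordering means the first item printed for each VM is the one to chase today.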
Thank you for reading Azure VM Security: Antivirus, Patching & Endpoint Protection. We shall conclude.
Azure VM Security: Antivirus, Patching & Endpoint Protection Conclusion
In conclusion, securing Azure Virtual Machines (VMs) is a multi-faceted endeavor crucial for safeguarding against evolving cyber threats. By implementing robust patch management, reliable endpoint protection, and proactive vulnerability management, businesses fortify their VMs against potential exploits. Embracing these proactive measures not only mitigates risks but also ensures a resilient defence posture in the ever-changing landscape of cybersecurity. Stay vigilant, keep systems updated, and employ a layered security approach to protect your Azure VMs and bolster your overall cyber resilience.
For more recommendations from Microsoft, do read: https://learn.microsoft.com/en-us/azure/security/fundamentals/iaas