Microsoft Azure

Azure security best practices and patterns This article contains security best practices to use when you’re designing, deploying, and managing your cloud solutions by using Azure. These best practices come from our experience with Azure security and the experiences of customers like you. The best practices are intended to be a resource for IT pros. This might include designers, architects, developers, and testers who build and deploy secure Azure solutions.

Azure AD Adoption Kits Adoption Kits are a collection of links, content and references to help customers implement or deploy a set of features to achieve a business outcome.

Removal of the 16-character limit for passwords in Azure AD Many of you have been reminding us that we still have a 16-character password limit for accounts created in Azure AD. While our on-premises Windows AD allows longer passwords and passphrases, we previously didn’t have support for this for cloud user accounts in Azure AD. So we have changed this limit, allowing you to set a password with up to 256 characters, including spaces. You can see more details on password requirements in our password policy documentation.

Three ways to get notified about Azure service issues Preparing for the unexpected is part of every IT professional’s and developer’s job. Although rare, service issues like outages and planned maintenance do occur. There are many ways to stay informed, but we’ve identified three effective approaches that have helped our customers respond quickly to service issues and mitigate downtime. All three take advantage of Azure Service Health, a free Azure service that lets you configure alerts to notify you automatically about service issues that might have an impact on your availability.

Windows Server

Windows Server version 1903 now generally available Windows Server, version 1903 brings innovation to areas that that matter to you, such as Containers, Edge Computing and App Compatibility. You can see these capabilities enabled across our suite of server products.

AD FS Help Portal AD FS Help provides simple, effective tools in one place for users and administrators to resolve authentication issues fast! Authentication issues can be very complex. AD FS Help makes it easy for you to navigate even complex scenarios using the guided troubleshooting walkthroughs and diagnostic tools.

Windows Client

Advancing Windows 10 as a passwordless platform Passwords can be frustrating, difficult to remember, and easily hacked or stolen. That’s why our vision for Windows is one of a passwordless platform—a world where users don’t have to deal with the pains of a password. With the release of Windows 10, version 1903, we’re bringing Windows 10 closer to delivering our passwordless user and security promises, with new features that we’re excited for you to try out.

New browser extensions for integrating Microsoft’s hardware-based isolation The hardware-based isolation technology on Windows 10 that allows Microsoft Edge to isolate browser-based attacks is now available as a browser extension for Google Chrome and Mozilla Firefox.

Security

Introducing the security configuration framework To help you prioritize your endpoint hardening work, Microsoft is introducing a new taxonomy for security configurations for Windows 10. In this initial preview, we are simply listing recommended hardware, policies, controls, and behaviors in order to gather feedback from more customers and security experts in order to refine the framework and prioritize opportunities to automate.

Securing the hybrid cloud with Azure Security Center and Azure Sentinel Azure Security Center provides unified security management by identifying and fixing misconfigurations and providing visibility into threats to quickly remediate them. Security Center has grown rapidly in usage and capabilities, and allowed us to pilot many new solutions, including a security information and event management (SIEM)-like functionality called investigations. While the response to the investigations experience was positive, customers asked us to build out more capabilities. At the same time, the traditional business model of Security Center, which is priced per resource such as per virtual machine (VM), doesn’t necessarily fit for SIEM. We realized that our customers needed a full-fledged standalone SIEM solution that stood apart from and integrated with Security Center, so we created Azure Sentinel. This blog post clarifies what each product does and how Azure Security Center relates to Azure Sentinel.

Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903 Microsoft is pleased to announce the final release of the security configuration baseline settings for Windows 10 version 1903 (a.k.a., “19H1”), and for Windows Server version 1903. Download the content from the Microsoft Security Compliance Toolkit (click Download and select Windows 10 Version 1903 and Windows Server Version 1903 Security Baseline.zip).

Demystifying Password Hash Sync This blog is part of a series of posts providing a behind-the-scenes look of Microsoft’s Detection and Response Team (DART). While responding to cybersecurity incidents around the world, DART engages with customers who are wary about using Password Hash Sync (PHS) or are not utilizing this service’s full capabilities. As customers can gain tremendous security benefits using the full capabilities of this service, we want to demystify PHS.

Announcing the all new Attack Surface Analyzer 2.0 The classic Attack Surface Analyzer 1.0 was released in 2012 to help software developers and IT professionals identify changes made to Windows operating systems during application installations. This year, we decided to rewrite the tool to take advantage of modern, cross-platform technologies like .NET Core and Electron. Attack Surface Analyzer 2.0 now runs on Windows, Linux, and macOS and is available as an open source project on GitHub.

Incident response at your fingertips with Microsoft Defender ATP live response Conducting a thorough forensic investigation of compromised machines is integral to incident response. However, it can be a challenging task because it requires the device to be in the corporate network and for additional software to be deployed, or for SecOps to have physical access to the device. In the modern workplace, employees often work beyond the corporate network boundary, at their homes or while traveling, where the risk for compromise is potentially higher. If, for example, an executive connects her laptop to a hotel wi-fi and is compromised, SecOps may be forced to wait until the executive is back in the office, leaving her high-value laptop exposed.

Uncovering Linux based cyberattack using Azure Security Center As more and more enterprises move to the cloud, they also bring their own set of security challenges. Today, almost half of Azure virtual machines (VMs) are running on Linux, and as the Linux server population grows, so are the attacks targeting them. As detection capabilities advance, attackers are using new and stealthier techniques to stay undetected and persist with their motives. Azure Security Center, Microsoft’s cloud-based cyber solution, helps customers safeguard their cloud workloads as well as protect them from these threats.

Building secure workstations Secured isolated workstations are critically important for the security of sensitive roles like administrators, developers, and operators of critical services. Many other security controls and assurances will fail or have no effect if the underlying client workstation security has been compromised. This document explains what it takes to build a secure client workstation with detailed step by step instructions, including how to set up starting security controls. This type of workstations at times is called a privileged access workstation (PAW), which this reference is used, and built upon. The guidance however looks to cloud-based technology to manage the service, and introduces security capabilities introduced starting in Windows 10RS5, Microsoft Defender ATP, Azure Active Directory, and Intune.

Onboard servers to the Microsoft Defender ATP service Microsoft Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Microsoft Defender Security Center console.

Detect and investigate security incidents: top 10 actions to secure your environment Azure ATP is a service in the Microsoft Threat Protection solution, which integrates with Azure Identity Protection and Microsoft Cloud App Security and leverages your on-premises Active Directory signals to identify suspicious user and device activity with both known-technique detection and behavioral analytics. It protects user identities and credentials stored in Active Directory and allows you to view clear attack information on a simple timeline for fast triage. Integration with Windows Defender Advanced Threat Protection (Windows Defender ATP) provides a single interface to monitor multiple entry points.

Adaptive network hardening in Azure Security Center is generally available With the release of the adaptive network hardening feature, Azure Security Center learns the network traffic and connectivity patterns of your Azure workloads and provides you with NSG rule recommendations for your internet-facing virtual machines. This helps you better configure your network access policies and limit your exposure to attacks, even when there are already filtering rules in place, as the filtering rules may be too permissive or the actual traffic flowing through the NSG is a subset of the NSG rules defined. In this case, you can further improve the security posture by hardening the NSG rules, based on the actual traffic patterns.

Vulnerabilities and Updates

A Reminder to Update Your Systems to Prevent a Worm Microsoft is confident that an exploit exists for this vulnerability, and if recent reports are accurate, nearly one million computers connected directly to the internet are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable. It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise. This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.

Support Lifecycle

Prepare for SQL Server 2008 end of support On July 9, 2019, support for SQL Server 2008, 2008 R2 and 2016 SP1 will end. That means the end of regular security updates. Don't let your infrastructure and applications go unprotected. We're here to help you migrate to current versions for greater security, performance and innovation.

Windows 7 support will end on January 14, 2020 Microsoft made a commitment to provide 10 years of product support for Windows 7 when it was released on October 22, 2009. When this 10-year period ends, Microsoft will discontinue Windows 7 support so that we can focus our investment on supporting newer technologies and great new experiences. The specific end of support day for Windows 7 will be January 14, 2020. After that, technical assistance and automatic updates that help protect your PC will no longer be made available for the product. Microsoft strongly recommends that you move to Windows 10 sometime before January 2020 to avoid a situation where you need service or support that is no longer available.

Extended Security Updates for SQL Server and Windows Server 2008/2008 R2: Frequently Asked Questions (PDF) On January 14, 2020, support for Windows Server 2008 and 2008 R2 will end. That means the end of regular security updates. Don't let your infrastructure and applications go unprotected. We're here to help you migrate to current versions for greater security, performance and innovation.

Microsoft Premier Support News

With the On-boarding Accelerator (OA) for Always On VPN, you can plan and deploy Microsoft’s Always On VPN solution to provide mobile workers with secure access to your corporate network from domain-joined, nondomain-joined, or personally owned devices, based on robust authentication and strong encryption mechanisms. The on-boarding accelerator consists of a modular delivery structure that will speed up the deployment process and remove roadblocks.

We are excited to announce the release of a new service in Azure Management and Cost Optimization. As enterprise increase their cloud investments, efficient spending is becoming both crucial and an integrated part of day-to-day operations. Governing cloud infrastructure at scale requires solutions that enable you to capture and drive management while controlling and cloud costs. During this hands-on technical engagement, you will learn cost management best practices (such as tools, scripts, and policies) for managing and optimizing all aspects of services and applications in your Azure environment.

We are happy to announce the release of the 1-Day WorkshopPLUS – Security: Introduction to Modern Authentication which explains how applications utilize modern authentication and authorization protocols. The purpose of this one-day WorkshopPLUS is to provide application and infrastructure architects with understanding of how modern authentication and authorization protocols operate and how applications need to be architected to utilize them. The WorkshopPLUS covers both common architectural patterns, industry standard protocols and tools used to implement these. The tools and infrastructure aspects of the course are focused on Microsoft technology.