Azure Bastion – Jump Box as a Service

Traditional management of jump servers in the cloud is painful: it involves a lot of work to set up and a lot of ongoing management.

To withstand attacks from external threats, jump servers need to be completely locked down and hardened: aggressive block-lists of apps and IPs, 2FA, a zero-admin mode, auditing and, if possible, rebuilding the jump server every other day with automation tools to keep it secure in the cloud.

I know a lot of you out there rely on “jump servers” and are not very serious about the day-to-day operational management of them. Many SMB-segment companies were attacked through exploits of poorly managed jump servers. To overcome those problems and make security more controlled, Microsoft introduced the Bastion host last year as a replacement for the traditional jump-server architecture.

Azure Bastion is a fully managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. This eliminates the need to expose the virtual machines’ RDP and SSH ports to the internet. Since the initial release, the solution has been adopted by various Azure customers and has received great feedback.

Moreover, Bastion hosts are very easy to set up with a few clicks, and the service is ready within a few minutes of deployment. Bastion-type services are also available in other clouds with different feature sets.

Azure Bastion key characteristics and what it offers Azure customers:

  • No public IP required for VMs in Azure.
  • Remote session over TLS and firewall traversal for RDP/SSH.
  • Agentless; no additional software required on the VMs.
  • Internally it is a VM scale set and can expand based on connection demand.
  • Centrally hardened; protects against port scanning, zero-day exploits and malware.
  • An additional security layer can be added with an NSG on top of the Bastion host.
  • Access to Windows Server VMs through Azure Bastion does not require an RDS CAL when used solely for administrative purposes.
  • As the name “Bastion” implies, it acts as a true stronghold for entering the Azure VM world.
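The “no public IP” and NSG points above, as an added deployment sketch that is not the post’s or Microsoft’s own code: it creates the Bastion host with the Az PowerShell module and then applies an NSG to the application subnet so that RDP/SSH are reachable only from the AzureBastionSubnet range. Resource group, region, VNet and subnet names and address ranges are placeholders; the VNet is assumed to already contain a subnet named AzureBastionSubnet (that name is mandatory).

```powershell
# Added example, not from the original post. Placeholders: rg-demo, westeurope,
# vnet-demo with subnets "AzureBastionSubnet" (10.0.1.0/26) and "snet-app" (10.0.2.0/24).
$rg = "rg-demo"; $loc = "westeurope"; $bastionCidr = "10.0.1.0/26"

# 1. Bastion itself needs a Standard SKU, static public IP; the VMs behind it need none.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "pip-bastion" -Location $loc `
        -Sku Standard -AllocationMethod Static
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-demo"
New-AzBastion -ResourceGroupName $rg -Name "bas-demo" -PublicIpAddress $pip -VirtualNetwork $vnet

# 2. NSG for the application subnet: management ports only from the Bastion subnet.
$allowBastionRdp = New-AzNetworkSecurityRuleConfig -Name "Allow-RDP-From-Bastion" `
    -Priority 100 -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $bastionCidr -SourcePortRange * `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3389
$allowBastionSsh = New-AzNetworkSecurityRuleConfig -Name "Allow-SSH-From-Bastion" `
    -Priority 110 -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $bastionCidr -SourcePortRange * `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 22
# Explicit deny of RDP/SSH from anywhere else, so a later "allow from Internet"
# rule with a lower priority number is the only way to reopen them (easy to audit).
$denyMgmt = New-AzNetworkSecurityRuleConfig -Name "Deny-RDP-SSH-From-Any" `
    -Priority 4000 -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange @("3389", "22")

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "nsg-app" -Location $loc `
        -SecurityRules $allowBastionRdp, $allowBastionSsh, $denyMgmt

# 3. Attach the NSG to the application subnet and commit the VNet change.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "snet-app" `
    -AddressPrefix "10.0.2.0/24" -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Quick check: list the inbound rules that touch 3389/22 on the new NSG.
Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "nsg-app" |
    Select-Object -ExpandProperty SecurityRules |
    Where-Object { $_.Direction -eq "Inbound" } |
    Select-Object Name, Priority, Access, SourceAddressPrefix, DestinationPortRange
```

With this in place a VM in snet-app has no public IP and answers RDP/SSH only to the Bastion subnet, which is exactly the exposure reduction the bullet list describes.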

High-level architecture:

This figure shows the architecture of an Azure Bastion deployment, aligned to the characteristics listed above.

[Figure: Azure Bastion high-level architecture]

What’s planned next – feature updates (no dates yet, but they are in the pipeline):

  • A Bastion host currently has to be deployed in each vNet, and vNet peering is not supported. Upcoming product updates should add support for peering.
  • Azure AD SSO integration.
  • Currently Bastion can only be accessed through the Azure portal (via an HTML5 browser); support for native RDP/SSH clients is expected soon.
  • Full RDP session recording for auditing.


Sources:

Bastion Overview – https://docs.microsoft.com/en-us/azure/bastion/bastion-overview

Bastion Pricing – https://azure.microsoft.com/en-us/pricing/details/azure-bastion/

Create a Bastion Host – https://docs.microsoft.com/en-us/azure/bastion/bastion-create-host-portal


PowerShell now officially supports macOS and Linux

Microsoft has made generally available PowerShell Core, its cross-platform version of the PowerShell command-line shell and scripting language.

This version of PowerShell is notable for being a cross-platform DevOps tool available for Windows, Linux and macOS.

As per the Microsoft documentation, PowerShell now officially supports macOS and Linux, with the supported platforms including:

  • Windows 7, 8.1, and 10
  • Windows Server 2008 R2, 2012 R2, 2016
  • Windows Server Semi-Annual Channel
  • Ubuntu 14.04, 16.04, and 17.04
  • Debian 8.7+, and 9
  • CentOS 7
  • Red Hat Enterprise Linux 7
  • OpenSUSE 42.2
  • Fedora 25, 26
  • macOS 10.12+

Link – https://docs.microsoft.com/en-us/powershell/scripting/whats-new/what-s-new-in-powershell-core-60?view=powershell-5.1

Installing PowerShell Core on Windows: https://docs.microsoft.com/en-us/powershell/scripting/setup/Installing-PowerShell-Core-on-Windows?view=powershell-6


WannaCry – Already Crying!! – if you can’t patch!

The ransomware news is already all over the internet. Below are quick steps to take if you can’t get downtime for the machines, or for whatever other reason you can’t patch (it runs on Windows and it only affects Windows).

And the most important phrase for the next few days – trust no one. Literally never open attachments in emails from someone you don’t know.

  1. Disable SMB 1.0/CIFS File Sharing Support from Windows Features (since the worm spreads through SMB).

GUI:

PowerShell:

Windows PowerShell as Administrator
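The PowerShell variant of step 1, as an added example that is not the post’s own script: it switches SMBv1 off on the server side immediately, removes the optional feature behind the GUI checkbox, and verifies the result. It assumes an elevated Windows PowerShell on Windows 8.1/10 (where the Disable-WindowsOptionalFeature feature name SMB1Protocol and the SmbShare cmdlets exist); the registry write is the equivalent for older builds that lack Set-SmbServerConfiguration. Function names are mine.

```powershell
# Added example, not from the original post. Run as Administrator.

function Disable-Smb1 {
    # Turn the protocol off in the running SMB server right away, so the box
    # stops answering SMBv1 before any reboot. (Windows 8/2012 and later.)
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Registry equivalent for Windows 7 / 2008 R2, where the cmdlet above
    # does not exist; harmless on newer builds (same setting).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Value 0 -Type DWord

    # Remove the optional feature, i.e. what the "SMB 1.0/CIFS File Sharing
    # Support" checkbox in Windows Features toggles. Takes effect after reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Test-Smb1Disabled {
    # $true only when both the live server setting and the feature are off.
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    return (-not $server.EnableSMB1Protocol) -and ($feature.State -ne 'Enabled')
}

function Test-HotfixInstalled {
    # MS17-010 ships as a different KB per OS; pass the KB id from the bulletin.
    param([string]$KbId)   # e.g. 'KB<id from MS17-010 for this OS>' (placeholder)
    return [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

Disable-Smb1
if (Test-Smb1Disabled) { "SMBv1 is off; reboot to finish removing the feature." }
else { "SMBv1 is still enabled; check the output above." }
```

Disabling SMBv1 is the stop-gap the post describes; Test-HotfixInstalled is there so the MS17-010 patch from the Ref section is checked once the download servers are reachable again.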

Note:

  • If infected and you do not have backups of critical data (disconnect the machine from the network immediately), DO NOT delete your encrypted files. A decryptor may become available within a few days.
  • As the Microsoft download servers seem busy or overloaded, DON’T make the mistake of downloading patches from dubious sites.

Ref:

To prevent infection, users and organizations are advised to apply the patches for Windows systems described in Microsoft Security Bulletin MS17-010.

https://technet.microsoft.com/library/security/MS17-010