Microsoft Operational Security practices

Security is everyone’s job. Ensuring everyone understands the attacker’s perspective, their goals, and the art of the possible will help capture the attention of everyone and raise the collective knowledge bar. Developers, service engineers, and product managers must understand security basics and know how to build security into software and services to make products more secure while still addressing business needs and delivering user value.

Effective training will complement and re-enforce security policies, Operational Security practices, standards, and security requirements and be guided by insights derived through data or newly available technical capabilities.

Passwords can be stolen, and identities compromised. Requiring a second factor in addition to a password immediately improves security. Further, authenticating the identity of a user or administrator and verifying their authorization to perform an action are foundational controls that other security controls are built upon. It’s beneficial to standardize on an approach to both authentication and authorization.

Useful Links:

Azure Multi-Factor Authentication

It’s important to restrict and minimize the number of people in privileged roles who have access to secured information or resources. This reduces the chance of a malicious user getting that access, or an authorized user inadvertently compromising a sensitive resource. However, users still need to carry out privileged operations on a service and there is a need to understand what those operations are and to separate those roles such that there’s no easy opportunity for privilege escalation. The principle of “just enough administration” should be adopted to constrain the elevated privilege only to those functions the administrator requires to complete the task at hand and only on a "just-in-time" (JIT) basis and only for the minimum practical period.

The use of privileged access workstations (PAWs) also helps protect privileged users from internet attacks and threat vectors by providing a dedicated machine for sensitive tacks and separating these sensitive tasks and accounts from the daily use workstations.

Useful Links:

Azure AD Privileged Identity Management

Role Based Access Control

Privileged Account Workstations

Just Enough Administration

Encrypt and store application secrets and eliminate the need to include secrets and other sensitive configuration information in code or configuration files of the code. Never store passwords or other sensitive data in source code or configuration files or in plaintext files (documents, spreadsheets) stored in unprotected locations. Production secrets should not be used for development or testing.

Useful Links:

Azure Key Vault

Safe storage of app secrets in development

Managed Identities for Azure

Continuous Delivery Tools for Visual Studio (includes Credential Scanner Preview)

Minimize the number of features that can be attacked by a malicious party. A defense-in-depth approach should be adopted and the attack surface should be minimized at every level of the stack, including limiting and locking down the network ports available, implementing baseline server role configurations, and restricting the applications a server is allowed to run.

Useful Links:

Applocker

Securing SQL Server

Windows security baselines

Windows Server 2016 Security Guide

Device Guard

With the rise of mobile and cloud computing, it’s critically important to ensure all data—including security-sensitive information and management and control data—is protected from unintended disclosure or alteration when it’s being transmitted or stored. Encryption is typically used to achieve this. In the operational world, only use industry-vetted encryption libraries and only use strong versions of the encryption protocol. Also, be sure you understand the protections an encryption solution provides, especially when encrypting stored data.

Useful Links:

Microsoft SDL Cryptographic Recommendations

Qualys SSL Labs

It is critically important to be able to detect, respond to, and recover from attacks. Well-designed application, system, and security log files are the fundamental data sources that inform automated security information and event management (SIEM) systems alerting, and that support forensic analysis in the event of an incident.

Useful Links:

Azure Security Center

Attackers often exploit previously discovered vulnerabilities for which updates have been published, before the systems they affect are patched. To help address this, all systems must be continuously monitored and updated with the latest security updates. For operating system and software packages, only use currently supported software versions and ideally the latest versions. In addition, to help detect and prevent malware infections, servers should be required to run anti-malware software which will block and remediate potential infections before they can cause damage.

Useful Links:

How to keep your Windows computer up-to-date

Enterprise Mobility + Security Documentation

Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing cloud applications, because any endpoint that's publicly reachable over the internet can be targeted. To address this, at a minimum traffic must be continually monitored and real-time mitigations must be provided for common network-level attacks. However, as DDoS attacks become more sophisticated and targeted, it may also be necessary to provide DDoS mitigations to protocol and application layer attacks.

Useful Links:

Azure DDoS Protection Standard overview

Website and application scanning is a critical part of maintaining a highly secure operations environment for online services. Regularly validate that websites and web applications are configured optimally to prevent common web attacks and to use secure versions of transport protocols, and have opted into security-relevant options. Scans using authenticated credentials will typically produce more valuable results and any issues found should be remediated immediately.

Useful Links:

Web application security scanners (Wikipedia)

The objective of the penetration test is to uncover potential vulnerabilities resulting from coding errors, system configuration faults, or other operational deployment weaknesses. It is performed by a dedicated “red team” of security experts who simulate real-world attacks at the network, platform, and application layers—challenging the ability of cloud services “blue team”, a dedicated team of security responders, to detect, protect against, and recover from security breaches. Every Red Team breach is followed by full disclosure between the Red Team and Blue Team to identify gaps, address findings, and significantly improve breach response.   

Useful Links:

Attack Surface Analyzer

SDL Security Bug Bar Sample

Learn more about live site penetration testing

Red vs. Blue: Internal security penetration testing of Microsoft Azure