Mark Minasi's Tech Forum
#1 Pieter (Senior Member)
Recently I was advised to always use a firewall for servers (services?) in Azure, just like for on-premises servers.

I'm interested in Azure AD. Should I deploy a firewall in Azure for that too?

__________________
Pieter Demeulemeester
#2 wkasdo (Administrator)
Hi Pieter,

Azure AD is not a server. It's a service with public endpoints, and you cannot firewall it even if you wanted to because the endpoints are not yours.

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
#3 Pieter (Senior Member)
Thanks Willem,
That brings me to the next question: is it safe? I guess you will answer "yes", so I'll give my third question right away: why is it safe?

I'd like to set up Azure AD so I can log on to FB, Twitter, LinkedIn, etc. with a domain account. But I have to persuade our CISO.
Can you point me to some articles that describe why Azure AD is safe to use?

__________________
Pieter Demeulemeester
#4 donoli (Senior Member)
4 of the first results of a Google search will give you the links that you want. The problem is that they are all TechNet blogs. Beyond that, there are links that say the opposite. Below is one of each.

https://blogs.technet.microsoft.com/enterprisemobility/2016/09/07/azuread-identity-protection-azure-ad-privileged-identity-management-and-azure-ad-premium-p2-will-be-generally-available-sept-15th/

http://readwrite.com/2013/02/22/microsofts-rotten-friday-hack-revealed-as-azure-halo-go-down/
#5 jsclmedave (Administrator)
(WARNING!  I am paraphrasing a bit since I am still learning)  

Look at it like Access Rules or DAC... That is configured, and those "rules" are fed into a switch/router granting access per person, machine, etc. to the endpoints. VERY granular...

Joe is helping me grasp this whole concept now...

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this
#6 Pieter (Senior Member)
I think I didn't make myself clear.
I have no doubt that Azure is safe. But even then, I do expose my (or at least some) users to the Internet for validating on third-party applications. I'm pretty sure that passwords are not sent in cleartext over the Internet. And I guess the validation isn't with Kerberos like on the LAN.
But how does that validation work?
Are passwords stored in the AD database on Azure?



__________________
Pieter Demeulemeester
#7 wkasdo (Administrator)
Nice specific questions, that is what we like! You are quite right that passwords are never exposed in any way. Let's for a moment assume that you want users to use the same password as in the on-prem AD. There are two (soon three) major ways this will work:

1. You use AADConnect to sync accounts and password hashes (not cleartext passwords) to Azure. This is used for AAD logon.
2. You use ADFS and AADConnect to sync accounts but NO password hashes. ADFS will handle authentication, ending up at your own local AD.

There is much more to it of course. Research AADConnect to get started, and pick the simplest solution that fits your needs ...
 

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
#8 JetzeMellema (Still Checking the Forum Out)
The passwords in Azure AD are stored in the same way as they are on your on-premises domain controller: an encrypted 'hash' of the passwords that cannot be reversed; the passwords are not stored in plain text. The only difference is that Microsoft's servers are way more secure: physical security (what if someone broke in and stole your server?), intrusion detection, firewalling, strict processes, regular auditing.

Quote:
Originally Posted by wkasdo
1. You use AADConnect to sync accounts and password hashes (not cleartext passwords) to Azure.

In fact it is a hash of the hash. [smile]
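The following is an added example, not code from the thread, from Microsoft or from Azure AD Connect itself, showing what Willem's "password hashes (not cleartext passwords)" in #7 and Jetze's "hash of the hash" in #8 mean in bytes. The first step is exactly what a domain controller stores: the NT hash, MD4 over the UTF-16LE password. The second step follows the scheme Microsoft describes publicly for Azure AD Connect password hash sync (expand the 16-byte NT hash to 64 bytes, add a per-user salt, run 1,000 rounds of PBKDF2-HMAC-SHA256, send the result plus the salt and iteration count); the thread does not state those parameters, and the byte layout and PBKDF2 argument order here are reproduced from memory, so treat them as assumptions. All function names, the sample password and the fixed salts are mine. In the real agent the NT hash arrives from the DC via directory replication; here it is computed from a constructed password only so the example runs offline.

```python
"""Added example: the "hash of the hash" behind Azure AD Connect password
hash sync. Step 1 (NT hash) is what on-prem AD stores. Step 2 follows
Microsoft's public description of password hash sync; exact layout and
PBKDF2 argument order are assumptions reproduced from memory.
"""
import hashlib
import hmac
import os
import struct
from typing import NamedTuple, Optional

_M = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 often ships with MD4 disabled."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for f, order, shifts, const in rounds:
            for i, k in enumerate(order):
                v[0] = _rol((v[0] + f(v[1], v[2], v[3]) + x[k] + const) & _M, shifts[i % 4])
                v = [v[3], v[0], v[1], v[2]]          # rotate roles: a,b,c,d -> d,a,b,c
        state = [(s + t) & _M for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """Step 1: what the on-prem DC keeps in unicodePwd (MD4 of UTF-16LE password)."""
    return md4(password.encode("utf-16-le"))


class SyncedCredential(NamedTuple):
    derived: bytes      # 32-byte PBKDF2 output: the only "hash" Azure AD ever receives
    salt: bytes         # per-user salt, sent alongside
    iterations: int     # sent alongside so Azure AD can recompute on logon


def derive_synced(nt: bytes, salt: bytes, iterations: int = 1000) -> SyncedCredential:
    """Step 2: the "hash of the hash". Layout assumed (see module docstring)."""
    # 16-byte NT hash -> 32 uppercase hex chars -> 64 bytes when encoded as UTF-16LE
    expanded = nt.hex().upper().encode("utf-16-le")
    derived = hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations, dklen=32)
    return SyncedCredential(derived, salt, iterations)


def sync_password(password: str, salt: Optional[bytes] = None) -> SyncedCredential:
    """Agent side. The cleartext is used here only to build the sample NT hash."""
    salt = os.urandom(10) if salt is None else salt   # 10-byte per-user salt (assumed)
    return derive_synced(nt_hash(password), salt)


def cloud_verify(password_attempt: str, cred: SyncedCredential) -> bool:
    """Azure AD side: re-derive with the stored salt/iterations and compare."""
    candidate = derive_synced(nt_hash(password_attempt), cred.salt, cred.iterations)
    return hmac.compare_digest(candidate.derived, cred.derived)


if __name__ == "__main__":
    pw = "Summer2016!"                                  # constructed sample password
    cred = sync_password(pw)
    print("on-prem NT hash  :", nt_hash(pw).hex())
    print("value sent to AAD:", cred.derived.hex(), "salt:", cred.salt.hex(), "iter:", cred.iterations)
    print("logon ok / wrong case:", cloud_verify(pw, cred), cloud_verify(pw.lower(), cred))
```

The point to take to a CISO: nothing the agent sends is a password, and nothing Azure AD stores is the NT hash. The synced value lets Azure AD verify a logon, but unlike a stolen NT hash it cannot be replayed against on-prem AD (pass-the-hash), and the per-user salt plus iteration count make offline guessing slower than against a raw NT hash.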
#9 donoli (Senior Member)

Quote:
The only difference is that Microsoft's servers are way more secure, physical security (what if someone broke in and stole your server?), intrusion detection, firewalling, strict processes, regular auditing.


How do we know that?
#10 cj_berlin (Senior Member)
Quote:
Originally Posted by donoli

How do we know that?


We do not. But we do know just how chronically insecure your typical SMB's on-premises infrastructure is so, compared to that, something that passed the PCI-DSS certification is bound to be "way more secure".

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
#11 JamesNT (Senior Member)
How secure or insecure any network is depends on two things:

1.  Who the IT person is. 

2.  Management.

For the typical SMB, if someone like me is the IT person they have pretty good security assuming 2, management, is willing to go along.  The biggest problem with SMB security from what I've seen is always management.  They don't want to spend the money or commit the resources.  And where MS needs to be careful is having a large wheel-and-spoke problem where all of these little insecure networks are tied into their cloud.

JamesNT

__________________
I miss Windows NT 4.0 Service Pack 4.
#12 donoli (Senior Member)
Maybe it's just a control thing.  I always tell people don't depend on others for your security.  That goes for any kind of security including remote data storage.  I still go by the old saying, if you want it done right, do it yourself. 
#13 ukinahan (New Friend, or an Old Friend who Built a New Account)
So perhaps in your case (to the original question from Pieter) think about how you would do this on-prem. The same principles apply, you just cannot see or touch the servers.
You would protect your assets by use of a firewall, right? So for that there is a wide range of security solutions available on the Marketplace, or if you're adventurous, build your own [smile]
You will only ever be as secure as you make yourself.
Lock down the firewall to allow nothing and work forward from there.
#14 donoli (Senior Member)
Quote:
or if you're adventurous, build your own [smile]


We can forget about that idea.

Quote:
Lock down the firewall to allow nothing and work forward from there.


That idea has been around since the beginning of firewalls. Hopefully, it's as good now as it was then.

#15 Pieter (Senior Member)
Quote:
Originally Posted by wkasdo
There are two (soon three) major ways this will work...


Come on Willem, don't tease us, what's the third way?

__________________
Pieter Demeulemeester