Aug 2019 updates
This commit is contained in:
Chris Givens
Родитель
c19b644999
Коммит
2632208081
|
|
@ -379,7 +379,26 @@
|
|||
"apiVersion": "2017-06-01",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"securityRules": [ ]
|
||||
"securityRules": [
|
||||
{
|
||||
"name": "DenyAll",
|
||||
"properties": {
|
||||
"provisioningState": "Succeeded",
|
||||
"protocol": "*",
|
||||
"sourcePortRange": "*",
|
||||
"destinationPortRange": "*",
|
||||
"sourceAddressPrefix": "*",
|
||||
"destinationAddressPrefix": "*",
|
||||
"access": "Deny",
|
||||
"priority": 1000,
|
||||
"direction": "Inbound",
|
||||
"sourcePortRanges": [],
|
||||
"destinationPortRanges": [],
|
||||
"sourceAddressPrefixes": [],
|
||||
"destinationAddressPrefixes": []
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"dependsOn": [ ]
|
||||
},
|
||||
|
|
@ -399,7 +418,26 @@
|
|||
"apiVersion": "2017-06-01",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"securityRules": [ ]
|
||||
"securityRules": [
|
||||
{
|
||||
"name": "DenyAll",
|
||||
"properties": {
|
||||
"provisioningState": "Succeeded",
|
||||
"protocol": "*",
|
||||
"sourcePortRange": "*",
|
||||
"destinationPortRange": "*",
|
||||
"sourceAddressPrefix": "*",
|
||||
"destinationAddressPrefix": "*",
|
||||
"access": "Deny",
|
||||
"priority": 1000,
|
||||
"direction": "Inbound",
|
||||
"sourcePortRanges": [],
|
||||
"destinationPortRanges": [],
|
||||
"sourceAddressPrefixes": [],
|
||||
"destinationAddressPrefixes": []
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"dependsOn": [ ]
|
||||
},
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ Before the hands-on lab setup guide
|
|||
</div>
|
||||
|
||||
<div class="MCWHeader3">
|
||||
March 2019
|
||||
August 2019
|
||||
</div>
|
||||
|
||||
|
||||
|
|
@ -45,9 +45,9 @@ Microsoft and the trademarks listed at <https://www.microsoft.com/en-us/legal/in
|
|||
|
||||
2. A machine with the following software installed:
|
||||
|
||||
- Visual Studio 2017
|
||||
- SQL Management Studio 2017
|
||||
- Power BI Desktop
|
||||
- [Visual Studio 2019](https://visualstudio.microsoft.com/downloads/)
|
||||
- [SQL Management Studio 2017](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms)
|
||||
- [Power BI Desktop](https://powerbi.microsoft.com/en-us/downloads/)
|
||||
|
||||
3. An Office 365 email account or other email-based account
|
||||
|
||||
|
|
@ -59,7 +59,7 @@ Synopsis: In this exercise, you will set up your environment for use in the rest
|
|||
|
||||
### Task 1: Download GitHub resources
|
||||
|
||||
1. Open a browser window to the cloud workshop GitHub repository (<https://github.com/Microsoft/MCW-Azure-Security-Privacy-and-Compliance>).
|
||||
1. Open a browser window to the cloud workshop GitHub repository (<https://github.com/microsoft/MCW-Security-baseline-on-Azure>).
|
||||
|
||||
2. Select **Clone or download**, then select **Download Zip**.
|
||||
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ Hands-on lab step-by-step
|
|||
</div>
|
||||
|
||||
<div class="MCWHeader3">
|
||||
March 2019
|
||||
August 2019
|
||||
</div>
|
||||
|
||||
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
|
||||
|
|
@ -278,12 +278,14 @@ Synopsis: In this exercise, attendees will utilize Azure SQL features to data ma
|
|||
|
||||
|
||||
|
||||
3. Update the web.config (line 72) to point to the **Insurance** database created in Task 2. You should only need to update the server name to point to your Azure SQL Server.
|
||||
3. Update the web.config (line 77) to point to the **Insurance** database created in Task 2. You should only need to update the server name to point to your Azure SQL Server.
|
||||
|
||||
|
||||
|
||||
4. Run the **InsuranceAPI** solution and press **F5**.
|
||||
|
||||
> **Note** If you get an error, right-click the project, select **Clean**, then right-click the project and select **Rebuild**
|
||||
|
||||
5. In the browser window that opens, browse to [http://localhost:portno/api/Users/E91019DA-26C8-B201-1385-0011F6C365E9](http://localhost:portno/api/Users/E91019DA-26C8-B201-1385-0011F6C365E9) you should see a json response that shows an unmasked SSN column.
|
||||
|
||||
> **Note**: Depending on your browser, you may need to download to view the json response.
|
||||
|
|
@ -298,7 +300,7 @@ Synopsis: In this exercise, attendees will utilize Azure SQL features to data ma
|
|||
|
||||
3. Select the **Insurance** database.
|
||||
|
||||
4. In the menu, select **Dynamic Data Masking**, then select **+Add Mask**.
|
||||
4. Under **Security**, select **Dynamic Data Masking**, then select **+Add Mask**.
|
||||
|
||||
|
||||
|
||||
|
|
@ -382,7 +384,7 @@ Synopsis: In this exercise, attendees will utilize Azure SQL features to data ma
|
|||
|
||||
25. Select **Finish**, and the configured will start.
|
||||
|
||||
> **Note**: You may receive a "wrapKey" error. If so, ensure that your account has been assigned those permissions in the Azure Key Vault.
|
||||
> **Note**: You may receive a "wrapKey" error. If so, ensure that your account has been assigned that permission in the Azure Key Vault.
|
||||
|
||||
|
||||
|
||||
|
|
@ -414,8 +416,6 @@ Synopsis: In this exercise, attendees will utilize Azure SQL features to data ma
|
|||
|
||||
|
||||
|
||||
<!-- -->
|
||||
|
||||
26. Select **Close**.
|
||||
|
||||
27. Right-click the **User** table, and select **Select top 1000 rows**.
|
||||
|
|
@ -442,37 +442,33 @@ Synopsis: In this exercise, attendees will learn how to migrate web application
|
|||
|
||||
### Task 1: Create an Azure Key Vault secret
|
||||
|
||||
1. From the extracted GitHub directory, open the **\\Hands-on lab\\WebApp\\InsuranceAPI\_KeyVault\\InsuranceAPI.sln** solution.
|
||||
1. Switch to your Azure Portal.
|
||||
|
||||
>**Note**: Be sure you open the correct solution (there are two).
|
||||
|
||||
2. Switch to your Azure Portal.
|
||||
|
||||
3. Select **Key Vaults**, then select your Azure Key Vault.
|
||||
1. Select **Key Vaults**, then select your Azure Key Vault.
|
||||
|
||||
|
||||
|
||||
4. Select **Secrets**, then select **+Generate/Import**.
|
||||
1. Select **Secrets**, then select **+Generate/Import**.
|
||||
|
||||
|
||||
|
||||
5. For the **Upload Options**, select **Manual**.
|
||||
1. For the **Upload Options**, select **Manual**.
|
||||
|
||||
6. For the **Name**, enter **InsuranceAPI**.
|
||||
1. For the **Name**, enter **InsuranceAPI**.
|
||||
|
||||
7. For the **Value,** copy the connection string information from the InsuranceAPI solution web.config file in Exercise 2.
|
||||
1. For the **Value,** copy the connection string information from the InsuranceAPI solution web.config file in Exercise 2.
|
||||
|
||||
8. Select **Create**.
|
||||
1. Select **Create**.
|
||||
|
||||
9. Select **Secrets**.
|
||||
1. Select **Secrets**.
|
||||
|
||||
10. Select **InsuranceAPI**.
|
||||
1. Select **InsuranceAPI**.
|
||||
|
||||
11. Select the current version.
|
||||
1. Select the current version.
|
||||
|
||||
|
||||
|
||||
12. Copy and record the secret identifier URL for later use:
|
||||
1. Copy and record the secret identifier URL for later use:
|
||||
|
||||
|
||||
|
||||
|
|
@ -482,33 +478,33 @@ Synopsis: In this exercise, attendees will learn how to migrate web application
|
|||
|
||||
|
||||
|
||||
2. Select **+** **New application registration**.
|
||||
1. Select **+New application registration**.
|
||||
|
||||
3. For the name, type **AzureKeyVaultTest**.
|
||||
1. For the user-facing display name, type **AzureKeyVaultTest**.
|
||||
|
||||
4. For the Sign-on URL, type <http://localhost:12345>.
|
||||
1. For the supported accounts, select **Accounts in this organization directory only...**
|
||||
|
||||
1. For the Redirect URL, type <http://localhost:12345>.
|
||||
|
||||
|
||||
|
||||
5. Select **Create**.
|
||||
1. Select **Register**.
|
||||
|
||||
6. Select the new **AzureKeyVaultTest** application.
|
||||
|
||||
7. Copy and record the **Application ID** for later use.
|
||||
1. Copy and record the **Application ID** for later use.
|
||||
|
||||
|
||||
|
||||
8. Select **Settings**.
|
||||
1. Select **Certificates and secrets**.
|
||||
|
||||
9. Select **Keys**.
|
||||
1. Under **Client secrets**, click **New client secret**.
|
||||
|
||||
10. For the description, enter **InsuranceAPI**.
|
||||
1. For the description, enter **InsuranceAPI**.
|
||||
|
||||
11. For the Expires, select **In 1 year**.
|
||||
1. For the Expires, select **In 1 year**.
|
||||
|
||||
12. Select **Save**.
|
||||
1. Select **Add**.
|
||||
|
||||
13. Copy and record the key value for later use.
|
||||
1. Copy and record the key value for later use.
|
||||
|
||||
### Task 3: Assign Azure Active Directory application permissions
|
||||
|
||||
|
|
@ -516,29 +512,33 @@ Synopsis: In this exercise, attendees will learn how to migrate web application
|
|||
|
||||
2. Select **Access Policies**.
|
||||
|
||||
3. Select **+ Add New**.
|
||||
3. Select **+ Add Access Policy**.
|
||||
|
||||
|
||||
|
||||
4. Select **Select principal**, type **AzureKeyVaultTest**.
|
||||
|
||||
5. Select the application service principal, select **Select**.
|
||||
|
||||
6. Select the **Secret permissions** drop-down, check the **Get** and **List** permissions.
|
||||
5. Select the **Secret permissions** drop-down, check the **Get** and **List** permissions.
|
||||
|
||||
|
||||
|
||||
7. Select **OK**.
|
||||
6. Select the application service principal, select **Select**.
|
||||
|
||||
7. Select **Add**.
|
||||
|
||||
8. Select **Save**.
|
||||
|
||||
### Task 4: Install or verify NuGet Package
|
||||
|
||||
1. Close the previous Visual Studio solution, then from the extracted GitHub directory, open the **\\Hands-on lab\\WebApp\\InsuranceAPI\_KeyVault\\InsuranceAPI.sln** solution.
|
||||
|
||||
>**Note**: Be sure you re-open the correct solution.
|
||||
|
||||
1. Switch to **Visual Studio**.
|
||||
|
||||
2. In the menu, select **View-\>Other Windows-\>Package Manager Console**.
|
||||
1. In the menu, select **View-\>Other Windows-\>Package Manager Console**.
|
||||
|
||||
3. In the new window that opens, run the following commands:
|
||||
1. In the new window that opens, run the following commands:
|
||||
|
||||
a. Install-Package Microsoft.CodeDom.Providers.DotNetCompilerPlatform
|
||||
|
||||
|
|
@ -548,17 +548,17 @@ Synopsis: In this exercise, attendees will learn how to migrate web application
|
|||
|
||||
> **Note**: These already exist in the project but are provided as a reference.
|
||||
|
||||
4. From **Solution Explorer**, double-click the **web.config** file to open it.
|
||||
1. From **Solution Explorer**, double-click the **web.config** file to open it.
|
||||
|
||||
Notice the **appSettings** section has some token values:
|
||||
|
||||
|
||||
|
||||
5. Replace the **ClientId** and **ClientSecret** with the values from Task 2.
|
||||
1. Replace the **ClientId** and **ClientSecret** with the values from Task 2.
|
||||
|
||||
6. Replace the **SecretUri** with the Azure Key Vault secret key Uri from Task 1.
|
||||
1. Replace the **SecretUri** with the Azure Key Vault secret key Uri from Task 1.
|
||||
|
||||
7. Save the file.
|
||||
1. Save the file.
|
||||
|
||||
### Task 5: Test the solution
|
||||
|
||||
|
|
@ -574,7 +574,12 @@ Synopsis: In this exercise, attendees will learn how to migrate web application
|
|||
|
||||
|
||||
|
||||
4. Press **F5**, and navigate to [http://localhost:portno/api/Users](http://localhost:portno/api/Users), you should get an error. Because you encrypted the column in the previous exercise, EntityFramework is not able to retrieve the value. You would need to add the [AzureKeyVaultProvider for Entity Framework](https://blogs.msdn.microsoft.com/sqlsecurity/2015/11/10/using-the-azure-key-vault-key-store-provider-for-always-encrypted/) reference to the project and then register the provider code in order for .NET to handle the encrypted column and add the "Column Encryption Setting=Enabled" to the connection string.
|
||||
4. Press **F5** to continue the program
|
||||
|
||||
5. Navigate to [http://localhost:portno/api/Users](http://localhost:portno/api/Users), you should get an error. Because you encrypted the column in the previous exercise, EntityFramework is not able to retrieve the value. You would need to:
|
||||
|
||||
- Run the **\\Hands-on lab\\Database\\02\_PermissionSetup.ps1** script
|
||||
- Add the [AzureKeyVaultProvider for Entity Framework](https://blogs.msdn.microsoft.com/sqlsecurity/2015/11/10/using-the-azure-key-vault-key-store-provider-for-always-encrypted/) reference to the project and then register the provider code in order for .NET to handle the encrypted column and add the "Column Encryption Setting=Enabled" to the connection string.
|
||||
|
||||
## Exercise 4: Securing the network
|
||||
|
||||
|
|
@ -590,21 +595,25 @@ Synopsis: In this exercise, attendees will utilize Network Security Groups to en
|
|||
|
||||
> **Note**: Default username is **wsadmin** with **p\@ssword1rocks** as password and you may need to request JIT Access if you have taken a break between exercises.
|
||||
|
||||
3. In the **PAW-1** virtual machine, open **PowerShell ISE as administrator**.
|
||||
3. In the **PAW-1** virtual machine, open **Windows PowerShell ISE** as **administrator**.
|
||||
|
||||
4. Run the following command:
|
||||
- Click **Windows** icon
|
||||
|
||||
- Right-click **Windows PowerShell ISE**, click **More** then select **Run as Administrator**
|
||||
|
||||
4. Copy and run the following command:
|
||||
|
||||
```PowerShell
|
||||
Set-ExecutionPolicy -ExecutionPolicy Unrestricted
|
||||
```
|
||||
|
||||
5. In the popup, click **Yes**.
|
||||
5. In the dialog, click **Yes**
|
||||
|
||||
6. Select File-\>Open, browse to the extracted GitHub directory and open the **\\Hands-on lab\\Scripts \\PortScanner.ps1**.
|
||||
6. Select **File-\>Open**, browse to the extracted GitHub directory and open the **\\Hands-on lab\\Scripts \\PortScanner.ps1**.
|
||||
|
||||
> **Note**: You would have downloaded the [GitHub repo](https://github.com/Microsoft/MCW-Azure-Security-Privacy-and-Compliance) and extracted this in the setup steps. If you did not perform those steps, perform them now. You can also choose to copy the file from your desktop to the VM.
|
||||
|
||||
7. Review the script. It does the following:
|
||||
7. Review the script. Notice that it does the following:
|
||||
|
||||
a. Installs NotePad++
|
||||
|
||||
|
|
@ -614,7 +623,7 @@ Set-ExecutionPolicy -ExecutionPolicy Unrestricted
|
|||
|
||||
c. Executes port scans
|
||||
|
||||
8. Run the script, and press **F5.** You should see the following (the Azure ARM Template created a default rule to block all traffic):
|
||||
8. Press **F5** to run the script. You should see the following (the Azure ARM Template created a default rule to block all traffic):
|
||||
|
||||
a. Port scan for port 3389 (RDP) to **DB-1** and **WEB-1** is unsuccessful from the **PAW-1** machine.
|
||||
|
||||
|
|
@ -630,9 +639,11 @@ Set-ExecutionPolicy -ExecutionPolicy Unrestricted
|
|||
|
||||
|
||||
|
||||
> **Note** The ARM template deploys a Deny All rule. If you were to simply create a Network Security Group from the UI, you would not experience this behavior.
|
||||
|
||||
### Task 2: Configure network security groups
|
||||
|
||||
1. Switch to the Azure Portal.
|
||||
1. Switch to the [Azure Portal](https://portal.azure.com).
|
||||
|
||||
2. Configure the database server to only allow SQL Connections from the web server:
|
||||
|
||||
|
|
@ -674,7 +685,7 @@ Set-ExecutionPolicy -ExecutionPolicy Unrestricted
|
|||
|
||||
h. Select **Add**.
|
||||
|
||||
> **Note**: In some rare cases it may take up to 15 minutes for your Network Security Group to change is status from **Updating**. You won't be able to add any other rules until it completes.
|
||||
> **Note**: In some rare cases it may take up to 15 minutes for your Network Security Group to change its status from **Updating**. You won't be able to add any other rules until it completes.
|
||||
|
||||
4. Configure both the database and web server to only allow RDP connections from the PAW machine:
|
||||
|
||||
|
|
@ -700,7 +711,7 @@ Set-ExecutionPolicy -ExecutionPolicy Unrestricted
|
|||
|
||||
a. Select **Network security groups.** For each NSG (DBTrafficOnly and WebTrafficOnly), do the following:
|
||||
|
||||
- In the content menu, select **Diagnostic logs**, and then select **Turn on diagnostics**.
|
||||
- In the content menu, select **Diagnostic logs**, and then select **Add diagnostic setting**.
|
||||
|
||||
|
||||
|
||||
|
|
@ -722,7 +733,7 @@ Set-ExecutionPolicy -ExecutionPolicy Unrestricted
|
|||
|
||||
1. Switch back to the **PAW-1** virtual machine.
|
||||
|
||||
2. Run the script, press **F5**, and you should see the following:
|
||||
2. Press **F5** to run the **PortScan** script. You should see the following:
|
||||
|
||||
a. Port scan for port 3389 (RDP) to **DB-1** and **WEB-1** is successful from the **PAW-1** machine.
|
||||
|
||||
|
|
@ -764,13 +775,13 @@ Set-ExecutionPolicy -ExecutionPolicy Unrestricted
|
|||
|
||||
1. In the main Azure Portal menu, select **Monitor**.
|
||||
|
||||
2. In the context menu, select **Network**.
|
||||
2. In the context menu, under **Insights** select **Network**.
|
||||
|
||||
|
||||
|
||||
3. Select the **Overview** link.
|
||||
|
||||
4. Expand the subscription region item.
|
||||
4. Expand the subscription item you are running your labs in.
|
||||
|
||||
5. For the **East US** region (or whatever region you deployed your VMs too), select the ellipses, then select **Enable Network Watcher**.
|
||||
|
||||
|
|
@ -822,7 +833,7 @@ Synopsis: In this exercise, you will setup Azure Sentinel to point to a logging
|
|||
|
||||
3. In the blade, click **+Add**, select the Log Analytics resource for your resource group, then click **Add Azure Sentinel**
|
||||
|
||||
4. In the blade, select **Dashboards**
|
||||
4. In the blade, under **Threat Management**, select **Dashboards**
|
||||
|
||||
5. In the list of dashboards, select **Azure AD Audit logs**, select **Install**
|
||||
|
||||
|
|
@ -830,7 +841,7 @@ Synopsis: In this exercise, you will setup Azure Sentinel to point to a logging
|
|||
|
||||
6. In the list of dashboards, select **Azure Network Watcher**, select **Install**
|
||||
|
||||
7. Click **View Dashboard**, take a moment to review your new dashboard
|
||||
7. Click **View Dashboard**, take a moment to review your new dashboards
|
||||
|
||||
### Task 2: Create an Analytics alert
|
||||
|
||||
|
|
@ -906,7 +917,7 @@ Synopsis: In this exercise, you will setup Azure Sentinel to point to a logging
|
|||
|
||||
|
||||
|
||||
4. Select **Create**, the **Logic Apps Designer** will load.
|
||||
4. Select **Create**, after a few moments, the **Logic Apps Designer** will load.
|
||||
|
||||
5. Select the **Send notification email** template.
|
||||
|
||||
|
|
@ -940,7 +951,7 @@ Synopsis: In this exercise, you will setup Azure Sentinel to point to a logging
|
|||
|
||||
|
||||
|
||||
3. The Azure Notebooks page will open, on the page, select **Import**.
|
||||
3. The Azure Notebooks page will open, if prompted, login, then select **Import**.
|
||||
|
||||
|
||||
|
||||
|
|
@ -964,7 +975,7 @@ Synopsis: In this exercise, you will setup Azure Sentinel to point to a logging
|
|||
|
||||
2. Expand the **LogManagement** node, notice the various options available.
|
||||
|
||||
3. In the query window, type **AzureDiagnostics**, then click the **eye** icon.
|
||||
3. In the schema window, select **AzureDiagnostics**, then click the **eye** icon.
|
||||
|
||||
4. In the top right, select **Export**, then select the **Export to Power BI (M Query)** link.
|
||||
|
||||
|
|
@ -994,13 +1005,16 @@ Synopsis: In this exercise, attendees will learn to navigate the Azure Policy an
|
|||
|
||||
|
||||
|
||||
3. For the scope, ensure the proper subscription is selected, then select **ASC Default**.
|
||||
3. For the scope, ensure the proper subscription is selected, then select **ASC Default (subscrition...**.
|
||||
|
||||
4. In the **Initiative compliance** blade, review your compliance metrics.
|
||||
|
||||
5. Scroll to the results area and select the **Non-compliant resources** tab.
|
||||
|
||||
|
||||
|
||||
6. In the filter search box, type **PAW-1** and select it when displayed.
|
||||
|
||||
7. With the **Policies** tab selected, review the policies that the resource is non-complying against.
|
||||
|
||||
|
||||
|
|
@ -1013,7 +1027,7 @@ Synopsis: In this exercise, attendees will learn to navigate the Azure Policy an
|
|||
|
||||
### Task 2: Review and create Azure Blueprints
|
||||
|
||||
1. In the Policy blade, select **Definitions**. These are a list of all defined policies which can be selected to be assigned to your subscription resources.
|
||||
1. In the Policy blade, select **Definitions**. These are a list of all defined policies which can be selected for assignment to your subscription resources.
|
||||
|
||||
|
||||
|
||||
|
|
@ -1035,7 +1049,7 @@ Synopsis: In this exercise, attendees will learn to navigate the Azure Policy an
|
|||
|
||||
9. Select **Next: Artifacts**.
|
||||
10. Click **+Add artifact**.
|
||||
11. For the Artifact Type, select **Policy Assignment**, review all the policies available to you (at the time of this writing you would see 151 policies).
|
||||
11. For the Artifact Type, select **Policy Assignment**, review all the policies available to you (at the time of this writing you would see 283 policies).
|
||||
12. In the search box, type **unrestricted**, browse for the **Audit unrestricted network access to storage accounts**.
|
||||
|
||||
|
||||
|
|
@ -1057,13 +1071,16 @@ Synopsis: In this exercise, attendees will learn to navigate the Azure Policy an
|
|||
### Task 3: Secure Score
|
||||
|
||||
1. In the Azure Portal, select **All Services**, then type **Security**, select **Security Center**.
|
||||
|
||||
2. In the Security Center blade, select **Secure score**.
|
||||
|
||||
3. Review your overall secure score values and then notice the category values.
|
||||
|
||||
|
||||
|
||||
4. Select your subscription, you will be presented with the items that have failed resource validation sorted by the score value that is assigned to that particular recommendation item.
|
||||
5. Select the **Provision an Azure AD administrator for SQL Server**, on the recommendation blade, you will be presented with information about how to remediate the recommendation to gain the impact value to your score.
|
||||
|
||||
5. Select the **An Azure Active Directory administrator should be provisioned for SQL Servers**, on the recommendation blade, you will be presented with information about how to remediate the recommendation to gain the impact value to your score.
|
||||
|
||||
|
||||
|
||||
|
|
@ -1101,15 +1118,11 @@ Synopsis: In this exercise, attendees will learn to navigate the Azure Policy an
|
|||
|
||||
|
||||
|
||||
12. Scroll to the top of the web page and in the top navigation, select **Service Trust Portal**, then scroll to the bottom of the page. Notice the two other sections of the trust center called:
|
||||
12. On the top menu, click **Trust Documents**, then select **Audit Reports**
|
||||
|
||||
13. Select **Audit Reports**.
|
||||
13. Notice the various tabs that you can select from, select **FedRAMP Reports**.
|
||||
|
||||
|
||||
|
||||
14. Notice the various tabs that you can select from, select **FedRAMP Reports**.
|
||||
|
||||
15. These are all the FedRAMP reports sorted by date that have been performed and publicly posted for Azure customer review. Select the item displayed and briefly review the document.
|
||||
14. These are all the FedRAMP reports sorted by date that have been performed and publicly posted for Azure customer review. Select the item displayed and briefly review the document.
|
||||
|
||||
|
||||
|
||||
|
|
@ -1138,61 +1151,4 @@ In this exercise, attendees will deprovision any Azure resources that were creat
|
|||
|
||||
1. If you are using a hosted platform, make sure you shut it down or delete it.
|
||||
|
||||
You should follow all steps provided *after* attending the Hands-on lab.
|
||||
|
||||
## Appendix A
|
||||
|
||||
Appendix A outlines the detailed steps involved in manually creating the resources provisioned by the Lab ARM template. The ARM template creates virtual networks, virtual machine, storage accounts, and a SQL Azure database.
|
||||
|
||||
### Task 1: Create storage account
|
||||
|
||||
- Create a single storage account for VMs and other resource to utilize.
|
||||
|
||||
### Task 2: Create virtual networks
|
||||
|
||||
- Create the following Virtual Networks:
|
||||
|
||||
- dbVnet -- subnet of 10.1.0.0
|
||||
|
||||
- mainVnet-- subnet of 10.0.0.0
|
||||
|
||||
- webVnet-- subnet of 10.2.0.0
|
||||
|
||||
- Ensure that virtual network peerings exist:
|
||||
|
||||
- Db\<-\>Main
|
||||
|
||||
- Web\<-\>Main
|
||||
|
||||
### Task 3: Create virtual machines
|
||||
|
||||
- Create the following Virtual Machines:
|
||||
|
||||
- PAW-1 -- A2 instance, Windows Server
|
||||
|
||||
- DB-1 -- A2 instance, Windows Server with SQL Server -- be sure to open the windows firewall for port 1433 traffic
|
||||
|
||||
- WEB-1-- A2 instance, Windows Server -- Install IIS
|
||||
|
||||
### Task 4: Create network security groups
|
||||
|
||||
- Create the following NSGs:
|
||||
|
||||
- DbTrafficOnly -- assigned to the DB-1 nic
|
||||
|
||||
- Paw-1-nsg -- assigned to the PAW-1 nic
|
||||
|
||||
- WebTrafficOnly -- assigned to the WEB-1 nic
|
||||
|
||||
- For the DBTrafficOnly and WebTrafficOnly, add an incoming rule with priority 1000 that denies all traffic.
|
||||
|
||||
### Task 5: Azure SQL server
|
||||
|
||||
- Create an instance of Azure SQL Server.
|
||||
|
||||
### Task 6: Create an Azure Key Vault
|
||||
|
||||
- Create an instance of Azure Key Vault.
|
||||
|
||||
|
||||
|
||||
You should follow all steps provided *after* attending the Hands-on lab.
|
||||
Двоичный файл не отображается.
|
До Ширина: | Высота: | Размер: 11 KiB После Ширина: | Высота: | Размер: 88 KiB |
Двоичный файл не отображается.
|
До Ширина: | Высота: | Размер: 19 KiB После Ширина: | Высота: | Размер: 170 KiB |
Двоичный файл не отображается.
|
До Ширина: | Высота: | Размер: 23 KiB После Ширина: | Высота: | Размер: 70 KiB |
Двоичный файл не отображается.
|
До Ширина: | Высота: | Размер: 57 KiB После Ширина: | Высота: | Размер: 271 KiB |
|
|
@ -9,7 +9,7 @@ Security baseline on Azure
|
|||
</div>
|
||||
|
||||
<div class="MCWHeader3">
|
||||
March 2019
|
||||
August 2019
|
||||
</div>
|
||||
|
||||
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ Security baseline on Azure
|
|||
</div>
|
||||
|
||||
<div class="MCWHeader3">
|
||||
March 2019
|
||||
August 2019
|
||||
</div>
|
||||
|
||||
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче