Secure Environment Setup and Hardening - brian-anderson01/Capstone GitHub Wiki
Initial overview
The secure environment consists of two VMs running on Azure: one Windows 10 VM and one CentOS webserver. Both VMs are on a new virtual network named secure-net.
Main goals of the secure environment
RDP access to Windows VM only from VPN subnet
Only specified AAD users can RDP into the Windows VM
Allow all other connections to Windows VM so that it can get updates, connect to the AAD, etc.
Webserver should only have SSH access from Windows VM, no root login
The only user allowed to SSH into the webserver is the admin; the SSH .pem key should be kept in the admin's user directory on the Windows VM with read access for the admin only and no other permissions
Inbound port 8080 only allowed from the Windows VM to the webserver (8080 will be the listening port for Apache)
Allow traffic out so that the server can update and get packages when needed
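The key-permission goal above can be enforced on the Windows VM from an elevated PowerShell prompt. This is an added example, not part of the original wiki page: the key path and the admin account name are assumptions.

```powershell
# Added example (not from the wiki): restrict the webserver's SSH private key on the
# Windows VM to read access for the admin only, as the goals above require.
$KeyPath = "C:\Users\admin\webserver.pem"   # assumption: key stored in the admin's profile
$Admin   = "$env:COMPUTERNAME\admin"        # assumption: local account name of the admin

# Stop inheriting ACEs from the parent folder, so no other local user or group keeps access.
icacls $KeyPath /inheritance:r

# /grant:r replaces any existing ACE for the admin with a read-only (R) entry.
icacls $KeyPath /grant:r "${Admin}:(R)"

# Verify: the only entry listed should be the admin's (R) ACE.
icacls $KeyPath
```

Windows OpenSSH refuses a private key that other accounts can read ("bad permissions"), so tightening the ACL is also what makes `ssh -i` from the admin's session work reliably.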
Setting up the Windows VM
First, a Windows VM needs to be created; VM creation was covered in this page of the wiki. Choose a Windows 10 image and make sure you check the box for "Login with Azure AD".
Once the VM is created it should not have a public IP. RDP into it with the credentials made during VM creation.
Once in, go to Settings and then Access work or school.
Click Connect and then log in with an Azure admin account. This will register the VM with Intune.
Once registered with Intune, go to Other users on the left and click Add work or school user.
Before RDPing in as an Azure user, you must have the role that allows you to RDP into the VM.
Head back to Virtual machines in the Azure portal and choose the Windows VM
On the left click Access control (IAM) and then click role assignments
Click add near the top and choose role assignment
Scroll down and choose "Virtual Machine User Login" if the user is going to be a normal user or choose "Virtual Machine Administrator Login" for admins
Click next and click select members. Add the users that are allowed to RDP in then click review + assign and review + assign again
Users with the RDP login role should now be able to RDP into the Windows VM. Note that the user must already be logged into their Azure AD account on the local machine before RDPing into the Windows VM with their AAD account.
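The same role assignments can be made and audited with the Az PowerShell module instead of the portal. This is an added example, not from the wiki: the resource group, VM name and user principal names are assumptions.

```powershell
# Added example (not from the wiki): assign the Azure AD login roles on the Windows VM
# and list who currently holds them. Resource and account names are assumptions.
Connect-AzAccount

$ResourceGroup = "capstone-rg"    # assumption
$VmName        = "secure-win10"   # assumption
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

# Scope each assignment to this VM's resource ID only, not the resource group or
# subscription, so the role grants RDP to nothing else.
New-AzRoleAssignment -SignInName "admin@example.onmicrosoft.com" `
    -RoleDefinitionName "Virtual Machine Administrator Login" -Scope $vm.Id

New-AzRoleAssignment -SignInName "analyst@example.onmicrosoft.com" `
    -RoleDefinitionName "Virtual Machine User Login" -Scope $vm.Id

# Review: these are the only accounts the VM will accept at the RDP logon, even for
# connections that pass the network security group.
Get-AzRoleAssignment -Scope $vm.Id |
    Where-Object { $_.RoleDefinitionName -like "Virtual Machine*Login" } |
    Select-Object DisplayName, SignInName, RoleDefinitionName
```

Re-running the `Get-AzRoleAssignment` query after any change is a quick way to confirm no one was granted the login roles at a wider scope (resource group or subscription), which would also allow RDP into this VM.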
With RDP access to the Windows VM the Linux VM can now be accessed, as they are on the same network
Configuring a security group and rules for the Windows VM
From the Azure portal search for Network security groups and select it from the search
Click create in the top left
Choose the Azure subscription and resource group of choice
Name the Security group and choose a region
Click review and create, then create
Go to the newly made security group and go to Inbound security rules to set up inbound traffic.
Note: Azure network security groups are stateful, so there is no need to make corresponding outbound rules for return traffic.
Also, make sure the rules are in the correct order: the lower the priority number, the higher the priority. The first rule whose criteria match the traffic is the one used to allow or block it, and later rules are not consulted.
To make a new rule, click Add at the top, set the source and source port, then the destination and the protocol. Choose Deny or Allow, then name the rule and click Add. Below is an example of a rule allowing RDP to the Windows VM from the VPN network.
Apply the security group to the virtual machine
Once you have all of your rules in place in the security group, the Windows VM's network interface needs to be associated with the security group so that the rules are enforced.
While still in the security group resource, choose "Network interfaces" right under outbound security rules
At the top click Associate and choose the network interface for the VM you want to associate with the security group, then click Ok
There is also the option to associate a security group with a subnet instead. Subnet association can be found right underneath Network interfaces on the left side.
Once associated, the security group rules will be enforced.
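The rule set from the "Configuring a security group" section and the association step above can be done in one script with the Az PowerShell module. This is an added example, not the wiki's own configuration: the resource names, the VPN subnet and the private IPs of the two VMs are assumptions, and the rules implement the goals listed at the top of the page.

```powershell
# Added example (not from the wiki): build the NSG for secure-net and attach it to both
# VMs' network interfaces. Names, addresses and NIC names are assumptions.
$ResourceGroup = "capstone-rg"
$Location      = "eastus"
$VpnSubnet     = "10.1.0.0/24"   # subnet VPN clients arrive from
$WindowsVmIp   = "10.2.0.4"      # private IP of the Windows VM on secure-net
$WebserverIp   = "10.2.0.5"      # private IP of the CentOS webserver on secure-net

# Lower priority number = evaluated first; the first match decides, so each allow is
# followed by a deny that catches everything else aimed at the same service.
$rules = @(
    New-AzNetworkSecurityRuleConfig -Name "Allow-RDP-From-VPN" -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $VpnSubnet -SourcePortRange "*" `
        -DestinationAddressPrefix $WindowsVmIp -DestinationPortRange 3389

    # Without this deny, the default AllowVnetInBound rule (priority 65000) would still
    # let any other address on the virtual network reach RDP.
    New-AzNetworkSecurityRuleConfig -Name "Deny-RDP-Other" -Priority 110 `
        -Direction Inbound -Access Deny -Protocol Tcp `
        -SourceAddressPrefix "*" -SourcePortRange "*" `
        -DestinationAddressPrefix $WindowsVmIp -DestinationPortRange 3389

    New-AzNetworkSecurityRuleConfig -Name "Allow-SSH-From-WindowsVM" -Priority 200 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $WindowsVmIp -SourcePortRange "*" `
        -DestinationAddressPrefix $WebserverIp -DestinationPortRange 22

    New-AzNetworkSecurityRuleConfig -Name "Allow-8080-From-WindowsVM" -Priority 210 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $WindowsVmIp -SourcePortRange "*" `
        -DestinationAddressPrefix $WebserverIp -DestinationPortRange 8080

    # Nothing else may reach the webserver from anywhere.
    New-AzNetworkSecurityRuleConfig -Name "Deny-Webserver-Other" -Priority 220 `
        -Direction Inbound -Access Deny -Protocol "*" `
        -SourceAddressPrefix "*" -SourcePortRange "*" `
        -DestinationAddressPrefix $WebserverIp -DestinationPortRange "*"
)

# No explicit outbound rules: the NSG is stateful and the default rules already allow
# outbound traffic, which covers updates and package downloads.
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Location $Location `
    -Name "secure-net-nsg" -SecurityRules $rules

# The "Associate" step: attach the NSG to each VM's network interface.
foreach ($nicName in @("secure-win10-nic", "secure-web-nic")) {   # assumption: NIC names
    $nic = Get-AzNetworkInterface -ResourceGroupName $ResourceGroup -Name $nicName
    $nic.NetworkSecurityGroup = $nsg
    $nic | Set-AzNetworkInterface | Out-Null
}

# Verify what is actually enforced on the Windows VM's NIC, including the default rules.
Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $ResourceGroup `
    -NetworkInterfaceName "secure-win10-nic"
```

Checking the effective rules after association is worth the extra command: it shows the platform's default rules merged with yours in priority order, which is where a missing deny (for example, relying on the defaults to block RDP from the rest of the VNet) becomes visible.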