
Defender for Cloud - Virtual Machines

April 4, 2025


11 July 2022 | Defender for Cloud

Hi All,

Thanks for joining me in the second blog of a series, each part covering a piece of Defender for Cloud. For those who missed the first one, here is the getting-started blog: Getting started with Defender for Cloud (kooijman.cloud)

In this blog we are going to cover protecting a Windows Virtual Machine with Defender for Cloud. To start with, let's take a look at the 2 plans we can pick to protect our VM.

Plan 1 will deploy Defender for Endpoint to your VM, and through the integration of Defender for Endpoint and Defender for Cloud, it will report to your Defender for Cloud dashboard.

MVP Jeffrey Appel is currently writing a great series of blogs covering Defender for Endpoint; if you want to know more, please visit Microsoft Defender for Endpoint - The ultimate blog series for Windows (Intro) - P0 (jeffreyappel.nl)

We are going to cover a default deployed Server 2019 VM with Plan 2 attached to it. So let's go and see what information we are getting.

On the left side you will see some key information about this VM: recommendations to cover, alerts, agent status and resource status. To utilize all capabilities we first need to have the monitoring agent installed on the VM. To do this we will connect it to a Log Analytics Workspace (500 MB free).

If you want to know exactly what kind of logs are saved in the LAW: Auto-deploy agents for Microsoft Defender for Cloud | Microsoft Docs

There are 2 ways to connect your VM to a Log Analytics Workspace enabled for Defender for Cloud. You can let Defender for Cloud create a LAW for you, or upgrade your own LAW to enable it for Defender for Cloud.

Now that we have the LAW in place, we need to select the extensions we want to use on the VM, and finally the level of logging that takes place.

If we now look at the status of our VM in the resource pane, we will see the monitoring agent shows as Installed. From now on alerts can be generated based on the logging that takes place.

Next up is the installation of the Endpoint Protection, also known as the Microsoft Antimalware extension. You can easily install this on your VM from the Extensions tab, or by selecting the recommendation in Defender for Cloud and clicking the install button.

Now that we have all the tools and logging in place, let's go and look at the recommendations and what it takes to make our VM a bit safer.

One of the key features in Defender for Servers Plan 2 is Just-in-Time access (JIT), which is used to open management ports only when needed. To utilize this we should first create a Network Security Group (NSG) and associate it with the VM's NIC. Azure Firewall also supports this feature.

To enable JIT we select configure in the JIT overview pane.

Once we select configure, the associated NSG will get additional rules under which all management ports are blocked by default. Only when you request access do those ports get opened, for a specific time span, after which they close again.
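To make concrete what those JIT rules do to the NSG, here is an added Python example (not from the original post and not Microsoft's code) that evaluates inbound NSG rules the way Azure does, lowest priority number first with first match winning, and reports which management ports are still reachable from the Internet. The rule names, priorities and the requester address are constructed for illustration, and source matching is a simplification without CIDR arithmetic.

```python
from dataclasses import dataclass

# Ports that Defender for Cloud's JIT access puts behind deny rules (SSH, RDP, WinRM).
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}

@dataclass
class Rule:
    name: str
    priority: int   # lower number is evaluated first; first match wins
    direction: str  # "Inbound" / "Outbound"
    access: str     # "Allow" / "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # "*", a service tag such as "Internet", or a prefix like "203.0.113.7/32"
    dest_ports: str # "3389", "22-23", "*" or a comma-separated list of those

def _port_matches(spec: str, port: int) -> bool:
    for part in (p.strip() for p in spec.split(",")):
        if part == "*":
            return True
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False

def effective_access(rules, port: int, source: str = "Internet", protocol: str = "Tcp") -> str:
    """Walk inbound rules by ascending priority. `source` is "Internet" for an arbitrary
    host, or the exact prefix string a rule uses (simplification: no CIDR arithmetic)."""
    for r in sorted((r for r in rules if r.direction == "Inbound"), key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and r.source in ("*", source)
                and _port_matches(r.dest_ports, port)):
            return r.access
    return "Deny"  # Azure's built-in DenyAllInBound (priority 65500) catches everything else

def exposed_management_ports(rules) -> list:
    """Management ports reachable from any Internet host: what JIT is meant to eliminate."""
    return sorted(p for p in MANAGEMENT_PORTS if effective_access(rules, p) == "Allow")

# Constructed sample: NSG before JIT, with the classic "RDP open to the world" rule.
BEFORE_JIT = [Rule("default-allow-rdp", 300, "Inbound", "Allow", "Tcp", "*", "3389")]

# Constructed sample: after JIT (illustrative deny rule names) plus one approved request
# that allows only the requester's own IP for the requested time window.
AFTER_JIT = [
    Rule("jit-temp-allow-rdp", 100, "Inbound", "Allow", "Tcp", "203.0.113.7/32", "3389"),
    Rule("jit-deny-ssh", 1001, "Inbound", "Deny", "*", "*", "22"),
    Rule("jit-deny-rdp", 1002, "Inbound", "Deny", "*", "*", "3389"),
    Rule("jit-deny-winrm", 1003, "Inbound", "Deny", "*", "*", "5985-5986"),
]
```

Running `exposed_management_ports` over the two samples shows RDP exposed before JIT and nothing exposed after it, while the requester's own address still evaluates to Allow on 3389 during the window.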

Now we are going to make the data flow more secure by encrypting our cache and data flows, as by default only data at rest is encrypted on the VM. For this we need Azure Disk Encryption (ADE) and a Key Vault with ADE access enabled.

If you go to your VM -> Disks -> Settings, you will be able to enable ADE:

Okay, we have a VM that reports when there are issues, is encrypted and scanned for threats, we have JIT enabled, and with that we have resolved the most important recommendations (please note it can take up to 24 hours to show). But what about the good old Windows Updates?

Yes, we want our server up to date with the latest patches.

Abdul Basith wrote a great blog on updating your servers with Azure Automation:

Automate Windows Update With Azure Automation Accounts (c-sharpcorner.com)

It looks like our VM is getting nicely healthy, so let's simulate what happens when something does go wrong.

To get a feel for this you can select Sample Alerts in the Security Alert pane.

In a later post I will cover more about how to handle alerts, and how to automate that.

For today we have our VM nicely working in Defender for Cloud, have increased the protection of the VM and have resolved its recommendations.

Hope you enjoyed the blog and found it useful, for any questions or remarks please feel free to contact me directly.
