Checking Open Ports in Azure

Published On: 2019-03-15

Let’s be honest here, data security is really important to me.  Some people probably think that I go to extremes to ensure that my data as well as my customers’ data is secured.  With that in mind, some time ago I wrote a blog post on a VPN server that I built on an Azure virtual machine to give me a secure connection whenever I am away from my home network.  Using a VPN server is a great way to get both security and peace of mind.

Turns out that the server got hacked.  And it was my fault.

See, if you leave certain ports open to the outside world like I did, you are just asking for hackers to attack you.  And that’s exactly what happened.  When I first created the virtual machine, I mistakenly left port 3389, the port used for Remote Desktop Protocol (RDP) connections, open and available to the world.  There was no NSG rule limiting those connections to a specific source IP address or range, so anyone on the Internet could reach the RDP login prompt.  By the way, hackers routinely scan the public IP space looking for open ports, so it was only a matter of time before one found me.

Ironically, the hackers wanted bitcoin in exchange for releasing the virtual machine back to me.   I laughed at them and promptly deleted the entire machine from Azure.  Once the VM was removed, I had a new virtual machine stood up, with the VPN software reinstalled and accepting connections, within about 30 minutes.  This time I applied Network Security Group (NSG) rules to help prevent this from happening again.

Azure Advisor

This was a great lesson for me, and it got me thinking about network security in Azure and ways to prevent this.  One way is to use Azure Advisor.  Advisor offers security recommendations (as well as recommendations in other categories) that help further harden your Azure footprint.  These recommendations range from NSG rules to enabling auditing or installing an endpoint protection solution that actively monitors for viruses and malware.  Here’s an example of what a report looks like:

As you can see, you can walk through all of the recommendations and decide whether or not to implement each one.  Keep in mind that some recommendations may incur additional cost on the respective subscription, so evaluate them carefully.

PowerShell

In conjunction with Azure Advisor, I also decided to use PowerShell.   I thought that having a script I could easily run on an ad-hoc basis would help me identify any open ports I might have.  Later I’ll automate this in some fashion, probably via Automation runbooks, but for now just having a script is handy enough for me.

The script is fairly basic: it loops through all of the subscriptions associated with your login and, for every NSG in each of them, looks for rules whose source address prefix is “*” (essentially any source IP address) and whose Access is set to “Allow”.   Note that this filter is deliberately narrow.  A rule with a source of “Internet” or “0.0.0.0/0” is just as open but will not match, and the filter does not look at the rule’s Direction, so an outbound allow-all rule (common, and usually harmless) is reported right alongside the inbound ones you actually care about.   This, of course, is adjustable for your needs, so feel free to play around with the values.   The script also writes the matching rules to a file and then opens that file.

Let’s step through it!!

First, I set the path of the local file to which the output is exported.   After that I need to authenticate to Azure.  If the PowerShell session already has an Azure context, the script detects that and skips the login.

$path = "c:\temp\openports.txt"

# Log into Azure if this session has no context yet
if (-not (Get-AzContext)) {
    Connect-AzAccount
}

# Start from an empty file; Out-File -Append below would otherwise pile up results from earlier runs
if (Test-Path $path) { Remove-Item $path }

Once we are authenticated, we can start looping.  We iterate over every subscription and, within each subscription, check every NSG for matching rules.  Each match is appended to the file specified in the step above.

# Get all of the subscriptions
$subs = Get-AzSubscription

# Loop through the subscriptions, then every NSG in each one
foreach ($sub in $subs) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    $nsgs = Get-AzNetworkSecurityGroup
    foreach ($nsg in $nsgs) {
        # Rules that allow traffic from any source ("*")
        $nsg | Get-AzNetworkSecurityRuleConfig |
            Where-Object -FilterScript { $_.SourceAddressPrefix -eq "*" -and $_.Access -eq "Allow" } |
            Out-File -FilePath $path -Append
    }
}

Once the file has been populated, we open it with the Invoke-Item cmdlet, which launches the text file in your default text editor, usually Notepad.

# Open the file
Invoke-Item $path

Here is the entire script put together:

#############################################################################
# MIT License
# 
# Copyright (c) 2017-Present John Morehouse
# 
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:

# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.

# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#############################################################################
$path = "c:\temp\openports.txt"

# Log into Azure if this session has no context yet
if (-not (Get-AzContext)) {
    Connect-AzAccount
}

# Start from an empty file; Out-File -Append below would otherwise pile up results from earlier runs
if (Test-Path $path) { Remove-Item $path }

# Get all of the subscriptions
$subs = Get-AzSubscription

# Loop through the subscriptions, then every NSG in each one
foreach ($sub in $subs) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    $nsgs = Get-AzNetworkSecurityGroup
    foreach ($nsg in $nsgs) {
        # Rules that allow traffic from any source ("*")
        $nsg | Get-AzNetworkSecurityRuleConfig |
            Where-Object -FilterScript { $_.SourceAddressPrefix -eq "*" -and $_.Access -eq "Allow" } |
            Out-File -FilePath $path -Append
    }
}

# Open the file
Invoke-Item $path

You can also find the script on GitHub located here.
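As an added example (not the script from this post), here is a broader version of the same audit that a practitioner would want before trusting the results: it only reports inbound Allow rules, treats “Internet”, “0.0.0.0/0” and “::/0” as open sources in addition to “*”, records which NSG and subscription each rule belongs to, flags rules that expose common management ports such as RDP and SSH, and overwrites its CSV on every run instead of appending.  It assumes the Az.Accounts and Az.Network modules are installed; the output path and the list of management ports are my own assumptions and can be changed.

```powershell
# Added example, not the post's script: inbound NSG rules that allow any source, across
# every enabled subscription, with enough context on each finding to act on it.
# Requires the Az.Accounts and Az.Network modules. Output path and the management-port
# list are assumptions.
#Requires -Modules Az.Accounts, Az.Network

$outPath = Join-Path $env:TEMP 'open-inbound-rules.csv'

# Every one of these source prefixes means "anyone on the Internet". The post's script
# matches only "*"; a rule using one of the others is just as exposed.
$anySource = @('*', 'Internet', '0.0.0.0/0', '::/0')

# Ports where allow-from-anywhere is almost always a mistake (SSH, RDP, WinRM, SQL, ...).
$managementPorts = @(22, 3389, 5985, 5986, 1433, 3306, 5432)

function Test-PortRangeContains {
    # $true when an NSG port specifier ("*", "3389" or "3000-4000") covers $Port.
    param([string]$Range, [int]$Port)
    if ($Range -eq '*')                { return $true }
    if ($Range -match '^\d+$')         { return ([int]$Range -eq $Port) }
    if ($Range -match '^(\d+)-(\d+)$') { return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) }
    return $false
}

function Get-OpenInboundRule {
    param([Parameter(Mandatory)] $Nsg, [string] $Subscription)

    foreach ($rule in ($Nsg | Get-AzNetworkSecurityRuleConfig)) {
        if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }

        # SourceAddressPrefix and DestinationPortRange are lists in the Az model.
        $sources = @($rule.SourceAddressPrefix)
        if (-not ($sources | Where-Object { $anySource -contains $_ })) { continue }

        $ports = @($rule.DestinationPortRange)
        $exposedMgmt = $managementPorts | Where-Object {
            $p = $_
            $ports | Where-Object { Test-PortRangeContains -Range $_ -Port $p }
        }

        [pscustomobject]@{
            Subscription     = $Subscription
            ResourceGroup    = $Nsg.ResourceGroupName
            NSG              = $Nsg.Name
            Rule             = $rule.Name
            Priority         = $rule.Priority
            Protocol         = $rule.Protocol
            Sources          = ($sources -join ',')
            DestinationPorts = ($ports -join ',')
            ManagementPorts  = ($exposedMgmt -join ',')
            # An NSG attached to no NIC or subnet is a latent problem, not a live one.
            Attachments      = @($Nsg.NetworkInterfaces | Where-Object { $_ }).Count +
                               @($Nsg.Subnets | Where-Object { $_ }).Count
        }
    }
}

if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

$findings = foreach ($sub in (Get-AzSubscription | Where-Object State -eq 'Enabled')) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    foreach ($nsg in Get-AzNetworkSecurityGroup) {
        Get-OpenInboundRule -Nsg $nsg -Subscription $sub.Name
    }
}

# -Force overwrites, so each run starts clean instead of appending to last week's findings.
$findings | Sort-Object Subscription, NSG, Priority |
    Export-Csv -Path $outPath -NoTypeInformation -Force

# Management ports first: these are the RDP-to-the-world mistakes described in the post.
$findings | Where-Object ManagementPorts |
    Format-Table Subscription, NSG, Rule, Priority, Sources, DestinationPorts, ManagementPorts, Attachments -AutoSize
"$(@($findings).Count) open inbound rule(s); details in $outPath"
```

Two caveats on reading the output.  A matching rule is a strong signal but not proof of exposure: a Deny rule with a lower priority number wins over it, and an NSG with zero attachments protects nothing yet.  To confirm what is actually reachable for a given NIC, check the effective rules with Get-AzEffectiveNetworkSecurityGroup or run Network Watcher’s IP flow verify against the VM.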

Summary

As a data professional, security should be, and is, always on my mind.  Understanding the risks of the technology you use will help you find ways to prevent unauthorized access.  In this case, the hacker only really cost me about 30 minutes to rebuild my server, but they taught me a great lesson in security.  Even in your development environments, make sure to review your security rules so that this doesn’t happen to you.


© 2019, John Morehouse. All rights reserved.

Secure Travel

Published On: 2019-03-08

Traveling in today’s age of technology is a lot easier than in the past.   You can start your journey in the morning in one country and be halfway across the world by night’s end.   When traveling, data security is always at the forefront of my mind.  I recently traveled to a conference.   While this isn’t all that unusual (I travel about once a month on average), this time it was different: I was traveling internationally, to England, to speak at SQL Bits.  It was a glorious conference and I was really excited to go; while preparing to travel, I made sure to review my security measures so that I could enjoy my trip and not be worried.

Full Disk Encryption

If your laptop (or laptops, in my case) doesn’t already have full disk encryption enabled, you are doing it wrong.  As a user of both Windows and Apple hardware, I can say that enabling this feature is painless.  Disk encryption happens behind the scenes and, on modern hardware with AES acceleration, should not cause a noticeable performance hit once it is enabled.

FileVault for Apple – FileVault is the way to go if you are a Mac user.  It’s built into the operating system and does not have any restrictions (that I know of) in terms of versions.  If you have been using your laptop for a while without this enabled, it may take some time to get everything encrypted when you do turn it on.  I had been using my laptop for years without encryption enabled, so when I made the switch I did it over a weekend where I could let it sit.   You can enable it and continue to work; just keep in mind that the machine might be slower while it’s encrypting all the bits.

BitLocker for Windows – BitLocker is the way to go if you are in the Windows ecosystem.  It’s easy to enable and introduces no noticeable performance overhead.  My Surface (provided by my employer) already came encrypted.   BitLocker, unfortunately, is not available in Windows Home; however, you can pay $99 to upgrade to Windows Pro, which includes BitLocker.  In my opinion, full disk encryption is worth every penny of that $99, but if that is above your price point there are alternatives on the market such as VeraCrypt.  Make sure that you research those alternatives closely and understand the process for encrypting and decrypting your drive, and keep the recovery key somewhere other than the encrypted disk itself.  If done wrong, the data you lose could be your own.

In short, I have the peace of mind of knowing that if my laptop is stolen, most likely nobody is going to be able to retrieve any sensitive information on it.  Even when traveling domestically, just enable it and have that peace of mind.

You’ll thank me later.
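“Enabled” and “actually protecting the disk” are not the same thing, so before a trip it is worth checking.  The following is an added example, not part of the original post: a PowerShell check for a Windows Pro/Enterprise machine that confirms every volume BitLocker knows about is fully encrypted with protection on, that the OS volume is TPM-backed, and that a recovery password protector exists so the recovery key can be backed up somewhere off the laptop.  It uses only the built-in BitLocker and TrustedPlatformModule cmdlets and must run in an elevated session.

```powershell
# Added example, not from the original post: pre-travel BitLocker sanity check.
# Requires Windows Pro/Enterprise and an elevated PowerShell session.
#Requires -RunAsAdministrator

function Test-TravelDiskEncryption {
    [CmdletBinding()]
    param()

    $problems = @()

    # A ready TPM is what makes "just turn it on" safe; without one BitLocker has to
    # fall back to a password or USB key protector.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $problems += 'TPM not present or not ready; BitLocker cannot use a TPM protector.'
    }

    foreach ($vol in Get-BitLockerVolume) {
        $label = "$($vol.MountPoint) ($($vol.VolumeType))"

        # Protection can be Off even when the volume is encrypted (e.g. suspended for an
        # update), and encryption can still be in progress after you "enabled" it.
        if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
            $problems += "$label : protection $($vol.ProtectionStatus), status $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted."
            continue
        }

        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        # No recovery password means nothing to back up, and a lost TPM/PIN is a lost disk.
        if ($types -notcontains 'RecoveryPassword') {
            $problems += "$label : no recovery password protector; add one and back it up before travel."
        }
        if ($vol.VolumeType -eq 'OperatingSystem' -and -not ($types | Where-Object { $_ -like 'Tpm*' })) {
            $problems += "$label : OS volume is not TPM-protected (protectors: $($types -join ','))."
        }
    }

    [pscustomobject]@{
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

$result = Test-TravelDiskEncryption
if ($result.Ready) { 'All volumes fully encrypted and protected.' } else { $result.Problems }
```

If the check reports a missing recovery password, `Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector` creates one and `Backup-BitLockerKeyProtector` can escrow it; print or store it somewhere that does not travel with the laptop.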

Password Managers

Password managers such as 1Password, LastPass, or KeePass should be part of your daily routine.  If you keep using the same password for all of your accounts (both online and offline), you are begging for a hacker to break in: once they have obtained that one password, whether by brute force or from a breach at some unrelated site, your kingdom is theirs.  I personally use 1Password (and have for years) simply because it offers several features that I really like.

One of these features is Travel Mode.  Travel Mode is pretty simple: it removes any vault not marked as “safe for travel” from your devices.  It does not hide or mask them; it removes them from the device completely (they remain in your 1Password account).   Once you reach your destination, you simply turn off Travel Mode and the vaults are synced back down.  This helps ensure that an unwarranted search of your device will not turn up passwords that could then be used against you.   Vaults you mark as “safe for travel” are left on your devices.

If you are traveling to a country where searches of your device might happen, this is a great way to alleviate those concerns.

Note: Microsoft MVP & Security Expert Troy Hunt uses 1Password so take that into consideration.

Passport Security

I consider my passport sensitive information, so I want to protect it as well as possible whenever I travel.  In addition to my US driver’s license, I also travel with my passport so that I have a second way to prove my identity.   The United States passport (like those of many other countries) has an RFID chip built into the cover, which means someone with an RFID reader near my passport could try to read it.  The data on the chip is protected by Basic Access Control, so a reader needs the printed machine-readable zone to derive the key, and the US cover includes a shielding layer that blocks reads while the book is closed.  Even so, I don’t like to give anybody any personal information unless I absolutely must, especially if I don’t even know it’s happening.

One way to protect your passport against RFID scanning is to purchase a sleeve for it.  These are inexpensive sleeves that your passport slides into, shielding it from an RFID reader.  They are easy to use and give me peace of mind when I travel.

Another consideration when it comes to your passport is to have a secondary copy available somewhere, preferably off site.  In my case, I keep an encrypted copy of my passport with a cloud provider (Dropbox, OneDrive, Google, etc.) to which certain family members have access.   If my passport is stolen or misplaced, I can either access the copy directly from my cloud provider or contact a family member to get one.  While this copy will not be enough to board a flight or cross a border, it at least gives the local US Embassy information that can be used to verify who I am.

VPN

Whenever I am away from my home network, data security concerns are always present.  I work with a number of clients and I always want to protect their data, as well as mine, as best I can.  Therefore, whenever I am traveling and need to access the Internet, I use a VPN.  In my case, I use my own VPN server that I stood up in Azure.  With the VPN connected, all of my Internet traffic is encrypted between my device and the VPN server, so the hotel or coffee-shop network sees only the tunnel; beyond the VPN server the traffic is only as protected as the site’s own TLS.   Depending on where you are traveling to, you might look at various third-party VPN services to find one with an endpoint as close to your destination as possible.  In my case, my VPN server is located in the East US Azure region, and even across the Atlantic the speed was sufficient for what I needed.

My VPN solution also allows me to use a VPN connection on my phone.  I have a newer iPhone, and with the OpenVPN client I was able to get a secure connection over the hotel Wi-Fi.

Summary

It is really exciting to be able to travel, especially when that travel takes you across borders and around the world.  These simple items I’ve listed above will help to secure your data.  Unauthorized access to your data can really ruin your travel plans, so take a few moments to go over them as well as anything else that might be critical for you.  Remember, the data that you might save could be your own!

If you are a frequent traveler, what do you do to secure your data?  I’d love to know so that I can be more secure!

Happy Traveling!



Restoring a Database from Azure

Published On: 2019-03-01

In a previous post, I described how you can use Azure storage to store SQL Server database backup files.  This flexible option gets your critical backups off site, and in certain regions the storage can be configured to replicate automatically to a secondary region.  Having backups of your backups is a backup plan I would support.  Regardless of how many copies of the backups you have, you still need to be able to restore them.  Restoring routinely validates that the backups are good and keeps the process fresh for the day you actually need it.

So how do you restore from Azure storage? You do so from an URL.  Let’s take a look!

When you back up a database to Azure, there are two types of blobs that can be used: page blobs and block blobs.   Because of price and flexibility, block blobs are the recommended choice.  However, which type you used for the backup dictates how the restore is performed.  Both methods require a credential, so that information needs to be known before you can restore from Azure.

Page Blobs

If you used page blobs, the credential was created with the storage account’s access key.  Unlike a SAS, an account key has no expiration date, so as long as the keys have not been rotated you don’t need to do anything else.  All you have to do is issue a simple RESTORE command and the database will be restored.  Note that you do have to use the WITH CREDENTIAL option in the command and specify which credential to use.

RESTORE DATABASE Scratch2 FROM URL = 'https://backupsdemo.blob.core.windows.net/sqlbackups/Scratch2_pageblob.bak'
	WITH CREDENTIAL = 'PageBlobs', RECOVERY, STATS = 5

If all goes to plan, you’ll see the normal status messages as shown below:

Block Blobs

Block blobs can be a little more complicated.   A backup to Azure using block blobs relies on a Shared Access Signature (SAS) for authorization.  The signature is generated through the Azure portal (or via scripting, for example PowerShell) and is required in order to back up to and restore from the blob.  Some things to note about them:

  1. They have an expiration date/time.  If you backed up using a SAS and did not set an expiration far enough into the future, the SAS can and will expire.  You will then have to generate a new signature and update the credential on your SQL Server.
  2. They can optionally be restricted to an IP address or range.  If you set one, the SQL Server’s outbound public IP must fall inside it, or its requests to the blob are rejected.

If the signature used to back up the database has expired, you will need to regenerate one.  Once it is regenerated, take the SAS token (without the leading question mark) and update the secret of the credential.  Remember that with SAS the credential is named after the full container URL (blob endpoint plus container name), and the RESTORE statement does not use WITH CREDENTIAL; SQL Server matches the backup URL to the credential by name.

Here is where the token needs to go:

Once the credential has been updated, you can then begin to restore the database with, again, your standard RESTORE DATABASE command.

RESTORE database Scratch2 FROM URL = 'https://backupsdemo.blob.core.windows.net/sqlbackups/Scratch2_Restore_blockblob.bak'
WITH replace, RECOVERY

As with page blobs, if all is well you will see the standard messages when doing a restore:
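Because the SAS is the part that bites you (it expires, and it is the secret that anyone holding it can use), it is worth scripting the whole refresh-and-restore sequence so the token is short-lived every time.  The following is an added example, not from the original post: it uses Az.Storage to mint a two-hour, HTTPS-only, read/list-only SAS for the container, creates or updates the SQL Server credential named after the container URL, runs RESTORE VERIFYONLY as a check, and then performs the restore through Invoke-Sqlcmd.  The storage account and container come from the URL in the post; the resource group, SQL instance name and the use of the SqlServer module are my assumptions.

```powershell
# Added example, not from the original post: refresh the SAS credential and restore.
# Requires the Az.Accounts, Az.Storage and SqlServer PowerShell modules and an Az login.
# Resource group and SQL instance are assumed values; the storage account, container,
# file and database names match the post.
#Requires -Modules Az.Accounts, Az.Storage, SqlServer

$resourceGroup  = 'backups-rg'                      # assumed
$storageAccount = 'backupsdemo'                     # from the post's URL
$container      = 'sqlbackups'                      # from the post's URL
$backupFile     = 'Scratch2_Restore_blockblob.bak'
$sqlInstance    = 'localhost'                       # assumed; add -TrustServerCertificate
$database       = 'Scratch2'                        # to Invoke-Sqlcmd on SqlServer 22+ if needed

if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

# 1. A SAS scoped to this one container, read+list only (enough for a restore), HTTPS only,
#    valid for two hours. Add -IPAddressOrRange <sql server public IP> to pin it further.
$ctx = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount).Context
$sas = New-AzStorageContainerSASToken -Name $container -Context $ctx `
           -Permission rl -Protocol HttpsOnly `
           -StartTime (Get-Date).AddMinutes(-5) -ExpiryTime (Get-Date).AddHours(2)
$sas = $sas.TrimStart('?')   # SQL Server wants the token without the leading '?'

# 2. The credential must be named with the container URL (no trailing slash).
#    A SAS token is URL-encoded and never contains a quote, so it is safe to embed here.
$containerUrl  = "https://$storageAccount.blob.core.windows.net/$container"
$credentialSql = @"
IF EXISTS (SELECT 1 FROM sys.credentials WHERE name = N'$containerUrl')
    ALTER CREDENTIAL [$containerUrl]
        WITH IDENTITY = 'SHARED ACCESS SIGNATURE', SECRET = '$sas';
ELSE
    CREATE CREDENTIAL [$containerUrl]
        WITH IDENTITY = 'SHARED ACCESS SIGNATURE', SECRET = '$sas';
"@
Invoke-Sqlcmd -ServerInstance $sqlInstance -Database master -Query $credentialSql

# 3. Prove the backup is readable with the new credential, then restore.
#    -QueryTimeout 0 disables the default timeout; -Verbose surfaces the STATS messages.
$url = "$containerUrl/$backupFile"
Invoke-Sqlcmd -ServerInstance $sqlInstance -Database master -QueryTimeout 0 -Verbose -Query @"
RESTORE VERIFYONLY FROM URL = N'$url';
RESTORE DATABASE [$database] FROM URL = N'$url'
    WITH REPLACE, RECOVERY, STATS = 5;
"@
```

Keeping the SAS lifetime short and regenerating it at restore time, rather than storing a long-lived token in the credential, limits the damage if the credential’s secret is ever read out of the instance; the credential still works for backups as long as you add write permission (for example `-Permission rwl`) when minting the token for that job.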

Summary

Just like backing up to URL is fairly easy to accomplish, restoring from URL is just as easy.  There aren’t any serious moving parts to make this happen.  Storing your backups in Azure is a great way to get your backups offsite and quite possibly even out of the region.  If you are looking for a way to get your backups off site, make sure to look at Azure along with any other providers.  I’m a huge fan.

Enjoy!


Adding Azure VM Boot Diagnostics

Published On: 2019-02-22

A couple of weeks ago, I blogged about boot diagnostics and how they can help you troubleshoot issues when virtual machines won’t start.  But what if you chose to disable boot diagnostics when the virtual machine was created?  Can you go back and retroactively add them?

Yes, Virginia, yes you can.  There is indeed a Santa Claus.  It’s pretty simple to do.

Open the Azure portal, locate the virtual machine in question, and go to Boot Diagnostics.

  1. Make sure that the Status is set to “On”.
  2. Select a storage account to use or select “Create new”.  If you have a specific storage account that you use for diagnostics for all of your resources, you can use that, however I would just recommend creating a new storage account.
  3. You’ll need to give the storage account a globally unique name for the endpoint.  Here you can see I’ve given mine the name of “vpndiagXXXXXX” since this particular machine is used for VPN services when I travel.
  4. Like many things in Azure, you can select an appropriate level of redundancy for your needs.  If boot diagnostics are very critical to your environment, I would change the replication to geo-redundant storage (GRS).  This would ensure that the logs are geo-replicated to another region for resiliency.

Once you are done configuring the storage account, just simply click “Save” at the top left.
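The same change can be made from PowerShell, which is handy when you have more than one VM to fix.  The following is an added example, not from the original post: it creates a dedicated geo-redundant storage account (with public blob access off and HTTPS only, which the portal flow does not prompt for), points the VM’s boot diagnostics at it, pushes the update, and then pulls the latest screenshot and serial log to confirm the setting works.  It assumes the Az.Compute and Az.Storage modules; the resource group, VM name and storage account prefix are my assumptions.

```powershell
# Added example, not from the original post: enable boot diagnostics on an existing VM.
# Requires the Az.Accounts, Az.Compute and Az.Storage modules and an Az login.
# Resource group, VM name and storage account prefix are assumed values.
#Requires -Modules Az.Accounts, Az.Compute, Az.Storage

$resourceGroup = 'vpn-rg'     # assumed
$vmName        = 'vpn-vm'     # assumed
# Storage account names must be globally unique, 3-24 lowercase letters/digits.
$storageName   = 'vpndiag' + (Get-Random -Minimum 100000 -Maximum 999999)

if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

$vm = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName

# Dedicated account for diagnostics, geo-redundant so the logs survive a regional outage.
# Lock it down while creating it: no anonymous blob access, HTTPS only, TLS 1.2 minimum.
$sa = New-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageName `
          -Location $vm.Location -SkuName Standard_GRS -Kind StorageV2 `
          -AllowBlobPublicAccess $false -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2

# Turn boot diagnostics on, targeting the new account, and push the VM model change.
$vm = Set-AzVMBootDiagnostic -VM $vm -Enable `
          -ResourceGroupName $resourceGroup -StorageAccountName $sa.StorageAccountName
Update-AzVM -ResourceGroupName $resourceGroup -VM $vm | Out-Null

# Confirm the setting took (Enabled should be True with the new StorageUri) ...
(Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName).DiagnosticsProfile.BootDiagnostics

# ... and fetch the current screenshot and serial console log. Use -Linux for a Linux VM.
Get-AzVMBootDiagnosticsData -ResourceGroupName $resourceGroup -Name $vmName -Windows -LocalPath $env:TEMP
```

The VM does not need to be deallocated for this change; the diagnostics profile is updated in place and the first screenshot appears after the next boot-time capture.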

Summary

Boot diagnostics is your friend and is useful in determining the status of your Azure virtual machine.  If for some reason you didn’t enable this during creation, it’s simple to add back to the configuration.

