This post to wrap up my session at TechEd Sydney 2014 : DCI315 Azure VM Security and Compliance Management with Configuration Manager and SCM.

In this blog post series we will dispell some of the myths and dive into Azure VM Security.

With Azure AU Geo launched on TechEd Sydney 2014, Azure now has 19 Regions. More and more enterprises start migrating their workloads into Azure. Most of our clients have the same question – How do we manage security and compliance on Azure VM?

Security for our Azure VMs is shared responsibility between Microsoft and us. The next question is – Who’s responsible for what ?

Below diagram is Shared Responsibility Model diagram which I borrow from Lori Woehler

sharedresponsibility diagram

We will focus on IaaS column from diagram above. Clearly, we have resposibility to look after O/S layer and above. The summary of our responsibilities as IaaS customer as follow:

  • Application Security
  • Access Control and Data Protection
  • Vulnerability Scanning, Penetration Testing
  • Logging, Monitoring, Incident Response
  • Protection, Patching and Hardening

There is no silver bullet to protect our Azure VM. The pro-active approach has to be taken to secure our Azure environment.This blog post will focus on Protection, Patching and Hardening our Azure VM. Let’s jump to our first focus.

Protect Azure VM

On this post we will use two different technique:

  • Using Azure VM Security Extensions (Out-of-the box solution)
  • Using Sytem Center Endpoint Protection which is our In-house AV Solution

Azure VM Security Extensions

Details for Azure Security Extensions can be found here. We will use Microsoft Anti-Malware for this post which recently announced its GA.  Microsoft Anti-Malware is built on the same anti-malware platform as MSE (Microsoft Security Essentials), Microsoft Forefront Endpoint Protection, Microsoft System Center Endpoint Protection, Windows Intune and Windows Defender.

We can deploy Microsoft Anti-Malware using Portal or Azure PowerShell or Visual Studio.

microsoft antimalware

We will use PowerShell deployment technique for this post. Script below will help us to deploy Microsoft Anti-Malware Security Extensions to existing Azure VM

Script below will check whether Microsoft Anti-Malware has been deployed to Azure VM

System Center Endpoint Protection

System Center Endpoint Protection is one of the security feature from System Center Configuration Manager known as SCCM or ConfigMgr. We will use ConfigMgr 2012 R2 on this post. ConfigMgr 2012 R2 is powerful enterprise-grade tool to maintain configuration, compliance and data protection users computers, notebooks, servers, mobile devices whether they are corporate-connected or cloud-based.

We will focus on Endpoint Protection solution to our Azure VMs. Four things need to be noted:

  • Endpoint Protection site system role need to be configured as endpoint protection point
    endpoint protection
  • Create Antimalware Policy and configure it
  • Configure Client Device Settings and select Endpoint Protection
  • Deploy ConfigMgr Agent with Endpoint Protection Agent and Deploy the Client Device Settings

And we just deployed Anti Malware for our Azure VM


Now what are the major benefits using ConfigMgr – Endpoint Protection instead Microsoft Antimalware VM Security Extensions?

  • Centralized Management
    ep console
  • Reporting Services

The next post we will focus on Patch and Compliance Management using ConfigMgr and SCM.

Azure Infrastructure, Cloud Infrastructure, Security
, , , , ,

Comments are closed.