During my time working with the Government Cloud, I recognized that every on-boarding virtual machine after successfully provisioned needed to apply a script called hardening. Digging into this script, I realized that it contained many security configuration policies. When running this script, Windows will automatically configure Local Security Policy and built-in advanced firewall (for Windows Server). This practice is part of security by default, and can be found in information security policy in large organizations, especially governmental environment. While it is to make sure new on-boarding machine will have intended configuration you need, and all machines will have the same hardening template.
If you want to learn advanced Azure IaaS Defense in Depth with lot of hands-on labs to practice, go order my book here
In Microsoft Azure, you can automate provisioning your virtual machines while applying a custom script inside to configure security policies by using Azure Automation Desired State Configuration. It allows you to build a custom script, and trigger it in your virtual machine. The script may contain local security policy setting, firewall rule, antivirus deployment or other settings which may help protect your virtual machine. Azure Automation Desired State Configuration is built on top of PowerShell Desired State Configuration.
There are many hardening guidelines but I would high recommend you to take Security Technical Implementation Guide conducted by USA Department of Defense (DoD) here.
You can use custom script extension to automate triggering script in your virtual machine. However Azure Desired State Configuration is still recommended for manageable centralized configuration and deployment.
You can RDP to every virtual machine to run a hardening script. However, this takes time and is not considered a practical deployment. This lab is going to walk you through steps to automate hardening script deployment using Azure Desired State Configuration (DSC)
Log into the Azure Management Portal (https://portal.azure.com) using your administrator account. From the left panel, click New. Click Monitoring + Management. Click Automation.
On the Add Automation Account blade, enter name of the new automation account. Select your subscription under Subscription setting. Select Use existing under Resource group setting. Select did-infra-rg (the one you created already) from the drop-down list. Select your location under Location setting. Select Yes under Create Azure Run As account setting. Click Create.
You can add Automation Accounts navigation to the left panel to easily navigate to manage your automation account. Click to open your automation account.
On the did-auto-account blade, click Modules Gallery.
On the Modules Gallery blade, enter security on the search box and press Enter. In the result, click SecurityPolicyDsc to add the module to your automation account.
On the SecurityPolicyDsc blade, click Import.
On the Import blade, click OK.
Click Modules to review all available modules, including the one you just imported.
Click DSC configurations. Click Add a configuration.
On the Import blade, click folder icon to browse to your DSC configuration file. This is your hardening PowerShell script. The name is automatically populated from the pre-defined parameter in the script. Click OK.
Click on your newly added script.
On the blade, click Compile.
Azure asks you to confirm to compile your DSC configuration. Click Yes.
You can check from the blade the compiling status.
After the compiling process is finished, you can check the status
Go back to your automation blade, click DSC nodes to start adding your virtual machine. Click Add Azure VM.
On the Add Azure VMs blade, click Virtual Machines setting. Select the jump virtual machine as an example. Click OK.
Click Registration setting. On the Registration blade, select Primary key under Registration key setting. Select your DSC configuration under Node Configuration Name setting. Keep Refresh Frequency and Configuration Mode Frequency settings by default. Select ApplyOnly under Configuration Mode setting. Keep Allow Module Override and Reboot Node if Needed settings by default.
Select StopConfiguration under Action after Reboot setting.
Click Create. During the process, Microsoft.PowerShell.DSC extension is automatically installed on the jump virtual machine.
RDP to the jump virtual machine to verify your hardening configuration which is successfully applied.
This article shows you how easy automating script deployment on an Azure virtual machine is by using DSC. This way helps you save time if you work on a large environment with many virtual machines. To download sample Local Security Policy scripts written to support DSC deployment, go here.
[Update] I wrote another article to complement to this article.