Azure DevOps services - on premise agent lockdown

Copper Contributor

If using Azure DevOps Services but with on premise build agents, deployment targets and Environment resources, the outbound connection from these is to a range of generic IP addresses for endpoints that are for all organizations. What measures could restrict or mitigate the risk of a malicious user able to repoint an on premise agent/target/resource to a different organisation to be able to download malicious payloads/upload data? 

 

The only ones i can currently think of:

1. The general protections regarding identity of anyone who sets up an organization.

2. Monitoring for agents etc that go offline (which would need some custom script/code to interact with the ADO API)

 

These are retroactive / not as complete enough to provide sufficient confidence of protection. Anyone else solved this problem? It would preferably be a measure that is external to the agent e.g network based.

2 Replies
Hi,
Tou can also restricted outbound connections by configure your network security policies to allow outbound connections only to the specific IP addresses or IP ranges required for Azure DevOps Services.

Hope that tip may help 🙂

@Fjorgego Sorry but you misunderstood - that's already in play and easily understood - it's the fact that those IP addresses host endpoints for all organizations  so it's additional measures to ensure that the machines only ever access your own organization - I don't think the endpoints they use have the organisation name in the hostname or url resource path (the path and any organisation specific hostnames used specifically by the agent software are not published).