Jul 13 2023 03:01 AM - last edited on Mar 05 2024 02:51 PM by TechCommunityAP
If using Azure DevOps Services but with on-premises build agents, deployment targets and Environment resources, the outbound connection from these is to a range of generic IP addresses for endpoints that are for all organizations. What measures could restrict or mitigate the risk of a malicious user being able to repoint an on-premises agent/target/resource to a different organisation to be able to download malicious payloads/upload data?
The only ones I can currently think of:
1. The general protections regarding identity of anyone who sets up an organization.
2. Monitoring for agents etc. that go offline (which would need some custom script/code to interact with the ADO API)
These are retroactive and not complete enough to provide sufficient confidence of protection. Anyone else solved this problem? It would preferably be a measure that is external to the agent, e.g. network-based.
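Added example for the monitoring idea in point 2 (not code from the original post or from Microsoft): it pulls every self-hosted pool from the Azure DevOps REST API and compares it against an operator-maintained inventory, so an agent that has been unregistered or repointed elsewhere shows up as "missing" rather than merely "offline". The endpoints, api-version and PAT basic-auth scheme are assumptions about the ADO API; the sample data is constructed.

```python
# Assumed endpoints: GET https://dev.azure.com/{org}/_apis/distributedtask/pools
# and .../pools/{poolId}/agents, api-version=7.1, PAT sent as HTTP basic auth.
import base64
import json
import urllib.request

API_VERSION = "7.1"  # assumption; pin the version your organization supports

def _get(url: str, pat: str) -> dict:
    # A PAT goes in the password slot of HTTP basic auth; the username is empty.
    token = base64.b64encode(f":{pat}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def fetch_pools_with_agents(org: str, pat: str) -> dict:
    """Return {pool_name: [agent dicts]} for every self-hosted pool in the org."""
    base = f"https://dev.azure.com/{org}/_apis/distributedtask/pools"
    result = {}
    for pool in _get(f"{base}?api-version={API_VERSION}", pat)["value"]:
        if pool.get("isHosted"):
            continue  # Microsoft-hosted pools are not on-premises machines
        agents = _get(f"{base}/{pool['id']}/agents?api-version={API_VERSION}", pat)
        result[pool["name"]] = agents["value"]
    return result

def audit_agents(pools: dict, expected: dict) -> dict:
    """expected = {pool_name: {agent_name, ...}} kept by the operator.
    'missing': no longer registered in the pool at all (what a repointed or
    unregistered agent looks like from this org); 'offline': registered but
    not connected; 'unexpected': a registration the inventory does not know."""
    out = {"offline": [], "missing": [], "unexpected": []}
    for pool_name, wanted in expected.items():
        seen = {a["name"]: a for a in pools.get(pool_name, [])}
        out["missing"] += [f"{pool_name}/{n}" for n in sorted(wanted - set(seen))]
        out["unexpected"] += [f"{pool_name}/{n}" for n in sorted(set(seen) - wanted)]
        out["offline"] += [f"{pool_name}/{n}" for n in sorted(wanted & set(seen))
                           if seen[n].get("status", "").lower() != "online"]
    return out

# Constructed sample data in the shape the agents endpoint returns (not real).
SAMPLE_POOLS = {
    "OnPrem-Build": [{"id": 1, "name": "build-01", "status": "online"},
                     {"id": 2, "name": "build-02", "status": "offline"}],
    "OnPrem-Deploy": [{"id": 7, "name": "deploy-99", "status": "online"}],
}
SAMPLE_EXPECTED = {"OnPrem-Build": {"build-01", "build-02", "build-03"},
                   "OnPrem-Deploy": {"deploy-01"}}
```

Run `audit_agents(fetch_pools_with_agents(org, pat), inventory)` on a schedule and alert on any non-empty list; an agent that vanishes from the pool while the host is still reachable on your network is the case worth investigating first.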
Jul 13 2023 06:19 AM
Jul 13 2023 07:36 AM
@Fjorgego Sorry, but you misunderstood; that's already in play and easily understood. It's the fact that those IP addresses host endpoints for all organizations, so it's additional measures to ensure that the machines only ever access your own organization. I don't think the endpoints they use have the organisation name in the hostname or URL resource path (the path and any organisation-specific hostnames used specifically by the agent software are not published).