Detect and fix the Azure SQL resources that use a TLS version lower than 1.2!
Introduction
TLS 1.0 and 1.1 are widely reported to be no longer secure, and you need to upgrade to at least TLS 1.2 to get adequate security for your web application. You can review this Stack Exchange post for more information. It is very important that the Azure resources deployed to your tenant disable support for TLS 1.0 and 1.1 and rely on at least TLS 1.2 for their operations. Fortunately, Azure SQL supports TLS 1.2. In this post, I show you how to find this security vulnerability in your Azure tenant using the Prancer platform, and how to auto-remediate it.
As per the Microsoft Azure blog, Azure SQL instances now require TLS version 1.2 to maintain stable and secure connectivity. Prancer provides an automated way to find the Azure SQL resources whose configured minimum TLS version is lower than 1.2, and to auto-remediate those findings with the click of a button!
In the portal screenshot, Minimum TLS Version is set to 1.1, which is exactly the security issue we want to catch.
Here are the steps to configure Prancer and remediate the Azure SQL configuration.
Create configuration files
• Connector Configuration file:
The connector file is used to authenticate to Azure cloud services so that Prancer can manage the resources in the cloud. Use the Azure connector sample below and create the azure_structure.json file with your Azure AD credentials filled in.
{
  "container": "azure_remediation_demo",
  "name": "azure_structure",
  "json": {
    "type": "azure",
    "fileType": "structure",
    "companyName": "Prancer",
    // replace with your tenant id
    "tenant_id": "f997f2f9-a48f-****-****-************",
    "autoRemediate": true,
    "accounts": [
      {
        "department": "Network Security",
        "subscription": [
          {
            "subscription_name": "whitekite",
            "subscription_description": "whitekite",
            // replace with your subscription id
            "subscription_id": "d34d6141-7a19-****-****-************",
            "users": [
              {
                // subscription user name
                "name": "abc*****@gmail.com",
                // replace with your client id
                "client_id": "db57053a-7bce-****-****-************"
              }
            ]
          }
        ]
      }
    ]
  }
}
• Master Snapshot Configuration file:
The master snapshot configuration file defines the resource types on which you want to run the compliance test. Create the azure_snapshot.json file based on the sample configuration below.
{
  "container": "azure_remediation_demo",
  "name": "azure_snapshot",
  "json": {
    "contentVersion": "1.0.0.0",
    "fileType": "masterSnapshot",
    "snapshots": [
      {
        "source": "azure_structure",
        "type": "azure",
        // subscription user name, must be the same as in the connector file
        "testUser": "abc*****@gmail.com",
        // subscription id, must be the same as in the connector file
        "subscription_id": "d34d6141-7a19-****-****-************",
        "nodes": [
          {
            "masterSnapshotId": "AZURE_SQL",
            "type": "Microsoft.Sql/servers",
            "collection": "Microsoft.Servers"
          }
        ]
      }
    ]
  }
}
• Master Compliance Configuration file:
The master compliance configuration file contains the list of test cases that will be run against the fetched cloud resource JSON files. Create the azure_test.json file based on the configuration below.
{
  "container": "azure_remediation_demo",
  "name": "azure_test",
  "json": {
    "contentVersion": "1.0.0.0",
    "fileType": "mastertest",
    "masterSnapshot": "azure_snapshot",
    "testSet": [
      {
        "masterTestName": "AZURE_TEST",
        "version": "0.1",
        "cases": [
          {
            "masterTestId": "AZURE_SQL_TEST",
            "type": "rego",
            "rule": "file(azure_sql.rego)",
            "tags": [
              {
                "cloud": "Azure",
                "compliance": [],
                "service": [
                  "Databases"
                ]
              }
            ],
            "evals": [
              {
                "id": "sql_tls_version",
                "eval": "data.rule.tls_version",
                "message": "data.rule.tls_version_err",
                "remediationDescription": "Manual Steps: \n 1) Open Azure Portal. \n 2) Open SQL Servers list. \n 3) Select the SQL Server for which you want to modify the Minimal TLS Version. \n 4) Click on `Firewalls and virtual networks` option under `Security` section. \n 5) Update the Minimum TLS Version to `1.2` and click on save button.",
                "remediationFunction": "remediate_security_rule.py"
              }
            ],
            "title": "Azure SQL Database check minimum TLS version",
            "description": "This policy finds the Azure SQL Databases whose minimum TLS version is set lower than 1.2",
            "masterSnapshotId": [
              "AZURE_SQL"
            ],
            "status": "enable"
          }
        ]
      }
    ],
    "notification": []
  }
}
• Rego file:
Create the azure_sql.rego file, which contains the rule checks that will be performed against each cloud resource. Create azure_sql.rego as below.
package rule

# A Microsoft.Sql/servers resource is flagged when its minimum TLS version is not 1.2
sql_database_issue["invalid_minimal_tls_version"] {
    lower(input.type) == "microsoft.sql/servers"
    input.properties.minimalTlsVersion != "1.2"
}

default tls_version = null

tls_version = true {
    not sql_database_issue["invalid_minimal_tls_version"]
}

tls_version = false {
    sql_database_issue["invalid_minimal_tls_version"]
}

tls_version_err = "Azure SQL Database has set minimum TLS version lower than 1.2" {
    sql_database_issue["invalid_minimal_tls_version"]
}
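As an added illustration (not Prancer code and not part of the original post), the same check as the Rego rule above, written in Python and run over constructed sample resource records in the shape the crawler fetches (type plus properties.minimalTlsVersion). It goes beyond the Rego rule in two ways: it compares the version numerically, so a server already above 1.2 passes instead of being reported as a failure, and it treats a missing or "None" value as a failure, on the assumption that no minimum is enforced in that case.

```python
"""Evaluate Azure SQL server snapshots for a weak minimum TLS version.

Added example, not Prancer's implementation. The resource records below are
constructed sample data; the property path properties.minimalTlsVersion is the
one the page's Rego rule inspects. Treating a missing or "None" value as a
failure is an assumption (no minimum is enforced then).
"""
from typing import Any, Dict, List, Optional, Tuple

REQUIRED_TLS = (1, 2)  # the minimum the policy demands

# Constructed sample snapshot: three SQL servers in different states plus one
# unrelated resource type that the rule must ignore.
SAMPLE_SNAPSHOT: List[Dict[str, Any]] = [
    {"type": "Microsoft.Sql/servers", "name": "sql-legacy",
     "properties": {"minimalTlsVersion": "1.1"}},
    {"type": "Microsoft.Sql/servers", "name": "sql-ok",
     "properties": {"minimalTlsVersion": "1.2"}},
    {"type": "Microsoft.Sql/servers", "name": "sql-unset",
     "properties": {}},
    {"type": "Microsoft.Sql/servers", "name": "sql-none",
     "properties": {"minimalTlsVersion": "None"}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stg1",
     "properties": {"minimumTlsVersion": "TLS1_0"}},
]


def parse_tls_version(value: Optional[str]) -> Optional[Tuple[int, int]]:
    """Turn "1.2" into (1, 2); None, "None" or an unparsable value gives None."""
    if not value or value == "None":
        return None
    try:
        major, minor = value.split(".")
        return int(major), int(minor)
    except ValueError:
        return None


def tls_version_ok(resource: Dict[str, Any]) -> Optional[bool]:
    """None when the resource is not a SQL server; otherwise True if its
    minimum TLS version is at least REQUIRED_TLS (numeric comparison, so 1.3
    passes while the Rego rule's string inequality would flag it)."""
    if resource.get("type", "").lower() != "microsoft.sql/servers":
        return None
    raw = resource.get("properties", {}).get("minimalTlsVersion")
    version = parse_tls_version(raw)
    return version is not None and version >= REQUIRED_TLS


def evaluate(resources: List[Dict[str, Any]]) -> List[Tuple[str, str, str]]:
    """Return (name, "passed"/"failed", message) for every SQL server resource,
    mirroring the eval/message pair the compliance configuration wires up."""
    report = []
    for res in resources:
        ok = tls_version_ok(res)
        if ok is None:
            continue  # not in scope for this rule
        current = res.get("properties", {}).get("minimalTlsVersion") or "not set"
        msg = "" if ok else (
            f"Azure SQL Database has minimum TLS version {current}, lower than 1.2")
        report.append((res["name"], "passed" if ok else "failed", msg))
    return report


def remediation_patch(resource: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Body a remediation step would apply to a failing server (the same
    property the rule reads, set to 1.2); None when nothing needs changing."""
    if tls_version_ok(resource):
        return None
    return {"properties": {"minimalTlsVersion": "1.2"}}


if __name__ == "__main__":
    for name, status, msg in evaluate(SAMPLE_SNAPSHOT):
        print(f"{name}: {status} {msg}")
```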
Upload configuration files on Prancer
• Create Collection:
All the configuration files (connector configuration file, snapshot configuration file, compliance configuration file and Rego files) must be stored in a collection. The collection name must be the same as the one defined in all the configuration JSON files; here we have set azure_remediation_demo as the "container" value in every configuration file.
To create a new collection on Prancer:
1. Open the collection screen from the left-side menu.
2. Click on the Add Collection button.
3. Enter the collection name and click on the save button.
• Upload Rego file
Once the collection is created, it appears in the collection list. Now we can upload the Rego file to that collection. To upload the Rego file:
1. Click on the upload button.
2. Drag and drop the azure_sql.rego file into the file upload area.
3. Click on the Upload button.
• Upload Connector file
To upload a Connector Configuration file:
1. Open the connector upload screen.
2. Drag and drop the azure_structure.json file into the file upload area.
3. Click on the Upload Connector button.
• Upload Master Snapshot Configuration file
To upload a Master Snapshot configuration file:
1. Open the screen for uploading a new snapshot.
2. Drag and drop the azure_snapshot.json file into the file upload area.
3. Select the Master Resource Snapshot option as the Snapshot Type.
4. Click on the Submit button.
• Upload Compliance Configuration file
To upload a compliance file:
1. Open the screen for uploading a new compliance file.
2. Drag and drop the azure_test.json file into the file upload area.
3. Select the Master Compliance option as the Compliance Type.
4. Click on the Submit button.
Set client secret value in vault
• For security purposes, confidential data is stored in the Azure vault rather than in the configuration files.
• In the azure_structure.json file we set the Client Id db57053a-7bce-****-****-************. The Client Secret belonging to that client id now needs to be added to the vault.
Run Crawler
• The crawler is the process in which Prancer connects to the Azure cloud with the credentials you provided and fetches the list of cloud resources. It generates the snapshot configuration file that contains the list of cloud resources.
To crawl the resources:
1. Open the Run Crawler screen.
2. Select the collection name azure_remediation_demo.
3. Click on the Run Crawler button.
Verify generated snapshot files:
Once the crawler has finished, verify whether the cloud resources were fetched correctly.
• Open the All Resource Configuration screen.
• Select the Resource Configuration tab.
• Search for your collection name.
• The generated snapshot should appear in the list.
Click on the generated snapshot list item to verify that the resources were fetched correctly.
Run compliance
Once you have verified that all the resources were fetched correctly, we can run the compliance test on them.
• Open the Run Compliance screen.
• Select the collection name azure_remediation_demo.
• Click on the Run Test button.
Check Report
Once the compliance process has completed, the pass/fail reports are available on the report page.
• Open the Report screen.
• It shows the latest compliance report by default.
• It takes some time for the latest report to appear, depending on the number of resources; if you do not see the report, wait a few seconds and click on the filter button to load the latest report.
• The report lists the resources and their status (pass/fail).
• Click on a failed resource to view its detailed information.
• You can see the path of the cloud resource and the manual steps to fix the issue.
• Click on the Remediation button to fix the problem. It runs the remediation process against the cloud resource and shows a success message once the remediation is done.
Verify Azure SQL on Portal
Open the Azure SQL resource in the Azure portal and verify that the remediation was applied correctly.
 

Detect and fix the Azure SQL resources which use a TLS version less than 1.2

Introduction

There are many reports out that TLS 1.0 and 1.1 are no longer secure and you need to upgrade to at least TLS 1.2 to get the maximum security for your web application. You can review this Stack Exchange post to get more information. It is very important that Azure resources deployed to your tenant disable support for TLS 1.0 and 1.1 and rely on at least TLS 1.2 for their operations. Fortunately, Azure SQL supports TLS 1.2. In this post, I am showing you how to find this security vulnerability in your Azure tenant using the Prancer platform, and how to auto-remediate this issue.

As per the Microsoft Azure blog, Azure SQL instances now require TLS version 1.2 to maintain stable and secure connectivity. Prancer provides an automated way to find the Azure SQL resources which have a minimum TLS version configured lower than 1.2, and to auto-remediate those vulnerabilities with a click of a button!

In the screenshot here you can see the Minimum TLS Version is set to 1.1 (which is a security issue!).

Here are the steps for how to configure Prancer and remediate the Azure SQL configuration.

Create configuration files

• Connector Configuration file:

The connector file is used for authenticating to Azure cloud services to manage the resources on the cloud. Use the Azure connector sample file below and create the azure_structure.json file with your Azure AD credentials filled in. The // lines are annotations showing which values to replace; standard JSON does not allow comments, so remove them if your upload is rejected.

{
  "container": "azure_remediation_demo",
  "name": "azure_structure",
  "json": {
    "type": "azure",
    "fileType": "structure",
    "companyName": "Prancer",
    // replace your tenant id
    "tenant_id": "f997f2f9-a48f-****-****-************",
    "autoRemediate": true,
    "accounts": [
      {
        "department": "Network Security",
        "subscription": [
          {
            "subscription_name": "whitekite",
            "subscription_description": "whitekite",
            // replace your subscription id
            "subscription_id": "d34d6141-7a19-****-****-************",
            "users": [
              {
                // subscription user name.
                "name": "abc*****@gmail.com",
                // replace your client id
                "client_id": "db57053a-7bce-****-****-************"
              }
            ]
          }
        ]
      }
    ]
  }
}

• Master Snapshot Configuration file:

The master snapshot configuration file defines the resource types you want to run the compliance test on. Create the azure_snapshot.json file based on the sample configuration below.

{
  "container": "azure_remediation_demo",
  "name": "azure_snapshot",
  "json": {
    "contentVersion": "1.0.0.0",
    "fileType": "masterSnapshot",
    "snapshots": [
      {
        "source": "azure_structure",
        "type": "azure",
        // subscription user name, should be the same as used in the connector file
        "testUser": "abc*****@gmail.com",
        // subscription id, should be the same as used in the connector file
        "subscription_id": "d34d6141-7a19-****-****-************",
        "nodes": [
          {
            "masterSnapshotId": "AZURE_SQL",
            "type": "Microsoft.Sql/servers",
            "collection": "Microsoft.Servers"
          }
        ]
      }
    ]
  }
}

• Master Compliance Configuration file:

The master compliance configuration file contains the list of test cases that will be run on the fetched cloud resource JSON files. Create the azure_test.json file based on the configuration below. The remediationDescription string uses \n line breaks so the manual steps render as separate lines in the report.

{
  "container": "azure_remediation_demo",
  "name": "azure_test",
  "json": {
    "contentVersion": "1.0.0.0",
    "fileType": "mastertest",
    "masterSnapshot": "azure_snapshot",
    "testSet": [
      {
        "masterTestName": "AZURE_TEST",
        "version": "0.1",
        "cases": [
          {
            "masterTestId": "AZURE_SQL_TEST",
            "type": "rego",
            "rule": "file(azure_sql.rego)",
            "tags": [
              {
                "cloud": "Azure",
                "compliance": [],
                "service": [
                  "Databases"
                ]
              }
            ],
            "evals": [
              {
                "id": "sql_tls_version",
                "eval": "data.rule.tls_version",
                "message": "data.rule.tls_version_err",
                "remediationDescription": "Manual Steps: \n 1) Open Azure Portal. \n 2) Open SQL Servers list. \n 3) Select the SQL Server for which you want to modify the Minimal TLS Version. \n 4) Click on the `Firewalls and virtual networks` option under the `Security` section. \n 5) Update the Minimum TLS Version to `1.2` and click on the save button.",
                "remediationFunction": "remediate_security_rule.py"
              }
            ],
            "title": "Azure SQL Database check minimum TLS version",
            "description": "This policy will find the Azure SQL Databases which have the minimum TLS version set lower than 1.2",
            "masterSnapshotId": [
              "AZURE_SQL"
            ],
            "status": "enable"
          }
        ]
      }
    ],
    "notification": []
  }
}

• Rego file:

Create the azure_sql.rego file, which contains the rule checks that will be performed against each cloud resource. Create the azure_sql.rego file as below.

package rule

sql_database_issue["invalid_minimal_tls_version"] {
    lower(input.type) == "microsoft.sql/servers"
    input.properties.minimalTlsVersion != "1.2"
}

default tls_version = null

tls_version = true {
    not sql_database_issue["invalid_minimal_tls_version"]
}

tls_version = false {
    sql_database_issue["invalid_minimal_tls_version"]
}

tls_version_err = "Azure SQL Database has set minimum TLS version lower than 1.2" {
    sql_database_issue["invalid_minimal_tls_version"]
}

Note that the rule fails a server whose minimalTlsVersion is anything other than exactly "1.2", and that the comparison is undefined in Rego when the property is absent from the resource JSON, so a server on which no minimum TLS version was ever set is not reported by this rule.

Upload configuration files on Prancer

• Create Collection:

All the configuration files (connector configuration file, snapshot configuration file, compliance configuration file and Rego files) should be stored in a collection. The name of the collection should be the same as the one defined in all configuration JSON files. Here we have set azure_remediation_demo as the container value in all configuration JSON files. To create a new collection on Prancer:

1. Open the collection screen from the left side menu items.
2. Click on the Add Collection button.
3. Enter the collection name and click on the save button.

• Upload Rego file

Once the collection is created, you can see it in the collection list. Now we can upload the Rego file to that collection. To upload the Rego file:

1. Click on the upload button.
2. Drag and drop the azure_sql.rego file in the file upload area.
3. Click on the Upload button.

• Upload Connector file

To upload a connector configuration file:

1. Open the connector upload screen.
2. Drag and drop the azure_structure.json file in the file upload area.
3. Click on the Upload Connector button.

• Upload Master Snapshot Configuration file

To upload a master snapshot configuration file:

1. Open the screen for uploading a new snapshot.
2. Drag and drop the azure_snapshot.json file in the file upload area.
3. Select the Master Resource Snapshot option as the Snapshot Type.
4. Click on the Submit button.

• Upload Compliance Configuration file

To upload a compliance file:

1. Open the screen for uploading a new compliance file.
2. Drag and drop the azure_test.json file in the file upload area.
3. Select the Master Compliance option as the Compliance Type.
4. Click on the Submit button.

Set client secret value in vault

• For security purposes we store the confidential data in an Azure vault.
• In the azure_structure.json file we have set the Client Id db57053a-7bce-****-****-************. Now you need to add the Client Secret value of that client id into the vault.

Run Crawler

• The crawler is the process in which Prancer connects to the Azure cloud with your provided credentials and gets the list of cloud resources. It generates the snapshot configuration file, which contains the list of cloud resources. To crawl the resources:

1. Open the Run Crawler screen.
2. Select the collection name azure_remediation_demo.
3. Click on the Run Crawler button.

Verify generated snapshot files:

Once the crawler is done, verify whether the cloud resources were fetched correctly.

• Open the All Resource Configuration screen.
• Select the Resource Configuration tab.
• Search for your collection name.
• It should show the generated snapshot in the list. Click on the generated snapshot list item to verify that the resources were fetched correctly.

Run compliance

Once you have verified that all the resources were fetched correctly, we can run the compliance on them.

• Open the Run Compliance screen.
• Select the collection name azure_remediation_demo.
• Click on the Run Test button.

Check Report

Once the compliance process is completed, we can see the pass/fail reports on the report page.

• Open the Report screen.
• It will show the latest compliance report by default.
• It takes some time to show the latest report, depending on the number of resources available, so if you do not see the report, click on the filter button after a few seconds to see the latest report.
• In the report you can see the list of resources and their status (pass/fail).
• Click on a failed resource to view its detailed information.
• You can see the path of the cloud resource and the manual steps to fix the issue.
• Click on the Remediation button to fix the problem. It will run the process that fixes the problem on the cloud and will give a success message once the remediation is done.

Verify Azure SQL on Portal

Open the Azure SQL cloud resource on the Azure portal and verify whether the remediation was done correctly.
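As an added example (not Prancer's code and not part of the original post), the following Python applies the same minimal-TLS check as the Rego rule above to Azure SQL server resource JSON of the shape the crawler snapshots, and builds the ARM PATCH body that the remediation step changes on the server. It goes one step beyond the rule by treating a missing minimalTlsVersion as non-compliant and by accepting versions above 1.2; all resource ids and the sample snapshot are constructed.

```python
# Added example (not Prancer's or the page's own code): applies the minimal-TLS
# check of the Rego rule above to Azure SQL server resource JSON as the crawler
# snapshots it, and builds the ARM PATCH body a remediation step would send.
# All resource ids and the snapshot below are constructed sample data.
from typing import Optional, Tuple

def parse_tls_version(value: Optional[str]) -> Optional[Tuple[int, int]]:
    """Map "1.0"/"1.1"/"1.2"/"1.3" to a comparable tuple; None when unset or "None"."""
    if not value or value.strip().lower() == "none":
        return None
    major, minor = value.strip().split(".", 1)
    return (int(major), int(minor))

def is_compliant(resource: dict) -> bool:
    """Pass only when minimalTlsVersion is set and is at least 1.2.
    The Rego rule is undefined (so passes) when the property is missing and
    fails anything but exactly "1.2"; here missing/None fails and 1.3+ passes."""
    if resource.get("type", "").lower() != "microsoft.sql/servers":
        return True  # rule scope is Microsoft.Sql/servers only
    version = parse_tls_version(resource.get("properties", {}).get("minimalTlsVersion"))
    return version is not None and version >= (1, 2)

def remediation_patch() -> dict:
    """ARM PATCH body that raises the server minimum to TLS 1.2 (the same change
    the portal's 'Minimum TLS Version' setting makes)."""
    return {"properties": {"minimalTlsVersion": "1.2"}}

def evaluate(resources: list) -> list:
    """One finding per non-compliant server: resource id, current value, patch."""
    return [{"id": res["id"],
             "current": res.get("properties", {}).get("minimalTlsVersion"),
             "patch": remediation_patch()}
            for res in resources if not is_compliant(res)]

# Constructed snapshot; the shape follows the Microsoft.Sql/servers ARM resource.
_PREFIX = ("/subscriptions/<subscription-id>/resourceGroups/demo-rg"
           "/providers/Microsoft.Sql/servers/")
SAMPLE_SNAPSHOT = [
    {"id": _PREFIX + "sql-legacy", "type": "Microsoft.Sql/servers",
     "properties": {"minimalTlsVersion": "1.1"}},
    {"id": _PREFIX + "sql-ok", "type": "Microsoft.Sql/servers",
     "properties": {"minimalTlsVersion": "1.2"}},
    {"id": _PREFIX + "sql-unset", "type": "Microsoft.Sql/servers",
     "properties": {}},  # never configured: the Rego rule would not report it
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_SNAPSHOT):
        print(finding["id"], "current:", finding["current"], "->", finding["patch"])
```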