Auditing the Microsoft Azure Cloud Environment

Tenable offers the ability to audit the Microsoft Azure Cloud environment to detect misconfigurations in the cloud environment and account settings. Audits can be performed using Tenable.io. No pre-authorization is needed from Microsoft to perform the audit, but a Microsoft Azure account is required.

In order to perform an audit of the Microsoft Azure cloud environment, Tenable.io needs a Microsoft Azure Client ID. To obtain a Client ID, navigate to Microsoft Azure (https://manage.windowsazure.com) and log in.

In the Microsoft Azure Interface

  1. Log in to the Microsoft Azure portal.
  2. In the left-hand menu, click Azure Active Directory.

  3. Click App registrations.

  4. To add a new application, click New Application Registration.

  5. In the Create section, enter a descriptive Name for the application.

  6. In the Application Type drop-down, select Native.

  7. In the Redirect URL box, enter a URL.

    Note: You can use a fake URL for the Redirect URL.

  8. Click Create to finalize the settings.

    A success message displays at the top of the page stating that the new application has been created.

  9. Double-click the newly created application to display the details.
  10. Copy the Application ID.

    Note: This information is used to complete the audit configuration with Tenable.io.

  11. Click Test Application > Settings > Required Permissions.

  12. In the Required Permissions section, click + Add.

  13. In the Add API access section, click Select an API.

    The Select an API options appear.

  14. Highlight Windows Azure Service Management API.

  15. Click Select.

  16. Check the box next to Access Azure Service Management as organization users (preview) to enable the permissions.
  17. Click Select.

  18. Click Done.
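Added example (not part of the Tenable documentation): a Python check that an app registration's manifest grants the delegated Azure Service Management permission enabled in steps 14 through 16, and lists anything beyond it for review. It assumes the manifest JSON was exported from the registration's Manifest view; the function name and sample manifests are hypothetical, and only the two constants are Microsoft's published identifiers.

```python
import json

# Published Azure AD identifiers for the API selected in steps 14-16.
ASM_API_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"          # Windows Azure Service Management API
ASM_USER_IMPERSONATION = "41094075-9dad-400e-a0bd-54e686782033"  # delegated "user_impersonation" scope


def review_manifest(manifest_text):
    """Return (has_required_permission, findings) for an app registration manifest."""
    manifest = json.loads(manifest_text)
    has_required = False
    findings = []
    for resource in manifest.get("requiredResourceAccess") or []:
        api = resource.get("resourceAppId", "").lower()
        for access in resource.get("resourceAccess") or []:
            perm, kind = access.get("id", "").lower(), access.get("type")
            if (api, perm, kind) == (ASM_API_APP_ID, ASM_USER_IMPERSONATION, "Scope"):
                has_required = True   # the permission the audit relies on
            elif kind == "Role":
                # Application permissions act without a signed-in user.
                findings.append(f"application permission {perm} on API {api}")
            else:
                findings.append(f"extra delegated permission {perm} on API {api}")
    if not has_required:
        findings.append("missing delegated Azure Service Management access")
    return has_required, findings


# Constructed sample manifests; every GUID other than the two constants is made up.
AS_CONFIGURED = json.dumps({
    "appId": "11111111-1111-1111-1111-111111111111",
    "requiredResourceAccess": [{
        "resourceAppId": ASM_API_APP_ID,
        "resourceAccess": [{"id": ASM_USER_IMPERSONATION, "type": "Scope"}]}]})

OVER_PERMISSIONED = json.dumps({
    "appId": "11111111-1111-1111-1111-111111111111",
    "requiredResourceAccess": [
        {"resourceAppId": ASM_API_APP_ID,
         "resourceAccess": [{"id": ASM_USER_IMPERSONATION, "type": "Scope"}]},
        {"resourceAppId": "22222222-2222-2222-2222-222222222222",
         "resourceAccess": [{"id": "33333333-3333-3333-3333-333333333333", "type": "Role"}]}]})

if __name__ == "__main__":
    for label, text in (("as configured", AS_CONFIGURED), ("over-permissioned", OVER_PERMISSIONED)):
        ok, findings = review_manifest(text)
        print(label, "| required permission present:", ok, "| review:", findings or "nothing")
```
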

In the Tenable.io Interface

  1. Log in to Tenable.io.
  2. Click New Scan.

  3. Select the Audit Cloud Infrastructure template.

  4. In the Name box, type a descriptive name for the scan.
  5. Click Credentials.

  6. Click Microsoft Azure.

    Note: See the Required User Privileges section in the Nessus User Guide for the required Microsoft Azure privileges.

  7. In the appropriate boxes, enter your Microsoft Azure Username and Password, Client ID (Application ID), and Subscription IDs.

    Note: Leave the Subscription IDs box blank if you want to audit all of your Azure subscriptions.

  8. Click Compliance.

  9. Click Microsoft Azure.

    The Microsoft Azure options appear.

    Tenable offers three pre-configured compliance checks and provides the ability to upload a custom Azure audit file.

    • Microsoft Azure Best Practices – Infrastructure: This audit file implements a set of general best practices for Microsoft Azure infrastructure items including Principals, Virtual Networks, Certificates, and Virtual Machines.
    • Microsoft Azure Best Practices – Websites: This audit file implements a set of general best practices for Microsoft Azure Website items including Website Status, SSL Status, and recent Site modifications.
    • Microsoft Azure Best Practices – Databases: This audit file implements a set of general best practices for Microsoft Azure items including Database Configuration, Audit Events, and Recoverable Databases.

  10. Click each compliance check you want to add to the scan.
  11. If you choose to add a custom audit file, click Add File and select the file to upload.

  12. Do one of the following:

    Click Save.

    -or-

    Click the drop-down arrow next to Save and select Launch to initiate the scan.

Note: For additional information on configuring Tenable.io scans, please refer to the Tenable.io User Guide.

Copyright 2017 - 2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.