Auditing the Microsoft Azure Cloud Environment

Tenable offers the ability to audit the Microsoft Azure Cloud environment to detect misconfigurations within the cloud environment and with account settings. Audits can be performed using Tenable.io, Nessus Manager, or a standalone Nessus scanner. No pre-authorization is needed from Microsoft to perform the audit, but a Microsoft Azure account is required.

In order to perform an audit of the Microsoft Azure cloud environment, Nessus will need a Microsoft Azure Client ID. To obtain a Client ID, navigate to Microsoft Azure (https://manage.windowsazure.com) and log in.

  1. Once logged in to the Microsoft Azure portal, click Azure Active Directory in the left-hand menu.

  2. Click App registrations.

  3. To add a new application, click New Application Registration.

  4. Under the Create section, enter a descriptive Name for the application. Next, click the Application Type drop-down and select Native. Enter a Redirect URI and then click Create to finalize the settings.

  5. A success message will display at the top of the page stating that the new Application has been created.

  6. Double-click on the newly created application to display its details. Copy the Application ID. This information will be used to complete the audit configuration with Nessus.

  7. Click Settings under the Test Application section and then click Required permissions.

  8. Under the Required Permissions section click + Add.

  9. Click Select an API from within the Add API access section. Once selected, the Select an API options will appear. Highlight Windows Azure Service Management API and click Select.

  10. Check the box next to Access Azure Service Management as organization users (preview) to enable the permissions. Once enabled, click Select.

  11. Once the permissions have been enabled, click Done to finalize the settings.

  12. Log in to Nessus and click New Scan.

  13. Select the Audit Cloud Infrastructure template.

  14. Enter a descriptive name for the scan and then click Credentials.


  15. Click the + next to Microsoft Azure to open the Credentials options.


  16. Enter your Microsoft Azure Username and Password, Client ID (Application ID), and Subscription IDs into the appropriate boxes. Leave the Subscription IDs box blank if you want to audit all of your Azure subscriptions.


  17. Click Compliance and expand the Microsoft Azure option. Tenable offers three pre-configured compliance checks and also provides the ability to upload a custom Azure audit file. Click the + next to each compliance check you want to add to the scan. If you choose to add a custom audit file, click Add File and select the file to upload. Once the compliance checks are added, click Save or click the drop-down arrow next to Save and select Launch to initiate the scan.


Note:

Microsoft Azure Best Practices – Infrastructure: This audit file implements a set of general best practices for Microsoft Azure infrastructure items including Principals, Virtual Networks, Certificates, and Virtual Machines.

Microsoft Azure Best Practices – Websites: This audit file implements a set of general best practices for Microsoft Azure Website items including Website Status, SSL Status, and recent Site modifications.

Microsoft Azure Best Practices – Databases: This audit file implements a set of general best practices for Microsoft Azure items including Database Configuration, Audit Events, and Recoverable Databases.

For additional information on configuring Nessus scans, please refer to the Nessus User Guide.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.