Security Audit

Azure Penetration Testing Guide – Policies, Tools & Tips

Updated on: June 4, 2024

Azure Penetration Testing Guide – Policies, Tools & Tips

Azure penetration testing is the process of simulating cyberattacks on Microsoft’s Azure cloud platform to find weaknesses in your configuration, applications, and access controls.

While Azure’s firewalls, IAM, and encryption are strong defences, they need to be foolproof. With threats like CVE-2024-21400, a path traversal vulnerability that allows complete container takeover via privilege escalation, emerging constantly, a thorough Azure penetration test is essential to fortify your cloud environment and applications.

Before we get into specifics, let’s take a deeper dive into what such a pentest entails

What is an Azure Penetration Test?

An Azure Penetration test is a security assessment that helps evaluate the security posture of the Azure environment, including the services, infrastructure, and applications, by simulating real-world attacks and uncovering security flaws like common misconfigurations and vulnerabilities in the hosted applications.

Before you get started with penetration testing of your Azure Environments, let’s first take a look at Microsoft’s Azure pen-testing procedure.

There are two teams – Red and Blue, involved in the Azure pentest. The Red team is responsible for simulating real-world attacks on Azure services without affecting customers’ data. The Blue team is in charge of analyzing and mitigating these threats, attacks, and recovery. Once any breach is detected, the Blue Team will:

  • Collect all evidence regarding the incident
  • Notify operations, engineering, and other relevant teams
  • Classify and document the vulnerabilities to determine the need for further investigation.
  • Create a plan to clear the threat
  • Execute the plan and recover the affected systems

After the attack, both the Blue and Red teams convene to analyze the attempt and response to the attack. The following details are analyzed and discussed:

  • Timing of the breach
  • Mechanism of the breach
  • Compromised systems and assets
  • If the Blue team was able to mitigate the attack
  • Whether recovery was successful and effective

Let experts find security gaps in your cloud infrastructure

Pen-testing results that comes without a 100 emails, 250 google searches and painstaking PDFs.

Why is Pentesting Your Azure Environment Important?

  1. Identify Vulnerabilities: Penetration testing of the Azure environment helps detect risks and vulnerabilities, such as misconfigured WAF rules or unsafe data security policies, associated with the environment. This allows organizations to adopt a proactive approach and address vulnerabilities before they are exploited by attackers.
  2. Validate Security Posture: Penetration Testing helps organizations validate their security posture by ensuring that the access controls, encryption, firewall rules, and all security configurations are enforced properly.
  3. Upholding Standards and Compliances: Penetration testing of the Azure environment helps organizations meet regulatory compliances like GDPR, HIPAA, or PCI-DSS.

What are the Types of Azure Pentesting?

what-are-the-types-of-azure-penetration-testing

Configuration Review

As the name suggests, configuration review is a process of reviewing the Azure configurations and resources being used in the environment for best security practices There are more than 200+ services available within the Azure platform, but it is human to have a configuration that isn’t the most secure one. 

Azure Configuration Review involves the following tests:

  1. Cloud Configuration: Testing and reviewing the overall setup of the Azure environment, including but not limited to resource policies, security group rules, and misconfigurations.
  2. Data Security Configuration: This involves testing data storage and its policies, encryption, access controls, and backups to protect the data and ensure the configuration is compliant.
  3. Identity and Access Management Configuration: Involves testing of the Azure Active Directory roles, user permissions, and access control mechanisms to ensure proper user privilege.

Internal Network Pentest

Internal Network Penetration Testing is a process of simulating attacks by an attacker who already has access to internal resources or networks and uncovering vulnerabilities that could be exploited from the inside.

Internal Pentest involves the following test:

  1. Infrastructure Penetration Testing: Involves testing services, containers, and virtual machines within the Azure network to identify vulnerabilities.
  2. Network Security Group Testing: This involves testing the internal network segmentation, routing, and subnet configurations to identify potential vulnerabilities.

External Pentest

External Pentest is a process of simulating attacks by attackers from outside the organization without any internal access and identifying potential vulnerabilities.

External Pentest involves the following test:

  1. Network Penetration Testing involves testing external network surfaces like the firewall and its rules, load balancers, and public IPs. Main checks include looking for open ports, firewall misconfigurations, and network misconfigurations.
  2. Web Application Penetration Testing: This involves testing applications hosted on the Azure network to find vulnerabilities such as SQL Injection, Logical flows, and others.

How Do You Prepare For and Perform an Azure Pentest?

Understanding Azure Deployment

Before getting into Azure penetration testing, the first step is to understand how Azure is deployed on your end. Security management depends on the type of deployment—Classic mode and Resource Management mode.

In resource management mode, a single entity bundles all the cloud services. You get access to Azure Resource Manager (ARM), which can be used to manage all cloud services and apply standard security protocols. ARM lets you apply RBAC (role-based access control) across all virtual resources in the group.

Classic mode gives you a cloud service containing a virtual machine, a load balancer, an external IP, and a network interface card.

Azure Pentest Policies

Do’s and Dont’s of an Azure Penetration Test

Microsoft encourages security researchers to test their Azure services and report their findings to help fix and patch the security gaps. However, to protect their customer’s data and to avoid disruption in their services, security researchers need to follow some rules while performing any kind of testing:

The following actions are prohibited by Microsoft:

  • Scanning or conducting tests on other Azure customer assets
  • Accessing data that is not completely self-owned
  • Conducting any DDoS attacks
  • Conducting any intensive network fuzzing against Azure virtual machines
  • Any tests that generate a huge amount of traffic through automated testing methods
  • Attempt phishing or any social engineering attacks on Microsoft’s employees
  • Utilizing any services that violate the acceptable usage policies as mentioned in the online usage terms

The following steps are encouraged by Microsoft to conduct Azure penetration testing:

  • Create multiple test or trial accounts to test cross-account access vulnerabilities. However, using these test accounts to access other customers’ data is prohibited.
  • Running vulnerability scanning tools, performing port scans, or fuzzing on your virtual machine.
  • Testing your account by generating traffic that is expected to match regular working periods and can also include surge capacity.
  • Try to break out of Azure services to access other customer assets. If any such vulnerability is found, you should inform Microsoft and cease any further tests.

Azure penetration testing requires care since Microsoft uses multiple automated attack mitigation services that are not disarmed for pen testing.

How to Perform an Azure Penetration Test?

  • Preparation and Scope Definition
    • Clearly define the scope of the penetration test, including Azure services, resources, virtual networks, and virtual machines.
    • Determine the objective of the pentest, like assessing for compliance, identifying vulnerabilities, and more.
    • Decide what type of penetration testing will be performed eg, network, application, IAM, etc.
    • Choose the tools and methods of penetration testing according to the scope and expected outcome.
  • Configuration Review
    • Network Configuration: Analyze the virtual networks, subnets, and Network Security Groups(NSGs) to look for misconfigurations such as Open Ports, Unused NSGs, Default Subnets, and more.
    • Identity and Access Management: Check the user authentication and Role-Based Access Controls of the Azure Active Directory to look for misconfigurations, such as Excessive Permissive Access Controls, a Lack of MFA, and more.
    • Security Center Configuration: Analyze security policies like Misconfigured Just-In-Time Access and VM Antimalware Policy, alerts and recommendations are enforced in the Azure Security Center.
    • Data Encryption: Check whether the data is encrypted at rest and in motion in Azure services like Cosmos DB, SQL database, or Blob storage. Also, look for common misconfigurations like the usage of weak encryption algorithms and Misconfigured Key Management.
    • Logging and Monitoring: Analyze the Azure Monitor settings and check if it is enabled for critical Azure resources and check for Insufficient Log Collection & Retention.
    • Backup and Recovery: Analyze the Backup and recovery policies to check for irregular backups and ensure Backup Data integrity and security.
  • Deep Service Review
    • Azure Blob Storage
      1. Check Network Access Controls to allow access only through trusted networks.
      2. Check the usage of Role-Based Access Control to allow access to the Blob storage.
      3. Check the Implementation of input validation to prevent injection attacks.
      4. Check Azure Policy recommendations implementation.
      5. Check for sufficient logging and backup implementations.
    • Azure DevOps Server
      1. Check Azure AD authentication and MFA implementation.
      2. Check the usage of Role-Based Access Controls to allow access to the DevOps Server.
      3. Check for secure storage and management of API keys, encryption keys, and other secrets.
      4. Check for unnecessary usage of services
      5. Check for sufficient logging and monitoring to track events.
    • Azure Active Directory
      1. Check for strong password policies and MFA implementations.
      2. Check the usage of Role-Based Access Control to allow access to the Azure Active Directory.
      3. Check the usage of Conditional Access based on users, devices, location, etc.
      4. Check for high usage of global administrator accounts.
      5. Check for sufficient logging and monitoring to track events.
    • Azure Cosmos DB
      1. Check the usage of Network Security Groups for traffic control.
      2. Check the usage of Role-Based Access Control to allow access to the Cosmos DB.
      3. Check for data encryption using service or customer-managed keys.
      4. Check for unnecessary or unused public endpoints.
      5. Check for Firewall implementation and security rules setup for Cosmos.
    • Azure Virtual Machines
      1. Check the usage of SSH authentication keys for Linux VMs.
      2. Check for antivirus or antimalware software on the Azure VMs
      3. Check if encryption is enabled on the Azure VMs using BitLocker or Azure Disk Encryption
      4. Check for usage of Role-Based Access Control to allow access to the Azure VMs.
      5. Check for usage of unnecessary services and unused ports.
common-security-checks-in-a-deep-service-review
  • Penetration Test
    1. Network Pentest: Testing the security of firewalls, network security groups, and virtual networks.
    2. Application Pentest: Testing the security of web apps, APIs, and serverless functions.
    3. Infrastructure Pentest: Testing the security of containers, virtual machines, and other infrastructure components.
    4. Identity and Access Management Pentest: Testing the security of identity management features and Azure AD.
    5. Data Security Pentest: Tests the security of Azure Blob storage, Azure SQL, and other data storage services.
  • Analyze Findings
    1. Document all the findings on vulnerabilities, misconfiguration, and threats.
    2. Understand the severity of the findings and prioritize based on their impacts.
  • Reporting and Remediation
    1. Create a detailed report with the severity and recommendations for remediation of the vulnerabilities.
    2. Implement the remediation to fix the vulnerabilities.
    3. Retest the application to make sure all the vulnerabilities are mitigated.

Common Vulnerabilities Found in Azure Penetration Tests

top-5-vulnerablities-found-in-penstest
  1. Storage Account Permissions: Overly permissive access controls.
  2. Network Security Group Rules: Inadequate firewall configurations.
  3. Virtual Machine Security: Unpatched or misconfigured VMs.
  4. Identity and Access Management: Weak user permissions or roles.
  5. Encryption Settings: Lack of encryption for data at rest.
  6. Monitoring and Logging: Insufficient logging configurations.
  7. Container Security: Misconfigured container settings.
  8. Web Application Firewall (WAF): Improperly configured WAF rules.
  9. Key Management: Poor management of encryption keys.
  10. Backup and Disaster Recovery: Inadequate backup and recovery configurations.

Azure Penetration Testing Tools

There is a vast array of Azure Penetration Testing tools, both manual and automated, that can be used to test the Azure environments. Below are some tools that you can use for Azure penetration testing:

1. Astra Security

astra-best-api-penetration-testing-tool-in-2024

Key Features:

  • Platform: Offline or Command Line Interface
  • Pentest Capability: Automated Tests
  • Accuracy: False Positives possible
  • Compliance: PCI-DSS,HIPAA,SOC2 and ISO27001
  • Expert Remediation: No
  • Integration: No
  • Reporting: Comprehensive Vulnerablitiy and Compliance Reports
  • Price:Open-Source(GPL)Astra

Astra’s VAPT Suite integrates the powerful, AI-driven Astra vulnerability scanner with expert manual penetration testing, ensuring compliance with industry benchmarks like OWASP TOP 10 and SANS 25.

2. ScoutSuite

scoutsuite-1531

Key Features:

  • Platform: Offline or Command Line Interface
  • Pentest Capability: Automated Tests
  • Accuracy: False Positives possible
  • Compliance: No
  • Expert Remediation: No
  • Integration: No
  • Reporting: Vulnerbility Reports
  • Price:Open-Source(GPL)

ScoutSuite is a multi-thread plugin that automatically audits your Azure environment and collects all relevant details about the platform. It analyzes the collected data to detect any security concerns.

3. PowerZure

PowerZure Cloud Tool

Key Features:

  • Platform: Offline or Command Line Interface
  • Pentest Capability: Automated Tests
  • Accuracy: False Positives possible
  • Compliance: No
  • Expert Remediation: No
  • Integration: No
  • Reporting: No
  • Price:Open-Source(GPL)

PowerZure is a PowerShell-based script that can be used for reconnaissances and testing Azure. It offers several functionalities for information collection, credential access, and data extraction.

4. MicroBurst

Microburst CLoud Tool

Key Features:

  • Platform: Offline or Command Line Interface
  • Pentest Capability: Automated Tests
  • Accuracy: False Positives possible
  • Compliance: No
  • Expert Remediation: No
  • Integration: No
  • Reporting: No
  • Price:Open-Source(GPL)

MicroBurst is a collection of scripts to test your Azure deployment thoroughly and is generally used to detect misconfigurations, Azure service discovery, and other post-exploitation objectives.

5. CS-Suite(Cloud Security Suite)

 AWS_Audit_Report

Key Features:

  • Platform: Offline or Command Line Interface
  • Pentest Capability: Automated Tests
  • Accuracy: False Positives possible
  • Compliance: No
  • Expert Remediation: No
  • Integration: No
  • Reporting: JSON Reports for integration with SIEM tools.
  • Price:Open-Source(GPL)

CS-Suite is a Python-based automation tool that lets you conduct a comprehensive cloud test on various services, including Microsoft Azure.

Security Best Practices During Azure Pentest

Since we now know the rules and tools for Azure penetration testing, we can dive into the steps and areas which we can test.

There are three major areas for pen testing in Azure. Let’s discuss them.

1. Accessing Azure Cloud Services

Once Azure is deployed, the first thing to check is access management. The first place to start is the Azure web portal. Check the Azure access directory to review users accessing your Azure services. Remove any unknown or unauthorized users from the access list. Additionally, tighten the access by using multi-factor authentication for logging in.

If you are using other access getaways for Azure, notably PowerShell or REST APIs, check if the connection is encrypted. Also, be careful about persisting credentials across different machines.

Using appropriate access controls for different user roles is necessary to keep your application secure from unauthorized access security risks. Azure provides three different roles: reader, contributor, and owner, in the growing order of privileges. Ensure that the principle of least privileges applies to all users. 

Role-based access control
Image: Role-based access control (Source: Microsoft.docs)

2. Securing the Database

In Azure, organizations store their data in MS-SQL databases, which are protected by multiple security tools by Microsoft over several layers. These tools include server and network-level firewalls and data masking, to name a few.

Regarding network-level security, ensure that both server—and database-level firewalls are enforced and functioning to provide security to the servers and individual databases.

Network-level security for Azure
Image: Network-level security for Azure

Always Encrypted is a powerful addition to Azure by Microsoft that ensures that not even Microsoft administrators have access to sensitive data.  If you choose to encrypt all data stored in Azure, you generate an encryption key stored either on Azure itself or on-premise. By handing over the encryption keys to Azure, you get convenience and seamless integration across your Azure platform, but you’d lose control over key backup and rotation.

Data masking can also help in cases where complete data encryption is not possible and can be specifically useful in scenarios such as storing customers’ financial details

3. Encryption

For a secure cloud platform, encryption plays a very important part. Data in the cloud needs to be encrypted both in transit and at rest.

For in-transit encryption, you can use the latest HTTPS or TLS implementation. Chances of unauthorized access from the user’s end need to be analyzed and if required, secure protocols such as VPN might also be used.

Azure data encryption-at-rest
Image: Azure data encryption-at-rest (Source: Microsoft.docs)

Managed keys on-premise require complete responsibility for protecting them from attackers. By using Azure Key Vault, you can control which Azure services can access it. However, if attackers get their hands on this vault, they can use these keys to decrypt all sensitive data. It depends on the organization whether it is capable of managing encryption keys on-premise or allowing Microsoft to be in charge of them.

Astra's VAPT Process
Image: Astra’s VAPT Process

Final Thoughts

Azure Penetration Testing is a necessary practice for organizations working with Azure environments. It analyzes the security standard and helps organizations understand what works for their environment.

A thorough pentest helps organizations understand how to improve the Azure security posture and keep your application safe. Astra’s Azure penetration testing service is a mix of thorough manual testing and ensures that all policies are followed, and all aspects of the Azure application are prodded.

FAQs

1. What is the timeline for Azure Penetration Testing?

The timeline for Azure Penetration Testing is 4-5 days. You start seeing the vulnerabilities from the 2nd day on your dashboard. The timeline may differ a little depending upon the scope of the test.

2. How much does Azure penetration testing cost?

Penetration testing on Azure costs between $490 and $999 per scan, depending on the scope of the Azure environment that is being tested.

3. Does Azure Perform Pentests on the Environments?

No, Azure does not perform penetration tests on the Azure Environments hosted by customers. Instead, Azure provides a service called the Azure Security Center that gives policy recommendations and alerts based on the user’s configurations. Organizations can perform pen tests on the Azure Environments with their security team or hire third-party security experts like Astra Security to secure their environments.

Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany