Azure World Newsletter – Issue 4.19 – SoftwareArchitect.ca

Azure World Newsletter – Issue 4.19

September 20, 2023

Welcome to the eighteenth edition of the Azure World Newsletter in 2023.

Hello again, my friends from around the world. I’m so happy you continue to subscribe and read this bi-weekly newsletter on Azure. I enjoy sitting down each week to research and write this, and hopefully, you will continue to find value in it. Feel free to invite your co-workers or others to subscribe if you think they would find it helpful.

The unsubscribe link is at the bottom if you want to stop receiving these emails.


ONE.

A recent sophisticated hacker attack against a client of Microsoft Azure exposed a weakness in one of the oldest security systems protecting Azure storage – SAS tokens.

By default, an Azure Storage account is created with a public URL to access it. This doesn’t mean the data inside the storage account is available for anyone to read. You still need a security key to access the data. One analogy can be a bank safe with a door exposed to the street. The door is locked, and it’s impossible to break the door or the lock. But there is still a door exposed to the street, allowing anyone with the key to enter with no other security measures.

Also, by default, an Azure Storage account is protected with two access keys. Anyone with one of these keys can access the contents of the storage. It’s just extremely hard (impossibly hard) to guess the key using brute force. The key is 512 bits. That is a 1 with 154 zeros, which is more than the estimated number of atoms in the universe.

Users should never share their Azure Storage key, if possible. Once a storage account becomes central to operations, changing the key is very difficult. However, Microsoft does offer a way to share access to files securely through the SAS Token.

(I’ll stop here and say that many professionals shudder at the thought of using SAS tokens on valuable stuff, but as of the time of writing, it’s a prominent security tool.)

The SAS token uses the secret access key to digitally sign some parameters like read/write permission, start and end date for access, and specific scopes of what can be accessed. You can send this signed token to a third party, and they can use it to access the file.

By having the SAS token, the third party cannot get access to anything you did not specifically give them access to and does not have access to the secret key used to create it.
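To make the signing step concrete, here is a small added model of how a SAS token binds its parameters to the account key. It is example code written for this newsletter, not Azure’s own code: the real string-to-sign has more fields and a version-specific layout, and the account key, resource path and timestamps below are constructed. The short parameter names (`sp`, `st`, `se`, `sr`, `sig`) follow the real query-string names. The demo shows that a read-only token cannot be used to write, that editing the permissions breaks the signature, that the token dies at its expiry, and that regenerating the account key invalidates every token signed with the old one.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

# Constructed 64-byte (512-bit) account key, base64-encoded the way Azure shows storage keys.
# Made up for this example; it is not a real key.
ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _string_to_sign(permissions: str, start: str, expiry: str, resource: str) -> str:
    # Simplified stand-in for Azure's string-to-sign (assumption: the real one has more
    # fields). The principle is the same: every granted parameter is covered by the HMAC,
    # so none of them can be changed without the account key.
    return "\n".join([permissions, start, expiry, resource])


def _sign(account_key: str, string_to_sign: str) -> str:
    key = base64.b64decode(account_key)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def mint_sas(account_key: str, resource: str, permissions: str,
             start: datetime, expiry: datetime) -> str:
    """Return a query string carrying the granted parameters plus their signature."""
    st, se = start.strftime(TIME_FMT), expiry.strftime(TIME_FMT)
    sig = _sign(account_key, _string_to_sign(permissions, st, se, resource))
    return urlencode({"sp": permissions, "st": st, "se": se, "sr": resource, "sig": sig})


def check_sas(account_key: str, token: str, resource: str,
              permission: str, now: datetime):
    """Decide, as the storage service would, whether `token` allows `permission` on `resource`."""
    params = {k: v[0] for k, v in parse_qs(token).items()}
    try:
        sp, st, se, sr, sig = (params[k] for k in ("sp", "st", "se", "sr", "sig"))
    except KeyError as missing:
        return False, f"missing parameter {missing}"
    expected = _sign(account_key, _string_to_sign(sp, st, se, sr))
    # Constant-time comparison; any edited parameter changes the expected value.
    if not hmac.compare_digest(sig, expected):
        return False, "signature mismatch (tampered token or rotated key)"
    if sr != resource:
        return False, "token is scoped to a different resource"
    ts = now.strftime(TIME_FMT)
    if not (st <= ts < se):  # fixed-width UTC timestamps compare correctly as strings
        return False, "outside the signed validity window"
    if permission not in sp:
        return False, f"permission {permission!r} not granted (token has {sp!r})"
    return True, "allowed"


def demo() -> dict:
    """Exercise the properties described in the text; returns the outcomes for inspection."""
    t0 = datetime(2023, 9, 20, 12, 0, tzinfo=timezone.utc)
    t1 = datetime(2023, 9, 20, 12, 15, tzinfo=timezone.utc)  # 15-minute lifetime
    blob = "/blob/contoso/reports/q3.csv"                     # constructed resource path
    token = mint_sas(ACCOUNT_KEY, blob, "r", t0, t1)

    within = datetime(2023, 9, 20, 12, 5, tzinfo=timezone.utc)
    tampered = token.replace("sp=r", "sp=rw")                  # try to add write permission
    rotated_key = base64.b64encode(bytes(range(64, 128))).decode()  # "regenerate key 1"
    return {
        "read": check_sas(ACCOUNT_KEY, token, blob, "r", within)[0],
        "write": check_sas(ACCOUNT_KEY, token, blob, "w", within)[0],
        "tampered": check_sas(ACCOUNT_KEY, tampered, blob, "w", within)[0],
        "expired": check_sas(ACCOUNT_KEY, token, blob, "r", t1)[0],
        "after_rotation": check_sas(rotated_key, token, blob, "r", within)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {'ALLOWED' if ok else 'DENIED'}")
```

The last case is the point made later in this issue: nothing about the token itself can be revoked, so the only lever is the key it was signed with, and pulling that lever invalidates every other token signed with the same key at the same time.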

Of course, there is a downside.

SAS tokens don’t get saved anywhere in Azure. You generate them (a digital signature) and can share them with co-workers and partners. Azure promptly forgets that they were generated, and it’s up to you – a human – to remember who you gave access to which files.

Notoriously, most humans are terrible at remembering stuff.

And so, a recent hack against an Azure client led to the hacker finding a SAS token for an Azure Storage container. That container contained a lot of valuable data, and the SAS token had basically full privileges. This allowed them to encrypt those files and demand a ransom for their recovery.

So, while there was not a vulnerability in Azure itself and SAS tokens “worked as designed” in this scenario, the client had created a huge hole in their security without knowing it: a token with full permissions to a valuable storage account was stored somewhere a hacker could potentially find it.

SAS tokens are fine for some situations. But they are difficult to manage once created. Their permissions cannot be modified after creation, nor can the token be directly revoked before its expiry date. The only way to invalidate a token is to recycle your access key, which could break a lot of apps unintentionally, so it is difficult to do except in emergencies in a production context.

There’s no central page in the Azure Portal to show which SAS tokens have been created and alert you to ones that are still valid.

When creating SAS tokens, ensure they have very short expiry times and are limited only to the exact permissions required to perform their intended task (such as read-only). For sensitive storage situations, don’t use SAS tokens.
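Since Azure keeps no inventory of issued tokens, the practical defence is to find the SAS URLs that are sitting in your own repositories, config files and tickets, and check them against the advice above. The following is an added example written for this newsletter (not a Microsoft tool) that parses the query string of a SAS URL and reports tokens that grant more than read or list, run for longer than a chosen window, cover a whole container or account, or allow plain HTTP. The sample URLs and their `sig=` values are constructed; the parameter names (`sp`, `st`, `se`, `sr`, `srt`, `spr`, `sig`) and the permission letters r/l/a/c/w/d are the real ones, and treating only r and l as “read-only” is this example’s own assumption.

```python
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Letters in sp= that only allow reading or listing; anything else (a=add, c=create,
# w=write, d=delete, and others) is reported as more than read-only. (Assumption.)
READ_ONLY = {"r", "l"}

# Azure accepts several timestamp shapes for st= and se=; try the common ones.
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def parse_sas(url: str) -> Optional[dict]:
    """Return the SAS parameters of a URL, or None if it carries no SAS token."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if all(k in params for k in ("sig", "sp", "se")):
        return params
    return None


def _parse_time(value: str) -> Optional[datetime]:
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def audit_sas(url: str, now: datetime, max_lifetime_hours: int = 24) -> Optional[List[str]]:
    """List the reasons a SAS URL deserves attention; [] means it looks tightly scoped."""
    p = parse_sas(url)
    if p is None:
        return None
    findings = []
    if set(p["sp"]) - READ_ONLY:
        findings.append(f"more than read-only: sp={p['sp']}")
    expiry = _parse_time(p["se"])
    if expiry is None:
        findings.append(f"unparseable expiry: se={p['se']}")
    elif expiry <= now:
        findings.append(f"already expired at {p['se']} (delete it wherever it is stored)")
    elif (expiry - now).total_seconds() > max_lifetime_hours * 3600:
        findings.append(f"valid for more than {max_lifetime_hours}h (until {p['se']})")
    if "srt" in p:  # account SAS: scoped by resource type, not a single object
        findings.append(f"account-level token covering resource types srt={p['srt']}")
    elif p.get("sr") == "c":
        findings.append("scoped to a whole container rather than one blob")
    if p.get("spr", "https") != "https":
        findings.append(f"allows plain HTTP (spr={p['spr']})")
    return findings


# Constructed URLs in the shape of real SAS links; the sig= values are placeholders.
SAMPLE_URLS = [
    "https://contoso.blob.core.windows.net/reports/q3.csv"
    "?sv=2022-11-02&sr=b&sp=r&st=2023-09-20T12:00:00Z&se=2023-09-20T12:15:00Z"
    "&spr=https&sig=CONSTRUCTED_SIG_1",
    "https://contoso.blob.core.windows.net/backups"
    "?sv=2022-11-02&sr=c&sp=racwdl&se=2051-01-01&sig=CONSTRUCTED_SIG_2",
    "https://contoso.blob.core.windows.net/"
    "?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup&se=2023-01-01T00:00Z&spr=https,http"
    "&sig=CONSTRUCTED_SIG_3",
    "https://contoso.blob.core.windows.net/public/logo.png",  # no SAS at all
]


def demo(now: datetime = datetime(2023, 9, 20, 12, 5, tzinfo=timezone.utc)) -> dict:
    """Audit every sample URL at a fixed reference time (constructed)."""
    return {url: audit_sas(url, now) for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url, findings in demo().items():
        print(url.split("?")[0])
        if findings is None:
            print("  no SAS token")
        elif not findings:
            print("  OK: read-only, single blob, short-lived")
        for f in findings or []:
            print("  -", f)
```

Pointing this at the output of a secret scanner or a `grep` for `sig=` across a repository turns “a human has to remember who was given what” into a list you can actually act on, and the expired entries tell you which leftovers are safe to delete.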

See more:
https://www.bleepingcomputer.com/news/microsoft/microsoft-leaks-38tb-of-private-data-via-unsecured-azure-storage/

See more:
https://techcommunity.microsoft.com/t5/azure-confidential-computing/announcing-trusted-launch-as-default-in-azure-portal/ba-p/3854872


TWO.

Microsoft is touting a new “almost free” WordPress solution within Azure, but I swear this solution has been around since almost the start of Azure App Services.

I can recall several years ago creating videos about how to create a WordPress website for free in Azure. There was “WordPress for App Service” in the Azure Marketplace that allowed you to create a WordPress website with a MySQL backend using the free tier of Azure App Services.

It seems Microsoft has revamped this service from all those years ago to improve it.

WordPress on App Service is new and improved. The marketplace image is now always going to be the latest versions of WordPress and PHP. It also provides performance improvements, including caching and image compression by default. They’ve followed a lot of WordPress’ own recommendations on performance.

And finally, WordPress on App Service comes with several tiers of hosting plans to meet your needs. Now, with a free version as well, you can also choose a basic website for hobbyists, a development website, the standard option for most production applications, and a premium tier for websites that are under heavy workload.

Do you want to experiment with hosting WordPress in Azure? Check out this service.

See more:
https://visualstudiomagazine.com/articles/2022/03/03/wordpress-on-app-service.aspx
and
https://www.infoq.com/news/2023/09/azure-wordpress-free-playground/


AZURE PLATFORM UPDATES.

A few updates for you this week.

The following updates to the Azure platform were announced in the last two weeks:

  • Azure AI Speech service can help with call automation, in preview
  • Azure Load Testing now supports uploading large files as ZIP
  • Azure Front Door Standard and Premium support bring-your-own-certificate-based domain validation
  • Configure load testing in your CI/CD pipeline from Azure portal
  • Latest generation burstable VMs – Bsv2, Basv2, and Bpsv2
  • Configure customer-managed keys on existing Cosmos DB accounts, in preview
  • Use Azure Key Vault to securely store and retrieve access key when mounting Azure Storage as a local share in App Service
  • Sensitive Data Protection for Application Gateway Web Application Firewall
  • WordPress on App Service – Free hosting plan now in Public Preview
  • Save Azure Backup Recovery Services Agent (MARS) passphrase to Azure Key Vault, in preview
  • Malware Scanning in Defender for Storage

Be sure and check out the Azure Updates page if any of these affect you.

https://azure.microsoft.com/en-us/updates/


COMING UP FOR ME.

Last week, I added a free practice test to the TOGAF 9.2 and TOGAF 10 Part 1 courses.

I’m now going through some of the courses – AZ-204 and AZ-104 particularly – and updating many of the videos to reflect the latest Azure Portal and/or Visual Studio UIs. I’ve also been adding videos to these courses to go deeper into topics as it makes sense.


WHERE TO FIND ME.

And that’s it for issue 4.19. Thanks for reading this far. Talk to you again in two weeks.

What is your favorite platform to be on? Perhaps we can connect there.

Facebook Page: https://www.facebook.com/getcloudskills/ 

LinkedIn: https://www.linkedin.com/in/scottjduffy/

Instagram: https://www.instagram.com/getcloudskills.ca/

Twitter: https://twitter.com/scottjduffy

Udemy: https://www.udemy.com/user/scottduffy2/

LinkedIn Learning: https://www.lynda.com/Scott-Duffy/1993589682-1.html