Securing a Windows Server VM in Azure

If you've built and managed Windows Servers in an on-premises environment, you may have a set of configuration steps, as well as regular processes and monitoring alerts, to ensure that each server is as secure as possible. But if you run a Windows Server VM in Azure, apart from not having to manage the physical security of the underlying compute hardware, what on-premises concepts still apply, what might you need to alter, and which capabilities of Azure should you include?

Windows Security Baselines – Most server administrators would start by configuring the default settings to meet their organization's security requirements and would search for guidance on other settings that could be tweaked to make the environment more restrictive. Traditional Windows Server hardening guidance can now get out of date easily, as we ship more frequent updates and changes to the operating system, though some practices are universally good to apply. In addition, security guidance can change, especially as we learn from the latest threats.

To keep up with the current advice, relevant to your server's current patch levels, we recommend the use of the Windows Security Baselines. Provided inside the Security Compliance Toolkit, the baselines bring together feedback from Microsoft security engineering teams, product groups, partners, and customers into a set of Microsoft-recommended configuration settings and their security impact. On the Microsoft Security Baselines blog, you can keep track of changes to the baselines through the Draft and Final stages, for example as they relate to the Windows Server version 20H2 release.
This guidance applies to Windows Server whether it's on-premises or in the Cloud.

Hardening your Windows Server – In addition, my colleague Orin Thomas does a great presentation on Hardening your Windows Server environment. It includes things like Credential Guard, Privileged Administration Workstations, Shielded VMs and more. Download the presentation deck and the demo videos here: Orin-Thomas/HardenWinSvr: Hardening Windows Server presentation

Server Roles and applications
You also need to pay attention to the role that your server is performing, which will install additional files and settings to the base operating system, for example if it's running IIS or SQL Server. These components come with their own security guidance, and Orin has written up advice on hardening IIS here: Windows Server 101: Hardening IIS via Security Control Configuration

And then there's the configuration of any applications you are hosting on the server. Have your custom applications been developed to protect against attacks or exploits? Are any third-party applications secure or do they require you to “relax” your security configurations for them to function properly (for example, turning off UAC)? Do you restrict who can install applications onto your server and which applications can be installed or run?

Microsoft Azure considerations
With some of the Windows Server considerations covered, let's explore the Azure considerations and capabilities.

One of the biggest differences to running an on-premises server is how you manage the configuration. IaaS VMs should always be managed through Azure, not via their settings inside the operating system.

RDP – It's still not a good idea to leave the default RDP port open, due to the high number of malicious attempts at taking servers down by flooding this port with invalid authentication attempts. Instead, for a secure connection to a remote server session for administration, check out Azure Bastion, which is initiated through the Azure Portal.

Network security groups – Network security groups allow granular control of traffic to and from Azure resources, including traffic between different resources in Azure. Plan your routing requirements and configure these virtual firewalls to only allow necessary traffic.
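A check for the RDP and network security group points above, added here as an example and not part of the original article: it reads rules in the JSON shape that `az network nsg rule list -o json` returns and lists the inbound Allow rules that expose TCP 3389 to any source, taking rule priority into account. The rule names and addresses in the sample are constructed, and the helper names are hypothetical.

```python
import json

# Constructed sample, shaped like `az network nsg rule list -o json` output.
SAMPLE_RULES = json.loads("""[
 {"name": "allow-rdp-any", "priority": 300, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
  "destinationPortRange": "3389", "destinationPortRanges": []},
 {"name": "allow-mgmt-range", "priority": 310, "direction": "Inbound", "access": "Allow",
  "protocol": "*", "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
  "destinationPortRange": null, "destinationPortRanges": ["443", "3000-4000"]},
 {"name": "allow-rdp-office", "priority": 320, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "sourceAddressPrefixes": [],
  "destinationPortRange": "3389", "destinationPortRanges": []}
]""")

ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}  # values that mean "any internet source"

def values(rule, single, plural):
    """An NSG rule carries either one value or a list; merge both fields."""
    one = [rule[single]] if rule.get(single) else []
    return one + list(rule.get(plural) or [])

def covers(spec, port):
    """True if a port spec ('*', '3389' or '3000-4000') includes port."""
    lo, _, hi = spec.strip().partition("-")
    return spec.strip() == "*" or int(lo) <= port <= int(hi or lo)

def open_match(rule, port):
    """Inbound TCP (or any-protocol) rule, internet-wide source, covering port."""
    sources = values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    ports = values(rule, "destinationPortRange", "destinationPortRanges")
    return (rule["direction"].lower() == "inbound"
            and rule["protocol"].lower() in ("tcp", "*")
            and any(s.lower() in ANY_SOURCE for s in sources)
            and any(covers(p, port) for p in ports))

def exposed_rules(rules, port=3389):
    """Names of Allow rules that expose port to any source, in priority order."""
    found = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if not open_match(rule, port):
            continue
        if rule["access"].lower() == "deny":
            break  # lower priority number wins: later rules never see this traffic
        found.append(rule["name"])
    return found

if __name__ == "__main__":
    print(exposed_rules(SAMPLE_RULES))
```

Rules scoped to a specific source range, such as the constructed `allow-rdp-office` entry, are not reported; only internet-wide exposure is flagged.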

Just-in-time access – If you do have a requirement to open ports sometimes, consider implementing just-in-time (JIT) VM access. This allows Azure to change networking settings for a specified period only, for approved user requests.

VPN Gateways – Implement a virtual network gateway for traffic between your on-premises location and your Azure resources. This can be from physical sites (such as branch offices), individual devices (via Point to Site gateways) or through private ExpressRoute connections which don't traverse the public internet. Learn more at What is a VPN Gateway?

Role Based Access Control – Specific to Azure, Role Based Access Control (RBAC) lets you control who has access to the properties and configuration settings of your Azure resources via the Azure Resource Manager (including the Azure Portal, PowerShell, the Azure CLI and Cloud Shell). These permissions are packaged by common roles, so you could assign someone as a Backup Operator and they'd get the necessary rights to manage Azure Backup for the VM, for example. This identity capability helps you implement a “least privilege” model, with the right people having only the access that they need to perform their roles. 

Privileged Identity Management – Like JIT VM access, Privileged Identity Management enables an approved user to elevate to a higher level of permissions for a limited time, usually to perform administration tasks.

Other advanced Identity features – With the Cloud, you can take advantage of additional advanced security features for securing authentication requests, including Conditional Access and Multi-Factor Authentication. Check out Phase 1: Build a foundation of security in the Azure Active Directory feature deployment guide. 

Security Compliance & Monitoring
Azure Security Benchmarks – Like the Windows Security Benchmarks, the Azure Security Benchmarks help you baseline your configuration against Microsoft recommended security practices. These include how security recommendations map to security controls from industry sources like NIST and CIS and include Azure configuration settings for your VM (such as privileged access, logging, and governance). 

Azure Defender for Servers – Azure allows for advanced security capabilities and monitoring of server VMs with Azure Defender for Servers. This is my “if you only do one thing in this article, do this” recommendation. It's needed for JIT access and includes things like file integrity monitoring, adaptive network hardening and fileless attack detection. 

Azure Policy – Other things can fall under the security umbrella, like staying compliant with the Payment Card Industry's Data Security Standard (PCI DSS), or ensuring that Cloud resources can only be created in an approved list of countries (with corresponding Azure regions) for your organization. Investigate how Azure Policy can help enforce these requirements when a new VM is created or can alert you if an existing VM has its configuration changed so it's now non-compliant. 

While it's easy to imagine a security scenario of an open application database or a hacking attempt to exploit application code, there are a considerable number of security aspects to running a Windows Server VM in the cloud too. Start with this list and you're going in the right direction to make your cloud servers as secure as possible, aligned with the specific requirements for your organization.


This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.