CrowdStrike has launched the CrowdStrike Reporting Tool for Azure (CRT), a free tool that helps organizations review excessive permissions in their Azure AD environments, identify configuration weaknesses, and get advice on mitigating the resulting risk. CRT is written in PowerShell and automatically installs the Exchange Online PowerShell V2, MSOnline, and AzureAD modules. The company recommends running the tool with an account that holds the Global Reader role; certain read-only functions nonetheless require authentication as a Global Administrator or a similarly high-risk privileged role, so the session used for those checks should be short-lived and its sign-in expected in the audit logs.
Configuration review and hardening measures
Based on incident response engagements conducted by the CrowdStrike Services team, the company also highlights additional attack-surface reduction and mitigation recommendations.
The company also recommends centralizing log storage in a secure location, so that logs are protected from tampering and unauthorized access and are preserved for forensic use. Log sources must be explicitly enabled, and diagnostic settings configured, for sufficient detail to be available. The following logs should be captured in a Security Information and Event Management (SIEM) system or a log storage environment separate from Azure, so that an attacker who gains control of the tenant cannot alter or delete them:
- Unified Audit Log
- Azure Activity Logs
- Azure Services Logs
- Azure NSG Flow Logs
- Azure AD Logs:
  - Azure AD Audit Logs
  - Azure AD Sign-In Logs
  - Azure AD Managed Identity Sign-In Logs (Preview)
  - Azure AD Non-Interactive User Sign-In Logs (Preview)
  - Azure AD Service Principal Sign-In Logs (Preview)
  - Azure AD Provisioning Logs
  - Azure AD Risky Sign-In events
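Enabling a log source and exporting it are two separate steps, and the gap between them is where evidence is lost. The following PowerShell is an added example and is not part of CRT or CrowdStrike's guidance: it checks three of the sources above for the common failure modes (Unified Audit Log ingestion switched off, Azure AD log categories not exported anywhere, NSGs without flow logs). It assumes the ExchangeOnlineManagement and Az modules are installed and that `Connect-ExchangeOnline` and `Connect-AzAccount` have already been run; the tenant-level ARM path and preview API version used for Azure AD diagnostic settings are the ones the portal used at the time, and the list of category names is an assumption to be extended as new categories appear.

```powershell
# Added example (not CrowdStrike's CRT code). Assumes Connect-ExchangeOnline and
# Connect-AzAccount have already been run in this session.

# 1. Unified Audit Log: if ingestion is off, Search-UnifiedAuditLog silently returns nothing.
$ual = Get-AdminAuditLogConfig
if (-not $ual.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified Audit Log ingestion is DISABLED'
    # Remediation needs Exchange Admin / Global Admin, not Global Reader:
    # Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Azure AD diagnostic settings live at a tenant-level ARM path, not under a subscription.
#    Category names below are an assumption based on the portal's Azure AD diagnostic blade.
$wanted = 'AuditLogs', 'SignInLogs', 'NonInteractiveUserSignInLogs',
          'ServicePrincipalSignInLogs', 'ManagedIdentitySignInLogs', 'ProvisioningLogs'
$resp = Invoke-AzRestMethod -Method GET `
    -Path '/providers/microsoft.aadiam/diagnosticSettings?api-version=2017-04-01-preview'
$settings = ($resp.Content | ConvertFrom-Json).value
$exported = @()
foreach ($s in $settings) {
    # A setting with no sink exports nothing; show where each one actually sends data.
    $sink = $s.properties.workspaceId, $s.properties.eventHubAuthorizationRuleId,
            $s.properties.storageAccountId | Where-Object { $_ }
    Write-Host ("Azure AD diagnostic setting '{0}' -> {1}" -f $s.name, ($sink -join ', '))
    $exported += $s.properties.logs | Where-Object { $_.enabled } |
                 Select-Object -ExpandProperty category
}
$missing = $wanted | Where-Object { $_ -notin $exported }
if ($missing) {
    Write-Warning ("Azure AD log categories not exported anywhere: {0}" -f ($missing -join ', '))
}

# 3. NSG flow logs: every NSG in every subscription should have a flow log enabled.
foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionObject $sub | Out-Null
    foreach ($nsg in Get-AzNetworkSecurityGroup) {
        $nw = Get-AzNetworkWatcher | Where-Object { $_.Location -eq $nsg.Location }
        if (-not $nw) {
            Write-Warning "No Network Watcher in $($nsg.Location); flow logs impossible for $($nsg.Name)"
            continue
        }
        $status = Get-AzNetworkWatcherFlowLogStatus -NetworkWatcher $nw -TargetResourceId $nsg.Id
        if (-not $status.Enabled) {
            Write-Warning "Flow logs disabled on NSG $($nsg.Name) in subscription $($sub.Name)"
        }
    }
}
```

The diagnostic-settings check deliberately looks at the union of all settings rather than requiring one setting to carry every category, because tenants commonly split sign-in and audit logs across a workspace and an event hub. What it cannot tell you is whether the sink itself is outside the attacker's reach; that is a question of who holds Contributor on the workspace or storage account, which the tenant-level check above does not cover.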
- Review trust relationships with partners including IT consultants, vendors and resellers, and limit privileges.
- Review existing Federations. Identify unauthorized or unrecognized Federations and revoke them.
- Store SAML token-signing certificate key material in a Hardware Security Module (HSM) so that the signing key cannot be exported or stolen. Alternatively, rotate SAML signing certificates periodically; rotation does not prevent theft, but it limits how long a stolen key can be used to forge tokens, and any certificate change that was not part of a planned rotation should be treated as a finding.
- Review Azure AD allowed identity providers (SAML IDPs through direct federation or social logins) and identify and remove those that are not legitimate.
- Review Azure B2B external identities’ access to the Azure portal and identify and remove those that are no longer needed or not legitimate.
- Ensure that only the required on-premises AD Organizational Units (OUs) and objects are synced to the cloud. Use extreme caution when establishing bi-directional trust and when syncing privileged identities, service accounts, or OUs between on-premises and cloud environments.
- Implement Azure Policies to restrict specific actions in the tenant:
  - Restrict region usage
  - Enforce tagging for sensitive resources
- Review access controls to the Azure administrator portal, using least privilege access principles.
- Review environment for overly privileged service accounts that may have access to on-prem environments as well as Azure and reduce privileges and access if possible.
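The federation and external-identity items above (existing federations, allowed identity providers, B2B guests) are the ones an intruder who has already obtained Global Admin uses to persist: a federated domain whose issuer or signing certificate they control lets them mint tokens for any user without touching a password. The following PowerShell is an added example, not CRT code, of what a reviewer would actually pull to compare against the list of federations the organization knows it set up. It assumes the MSOnline and AzureAD modules are installed and that `Connect-MsolService` and `Connect-AzureAD` have been run with at least Global Reader.

```powershell
# Added example (not CrowdStrike's CRT code). Assumes Connect-MsolService and
# Connect-AzureAD have already been run in this session.

# 1. Federated domains and the certificates Azure AD will accept tokens from.
$federated = Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' }
$report = foreach ($dom in $federated) {
    $fs = Get-MsolDomainFederationSettings -DomainName $dom.Name
    # SigningCertificate / NextSigningCertificate are base64-encoded DER; decode them so the
    # thumbprint, subject and expiry can be compared with the AD FS (or other IdP) you operate.
    $certs = @($fs.SigningCertificate, $fs.NextSigningCertificate) |
        Where-Object { $_ } |
        ForEach-Object {
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [Convert]::FromBase64String($_))
        }
    [pscustomobject]@{
        Domain          = $dom.Name
        IssuerUri       = $fs.IssuerUri        # must be an issuer you own
        PassiveLogOnUri = $fs.PassiveLogOnUri  # must point at your IdP, not attacker infrastructure
        Certificates    = ($certs | ForEach-Object {
                              '{0} (subject {1}, expires {2:yyyy-MM-dd})' -f $_.Thumbprint, $_.Subject, $_.NotAfter
                          }) -join '; '
    }
}
$report | Format-List

# A NextSigningCertificate you did not stage, or a domain you do not recognise as federated,
# is exactly the artefact to escalate: it is a second signing key waiting to be used.
$report | Where-Object { $_.Certificates -match ';' } |
    ForEach-Object { Write-Warning "Domain $($_.Domain) has more than one accepted signing certificate" }

# 2. B2B guest accounts: who they are, whether the invitation was ever accepted, and when.
Get-AzureADUser -All $true -Filter "userType eq 'Guest'" |
    Select-Object UserPrincipalName, Mail, CreationType, UserState, UserStateChangedOn |
    Sort-Object UserStateChangedOn -Descending |
    Format-Table -AutoSize
```

The decoded certificate data is what makes the check useful: `Get-MsolDomainFederationSettings` alone prints a base64 blob that nobody compares by eye. Guests with `UserState` still at `PendingAcceptance` months after invitation are low-risk but noisy; guests whose `UserStateChangedOn` falls inside an incident window are the ones to cross-reference with the Azure AD audit log.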
Azure AD OAuth applications
- Review existing applications with credentials recently added.
- Review non-Microsoft registered applications and permissions, and revoke permissions and credentials for any unrecognized application.
- Review and remove unused applications.
- Limit application consent policy to only approved administrators.
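Credentials added to an existing, already-consented application are a quiet way to keep access after passwords and MFA are reset, because the application signs in as itself. As an added example, not CRT's code, the following PowerShell finds application registrations and service principals that gained a secret or certificate recently, and lists the delegated permissions each non-Microsoft enterprise application has been granted. It assumes `Connect-AzureAD` has been run; the 30-day window and the two Microsoft publisher tenant IDs used to filter out first-party apps are assumptions the reviewer should adjust.

```powershell
# Added example (not CrowdStrike's CRT code). Assumes Connect-AzureAD has been run.
$LookbackDays = 30                       # arbitrary threshold; tighten during an incident
$since = (Get-Date).AddDays(-$LookbackDays)

$apps = Get-AzureADApplication -All $true       # registrations this tenant owns
$sps  = Get-AzureADServicePrincipal -All $true  # what the tenant actually trusts to sign in

function Get-RecentCredential {
    param($Objects, [string]$Kind, [datetime]$Since)
    foreach ($o in $Objects) {
        # Both object types carry secrets (PasswordCredentials) and certificates (KeyCredentials).
        $creds = @($o.PasswordCredentials) + @($o.KeyCredentials)
        foreach ($c in $creds | Where-Object { $_ -and $_.StartDate -ge $Since }) {
            [pscustomobject]@{
                Kind        = $Kind
                DisplayName = $o.DisplayName
                AppId       = $o.AppId
                CredType    = $c.GetType().Name   # KeyCredential or PasswordCredential
                Added       = $c.StartDate
                Expires     = $c.EndDate
            }
        }
    }
}

Get-RecentCredential -Objects $apps -Kind 'Application'      -Since $since | Format-Table -AutoSize
Get-RecentCredential -Objects $sps  -Kind 'ServicePrincipal' -Since $since | Format-Table -AutoSize

# Delegated consent grants for third-party service principals. ConsentType 'AllPrincipals'
# means an admin consented on behalf of every user; that is where mail.read-style persistence hides.
# Publisher tenant IDs below are the publicly documented Microsoft first-party tenants (assumption).
$msTenants = '72f988bf-86f1-41af-91ab-2d7cd011db47', 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'
$spByObjectId = @{}
foreach ($sp in $sps) { $spByObjectId[$sp.ObjectId] = $sp.DisplayName }

$thirdParty = $sps | Where-Object { $_.AppOwnerTenantId -and $_.AppOwnerTenantId -notin $msTenants }
foreach ($sp in $thirdParty) {
    Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $sp.ObjectId -All $true |
        Select-Object @{n='App';e={$sp.DisplayName}},
                      @{n='Resource';e={$spByObjectId[$_.ResourceId]}},
                      ConsentType, Scope
}

# Consent policy remediation (requires Global Admin, not Global Reader):
# Set-MsolCompanySettings -UsersPermissionToUserConsentToAppEnabled $false
```

Two caveats for the reviewer: `StartDate` is set by the caller when the credential is added, so a forged early date is possible and the Azure AD audit log ("Update application – Certificates and secrets management") remains the authoritative timeline; and an application permission (app role) granted to a service principal is not in the OAuth2 grant list at all, so it has to be reviewed separately in the Enterprise applications blade or via the app role assignment cmdlets.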
- Ensure that only dedicated cloud-only administrator accounts are used for cloud administration.
- Practice the principle of least privilege and remove unnecessary privileges where warranted.
- Review users granted membership in administrative roles or groups:
  - Users with elevated permissions via the following roles should be given extra scrutiny:
    - Authentication Administrator
    - Billing Administrator
    - Conditional Access Administrator
    - E-Discovery Manager and Administrator
    - Exchange Administrator
    - Global Administrator
    - Helpdesk Administrator
    - Password Administrator
    - Security Administrator
    - SharePoint Administrator
    - User Access Administrator
    - User Administrator
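Several of the preceding items (cloud-only admin accounts, least privilege, scrutiny of the roles listed, MFA for everyone) reduce to one question: who holds these roles today, and does each holder look like a dedicated, MFA-registered, cloud-only administrator? The PowerShell below is an added example, not CRT code, that answers it for the Azure AD roles in the list and for `User Access Administrator`, which is an Azure RBAC role assigned per subscription rather than an Azure AD role. The eDiscovery roles are Compliance Center role groups and are not covered here. It assumes `Connect-AzureAD`, `Connect-MsolService` and `Connect-AzAccount` have been run; the set of role names is taken from the list above.

```powershell
# Added example (not CrowdStrike's CRT code). Assumes Connect-AzureAD, Connect-MsolService
# and Connect-AzAccount have been run; Global Reader plus subscription Reader is enough.
$watch = 'Authentication Administrator', 'Billing Administrator', 'Conditional Access Administrator',
         'Exchange Administrator', 'Global Administrator', 'Helpdesk Administrator',
         'Password Administrator', 'Security Administrator', 'SharePoint Administrator',
         'User Administrator'

# Get-AzureADDirectoryRole returns only roles that have ever been activated (assigned);
# a role absent from its output has no permanent members. PIM-eligible assignments are not shown.
$roles = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -in $watch }

$findings = foreach ($role in $roles) {
    foreach ($m in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        $flags = @()
        if ($m.ObjectType -ne 'User') {
            # Groups and service principals in admin roles widen the blast radius silently.
            $flags += "non-user principal ($($m.ObjectType))"
        } else {
            if ($m.DirSyncEnabled) { $flags += 'synced from on-prem AD (not cloud-only)' }
            if ($m.UserType -eq 'Guest') { $flags += 'guest account' }
            # MFA registration state is exposed by MSOnline, not the AzureAD module.
            $msol = Get-MsolUser -ObjectId $m.ObjectId
            if (-not $msol.StrongAuthenticationMethods) { $flags += 'no MFA method registered' }
        }
        [pscustomobject]@{
            Role   = $role.DisplayName
            Member = $m.DisplayName
            UPN    = $m.UserPrincipalName
            Flags  = $flags -join '; '
        }
    }
}
$findings | Sort-Object Role, Member | Format-Table -AutoSize

# 'User Access Administrator' is Azure RBAC: a holder can grant themselves Owner on the
# subscription, so enumerate it per subscription and at every scope.
foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionObject $sub | Out-Null
    Get-AzRoleAssignment -RoleDefinitionName 'User Access Administrator' |
        Select-Object @{n='Subscription';e={$sub.Name}}, DisplayName, SignInName, ObjectType, Scope
}
```

Empty `Flags` is the goal state. A member showing "synced from on-prem AD" is the case the guidance warns about: compromise of on-premises AD then yields a Global Administrator without ever touching the cloud directory directly.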
- Review privileges and enforce multi-factor authentication requirements for Guest users.
- Ensure only the appropriate users have Azure CLI access to the tenant.
- Enforce multi-factor authentication (MFA) for all users.
- Check for new unknown MFA registrations and restrict service accounts from MFA registration.
- Set the multi-factor authentication service settings to "Do not allow users to create app passwords to sign in to non-browser apps", so that legacy app passwords cannot be used to bypass MFA.
- Review and enforce Conditional Access Policies:
  - Utilize geo-fencing and/or trusted locations.
  - Enforce modern authentication and block legacy authentication.
  - Block "risky sign-ins" of medium severity and above.
- Monitor authentication requests from unknown identity providers.
- Monitor for credentials being added to service principals.
- Ensure Self-Service Password Reset (SSPR) notifications are enabled, so that users are notified when their password is reset and all administrators are notified when another administrator's password is reset.
- Review mailbox forwarding rules and remove unauthorized rules, including:
  - Tenant-wide mail flow (transport) rules
  - Inbox rules and forwarding settings on individual mailboxes
- Review mailbox delegations and remove unnecessary delegations.
- Ensure Exchange PowerShell usage is only permitted for Exchange Administrators.
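The three Exchange Online items above are the standard business-email-compromise sweep: forwarding can be configured on the mailbox object, in an inbox rule, or in a tenant-wide transport rule, and a cleanup that checks only one of the three leaves the others in place. The following PowerShell is an added example, not CRT code, that walks all three, then lists explicit Full Access delegations and every account still permitted to open a remote PowerShell session. It assumes the ExchangeOnlineManagement module is installed and `Connect-ExchangeOnline` has been run; reading is enough, the commented remediation lines need Exchange Administrator rights.

```powershell
# Added example (not CrowdStrike's CRT code). Assumes Connect-ExchangeOnline has been run.
$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Forwarding set on the mailbox object itself; this survives deleting every inbox rule.
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward, redirect, or silently delete (the classic BEC pattern:
#    forward invoices out, delete the copies so the victim never sees them).
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object @{n='Mailbox';e={$mbx.UserPrincipalName}},
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}

# 3. Tenant-wide transport rules that copy or redirect mail; compare WhenChanged with the
#    incident window and with the admin audit log entry that created the rule.
Get-TransportRule |
    Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo } |
    Select-Object Name, State, RedirectMessageTo, BlindCopyTo, CopyTo, WhenChanged

# 4. Explicit (non-inherited) Full Access delegations granted to other accounts.
foreach ($mbx in $mailboxes) {
    Get-MailboxPermission -Identity $mbx.UserPrincipalName |
        Where-Object {
            -not $_.IsInherited -and
            $_.User -notlike 'NT AUTHORITY\*' -and
            $_.AccessRights -contains 'FullAccess'
        } |
        Select-Object @{n='Mailbox';e={$mbx.UserPrincipalName}}, User, AccessRights
}

# 5. Accounts allowed to open a remote PowerShell session to Exchange Online. Every entry
#    that is not an Exchange Administrator is a candidate for disabling.
Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled } |
    Select-Object Name, UserPrincipalName, RecipientType
# Remediation per account (Exchange Administrator required):
# Set-User -Identity <upn> -RemotePowerShellEnabled $false
```

Run the forwarding checks before revoking credentials, not after: once the attacker notices the password reset they will often delete their own rules, and the rule inventory is part of the evidence of what was exfiltrated. The `RemotePowerShellEnabled` flag is also what an attacker relies on to run these same cmdlets against a compromised non-admin mailbox, which is why the guidance ties it to Exchange Administrators only.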