Welcome Kit - Azure Stack HCI - Management - Draft
Welcome to the “Azure Stack HCI - Security Welcome Kit.” This comprehensive guide is designed to provide you with essential insights into the areas of focus and consideration when managing your Azure Stack HCI Security. As part of your preparation before engaging with Microsoft engineers, this resource aims to demystify these technologies, offering clear explanations and answers to frequently asked questions. Whether you’re new to these concepts or seeking to deepen your understanding, this Welcome Kit is your stepping stone to navigating the world of modern cloud-native solutions.
Through the use of the Core edition of the operating system and the removal of a large number of roles and features which would not be needed on the operating system of a hypervisor, Azure Stack HCI has a much reduced attack surface. Additionally, there are over 200 security settings which are implemented immediately as part of the installation.
The Security baseline settings for Azure Stack HCI (preview) are part of the supplemental pack which can be used for the deployment, and this will then introduce and maintain:
- A security baseline
- Secured-core enablement
To help maintain this baseline it is recommended to create a new OU in which each of the computer objects will be placed, and also to block GPO inheritance on that OU to stop any conflicts between existing policies and the security baseline.
The security baseline is a list of settings which are held in a template and applied to each of the nodes. Any changes to the baseline settings which support drift control should only be made with the PowerShell module, as drift is checked every 90 minutes and any settings that differ will be reverted back to the baseline. There are some settings which can be applied during deployment of the cluster; if they are modified post deployment then a reboot may be required.
Secured-core is a set of security capabilities which are built into the hardware, firmware, drivers and operating system, protecting the system both during boot and while the operating system is running. The security features which are available are listed below, but as they are dependent on the hardware not all of them may be available:
- Hypervisor Enforced Code Integrity (HVCI)
- Boot DMA Protection
- System Guard
- Secure Boot
- Virtualisation-based Security (VBS)
- Trusted Platform Module 2.0 (TPM 2.0)
The protection of your data is key, and this needs to be considered not only in transit but also at rest. While the data is in transit, SMB Encryption can be enabled to protect it. There is an overhead to enabling this, as the traffic needs to be encrypted and then decrypted as it is sent over the network. By default the traffic is sent as plain text, with the option to enable signing or encryption. At rest, BitLocker for Storage Spaces can be enabled on particular volumes; as with SMB Encryption there is an overhead, and the amount of overhead is proportional to the throughput occurring on the storage.
The encryption of the management traffic can also be key. By default all cluster traffic is signed, but if this traffic leaves the confines of the rack, or even the location, then there is the option to encrypt the traffic.
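Added example (not code from the Welcome Kit or from Microsoft): a read-only PowerShell audit that checks one node for the Secured-core features listed above and for the SMB, cluster-traffic and BitLocker settings described in the last two paragraphs. It assumes the standard Windows cmdlets (Get-SmbServerConfiguration, Get-SmbShare, Get-Cluster, Get-BitLockerVolume, Confirm-SecureBootUEFI) and the Win32_DeviceGuard and Win32_Tpm CIM classes are available on the node, and that the value encodings given in the comments are the documented ones for those classes.

```powershell
# Added example (not from the Welcome Kit or Microsoft): read-only audit of one node.
# Run in an elevated PowerShell session on the node; nothing is changed.
$checks = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# --- Secured-core: VBS, HVCI, System Guard (Win32_DeviceGuard CIM class) ---
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
Add-Check 'VBS running' ($dg.VirtualizationBasedSecurityStatus -eq 2) "Status=$($dg.VirtualizationBasedSecurityStatus)"
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch
$running = @($dg.SecurityServicesRunning)
Add-Check 'HVCI running' ($running -contains 2) "Running=$($running -join ',')"
Add-Check 'System Guard Secure Launch running' ($running -contains 3) "Running=$($running -join ',')"

# --- Secured-core: Secure Boot and TPM 2.0 ---
$secureBoot = $false
try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on non-UEFI firmware
Add-Check 'Secure Boot enabled' $secureBoot ''
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
# SpecVersion reads like "2.0, 0, 1.38" on a TPM 2.0 part
Add-Check 'TPM 2.0 present' ($null -ne $tpm -and $tpm.SpecVersion -like '2.0*') "SpecVersion=$($tpm.SpecVersion)"

# --- Data in transit: SMB signing/encryption (default is plain text) and cluster traffic ---
$smb = Get-SmbServerConfiguration
Add-Check 'SMB signing required' $smb.RequireSecuritySignature "RequireSecuritySignature=$($smb.RequireSecuritySignature)"
Add-Check 'SMB encryption (server-wide)' $smb.EncryptData "EncryptData=$($smb.EncryptData)"
$plainShares = @(Get-SmbShare | Where-Object { -not $_.EncryptData -and -not $_.Special }).Name
Add-Check 'All non-admin SMB shares encrypted' ($plainShares.Count -eq 0) "Unencrypted: $($plainShares -join ',')"
# Cluster SecurityLevel: 0 = clear text, 1 = signed (the default), 2 = encrypted
$cluster = Get-Cluster -ErrorAction SilentlyContinue
Add-Check 'Cluster traffic encrypted' ($null -ne $cluster -and $cluster.SecurityLevel -eq 2) "SecurityLevel=$($cluster.SecurityLevel)"

# --- Data at rest: BitLocker on data volumes ---
$unprotected = @(Get-BitLockerVolume -ErrorAction SilentlyContinue |
    Where-Object { $_.VolumeType -eq 'Data' -and $_.ProtectionStatus -ne 'On' })
Add-Check 'BitLocker on all data volumes' ($unprotected.Count -eq 0) "Off: $($unprotected.MountPoint -join ',')"

$checks | Format-Table -AutoSize
```

A failed check is a prompt to review the setting against the baseline, not a fault in itself: some features depend on the hardware, and encryption carries the throughput overhead described above.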
Protecting the accounts which are used to access and manage Azure Stack HCI is also important; these include both the local Active Directory accounts and the Azure Active Directory accounts. Some considerations for ways to protect these are:
- Local Administrator Password Solution (LAPS) - allows for the automatic rotation of local account passwords, which are then stored securely within Active Directory
- Microsoft Advanced Threat Analytics (ATA) - an on-premises solution to help identify any attempts to compromise on-premises accounts
- Windows Defender Remote Credential Guard - allows Kerberos authentication to complete on the device initiating the connection to another (remote) device, meaning the credentials are never exposed to the remote device in case it has been compromised
- Microsoft Defender for Identity - a cloud solution to help identify any attempts to compromise cloud accounts
None of these solutions is exclusive to Azure Stack HCI, and they can be leveraged across the whole organization.
Have tightly controlled RBAC permissions and ensure the rule of least privilege is followed. In certain circumstances, if Privileged Identity Management is enabled, then these accounts may not be able to be used for certain parts of deployment and management. In these cases, check within the documentation to see if a service principal can be used as an alternative.
In some organizations CredSSP is blocked due to potential security issues. If using Windows Admin Center for the management of the cluster, then it is required that CredSSP is enabled for communication.