Tuesday, March 21, 2017

Get hands-on with Operations Management Suite Security and Compliance

Objective

After completing this lab, you will have:
  • Deployed a sample infrastructure environment using a Marketplace Template
  • Deployed a sample SQL Database
  • Explored Azure Security Center
  • Enabled Endpoint Protection on Virtual Machines
  • Enabled Auditing and Threat detection on the SQL Database Server
  • Enabled Transparent Data Encryption (TDE)

Scenario

In this lab, you will use Azure Security Center to identify recommendations and configure additional security measures against resources configured in your Azure Subscription.

Time estimate:  60-75 minutes

Virtual Machines

  1. Windows 10

Exercise 1 : Set up your Azure Account

In this exercise you will:
  • Set up your Azure Account

Scenario:  To perform this lab, you must have an Azure account set up that you can modify.  To set up this account, use the promotional code visible in the Content tab of the lab interface.  This exercise will walk you through the steps for redeeming the code.

Note:  If you already have an Azure subscription (MSDN/Internal) that you can use for this hands-on lab, you can skip this exercise.

  1. Obtain Microsoft Account
    You will need a Microsoft account (@outlook.com or @live.com, etc).  This account must NOT have an Azure subscription associated with it.  If you do not have an appropriate Microsoft account, please acquire one before continuing this lab. You can obtain an account from the following site:  http://www.microsoft.com/en-us/account.
  2. Open Site (Azure Pass)
    Open the Edge or IE browser, and navigate to http://microsoftazurepass.com.
  3. Submit Promo Code
    Choose from the country drop-down “United States”.  Enter the promotional code (given to you in the lab Content tab) in the Promo Code field.  Click on the Submit button.
  4. Complete Account Request
    Click on the Sign in button to enter your MSA account (@outlook.com/@live.com etc.)  Follow any additional instructions to complete the process.
Congratulations!

You have successfully:
  • Set up your Azure Account

Click Continue to advance to the next exercise.

Exercise 2 : Deploy a Sample Infrastructure Environment Using a Marketplace Template

In this exercise you will:
  • Deploy a sample infrastructure environment using a Marketplace template

Scenario:  In this exercise, you will deploy a lab environment based on an already existing Azure Marketplace template for SharePoint 2013 non-HA farm. You will also deploy an additional Windows Server 2012 R2 Virtual Machine via the portal.

You can now easily deploy a two or three-tier SharePoint Server 2013 farm in Azure. This is designed to help you quickly create an Internet-facing SharePoint farm for dev/test, demonstration, or proof-of-concept purposes. The SharePoint 2013 non-HA Farm template deploys a SharePoint Server 2013 two-tier farm topology including Active Directory Domain Services and Microsoft SQL Server with three servers and 10 cores (using default virtual machine sizes). The completed deployment consists of a Windows Server 2012 R2 domain controller, a SQL Server 2014 server, and a SharePoint 2013 server.

Each farm is configured with just a single web application and site collection. The SharePoint service application deployment is left to you to configure.

This will give us the required Virtual Machines and applications we will use throughout this lab.

  1. Open Azure Portal
    Open a Web Browser and browse to the Azure Portal, https://portal.azure.com.
  2. Authenticate
    Authenticate with the account for the Azure Subscription that you configured in Exercise 1.
  3. Create SharePoint Farm
    Click + New, and type SharePoint 2013 in the Marketplace search field. From the list of results, select SharePoint 2013 non-HA Farm.
  4. Select Template
    Select it from the filtered list of Azure templates on the Everything blade.
  5. Launch Deployment Template
    Select the Create button.  This launches the SharePoint 2013 deployment template.
  6. Configure Basic Information
    For the Basics information, enter the information as shown in the Alert window and screenshot.  Then click the OK button to continue to Infrastructure settings.
    SharePoint farm name:   omsdemosp
    Subscription:   Select your subscription
    Resource group:   Create new – OMSDemoRG
    Location:  Location Closest to you
  7. Configure Infrastructure Settings
    In the Infrastructure settings blade, enter the information as shown in the Alert window and screenshot.  Click OK to continue to the next step.
    Username:   demouser
    Password:   demo@pass123
    Confirm password:   demo@pass123
    Storage account name prefix:   omsdemosp[+#]; if necessary, add a number to make it unique
    Storage account type:   Premium-LRS (default)
    Virtual Network name:   spfarmvnet (default)
  8. Configure Active Directory Setting
    In the Active Directory settings blade, enter the information shown in the Alert window and the screenshot.  Click the OK button to continue to the SQL Server settings.
    Forest root domain name:   omsdemosp.com
    Virtual machine size:   1x Standard DS2 (default)
  9. Configure SQL Server Settings
    In the SQL Server settings blade, enter the information as shown in the Alert window and screenshot.  Click the OK button to go to the next step.
    Virtual machine size:   1x Standard DS3 (default)
    Service account password:   demo@pass123
    Confirm password:   demo@pass123
  10. Configure SharePoint Server Settings
    In the SharePoint Server settings blade, enter the information as shown in the Alert window and screenshot.  Click the OK button to continue to the validation and the Summary blade.
    Public IP address:   (new) ip01 (default)
    DNS label:   omsdemo0101 (must be unique) – look for green checkmark
    Virtual machine size:   1x Standard DS3 (default)
    Setup user account password:   demo@pass123
    Confirm password:   demo@pass123
    Server farm account password:   demo@pass123
    Confirm password:   demo@pass123
    Server farm passphrase:   demo@pass123
    Confirm passphrase:   demo@pass123
    Content site template:   Team Site (default)

    NOTE:  For ease of deployment in our lab environment, we are choosing the same password for all the entries. Were this an actual production environment, you would follow password best practices and use a different, secure password for each of the password options.
  11. Confirm Validation
    On the Summary blade, make sure the validation passes, then click the OK button to continue.
  12. Purchase
    In the Buy blade, confirm the deployment by clicking the Purchase button.
  13. View Deployment Progress
    Your deployment will start, and depending on your selection, a tile will be pinned to the Azure portal dashboard, showing you the progress of the deployment.  Select this tile to get a more detailed view of the deployment process.
    NOTE:   This deployment should take about 30-45 minutes to complete. You can continue with Exercise 3 in the meantime. Wait for the on-screen confirmation that the deployment has completed successfully before moving on to Exercise 4.
Congratulations!

You have successfully:
  • Deployed a sample infrastructure environment using a Marketplace template

Click Continue to advance to the next exercise.

Exercise 3 : Deploy a Sample SQL Database

In this exercise you will:
  • Deploy a sample SQL database

Scenario:  In this exercise you will provision a new SQL Database and Server that will be used in a later exercise with Azure Security Center. 

  1. Create New SQL Database
    Click New -> Databases -> SQL Database.
  2. Configure Database
    1. Specify SQLDBLAB for the Database name.
    2. Specify SQLDBLABRG for the new resource group name.  
    3. Change the Pricing tier to S0 Standard
    4. Click the Server tile.
  3. Create Server
    Click Create a new server.
  4. Specify SQL Properties
    Specify the properties as shown in the Alert window and screenshot.  Click Select and then click Create to provision the SQL Database.
    1. Specify a unique server name
    2. Ensure the green checkmark appears to tell you that the name is unique.
    3. Specify a user name such as demouser
    4. Specify a complex password
    5. Confirm the password
    6. Select an Azure region near you
Congratulations!

You have successfully:
  • Deployed a sample SQL database

Click Continue to advance to the next exercise.

Exercise 4 : Explore Azure Security Center

In this exercise you will:
  • Explore Azure Security Center

Scenario:  In this exercise you will enable Azure Security Center and learn more about its capabilities for monitoring and recommendations.

  1. Open Azure Security Center
    Open Azure Security Center by clicking the More Services link in the Azure portal.
    Before continuing, ensure that the deployment from Exercise 2 has completed.
  2. Select Security Center
    Click Security Center.
  3. Open Quickstart
    Once Security Center opens click the Quickstart link on the left.
  4. Review Quickstart Panel
    Review the Quick Start panel to learn more about getting started with Azure Security Center.
  5. View Security Policy
    View the default Security policy by clicking the Security policy tile.
  6. View Subscription Level Information
    Click the name of the subscription to view what information is being collected at the subscription level.
  7. View Prevention Policy
    The Azure Security Center policy can be changed by clicking the Prevention policy tile.   Click the Prevention policy tile to view the types of recommendations Security Center will provide.  Ensure that Data Collection is set to On.
  8. View Email Notifications
    Security Center can also provide email alerts when a threat or anomalous behavior is detected.  You can configure the email by clicking the Email notifications tile.
  9. View Pricing Tier Information
    Click the Pricing tier tile to view the available options.
  10. Learn More
    Click the Learn more link to view the additional features the Standard pricing tier provides.   Select the Standard – Free Trial and click Select.
  11. Save Settings
    Click Save and close the blade.
  12. View Resource Groups
    Click the arrow by the subscription to see the individual resource groups. Each resource group by default will inherit the policy settings from the subscription but can also be customized individually.
  13. View PREVENTION and DETECTION Tiles
    Note that the PREVENTION and DETECTION tiles allow quick access to recommendations from Security Center as well as Security alerts that Security Center has detected.
Congratulations!

You have successfully:
  • Explored Azure Security Center

Click Continue to advance to the next exercise.

Exercise 5 : Enable Endpoint Protection on Virtual Machines

In this exercise you will:
  • Enable Endpoint Protection on virtual machines

Scenario:  In this exercise you will configure endpoint protection on the previously deployed virtual machines to protect them from malware.

  1. View Overview
    Click the Overview link under the GENERAL section.
  2. View Recommendations
    Click the Recommendations tile.
  3. Install Endpoint Protection
    Note that there are several recommendations from Azure Security Center.  To resolve the first one, click Install Endpoint Protection.
    If you do not see the recommendation, wait awhile and try again.
  4. Install on 3 VMs
    Click the button Install on 3 VMs at the top to install Endpoint Protection on the virtual machines.
  5. Install Microsoft Antimalware
    Click Microsoft Antimalware to install on the virtual machines.  Note that you can also choose to install Deep Security Agent by TrendMicro.
  6. Complete Installations
    Click Create and then click OK.  Close the Install Endpoint Protection blade.
Congratulations!

You have successfully:
  • Enabled Endpoint Protection on virtual machines

Click Continue to advance to the next exercise.

Exercise 6 : Enable Auditing and Threat Detection on the SQL Database Server

In this exercise you will:
  • Enable Auditing and Threat detection on the SQL Database Server

Scenario:  In this exercise you will configure auditing on your SQL Database server to ensure actions against the SQL Database or threats detected are logged into Azure storage for later analysis. Note that enabling Auditing on the SQL Database Server will apply it to the SQL Database as well.

  1. Enable Auditing on SQL Servers
    Click Enable Auditing on SQL Servers.
  2. Select SQL Database Server
    Click the SQL Database Server name.
  3. Configure Auditing on the SQL Database Server
    Configure Auditing on the SQL Database Server, as shown in the screenshot:  Enable Auditing, Enable Threat detection.  Click Storage Details to configure a storage account to log audit data to.
  4. Create Storage Account
    Click the Create new link, and specify a unique name for the storage account (use all lower case letters).  Ensure the green checkmark appears to show the name is valid.  Click OK to configure.
  5. Configure Retention Period
    Change the retention period to 180 days, and click OK to complete the configuration.
  6. Save Settings
    Click Save to save the new settings.
Congratulations!

You have successfully:
  • Enabled Auditing and Threat detection on the SQL Database Server

Click Continue to advance to the next exercise.

Exercise 7 : Enable Transparent Data Encryption (TDE)

In this exercise you will:
  • Enable Transparent Data Encryption (TDE)

Scenario:  In this exercise you will configure Transparent Data Encryption (TDE) on the SQL Database. TDE adds encryption to the database without changing connectivity settings on the application(s) using the database.

  1. Filter Recommendations
    To make it simpler to identify open issues, click the Filter link at the top of the page.
  2. Filter Open Issues
    Uncheck the Resolved status so that only open issues show in the view.
  3. Enable Transparent Data Encryption
    Click the Enable Transparent Data Encryption link.
  4. Select SQL Database
    Click the name of the SQL Database.
  5. Finalize Configuration
    Read the capabilities of Transparent data encryption and then click the ON button to enable the feature.  Click Save to finalize the configuration.
  6. Clean Up Azure Account
    If you intend to use your trial Azure account for other labs or testing, it is advisable to delete the Azure resources created during this lab.
Congratulations!

You have successfully:
  • Enabled Transparent Data Encryption (TDE)

In this lab, you used Azure Security Center to resolve several high priority issues detected in existing virtual machine deployments as well as SQL Database and you explored several other capabilities of the Azure Security Center service.
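
To confirm from a script that the settings made in Exercises 6 and 7 actually took effect, the following added example (not part of the original lab) reads them back with the current Az.Sql PowerShell module. It assumes you have already run Connect-AzAccount; Test-LabSqlHardening is a hypothetical helper name, the server name is the unique one you chose in Exercise 3, and the threat detection setting is not checked here.

```powershell
# Added example: read back the auditing and TDE settings from Exercises 6 and 7.
# Requires the Az.Sql module and an authenticated session (Connect-AzAccount).
function Test-LabSqlHardening {
    param(
        [Parameter(Mandatory)] [string] $ServerName,    # unique server name from Exercise 3
        [string] $ResourceGroupName = 'SQLDBLABRG',     # resource group from Exercise 3
        [string] $DatabaseName      = 'SQLDBLAB',       # database from Exercise 3
        [int]    $MinRetentionDays  = 180               # retention set in Exercise 6
    )
    $findings = @()

    # Exercise 6: server-level auditing written to a storage account.
    $audit = Get-AzSqlServerAudit -ResourceGroupName $ResourceGroupName -ServerName $ServerName
    if ("$($audit.BlobStorageTargetState)" -ne 'Enabled') {
        $findings += 'Server auditing to blob storage is not enabled'
    }
    elseif (-not $audit.StorageAccountResourceId) {
        $findings += 'Auditing is enabled but no storage account is configured'
    }
    # A retention value of 0 is treated here as "keep indefinitely", so it passes.
    elseif ($audit.RetentionInDays -ne 0 -and $audit.RetentionInDays -lt $MinRetentionDays) {
        $findings += "Audit retention is $($audit.RetentionInDays) days, expected at least $MinRetentionDays"
    }

    # Exercise 7: Transparent Data Encryption on the database itself.
    $tde = Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $ResourceGroupName `
               -ServerName $ServerName -DatabaseName $DatabaseName
    if ("$($tde.State)" -ne 'Enabled') {
        $findings += "TDE state on $DatabaseName is '$($tde.State)', expected 'Enabled'"
    }

    # One object per server/database pair so results can be collected or exported.
    [pscustomobject]@{
        Server    = $ServerName
        Database  = $DatabaseName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Usage (placeholder server name):
#   Test-LabSqlHardening -ServerName '<your-sql-server-name>'
```

Run it before the clean-up in step 6 of Exercise 7; once the resource groups are deleted, the cmdlets return errors instead of settings.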

Click Continue to close and finalize this lab.
