Windows Hardening in the cloud with Azure Automation

In a previous blogpost, we discussed the OS hardening baselines for Windows Server 2016 written in PowerShell DSC, which we made publicly available on the NVISO GitHub page. Using this, you can define your own hardening baseline to use within your own environment. Once a baseline is defined, we want to apply it to the entire Windows server environment but doing this manually to each systems requires a large effort. To minimize the effort required for applying the baseline and maintaining compliance, you should use a configuration management solution such as Azure Automation.

Azure Automation is a cloud service for automating administration or configuration tasks using PowerShell across your on-premise or Azure environment. It is a cloud-native configuration management solution providing scalability without requiring virtual network access to virtual machines.

The biggest advantage of using Azure Automation is that it uses the Azure backbone network to push configurations. This eliminates the need to provide direct network access within your virtual network as would be required for other configuration management tools such as Ansible.

In this blog post, we want to show you how to apply a hardening baseline to your Windows virtual machines in Azure with Azure Automation.

Step 1: Setup Azure Automation

First, we need to create an Automation Account in the Azure Portal:

  1. Click the Create a resource button
  2. Search for automation and click create
  3. Fill in the Name, select the resource group and location and click create

When creating an Automation Account, an Azure Run As account is also created. This is the identity under which all tasks will run. It is an Azure Active Directory App Registration (service principle) which by default is granted contributor role on your subscription. By using the principle of least privileges, these permissions should be limited to specific resource groups.

Before we can start importing hardening baselines, we will first need to import the PowerShell modules used in the PowerShell DSC. Azure Automation has only a limited number of PowerShell modules imported by default. If you want to use additional modules in your PowerShell runbooks or DSC configuration, they will need to be imported. To add module, open the modules blade in the Automation Account and click Browse gallery:

In the gallery, search for following PowerShell DSC modules that are used in our hardening baselines:

For each of these modules, click on import and then on OK:

Importing these modules can take some time, make sure it is completed before compiling the configurations.

Step 2: Import PowerShell DSC Baselines

Now that we have setup our Automation Account, we created a custom hardening baseline based on PowerShell DSC OS hardening baselines that can be found on the project hosted on our NVISO GitHub:

https://github.com/NVISO-BE/posh-dsc-windowsserver-hardening

When defining a hardening baseline for your organization, review each setting and assess and test the impact on your systems and applications.

To import the configuration, open the State configuration (DSC) blade in the Automation Account. Click on Configurations and then on Add:

Select the .ps1 file and click on OK:

Before PowerShell DSC code can be applied, it needs to be compiled into a .mof file. When the PowerShell DSC configuration file has been imported, open it and click on compile:

If the configuration has been compiled successfully, it is ready to be applied.

Step 3: Apply Baselines To Virtual Machines

To apply the hardening baseline to a Windows Server 2016 virtual machine in Azure, open the State configuration (DSC) blade in Azure Automation. In the Nodes tab, click on Add:

Select the virtual machine, click on connect:

Select the Node configuration name we compiled and click on OK:

The Microsoft.Powershell.DSC vm extension will be installed on the virtual machine and the PowerShell DSC hardening baseline will be applied. If it was successful the status in the state configuration dashboard will say compliant:


In this blogpost we showed you how to manually apply a PowerShell DSC hardening baseline to a virtual machine in Azure with Azure Automation. Stay tuned for a next blog post where we will automate this entire process with event-based automation whenever a virtual machine is deployed in Azure!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s