Azure Stack HCI gets extra protection with 'long-requested feature'
Kerberos support in WAC and a host of other goodies also added
Microsoft upgraded its Windows Admin Center, with a focus on protecting the vendor's Azure Stack hyperconverged infrastructure (HCI) service from outside threats.
The latest features include default admin policies to push back against lateral network attacks, network segmentation, and support for managing clusters that include the Kerberos network authentication protocol.
Azure Stack HCI clusters host both virtualized Windows and Linux workloads, plus storage, in a hybrid cloud environment that includes on-premises infrastructure and Azure cloud services. Microsoft introduced Azure Stack in 2017 as its response to the rise of hyperconverged infrastructure. It has since evolved to become Redmond's hybrid cloud contender and competes with efforts from Amazon Web Services (Outposts) and Google Cloud (Anthos, now part of the Google Distributed Cloud portfolio).
Hybrid clouds are becoming a dominant IT architecture, but as data management software maker Actian noted last year: "Hybrid cloud security architectures still have the security risks related to a public cloud; however, hybrid cloud risks are higher simply because there are more clouds to protect."
Securing networks against outside threats is therefore critical in hybrid clouds, because their larger attack surfaces represent a target criminals know could expose many resources.
The new default network policies for Azure Stack HCI in WAC v2211 were among the most requested features from users, Kyle Bisnett, senior product manager at Microsoft, wrote in a blog post this week. Microsoft released the latest version of WAC in December.
"We are bringing Azure parity to our existing NSG (network security groups) on Azure Stack HCI," Bisnett wrote. "Default Network Policies are automatically enabled as an available feature once your environment is upgraded to [Azure Stack HCI] 22H2."
Users can reduce lateral attacks – where miscreants will move through the network after the initial access into the system – now that the default policies include options such as "open some ports", "use existing NSG" or "no protection." The first option enables users to select certain inbound ports and full outbound access from a virtual machine (VM).
They also can use the NSG that they already have in place or choose no protection, which exposes all the VM ports to networks.
In addition, Microsoft is offering user-defined security tags for micro-segmentation of networks. Micro-segmentation carves up networks into smaller logical networks to improve isolation and performance.
In a blog post in October previewing the tag-based segmentation, Anirban Paul, principal program manager lead at Microsoft, said that the granular segmentation already offered in Azure Stack HCI gave broad protection against threats but created management headaches at scale, because network admins had to know the network ranges of all their software and services.
Now users can use the custom tags to classify VMs and then apply NSGs based on the tags, which will restrict communication between the VMs and external and internal sources.
"Gone are the days of remembering and retyping the IP ranges for your production machines and management machines," Bisnett wrote. "Simple, self-explanatory labels can be used instead."
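To make the two mechanisms described above concrete, here is a small Python model, added for this article and not code from Microsoft, WAC, or the Azure Stack HCI SDN stack. It models the three default-policy modes ("no protection", "open some ports" with full outbound, "use existing NSG") and a tag-based rule set in which VMs carry labels such as "management" and "production" and rules reference those labels rather than IP ranges. The VM names, addresses, tags, port numbers, and the first-match-by-priority with implicit-deny semantics are constructed assumptions for illustration only, not Azure's actual rule evaluation.

```python
"""Toy model of default network policies and tag-based micro-segmentation.

Constructed example: the names, tags, addresses and evaluation order below are
assumptions for illustration, not the Azure Stack HCI implementation.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class VM:
    name: str
    ip: str                  # kept only to show that rules do not depend on it
    tags: frozenset          # user-defined security tags, e.g. {"production"}


@dataclass(frozen=True)
class Rule:
    priority: int            # lower value is evaluated first (Azure NSG convention)
    action: str              # "allow" or "deny"
    src_tag: Optional[str]   # None is a wildcard (any source, including external)
    dst_tag: Optional[str]   # None is a wildcard (any destination)
    port: Optional[int]      # None is a wildcard (any destination port)


def tag_matches(tag: Optional[str], vm: Optional[VM]) -> bool:
    """A None tag matches anything; otherwise the VM must carry the tag."""
    return tag is None or (vm is not None and tag in vm.tags)


def evaluate_rules(rules: Sequence[Rule], src: Optional[VM], dst: Optional[VM],
                   port: int) -> bool:
    """First matching rule by priority decides; no match is an implicit deny
    (assumed here to mirror an NSG's trailing deny-all rule)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (tag_matches(rule.src_tag, src)
                and tag_matches(rule.dst_tag, dst)
                and (rule.port is None or rule.port == port)):
            return rule.action == "allow"
    return False


def inbound_allowed(mode: str, dst: VM, port: int, src: Optional[VM] = None,
                    open_ports: Sequence[int] = (), rules: Sequence[Rule] = ()) -> bool:
    """Decide whether traffic to `dst` on `port` is admitted under a policy mode."""
    if mode == "no_protection":          # every VM port exposed to the network
        return True
    if mode == "open_some_ports":        # only the selected inbound ports
        return port in open_ports
    if mode == "existing_nsg":           # tag-based rules the admin already has
        return evaluate_rules(rules, src, dst, port)
    raise ValueError(f"unknown policy mode {mode!r}")


def outbound_allowed(mode: str, src: VM, port: int, dst: Optional[VM] = None,
                     rules: Sequence[Rule] = ()) -> bool:
    """'No protection' and 'open some ports' both leave outbound fully open."""
    if mode in ("no_protection", "open_some_ports"):
        return True
    if mode == "existing_nsg":
        return evaluate_rules(rules, src, dst, port)
    raise ValueError(f"unknown policy mode {mode!r}")


# Constructed sample inventory and rule set (hypothetical values).
MGMT = VM("mgmt-01", "10.0.1.10", frozenset({"management"}))
PROD = VM("web-01", "10.0.2.20", frozenset({"production"}))
RULES = (
    Rule(100, "allow", "management", "production", 3389),  # RDP from mgmt only
    Rule(200, "deny", None, "production", None),           # everything else to prod
)


def demo() -> dict:
    """Run the scenarios the article describes and return the decisions."""
    moved_mgmt = VM(MGMT.name, "192.168.50.5", MGMT.tags)  # re-addressed, same tag
    return {
        "no_protection_rdp": inbound_allowed("no_protection", PROD, 3389),
        "open_443_only_https": inbound_allowed("open_some_ports", PROD, 443, open_ports=(443,)),
        "open_443_only_rdp": inbound_allowed("open_some_ports", PROD, 3389, open_ports=(443,)),
        "nsg_mgmt_rdp": inbound_allowed("existing_nsg", PROD, 3389, src=MGMT, rules=RULES),
        "nsg_mgmt_ssh": inbound_allowed("existing_nsg", PROD, 22, src=MGMT, rules=RULES),
        "nsg_external_rdp": inbound_allowed("existing_nsg", PROD, 3389, src=None, rules=RULES),
        "nsg_moved_mgmt_rdp": inbound_allowed("existing_nsg", PROD, 3389, src=moved_mgmt, rules=RULES),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:22s} -> {'allow' if allowed else 'deny'}")
```

The last scenario is the point of the tag approach: the management VM changes address, the rule set is untouched, and the decision is unchanged because the rule is keyed on the label, not the IP range.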
With the Kerberos support in WAC, Microsoft is aiming to boost security in clusters when users are accessing and updating SDN resources. They can deploy network controllers, load balancers, and gateways and then deploy Kerberos on the controller for another layer of network authentication without affecting VM management or SDN features.
Microsoft is also adding a location setting and an option to upload to Azure blob storage to its NSG audit logging. Bisnett noted that the blob upload feature enables network admins to better comply with regulatory logging requirements. ®