service and admin accounts for cloud servers

We are migrating a number of servers to the cloud with Azure. As part of this we want to ensure the 3rd party helping with the migration adheres to best practices specific to service/local accounts on the servers being migrated. Are there any specifics around security/configuration of local/service accounts for new cloud-based Windows servers, aside from the obvious things like complex passwords?
pma111 asked:
btan, Exec Consultant, commented:
I see it mainly as verify, review and monitoring to be provisioned regardless of the type of account - that has to be policy driven for clear accountability. Just some considerations below:

a) No remote administration without end-to-end encryption, e.g. VPN/IPsec. Make sure data (login credentials) in transit is protected for confidentiality and integrity.

b) Verify the multi-factor policy is configured and known (and not left at default), e.g. lock user account after X consecutive MFA denials, reset account lockout counter after X minutes, and unlock account after X minutes.

c) Enable an audit trail and check the logs do have the account and associated timestamp (UNIX time format minimally) together with activities and resources where applicable. This is more for evidence tracking, to ascertain the claimed action was done and no "backdoor" account was left behind intentionally or unintentionally.

d) Handing over of accounts requires changing to your organisation's known strong passphrase and verifying the recovery process in the event of account lockout, including even for admin accounts.

See an article on Choosing strong Passphrase (not password only)
http://www.experts-exchange.com/articles/18309/Choosing-an-easy-to-remember-strong-password.html

e) Remove all unnecessary testing, redundant and shared accounts for a start once migrated. It is a good time to housekeep as well, to make sure named accounts are migrated for a purpose and specific service need instead - on a "need to" basis rather than a default basis for system accounts, especially those in the Remote Desktop group and Power Users group (aside from the DB and sys admin). E.g. setting role-based access controls (RBAC): Azure role-based access control comes with different built-in roles, "owner", "reader" and "contributor", that can be assigned to users, groups and services. It's easier to first create and assign access at the "subscription level" and then make adjustments at the resource levels.

f) Always verify (and not assume) that each Azure (or service) subscription has an account owner and a set of co-admins, authorized through, as an example, Microsoft Accounts (formerly Live IDs), who have full control over the resources in the subscription through the management portal. They can create storage accounts, deploy cloud services, change configurations, and can add or remove co-admins. Try to restrict and limit accounts (especially those requiring or having existing privileged access over the database, storage, network and apps - limit access and usage, avoid self-denial cases due to abuses, and disable or keep as few of such accounts as possible).

https://azure.microsoft.com/en-us/documentation/articles/azure-subscription-service-limits/

For example, your DBA is assigned the "reader" role at the subscription level, and based on his job role (i.e. DBA) and application structure (three-tier application: web, app and DB), you can then assign the "contributor" role at the virtual machine level that is running the database for your application. The same applies to service and local accounts, as long as you are consistent throughout in governing accounts and reviewing them.
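A concrete way to carry out the verify/review items in the answer above on each migrated Windows server, as an added example that is not part of the original thread or of any Microsoft documentation: a PowerShell review script covering the lockout policy (b), the audit trail (c), leftover and privileged local accounts (e), and the accounts that services actually run under. It assumes an elevated session on Windows Server 2016 or later (for the Get-LocalUser/Get-LocalGroupMember cmdlets), an English-locale output from `net accounts`, and the placeholder allow-lists and migration date at the top, which are assumptions to replace with your own values.

```powershell
# Added example (not from the original thread): post-handover review of local and service
# accounts on a migrated Windows server. Run elevated on Windows Server 2016+ (needs the
# Microsoft.PowerShell.LocalAccounts module). Values marked "assumption" are placeholders.

$MigrationStart = Get-Date '2015-09-01'                 # assumption: date the 3rd party got access
$GroupAllowLists = @{                                   # assumption: principals you expect in each group
    'Administrators'       = @('Administrator', 'CONTOSO\ServerAdmins')
    'Remote Desktop Users' = @('CONTOSO\ServerAdmins')
}
$BuiltInServiceAccounts = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
$Findings = New-Object 'System.Collections.Generic.List[string]'

# (e) Local accounts: an enabled account that never logged on, whose password never expires,
#     or whose password was (re)set during the migration window needs an owner or removal.
foreach ($u in Get-LocalUser) {
    if (-not $u.Enabled) { continue }
    if ($u.PasswordNeverExpires) {
        $Findings.Add("Local user '$($u.Name)': password never expires")
    }
    if (-not $u.LastLogon) {
        $Findings.Add("Local user '$($u.Name)': enabled but has never logged on")
    }
    if ($u.PasswordLastSet -and $u.PasswordLastSet -ge $MigrationStart) {
        $Findings.Add("Local user '$($u.Name)': password set $($u.PasswordLastSet) during migration - confirm it was changed at handover (d)")
    }
}

# (e) Privileged local groups against the allow-list. Get-LocalGroupMember reports local
#     principals as 'COMPUTER\name' and domain principals as 'DOMAIN\name'.
$hostPrefix = '^' + [regex]::Escape($env:COMPUTERNAME) + '\\'
foreach ($group in $GroupAllowLists.Keys) {
    $allowed = $GroupAllowLists[$group]
    foreach ($m in Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue) {
        $shortName = $m.Name -replace $hostPrefix, ''
        if (($allowed -notcontains $m.Name) -and ($allowed -notcontains $shortName)) {
            $Findings.Add("Group '$group': unexpected member '$($m.Name)' ($($m.ObjectClass), $($m.PrincipalSource))")
        }
    }
}

# (e) Services running under named accounts (anything but the three built-in identities;
#     virtual accounts such as 'NT SERVICE\...' are listed too, on purpose). Each is a service
#     account that needs an owner, a documented purpose and a rotated passphrase.
#     PowerShell comparison is case-insensitive, so 'NT AUTHORITY\LOCALSERVICE' still matches.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and ($BuiltInServiceAccounts -notcontains $_.StartName) } |
    ForEach-Object {
        $Findings.Add("Service '$($_.Name)': runs as '$($_.StartName)' (StartMode=$($_.StartMode), State=$($_.State))")
    }

# (b) Lockout policy as actually applied on this host, parsed from 'net accounts'.
$lockoutLine = net accounts | Select-String 'Lockout threshold' | Select-Object -First 1
if (-not $lockoutLine -or $lockoutLine.Line -match 'Never') {
    $Findings.Add("Account lockout threshold is 'Never' - no lockout after failed logons")
}

# (c) Audit trail: account and local group changes since the migration started.
#     4720 = user account created, 4724 = password reset attempt, 4726 = user account deleted,
#     4732 = member added to a security-enabled local group. Needs 'Audit User Account
#     Management' and 'Audit Security Group Management' success auditing to be enabled.
try {
    $filter = @{ LogName = 'Security'; Id = 4720, 4724, 4726, 4732; StartTime = $MigrationStart }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        $utc = $_.TimeCreated.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
        $Findings.Add("Security event $($_.Id) at $utc : $(($_.Message -split "`r?`n")[0])")
    }
} catch {
    # Get-WinEvent throws when nothing matches; with auditing expected to be on, that is itself a finding.
    $Findings.Add("No Security events 4720/4724/4726/4732 since $MigrationStart - verify account management auditing is enabled")
}

$Findings
```

Run it once at handover and again after the third party's access has been removed, and diff the two outputs: any local account, group member or service account that appears only in the first run was cleaned up, anything still present in the second run needs a named owner, and an empty audit section means the evidence trail the answer asks for was never switched on.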

Shalom Carmel, CTO, commented:
In the cloud, all of the old security paradigms are as valid as on premise: accounts, passwords, MFA, audit, etc.

However, there is a whole new dimension to take care of, and that is the management of the virtual datacenter through the Azure management console. That is yet another place that needs controls, auditing and careful thought:
* changes to your account
* launching of services
* deletion of assets

You need to turn on the Azure audit logs as explained here:
http://blogs.msdn.com/b/cloud_solution_architect/archive/2015/03/10/audit-logs-for-azure-events.aspx
http://azure.microsoft.com/en-us/updates/audit-logs-in-azure-preview-portal/

and also the AD audit logs if you use it:
http://blogs.msdn.com/b/azuresecurity/archive/2015/06/11/azure-active-directory-audit-logs.aspx
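Turning the audit log on is only useful if someone reads it, so here is an added example, not part of the original thread or of Microsoft's documentation, that pulls the Azure activity (audit) log for the subscription and sorts it into the three buckets listed in the answer above: account/permission changes, launching or changing services, and deletion of assets. It assumes the Az.Accounts and Az.Monitor modules, a prior `Connect-AzAccount` against the subscription under review, and the lookback window and expected-operator list at the top, which are assumptions. The Azure AD audit logs from the third link are a separate log and are not covered here.

```powershell
# Added example (not from the original thread): review the Azure activity (audit) log for the
# control-plane actions that need watching: account/permission changes, creations or starts,
# and deletions. Requires the Az.Accounts and Az.Monitor modules and a prior Connect-AzAccount
# against the subscription under review. Lookback window and operator list are assumptions.

$Lookback          = (Get-Date).AddDays(-7)                                           # assumption
$ExpectedOperators = @('ops.admin@contoso.com', 'migration.vendor@partner.example')   # assumption

# Older AzureRm output wrapped OperationName/Status in a LocalizableString with a .Value;
# current Az output returns plain strings. This helper accepts either shape.
function Get-PlainValue($v) {
    if ($null -eq $v) { return '' }
    if ($v -is [string]) { return $v }
    if ($v.PSObject.Properties['Value']) { return [string]$v.Value }
    return [string]$v
}

# Map a resource-provider operation name to one of the answer's three watch categories.
function Get-OperationCategory([string]$op) {
    switch -Regex ($op) {
        '^Microsoft\.Authorization/(roleAssignments|roleDefinitions|classicAdministrators)/' { return 'account/permission change' }
        '/delete$'                { return 'deletion' }
        '/(write|start/action)$'  { return 'create/start/change' }
        default                   { return 'other' }
    }
}

$Events = Get-AzActivityLog -StartTime $Lookback -EndTime (Get-Date)

$Rows = foreach ($e in $Events) {
    # Every operation logs a Started record and a Succeeded/Failed record; keep the outcome only.
    if ((Get-PlainValue $e.Status) -ne 'Succeeded') { continue }
    $op  = Get-PlainValue $e.OperationName
    $cat = Get-OperationCategory $op
    if ($cat -eq 'other') { continue }
    [pscustomobject]@{
        TimeUtc   = $e.EventTimestamp.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
        Caller    = $e.Caller          # UPN of the user, or the application ID of a service principal
        Category  = $cat
        Operation = $op
        Resource  = $e.ResourceId
    }
}

"=== Sensitive control-plane operations since $Lookback ==="
$Rows | Sort-Object TimeUtc | Format-Table -AutoSize

"=== Same operations, by callers not on the expected operator list ==="
$Rows | Where-Object { $ExpectedOperators -notcontains $_.Caller } |
    Group-Object Caller | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The second table is the one to review at handover: a caller that is not on your list but appears with `account/permission change` rows is exactly the co-admin or role assignment the previous answer says to verify rather than assume. On a busy subscription the activity log cmdlet caps the number of records it returns, so narrow the window to a day or two if the first table looks truncated.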