Because of the craziness of the hacks during this weekend, from May 12 to 15. Where a bunch of Microsoft OSs were hacked and penetrated and pretty much owned by the attackers. A lot of people running PaaS applications in Azure, started to wonder and started to ask me:
- Are we Safe?
- Is this platform protected?
- What if we get hacked?
- What do we do?
It’s many things at the same time:
- In the case of PaaS since the name implies it, it’s a service, and just like the powerline that you receive in your house, the Power Company manages everything all the way to it. You just have to turn on and off the lights and pay the service. Same thing here, Microsoft and any responsible Cloud vendor will patch, update and maintain its platform accordingly to make it as safe as possible. So ourselves as customers can trust and rely on them. What vendor in its safe mind would want it otherwise.
- In the very specific case of Microsoft, given they’re the creators of the OS (Windows Desktop and Windows Server), they would have full control over it. The Azure fabric, is a custom version of Windows server, in the case of Windows Web App, or the Application Service I did some testing and get some findings, pictures below
- What to do? Play defence, do not trust or take for granted anything, me not an expert in security, but there are many resources out that point in the right direction:
Azure App Service Security: https://docs.microsoft.com/en-us/azure/app-service-web/web-sites-security
Secure an app in Azure App Service: https://docs.microsoft.com/en-us/azure/app-service-web/web-sites-security
What’s the OS of a Web App then?
As mentioned before, it’s a customised image of Windows Server that cannot be patched directly by a customer. In a web app, there’s a way to interact with the OS, the way I found to request the version was by selecting the console in the web app, shown below:
This is Windows Server 2012, according to this table here: https://msdn.microsoft.com/en-us/library/windows/desktop/ms724832(v=vs.85).aspx
Can also be verified with Kudu:
The actual Webapp : http://helloworldpictures.azurewebsites.net
As Windows 2012 is a supported OS and the patch was released back in March 2017, and again, this is PaaS, and the vendor, meaning, Microsoft manages it, we will assume the OS is safe.