
Head in the Clouds: Microsoft Azure

Category: Systems (Windows) | Published by 店小二04 | Date: 2018 | Author: 红领巾
IP Address Ranges

Microsoft offers its up-to-date list of IP addresses as an XML document. The document changes constantly and must be downloaded from the Microsoft Download Center:

Download Microsoft Azure Datacenter IP Ranges from Official Microsoft Download Center (www.microsoft.com): "This file contains the Compute IP address ranges (including SQL ranges) used by the Microsoft Azure Datacenters."

The downloaded document will have a name that includes the date it was last updated, e.g. PublicIPs_20180813.xml. The XML is made up of Region nodes that name the region, such as "australiac2," and include the IP address ranges in lines like this one:

<IpRange Subnet="20.36.64.0/19" />

Making Use of the IP Addresses

An up-to-date list of these IP addresses is useful for identifying assets hosted in an Azure environment. Any domain or subdomain that points back to an IP address in the list will lead to an Azure file share or virtual server.

Maintaining an Updated Master List

The collection of these IP addresses has been automated in the following script:

chrismaddalena/UsefulScripts: A collection of useful scripts (github.com)

The script fetches the latest IP address ranges used by each provider and then outputs one list in a CloudIPs.txt file. Each range is on a new line following a header naming the service, e.g. "# Microsoft Azure."
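As an added example (my own code, not the UsefulScripts script itself), the following Python parses the PublicIPs XML shape described above, renders the CloudIPs.txt layout with its "# Microsoft Azure" header, and answers whether a given address falls in a published Azure range, which is the asset-identification check the previous section describes. The root element name, region names and subnets in the embedded sample are constructed, not copied from a real download.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of PublicIPs_YYYYMMDD.xml: Region nodes wrapping IpRange nodes.
# Root element, region names and subnets are illustrative values for this example.
SAMPLE_XML = """<AzurePublicIpAddresses>
  <Region Name="australiac2">
    <IpRange Subnet="20.36.64.0/19" />
    <IpRange Subnet="20.36.112.0/20" />
  </Region>
  <Region Name="europewest">
    <IpRange Subnet="13.69.0.0/17" />
  </Region>
</AzurePublicIpAddresses>
"""

def parse_azure_ranges(xml_text):
    """Return {region_name: [ip_network, ...]} from the PublicIPs XML."""
    root = ET.fromstring(xml_text)
    ranges = {}
    for region in root.iter("Region"):
        name = region.get("Name", "unknown")
        ranges[name] = [ipaddress.ip_network(r.get("Subnet")) for r in region.iter("IpRange")]
    return ranges

def write_master_list(ranges, header="# Microsoft Azure"):
    """Render the CloudIPs.txt layout: one header line, then one CIDR per line."""
    lines = [header]
    for nets in ranges.values():
        lines.extend(str(n) for n in nets)
    return "\n".join(lines) + "\n"

def azure_region_for(ip, ranges):
    """Return the region whose published range contains ip, or None if it is not an Azure address."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ranges.items():
        if any(addr in n for n in nets):
            return name
    return None

if __name__ == "__main__":
    ranges = parse_azure_ranges(SAMPLE_XML)
    print(write_master_list(ranges))
    # A resolved hostname's address can be checked the same way before tagging it as Azure-hosted.
    print(azure_region_for("20.36.70.1", ranges))
```

Feed the real downloaded file to parse_azure_ranges instead of SAMPLE_XML to build an inventory from current data.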

Storage: Azure File Shares

Azure file shares are different from the options offered by Amazon and Google. They can actually be accessed as Windows file shares and created and managed using PowerShell cmdlets. The web address for an Azure resource looks like this:

https://cmaddy.file.core.windows.net/test/foo.bar

The first part is a storage account name (e.g. cmaddy). The part following the windows.net domain is a file share name (e.g. test).

Requesting that address is not enough to retrieve a file or list the contents of a share. A “Shared Access Signature” is required as part of the URI. This is a long signature that must be added to the request before the resource can be retrieved. From Azure’s dashboard:

A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a shared access signature to clients who should not be trusted with your storage account key but whom you wish to delegate access to certain storage account resources. By distributing a shared access signature URI to these clients, you grant them access to a resource for a specified period of time.

A user must configure and then generate an SAS to be used for the request. Users may configure an SAS to allow only certain IP addresses access to the resource, restrict time of day for access, delegate privileges, and even enforce access over HTTPS. This SAS is then added to the end of the web address. If the SAS is valid, the resource is returned.
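To make the SAS options above concrete, here is an added example (my own code, not from the original post or from Microsoft) that audits a SAS URI for the weak settings the paragraph lists: no source IP restriction, HTTP allowed, permissions beyond read, and a long lifetime. The query parameter names (sp, st, se, spr, sip, sig) are the real SAS parameters; both URIs, their values and the signatures are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Two constructed SAS URIs in the shape the Azure portal generates. Parameter names are the
# real SAS query names; every value, including the signature, is a made-up placeholder.
WEAK_SAS = (
    "https://cmaddy.file.core.windows.net/test/foo.bar"
    "?sv=2018-03-28&sp=rwdl&st=2018-08-01T00:00:00Z&se=2028-08-01T00:00:00Z"
    "&spr=https,http&sig=PLACEHOLDER_SIGNATURE"
)
HARDENED_SAS = (
    "https://cmaddy.file.core.windows.net/test/foo.bar"
    "?sv=2018-03-28&sp=r&st=2018-08-13T09:00:00Z&se=2018-08-13T10:00:00Z"
    "&spr=https&sip=203.0.113.10&sig=PLACEHOLDER_SIGNATURE"
)

def _utc(stamp):
    """Parse the ISO-8601 UTC form used by the SAS st/se parameters."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_sas(uri, now, max_lifetime=timedelta(hours=24)):
    """Return a list of findings for a SAS URI; an empty list means no weak setting was found."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}
    if "sig" not in q:
        return ["no sig parameter: this is not a SAS URI"]
    findings = []
    # When spr is omitted both protocols are accepted, so absence is treated like "https,http".
    if "http" in q.get("spr", "https,http").split(","):
        findings.append("plain HTTP accepted (spr)")
    if "sip" not in q:
        findings.append("no source IP restriction (sip)")
    # Permissions beyond read (w=write, d=delete, c=create, l=list) widen what a leaked SAS allows.
    extra = set(q.get("sp", "")) & set("wdcl")
    if extra:
        findings.append("permissions beyond read: " + "".join(sorted(extra)))
    if "se" not in q:
        findings.append("no expiry (se)")
    elif _utc(q["se"]) - now > max_lifetime:
        findings.append("expiry more than %s away (se)" % max_lifetime)
    return findings

if __name__ == "__main__":
    now = _utc("2018-08-13T09:30:00Z")  # fixed clock so the run is reproducible
    for label, uri in (("weak", WEAK_SAS), ("hardened", HARDENED_SAS)):
        print(label, audit_sas(uri, now) or ["ok"])
```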

It is possible to detect if a storage account name exists using a web request, but only so much can be learned. Requesting a non-existent name will return an HTTP 404 response. Requesting a valid name, like the one above, will return:

<Error>
  <Code>InvalidQueryParameterValue</Code>
  <Message>Value for one of the query parameters specified in the request URI is invalid.</Message>
  <QueryParameterName>comp</QueryParameterName>
  <QueryParameterValue/>
  <Reason/>
</Error>

Appending a file share name to the end returns a different XML error response, but it is the same regardless of whether the name corresponds to a file share that exists under the storage account. The response only changes if a valid SAS and a valid file share name are provided.

Computing: Virtual Machines

Azure’s virtual machine offering is simply called Virtual Machines. Microsoft’s documentation for the virtual machine metadata service can be found here:

Azure Instance Metadata Service (docs.microsoft.com): "The Azure Instance Metadata Service provides information about running virtual machine instances that can be used to…"

The metadata service is covered in the main primer article.

Authentication: Azure Users

An Azure account is managed by a root user, which can be used to add additional user accounts and other types of users to the account. Similar to Compute, Azure requires a user account to be named using a verified domain. A domain name can be configured and verified by following the steps outlined here:

Add a custom domain to Azure AD (docs.microsoft.com): "Explains how to add a custom domain in Azure Active Directory."

Azure also allows the root user to create various types of accounts, such as Automation Accounts, that can be used in different ways and do not require a “verified domain.” Azure’s documentation is dense, but the most interesting type of user from a “someone just stole some credentials” point of view may be the Azure Service Principal Name (SPN). Azure’s documentation explains:

If you want to create a separate sign in with access restrictions, you can do so through a service principal. Service principals are separate identities that can be associated with an account. Service principals are useful for working with applications and tasks that must be automated.

SPNs can be created using the Azure command line tool:

# az ad sp create-for-rbac --name TestSPN --password PASSWORD
Retrying role assignment creation: 1/36
{
  "appId": "9fe5ea08-569d-48dd-9b15-6c9b84486ff5",
  "displayName": "TestSPN",
  "name": "http://TestSPN",
  "password": "PASSWORD",
  "tenant": "<TENANT_OBJECT_ID>"
}

Then an SPN can be used to authenticate:

# az login --service-principal -u http://TestSPN -p PASSWORD --tenant <TENANT_OBJECT_ID>
[
  {
    "cloudName": "AzureCloud",
    "id": <OBJECT_ID>,
    "isDefault": true,
    "name": "Free Trial",
    "state": "Enabled",
    "tenantId": <TENANT_OBJECT_ID>,
    "user": {
      "name": "

Source link: https://www.codesec.net/view/597069.html