π Privileged Azure Virtual Machine is accessed by identities without MFA π’
- Contextual name: π Privileged Virtual Machine is accessed by identities without MFA π’
- ID:
/ce/ca/azure/virtual-machine/privileged-virtual-machine-access-mfa-identity-only - Located in: π Azure Virtual Machines
Flagsβ
- π’ Impossible policy
- π’ Policy with categories
- π’ Policy with type
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Descriptionβ
Descriptionβ
Verify identities without MFA that can log in to a privileged virtual machine using separate login credentials. An adversary can leverage the access to move laterally and perform actions with the virtual machine's managed identity. Make sure the virtual machine only has necessary permissions, and revoke the admin-level permissions according to the least privileges principal
Rationaleβ
Integrating multi-factor authentication (MFA) as part of the organizational policy can greatly reduce the risk of an identity gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.
An Adversary may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized to move laterally and perform actions with the virtual machine's managed identity. The adversary may then perform management actions or access cloud-hosted resources as the logged-on managed identity.
... see more
Remediationβ
Remediationβ
From Azure Portalβ
Log in to the Azure portal.
This can be remediated by enabling MFA for user, Removing user access or Reducing access of managed identities attached to virtual machines.
- Case I : Enable MFA for users having access on virtual machines.
- Navigate to
Azure ADfrom the left pane and selectUsersfrom the Manage section.- Click on
Per-User MFAfrom the top menu options and select each user withMULTI-FACTOR AUTH STATUSasDisabledand can login to virtual machines:
- From
quick stepson the right side selectenable.- Click on
enable multi-factor authand share the link with the user to setup MFA as required.- Case II : Removing user access on a virtual machine.
- Select the
Subscription, then click onAccess control (IAM).- Select
Role assignmentsand search forVirtual Machine Administrator LoginorVirtual Machine User Loginor any role that provides access to log into virtual machines.- Click on
Role Name, SelectAssignments, and remove identities with no MFA configured.... see more
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS Azure v2.1.0 β πΌ 7.8 Ensure only MFA enabled identities can access privileged Virtual Machine - Level 2 (Automated) | 1 | |||
| πΌ CIS Azure v3.0.0 β πΌ 8.10 Ensure only MFA enabled identities can access privileged Virtual Machine (Manual) | 1 | |||
| πΌ Cloudaware Framework β πΌ Multi-Factor Authentication (MFA) Implementation | 16 |