Eliminate Password-Based Attacks on Azure Linux VMs

Published Apr 15 2021 01:49 PM 5,061 Views
Microsoft

Yanelis Lopez, Security Software Engineer, Cloud & AI Security Green Team

 

A common tactic we observe used by adversaries against customers running Linux Virtual Machines (VMs) in Azure is password-based attacks. This article will explain how to help protect Linux VMs in Azure from these types of attacks at every step of the deployment pipeline.

 

Flow chart picturing a password being used on multiple machines and working with one. This is a simplified depiction of a password spray attack.Flow chart picturing a password being used on multiple machines and working with one. This is a simplified depiction of a password spray attack.

 

Many tools exist that are commonly used to brute force user account passwords over SSH, including those used in cases of Linux brute force compromise in Azure. A specific example is password spray attacks, where an attacker uses one or a few passwords against multiple well-known user accounts in an environment. These attacks typically attempt common passwords hoping one or more accounts can be compromised across multiple virtual machines. Attackers limit the number of password guess attempts to avoid account lockout and detection by defenders.


Although mitigating controls such as password complexity, routine password rotations, disallowing common passwords, etc. help, using password-less authentication is the safer approach.


On Linux, authentication via SSH can be password-less, using SSH key-based authentication instead. SSH keys, are non-human generated, inherently unique, and significantly harder to be brute forced or guessed.


Below, we will show you how to use SSH key-based authentication pre-deployment, enforce it during deployment, and detect non-compliance post-deployment.


Pre-Deployment – Secure from the start: Creating Linux virtual machines

In Azure, there are a few methods for creating Linux VMs: via the Azure Portal, Azure CLI, Powershell, or Azure Resource Manager (ARM) Templates. All have the ability (and document how) to deploy a Linux VM with SSH key as a default option for authentication. To update an ARM template that uses password authentication to instead use SSH keys, follow the below steps.


How to transform your ARM template to use SSH key

Replace the admin password parameter with the 'adminSSHKey' parameter

"parameters": {
...
"adminUsername": {
"type": "string",
"metadata": {
"description": "Username for the Virtual Machine."
}
},
"adminPassword": {
"type": "securestring",
"metadata": {
"description": "Admin password on all VMs."
}
},
"adminSSHKey": {
"type": "securestring",
"metadata": {
"description": "SSH Key for the Virtual Machine."
}
}
...
}

Next, add the ‘linuxConfiguration’ property to the variables of the template

"variables": {
...
"linuxConfiguration": {
"disablePasswordAuthentication": true,
"ssh": {
"publicKeys": [
{
"path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]",
"keyData": "[parameters('adminSSHKey')]"
}
]
}
},
...
}

Finally, add the ‘linuxConfiguration’ property to the VM resource in the template. In the ‘osProfile’ property remove the 'adminPassword' property and add the following ‘linuxConfiguration’ property

"properties": {
...
"osProfile": {
...
"adminPassword": "[parameters('adminPassword')]"
"linuxConfiguration": "[variables('linuxConfiguration')]"
}
...
}

Now that the template is updated to use SSH key authentication, generate a SSH key using the following command

ssh-keygen -m PEM -t rsa -b 4096

Check out this documentation for more information about generating SSH keys on Windows.


Pass the public key of the SSH key as the value for the ‘adminSSHKey’ parameter described above. Now all VMs deployed using these transformed ARM templates will be safer from password-based attacks.


You can find many examples of ARM templates that deploy VMs with SSH key-based authentication online. When searching for ARM Template examples for Linux VMs, one of the top results is the Azure Quickstart GitHub Repo. These templates are used as starting points for deployments by many individuals. Almost 200 templates in this 800-template repo, deploy a VM or VMSS and previously had SSH authentication configured as password only, making VMs deployed with these templates vulnerable to password-based attacks. We updated these sample templates to disable password-based authentication by default, adding SSH key as the default option.


At Deployment – SSH key enforcer: Using Azure Policy

As part of Microsoft’s quest to get rid of passwords, we have published an Azure Policy which helps ensure Azure Linux VMs use SSH key authentication instead of passwords. You can deploy this policy to your subscription or management group to prevent creation of Linux VMs with password as the SSH authentication type. As seen below, this policy blocks the deployment if the ‘disablePasswordAuthentication’ property in a VM is not defined or is set to ‘false’ when the VM image publisher and offer are well-known Linux offerings. After deploying this policy, any new deployments which include a Linux VM with password-based authentication fail.

 

"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "anyof": [
          {
            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.disablePasswordAuthentication",
            "exists": "False"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.disablePasswordAuthentication",
            "equals": "false"
          }
        ]
      },
      {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "Microsoft.Compute/imagePublisher",
                "equals": "Canonical"
              },
              {
                "field": "Microsoft.Compute/imageOffer",
                "in": [
                  "UbuntuServer",
                  "Ubuntu_Core"
                ]
              }
            ]
          },
          ...
          {
            "allOf": [
              {
                "field": "Microsoft.Compute/imagePublisher",
                "equals": "RedHat"
              },
              {
                "field": "Microsoft.Compute/imageOffer",
                "in": [
                  "osa",
                  "RHEL",
                  "rhel-byos",
                  "rhel-ocp-marketplace",
                  "RHEL-SAP",
                  "RHEL-SAP-APPS",
                  "RHEL-SAP-HANA"
                ]
              }
            ]
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

 

Post-Deployment – Staying Secure: The Microsoft Defender for Cloud Recommendation

We have discussed solutions for new deployments, but what if you have VMs already deployed which use password-based SSH authentication? A new Microsoft Defender for Cloud recommendation, “Authentication to Linux machines should require SSH keys”, checks for the use of SSH authentication after a VM has been deployed. This recommendation is part of the ASC Secure Score* and follows Azure Security Benchmark best practices. The recommendation is a built-in Guest Configuration policy that monitors changes made to the SSH password authentication setting on the machine itself; if a VM was originally deployed with SSH key-based authentication and later password-based authentication is enabled in the SSH settings, this recommendation will report the VM as non-compliant.


For the recommendation to run, the Guest Configuration extension must be installed. You can follow this documentation for installing the prerequisite Guest Configuration extension. There is also a Defender for Cloud recommendation suggesting downloading the extension that includes a Quick Fix capability named “Guest Configuration extension should be installed on your machines”. It can be found under the “Manage access and permissions” control. Likewise, the Linux SSH policy recommendation can be found under the “Manage access and permissions” control. The figure below shows this Linux SSH policy recommendation:

ASC Linux SSH Recommendation - Screenshot of the recommendation in the Azure Security Center blade in the Azure Portal. You can find the recommendation by searching for "ssh" in the search bar.ASC Linux SSH Recommendation - Screenshot of the recommendation in the Azure Security Center blade in the Azure Portal. You can find the recommendation by searching for "ssh" in the search bar.

 

The policy can also be found in the virtual machine resource under the Policies blade. This can be useful for understanding the Compliance state, Compliance reason, and Last evaluated time. The figure below shows a Non-compliant machine using password authentication:

ASC Linux SSH Policy - Screenshot of the Azure Portal showing the Compliance information for the ASC recommendation. This example shows a VM as non-complaint for this recommendation.ASC Linux SSH Policy - Screenshot of the Azure Portal showing the Compliance information for the ASC recommendation. This example shows a VM as non-complaint for this recommendation.

 

To remediate this recommendation, you must add an SSH key to the non-compliant VM and disable password authentication by following the below steps.

  1. SSH into the existing VM
  2. Copy the SSH public key from your host into ~/.ssh/authorized_keys
  3. Edit /etc/ssh/sshd_config (with sudo) and update the value of "PasswordAuthentication" to "no".
  4. Restart the SSH service on the VM

Azure Active Directory (Azure AD) alternative

An alternative to SSH keys is using Azure Active Directory (Azure AD) authentication. This allows for the use of Azure AD credentials to log in to Azure Linux VMs; this feature is currently in public preview.


Conclusion

Password-based attacks on Azure Linux VMs is an active problem, but solutions are available to help protect against these attacks. We’ve demonstrated how to fix ARM templates to use SSH Key instead of passwords, how to deploy a security gate using Azure Policy which disallows Linux VMs that use passwords, and how to detect and remediate existing VMs that have password authentication enabled. Together, these recommendations provide a solid defense against password-based attacks on Azure Linux VMs. Take action and do all you can to be as secure as possible!

 

Footnotes:

*The policy does not impact the Defender for Cloud Secure Score during public preview. Secure Score will only be impacted when the policy becomes Generally Available (GA).

 

Reviewers

Johnathon Mohr, Security Software Engineer, Cloud & AI Security Green Team

4 Comments
%3CLINGO-SUB%20id%3D%22lingo-sub-2282981%22%20slang%3D%22en-US%22%3ERe%3A%20Eliminate%20Password-Based%20Attacks%20on%20Azure%20Linux%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2282981%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20write%20up!%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2353642%22%20slang%3D%22en-US%22%3ERe%3A%20Eliminate%20Password-Based%20Attacks%20on%20Azure%20Linux%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2353642%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20facing%20an%20issue%20where%20this%20recommendation%20won't%20go%20away.%3C%2FP%3E%3CP%3EI%20have%20confirmed%20that%20the%20file%20%3CSPAN%3E%2Fetc%2Fssh%2Fsshd_config%20in%26nbsp%3B%3C%2FSPAN%3ELinux%20VM%20has%26nbsp%3B%3CSPAN%3Ethe%20%22no%22%20value%20of%20%22PasswordAuthentication%22.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EAnd%20also%20osProfile.linuxConfiguration.disablePasswordAuthentication%20is%20set%20true.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EAny%20suggestion%20on%20how%20to%20resolve%20this%20issue%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2369050%22%20slang%3D%22en-US%22%3ERe%3A%20Eliminate%20Password-Based%20Attacks%20on%20Azure%20Linux%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2369050%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1053599%22%20target%3D%22_blank%22%3E%40eexe1%3C%2FA%3E%26nbsp%3BEexe1's%20issue%20was%20fixed%20by%20updating%20to%20the%20latest%20Guest%20Configuration%20extension.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2271139%22%20slang%3D%22en-US%22%3EEliminate%20Password-Based%20Attacks%20on%20Azure%20Linux%20VMs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2271139%22%20slang%3D%22en-US%22%3E%3CP%3EYanelis%20Lopez%2C%20Security%20Software%20Engineer%2C%20Cloud%20%26amp%3B%20AI%20Security%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fgreenteamblog%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EGreen%20Team%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EA%20common%20tactic%20we%20observe%20used%20by%20adversaries%20against%20customers%20running%20Linux%20Virtual%20Machines%20(VMs)%20in%20Azure%20is%20%3CA%20href%3D%22https%3A%2F%2Fattack.mitre.org%2Ftechniques%2FT1110%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Epassword-based%20attacks%3C%2FA%3E.%20This%20article%20will%20explain%20how%20to%20help%20protect%20Linux%20VMs%20in%20Azure%20from%20these%20types%20of%20attacks%20at%20every%20step%20of%20the%20deployment%20pipeline.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22Flow%20chart%20picturing%20a%20password%20being%20used%20on%20multiple%20machines%20and%20working%20with%20one.%20This%20is%20a%20simplified%20depiction%20of%20a%20password%20spray%20attack.%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F272626i0AA840404CC924AD%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22PasswordSprayDiagram-large.png%22%20alt%3D%22Flow%20chart%20picturing%20a%20password%20being%20used%20on%20multiple%20machines%20and%20working%20with%20one.%20This%20is%20a%20simplified%20depiction%20of%20a%20password%20spray%20attack.%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EFlow%20chart%20picturing%20a%20password%20being%20used%20on%20multiple%20machines%20and%20working%20with%20one.%20This%20is%20a%20simplified%20depiction%20of%20a%20password%20spray%20attack.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMany%20tools%20exist%20that%20are%20commonly%20used%20to%20brute%20force%20user%20account%20passwords%20over%20SSH%2C%20including%20those%20used%20in%20cases%20of%20Linux%20brute%20force%20compromise%20in%20Azure.%20A%20specific%20example%20is%20password%20spray%20attacks%2C%20where%20an%20attacker%20uses%20one%20or%20a%20few%20passwords%20against%20multiple%20well-known%20user%20accounts%20in%20an%20environment.%20These%20attacks%20typically%20attempt%20common%20passwords%20hoping%20one%20or%20more%20accounts%20can%20be%20compromised%20across%20multiple%20virtual%20machines.%20Attackers%20limit%20the%20number%20of%20password%20guess%20attempts%20to%20avoid%20account%20lockout%20and%20detection%20by%20defenders.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EAlthough%20mitigating%20controls%20such%20as%20password%20complexity%2C%20routine%20password%20rotations%2C%20disallowing%20common%20passwords%2C%20etc.%20help%2C%20using%20password-less%20authentication%20is%20the%20safer%20approach.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EOn%20Linux%2C%20authentication%20via%20SSH%20can%20be%20password-less%2C%20using%20SSH%20key-based%20authentication%20instead.%20SSH%20keys%2C%20are%20non-human%20generated%2C%20inherently%20unique%2C%20and%20significantly%20harder%20to%20be%20brute%20forced%20or%20guessed.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EBelow%2C%20we%20will%20show%20you%20how%20to%20use%20SSH%20key-based%20authentication%20pre-deployment%2C%20enforce%20it%20during%20deployment%2C%20and%20detect%20non-compliance%20post-deployment.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--493838051%22%20id%3D%22toc-hId--493837965%22%3E%3CBR%20%2F%3EPre-Deployment%20%E2%80%93%20Secure%20from%20the%20start%3A%20Creating%20Linux%20virtual%20machines%3C%2FH2%3E%0A%3CP%3EIn%20Azure%2C%20there%20are%20a%20few%20methods%20for%20creating%20Linux%20VMs%3A%20via%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-machines%2Flinux%2Fquick-create-portal%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20Portal%3C%2FA%3E%2C%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-machines%2Flinux%2Fquick-create-cli%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20CLI%3C%2FA%3E%2C%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-machines%2Flinux%2Fquick-create-powershell%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EPowershell%3C%2FA%3E%2C%20or%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-machines%2Flinux%2Fcreate-ssh-secured-vm-from-template%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20Resource%20Manager%20(ARM)%20Templates%3C%2FA%3E.%20All%20have%20the%20ability%20(and%20document%20how)%20to%20deploy%20a%20Linux%20VM%20with%20SSH%20key%20as%20a%20default%20option%20for%20authentication.%20To%20update%20an%20ARM%20template%20that%20uses%20password%20authentication%20to%20instead%20use%20SSH%20keys%2C%20follow%20the%20below%20steps.%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-196723423%22%20id%3D%22toc-hId-196723509%22%3E%3CBR%20%2F%3EHow%20to%20transform%20your%20ARM%20template%20to%20use%20SSH%20key%3C%2FH3%3E%0A%3CP%3EReplace%20the%20admin%20password%20parameter%20with%20the%20'adminSSHKey'%20parameter%3C%2FP%3E%0A%3CPRE%3E%22parameters%22%3A%20%7B%3CBR%20%2F%3E...%3CBR%20%2F%3E%20%20%20%20%22adminUsername%22%3A%20%7B%3CBR%20%2F%3E%20%20%20%20%20%20%20%20%22type%22%3A%20%22string%22%2C%3CBR%20%2F%3E%20%20%20%20%20%20%20%20%22metadata%22%3A%20%7B%3CBR%20%2F%3E%20%20%20%20%20%20%20%20%20%20%20%20%22description%22%3A%20%22Username%20for%20the%20Virtual%20Machine.%22%3CBR%20%2F%3E%20%20%20%20%20%20%20%20%7D%3CBR%20%2F%3E%20%20%20%20%7D%2C%3CBR%20%2F%3E%20%20%20%20%3CSTRIKE%3E%22adminPassword%22%3A%20%7B%20%3C%2FSTRIKE%3E%3CBR%20%2F%3E%20%20%20%20%20%20%20%20%3CSTRIKE%3E%22type%22%3A%20%22securestring%22%2C%20%3C%2FSTRIKE%3E%3CBR%20%2F%3E%20%20%20%20%20%20%20%20%3CSTRIKE%3E%22metadata%22%3A%20%7B%3C%2FSTRIKE%3E%3CBR%20%2F%3E%20%20%20%20%20%20%20%20%20%20%20%20%3CSTRIKE%3E%22description%22%3A%20%22Admin%20password%20on%20all%20VMs.%22%20%3C%2FSTRIKE%3E%3CBR%20%2F%3E%20%20%20%20%20%20%20%20%3CSTRIKE%3E%7D%3C%2FSTRIKE%3E%3CBR%20%2F%3E%20%20%20%20%3CSTRIKE%3E%7D%2C%3C%2FSTRIKE%3E%3CBR%20%2F%3E%20%20%20%20%3CFONT%20color%3D%22%232e8540%22%3E%3CSTRONG%3E%22adminSSHKey%22%3A%20%7B%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%232e8540%22%3E%3CSTRONG%3E%20%20%20%20%20%20%20%20%22type%22%3A%20%22securestring%22%2C%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%232e8540%22%3E%3CSTRONG%3E%20%20%20%20%20%20%20%20%22metadata%22%3A%20%7B%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%232e8540%22%3E%3CSTRONG%3E%20%20%20%20%20%20%20%20%20%20%20%20%22description%22%3A%20%22SSH%20Key%20for%20the%20Virtual%20Machine.%22%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%232e8540%22%3E%3CSTRONG%3E%20%20%20%20%20%20%20%20%7D%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%232e8540%22%3E%3CSTRONG%3E%20%20%20%20%7D%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E...%3CBR%20%2F%3E%7D%3C%2FPRE%3E%0A%3CP%3ENext%2C%20add%20the%20%E2%80%98linuxConfiguration%E2%80%99%20property%20to%20the%20variables%20of%20the%20template%3C%2FP%3E%0A%3CPRE%3E%22variables%22%3A%20%7B%3CBR%20%2F%3E...%3CBR%20%2F%3E%3CFONT%20color%3D%22%232e8540%22%3E%3CSTRONG%3E%20%20%22linuxConfiguration%22%3A%20%7B%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%232e8540%22%3E%3CSTRONG%3E%20%20%20%20%22disablePasswordAuthentication%22%3A%20true%2C%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%232e8540%22%3E%3CSTRONG%3E%20%20%20%20%22ssh%22%3A%20%7B%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%232e8540%22%3E%3CSTRONG%3E%20%20%20%20%20%20%22publicKeys%22%3A%20%5B%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%232e8540%22%3E%3CSTRONG%3E%20%20%20%20%20%20%20%20%7B%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%232e8540%22%3E%3CSTRONG%3E%20%20%20%20%20%20%20%20%20%20%22path%22%3A%20%22%5Bconcat('%2Fhome%2F'%2C%20parameters('adminUsername')%2C%20'%2F.ssh%2Fauthorized_keys')%5D%22%2C%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%232e8540%22%3E%3CSTRONG%3E%20%20%20%20%20%20%20%20%20%20%22keyData%22%3A%20%22%5Bparameters('adminSSHKey')%5D%22%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%232e8540%22%3E%3CSTRONG%3E%20%20%20%20%20%20%20%20%7D%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%232e8540%22%3E%3CSTRONG%3E%20%20%20%20%20%20%5D%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%232e8540%22%3E%3CSTRONG%3E%20%20%20%20%7D%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%232e8540%22%3E%3CSTRONG%3E%20%20%7D%2C%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E...%3CBR%20%2F%3E%7D%3C%2FPRE%3E%0A%3CP%3EFinally%2C%20add%20the%20%E2%80%98linuxConfiguration%E2%80%99%20property%20to%20the%20VM%20resource%20in%20the%20template.%20In%20the%20%E2%80%98osProfile%E2%80%99%20property%20remove%20the%20'adminPassword'%20property%20and%20add%20the%20following%20%E2%80%98linuxConfiguration%E2%80%99%20property%3C%2FP%3E%0A%3CPRE%3E%22properties%22%3A%20%7B%3CBR%20%2F%3E...%3CBR%20%2F%3E%20%20%22osProfile%22%3A%20%7B%3CBR%20%2F%3E%20%20...%3CBR%20%2F%3E%20%20%20%20%3CSTRIKE%3E%22adminPassword%22%3A%20%22%5Bparameters('adminPassword')%5D%22%3C%2FSTRIKE%3E%3CBR%20%2F%3E%20%20%20%20%3CFONT%20color%3D%22%232e8540%22%3E%3CSTRONG%3E%22linuxConfiguration%22%3A%20%22%5Bvariables('linuxConfiguration')%5D%22%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%20%20%7D%3CBR%20%2F%3E...%3CBR%20%2F%3E%7D%3C%2FPRE%3E%0A%3CP%3ENow%20that%20the%20template%20is%20updated%20to%20use%20SSH%20key%20authentication%2C%20generate%20a%20SSH%20key%20using%20the%20following%20command%3C%2FP%3E%0A%3CPRE%3Essh-keygen%20-m%20PEM%20-t%20rsa%20-b%204096%3C%2FPRE%3E%0A%3CP%3ECheck%20out%20this%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-machines%2Flinux%2Fcreate-ssh-keys-detailed%23generate-keys-with-ssh-keygen%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Edocumentation%20for%20more%20information%20about%20generating%20SSH%20keys%20on%20Windows%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EPass%20the%20public%20key%20of%20the%20SSH%20key%20as%20the%20value%20for%20the%20%E2%80%98adminSSHKey%E2%80%99%20parameter%20described%20above.%20Now%20all%20VMs%20deployed%20using%20these%20transformed%20ARM%20templates%20will%20be%20safer%20from%20password-based%20attacks.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EYou%20can%20find%20many%20examples%20of%20ARM%20templates%20that%20deploy%20VMs%20with%20SSH%20key-based%20authentication%20online.%20When%20searching%20for%20ARM%20Template%20examples%20for%20Linux%20VMs%2C%20one%20of%20the%20top%20results%20is%20the%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2Fazure-quickstart-templates%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20Quickstart%20GitHub%20Repo%3C%2FA%3E.%20These%20templates%20are%20used%20as%20starting%20points%20for%20deployments%20by%20many%20individuals.%20Almost%20200%20templates%20in%20this%20800-template%20repo%2C%20deploy%20a%20VM%20or%20VMSS%20and%20previously%20had%20SSH%20authentication%20configured%20as%20password%20only%2C%20making%20VMs%20deployed%20with%20these%20templates%20vulnerable%20to%20password-based%20attacks.%20We%20updated%20these%20sample%20templates%20to%20disable%20password-based%20authentication%20by%20default%2C%20adding%20SSH%20key%20as%20the%20default%20option.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-186220319%22%20id%3D%22toc-hId-186220405%22%3E%3CBR%20%2F%3EAt%20Deployment%20%E2%80%93%20SSH%20key%20enforcer%3A%20Using%20Azure%20Policy%3C%2FH2%3E%0A%3CP%3EAs%20part%20of%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fitshowcase%2Fblog%2Fno-more-passwords-the-relentless-commitment-to-creating-a-password-less-world-at-microsoft%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%E2%80%99s%20quest%20to%20get%20rid%20of%20passwords%3C%2FA%3E%2C%20we%20have%20published%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Security-Center%2Ftree%2Fmaster%2FSecurity%2520Recommendations%2FCustom%20Policies%2FRequire%20Linux%20VM%20to%20use%20SSH%20key%20authentication%2FAzure%20Policy%20-%20Deny%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ean%20Azure%20Policy%20which%20helps%20ensure%20Azure%20Linux%20VMs%20use%20SSH%20key%20authentication%20instead%20of%20passwords%3C%2FA%3E.%20You%20can%20deploy%20this%20policy%20to%20your%20subscription%20or%20management%20group%20to%20prevent%20creation%20of%20Linux%20VMs%20with%20password%20as%20the%20SSH%20authentication%20type.%20As%20seen%20below%2C%20this%20policy%20blocks%20the%20deployment%20if%20the%20%E2%80%98disablePasswordAuthentication%E2%80%99%20property%20in%20a%20VM%20is%20not%20defined%20or%20is%20set%20to%20%E2%80%98false%E2%80%99%20when%20the%20VM%20image%20publisher%20and%20offer%20are%20well-known%20Linux%20offerings.%20After%20deploying%20this%20policy%2C%20any%20new%20deployments%20which%20include%20a%20Linux%20VM%20with%20password-based%20authentication%20fail.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%20style%3D%22height%3A%20400px%3B%20overflow%3A%20auto%3B%22%3E%3CPRE%20class%3D%22lia-code-sample%20language-json%22%3E%3CCODE%3E%22policyRule%22%3A%20%7B%0A%20%20%22if%22%3A%20%7B%0A%20%20%20%20%22allOf%22%3A%20%5B%0A%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%22field%22%3A%20%22type%22%2C%0A%20%20%20%20%20%20%20%20%22equals%22%3A%20%22Microsoft.Compute%2FvirtualMachines%22%0A%20%20%20%20%20%20%7D%2C%0A%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%22anyof%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%22field%22%3A%20%22Microsoft.Compute%2FvirtualMachines%2FosProfile.linuxConfiguration.disablePasswordAuthentication%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%22exists%22%3A%20%22False%22%0A%20%20%20%20%20%20%20%20%20%20%7D%2C%0A%20%20%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%22field%22%3A%20%22Microsoft.Compute%2FvirtualMachines%2FosProfile.linuxConfiguration.disablePasswordAuthentication%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%22equals%22%3A%20%22false%22%0A%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%5D%0A%20%20%20%20%20%20%7D%2C%0A%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%22anyOf%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%22allOf%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22field%22%3A%20%22Microsoft.Compute%2FimagePublisher%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22equals%22%3A%20%22Canonical%22%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22field%22%3A%20%22Microsoft.Compute%2FimageOffer%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22in%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22UbuntuServer%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22Ubuntu_Core%22%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%5D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%20%20%20%20%5D%0A%20%20%20%20%20%20%20%20%20%20%7D%2C%0A%20%20%20%20%20%20%20%20%20%20...%0A%20%20%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%22allOf%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22field%22%3A%20%22Microsoft.Compute%2FimagePublisher%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22equals%22%3A%20%22RedHat%22%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22field%22%3A%20%22Microsoft.Compute%2FimageOffer%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22in%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22osa%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22RHEL%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22rhel-byos%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22rhel-ocp-marketplace%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22RHEL-SAP%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22RHEL-SAP-APPS%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22RHEL-SAP-HANA%22%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%5D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%20%20%20%20%5D%0A%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%5D%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%5D%0A%20%20%7D%2C%0A%20%20%22then%22%3A%20%7B%0A%20%20%20%20%22effect%22%3A%20%22deny%22%0A%20%20%7D%0A%7D%3C%2FCODE%3E%3C%2FPRE%3E%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1621234144%22%20id%3D%22toc-hId--1621234058%22%3EPost-Deployment%20%E2%80%93%20Staying%20Secure%3A%20The%20Microsoft%20Defender%20for%20Cloud%20Recommendation%3C%2FH2%3E%0A%3CP%3EWe%20have%20discussed%20solutions%20for%20new%20deployments%2C%20but%20what%20if%20you%20have%20VMs%20already%20deployed%20which%20use%20password-based%20SSH%20authentication%3F%20A%20new%20Microsoft%20Defender%20for%20Cloud%20recommendation%2C%20%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23blade%2FMicrosoft_Azure_Policy%2FPolicyDetailBlade%2FdefinitionId%2F%252fproviders%252fMicrosoft.Authorization%252fpolicyDefinitions%252f630c64f9-8b6b-4c64-b511-6544ceff6fd6%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%E2%80%9CAuthentication%20to%20Linux%20machines%20should%20require%20SSH%20keys%E2%80%9D%3C%2FA%3E%2C%20checks%20for%20the%20use%20of%20SSH%20authentication%20after%20a%20VM%20has%20been%20deployed.%20This%20recommendation%20is%20part%20of%20the%20ASC%20Secure%20Score*%20and%20follows%20Azure%20Security%20Benchmark%20best%20practices.%20The%20recommendation%20is%20a%20built-in%20Guest%20Configuration%20policy%20that%20monitors%20changes%20made%20to%20the%20SSH%20password%20authentication%20setting%20on%20the%20machine%20itself%3B%20if%20a%20VM%20was%20originally%20deployed%20with%20SSH%20key-based%20authentication%20and%20later%20password-based%20authentication%20is%20enabled%20in%20the%20SSH%20settings%2C%20this%20recommendation%20will%20report%20the%20VM%20as%20non-compliant.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EFor%20the%20recommendation%20to%20run%2C%20the%20Guest%20Configuration%20extension%20must%20be%20installed.%20You%20can%20follow%20this%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fgovernance%2Fpolicy%2Fconcepts%2Fguest-configuration%23deploy-requirements-for-azure-virtual-machines%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Edocumentation%20for%20installing%20the%20prerequisite%20Guest%20Configuration%20extension%3C%2FA%3E.%20There%20is%20also%20a%20Defender%20for%20Cloud%20recommendation%20suggesting%20downloading%20the%20extension%20that%20includes%20a%20Quick%20Fix%20capability%20named%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23blade%2FMicrosoft_Azure_Policy%2FPolicyDetailBlade%2FdefinitionId%2F%252fproviders%252fmicrosoft.authorization%252fpolicyDefinitions%252fae89ebca-1c92-4898-ac2c-9f63decb045c%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%E2%80%9CGuest%20Configuration%20extension%20should%20be%20installed%20on%20your%20machines%E2%80%9D%3C%2FA%3E.%20It%20can%20be%20found%20under%20the%20%E2%80%9CManage%20access%20and%20permissions%E2%80%9D%20control.%20Likewise%2C%20the%20Linux%20SSH%20policy%20recommendation%20can%20be%20found%20under%20the%20%E2%80%9CManage%20access%20and%20permissions%E2%80%9D%20control.%20The%20figure%20below%20shows%20this%20Linux%20SSH%20policy%20recommendation%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22ASC%20Linux%20SSH%20Recommendation%20-%20Screenshot%20of%20the%20recommendation%20in%20the%20Azure%20Security%20Center%20blade%20in%20the%20Azure%20Portal.%20You%20can%20find%20the%20recommendation%20by%20searching%20for%20%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F272651i5B747C3F613FFFB0%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22ASCRecommendation.PNG%22%20alt%3D%22ASC%20Linux%20SSH%20Recommendation%20-%20Screenshot%20of%20the%20recommendation%20in%20the%20Azure%20Security%20Center%20blade%20in%20the%20Azure%20Portal.%20You%20can%20find%20the%20recommendation%20by%20searching%20for%20%26quot%3Bssh%26quot%3B%20in%20the%20search%20bar.%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EASC%20Linux%20SSH%20Recommendation%20-%20Screenshot%20of%20the%20recommendation%20in%20the%20Azure%20Security%20Center%20blade%20in%20the%20Azure%20Portal.%20You%20can%20find%20the%20recommendation%20by%20searching%20for%20%22ssh%22%20in%20the%20search%20bar.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3EThe%20policy%20can%20also%20be%20found%20in%20the%20virtual%20machine%20resource%20under%20the%20Policies%20blade.%20This%20can%20be%20useful%20for%20understanding%20the%20Compliance%20state%2C%20Compliance%20reason%2C%20and%20Last%20evaluated%20time.%20The%20figure%20below%20shows%20a%20Non-compliant%20machine%20using%20password%20authentication%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22ASC%20Linux%20SSH%20Policy%20-%20Screenshot%20of%20the%20Azure%20Portal%20showing%20the%20Compliance%20information%20for%20the%20ASC%20recommendation.%20This%20example%20shows%20a%20VM%20as%20non-complaint%20for%20this%20recommendation.%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F272652iC04CE03611346C75%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22ASCPolicy.png%22%20alt%3D%22ASC%20Linux%20SSH%20Policy%20-%20Screenshot%20of%20the%20Azure%20Portal%20showing%20the%20Compliance%20information%20for%20the%20ASC%20recommendation.%20This%20example%20shows%20a%20VM%20as%20non-complaint%20for%20this%20recommendation.%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EASC%20Linux%20SSH%20Policy%20-%20Screenshot%20of%20the%20Azure%20Portal%20showing%20the%20Compliance%20information%20for%20the%20ASC%20recommendation.%20This%20example%20shows%20a%20VM%20as%20non-complaint%20for%20this%20recommendation.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3ETo%20remediate%20this%20recommendation%2C%20you%20must%20add%20an%20SSH%20key%20to%20the%20non-compliant%20VM%20and%20disable%20password%20authentication%20by%20following%20the%20below%20steps.%3C%2FSPAN%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3ESSH%20into%20the%20existing%20VM%3C%2FLI%3E%0A%3CLI%3ECopy%20the%20SSH%20public%20key%20from%20your%20host%20into%20~%2F.ssh%2Fauthorized_keys%3C%2FLI%3E%0A%3CLI%3EEdit%20%2Fetc%2Fssh%2Fsshd_config%20(with%20sudo)%20and%20update%20the%20value%20of%20%22PasswordAuthentication%22%20to%20%22no%22.%3C%2FLI%3E%0A%3CLI%3ERestart%20the%20SSH%20service%20on%20the%20VM%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CH2%20id%3D%22toc-hId-866278689%22%20id%3D%22toc-hId-866278775%22%3EAzure%20Active%20Directory%20(Azure%20AD)%20alternative%3C%2FH2%3E%0A%3CP%3EAn%20alternative%20to%20SSH%20keys%20is%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-machines%2Flinux%2Flogin-using-aad%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eusing%20Azure%20Active%20Directory%20(Azure%20AD)%20authentication%3C%2FA%3E.%20This%20allows%20for%20the%20use%20of%20Azure%20AD%20credentials%20to%20log%20in%20to%20Azure%20Linux%20VMs%3B%20this%20feature%20is%20currently%20in%20public%20preview.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--941175774%22%20id%3D%22toc-hId--941175688%22%3E%3CBR%20%2F%3EConclusion%3C%2FH2%3E%0A%3CP%3EPassword-based%20attacks%20on%20Azure%20Linux%20VMs%20is%20an%20active%20problem%2C%20but%20solutions%20are%20available%20to%20help%20protect%20against%20these%20attacks.%20We%E2%80%99ve%20demonstrated%20how%20to%20fix%20ARM%20templates%20to%20use%20SSH%20Key%20instead%20of%20passwords%2C%20how%20to%20deploy%20a%20security%20gate%20using%20Azure%20Policy%20which%20disallows%20Linux%20VMs%20that%20use%20passwords%2C%20and%20how%20to%20detect%20and%20remediate%20existing%20VMs%20that%20have%20password%20authentication%20enabled.%20Together%2C%20these%20recommendations%20provide%20a%20solid%20defense%20against%20password-based%20attacks%20on%20Azure%20Linux%20VMs.%20Take%20action%20and%20do%20all%20you%20can%20to%20be%20as%20secure%20as%20possible!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3EFootnotes%3A%3C%2FEM%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%3CEM%3E*The%20policy%20does%20not%20impact%20the%20Defender%20for%20Cloud%20Secure%20Score%20during%20public%20preview.%20Secure%20Score%20will%20only%20be%20impacted%20when%20the%20policy%20becomes%20Generally%20Available%20(GA).%3C%2FEM%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EReviewers%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EJohnathon%20Mohr%2C%20Security%20Software%20Engineer%2C%20Cloud%20%26amp%3B%20AI%20Security%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fgreenteamblog%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EGreen%20Team%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2271139%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22PasswordSprayDiagram.png%22%20style%3D%22width%3A%20370px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F272624i2D7571CC738CDB7C%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22PasswordSprayDiagram.png%22%20alt%3D%22PasswordSprayDiagram.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200in%3B%20font-family%3A%20'Segoe%20UI'%3B%20font-size%3A%2010.5pt%3B%22%3EAlthough%20SSH%20provides%20a%20secure%20channel%2C%20passwords%20leave%20VMs%20vulnerable%20to%20brute-force%20attacks.%3C%2FP%3E%3C%2FLINGO-TEASER%3E
Co-Authors
Version history
Last update:
‎Nov 02 2021 11:20 AM
Updated by:
www.000webhost.com