Secure Azure VM from day Zero with Azure Security Extension – Azure Security Part 1

Public Cloud is built on trust, and security is the key pillar that keeps customer trust. There are many misconceptions about Cloud Security. This post is the first of my Azure Security blog post series; in this series we will dispel some of the myths and discuss how to mitigate the real risks.

Based on a Gartner 2014 survey, 72% of enterprises have made cloud investments and 25% have made significant ones. 47% already have IaaS running, and that trend will increase significantly in the coming years. The top three IT budget spending areas in Australia are Mobile, Analytics and Cloud.

Security and Compliance are still the major concerns for Cloud adoption. Very often the myths about Cloud computing security, mixed with general negativity, shape the pre-assumptions people hold about it.

Security in the Public Cloud is a shared responsibility. Some security controls we inherit from the Cloud Provider (Azure, for this post); the remaining gaps are ours to close, and the provider will not close them for us.

For more information regarding Microsoft Azure security and what Microsoft provides out of the box —> here.

Below is a common scenario I have seen in the field.

Scenario

Let's say we have an Azure subscription with site-to-site connectivity to our on-prem environment, which is managed with System Center VMM. We have HYBRID here! YES!

Now I feel like testing the performance of SharePoint 2013 on Azure. Why? Because we CAN 🙂 With an Azure PowerShell script we can spin up a three-tier SharePoint 2013 farm on Azure VMs very quickly. On day zero those VMs are 'green': they are at a current patch level and have no malware. Days turn into weeks and those VMs are left unmanaged or partially managed, with no anti-malware protection, no patching and no server hardening.

Who is the party responsible for the security of these VMs? Azure? Yes, partially. Mark Russinovich? Probably... NO. Us? YES, we have to manage these VMs.

In the same manner, if I spin up some Hyper-V VMs using my System Center VMM, I need to manage those VMs and keep them in a 'green' state.

Now how do we provide protection from day zero? The answer is the Azure Anti-Malware extension!

Currently Azure provides three new security extensions for VMs:

  • Microsoft Anti-Malware
  • Symantec Endpoint Protection
  • Trend Micro Deep Security as a Service


Surely we want this, to meet our compliance requirements and protect our VMs, especially in Production.

How do we install one of these extensions on our existing VMs? Worry not! The Azure PowerShell script below installs the Microsoft Anti-Malware extension. These are the classic (Service Management) cmdlets, so a VM is addressed by its cloud service name and VM name: the extension is added to the VM object with Set-AzureVMExtension and only takes effect once Update-AzureVM pushes the updated VM back to Azure.

Add Microsoft Anti-Malware Extension

$service = "AzureVMAntiMalware"   # cloud service that hosts the VM
$name = "MyAzureVM01"
# Get the Azure VM
$vm = Get-AzureVM -ServiceName $service -Name $name
# Add the Microsoft Antimalware agent to the VM object (not applied yet)
Set-AzureVMExtension -Publisher Microsoft.Azure.Security -ExtensionName IaaSAntimalware -Version 1.* -VM $vm.VM
# Update the VM, which installs the Antimalware agent
Update-AzureVM -Name $name -ServiceName $service -VM $vm.VM

How do we check whether Anti-Malware has been enabled on the VM? The Azure PowerShell script below confirms it:

Get Microsoft Anti-Malware Extension Status

$servicename = "AzureVMAntiMalware"
$name = "MyAzureVM01"
# Get the Azure VM
$vm = Get-AzureVM -ServiceName $servicename -Name $name
# Get the Microsoft Antimalware agent status on the Azure Virtual Machine
# (returns nothing if the extension is not present on the VM)
Get-AzureVMExtension -Publisher Microsoft.Azure.Security -ExtensionName IaaSAntimalware -Version 1.* -VM $vm.VM
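Installing and checking one VM by hand does not scale to a farm that was spun up by script, and the snippets above enable the extension with its default configuration. The following is an added example (my own, not part of the original post) that ties the two together for the whole subscription: it walks every classic VM, reports whether the Microsoft Antimalware extension is present, and enables it with an explicit configuration on any VM that lacks it. It assumes the classic Azure PowerShell module is loaded with a subscription selected, that the object returned by Get-AzureVMExtension exposes a State property, and the scan schedule and exclusion values are illustrative policy choices, not a Microsoft recommendation.

```powershell
# Added example, not from the original post.
# Assumes: classic Azure PowerShell module loaded, Add-AzureAccount /
# Select-AzureSubscription already done. Configuration values below are
# illustrative; adjust to your own policy.

$publisher     = "Microsoft.Azure.Security"
$extensionName = "IaaSAntimalware"
$version       = "1.*"

# Public configuration for the extension: real-time protection on, weekly
# quick scan on Sunday at 02:00 (time is minutes after midnight), no
# exclusions. Exclusions are semicolon-separated strings; keep them empty
# unless a vendor requires them, since every exclusion is a blind spot.
$antimalwareConfig = @{
    AntimalwareEnabled        = $true
    RealtimeProtectionEnabled = $true
    ScheduledScanSettings     = @{
        isEnabled = $true
        day       = 1        # 0 = daily, 1 = Sunday ... 7 = Saturday, 8 = disabled
        time      = 120      # minutes after midnight
        scanType  = "Quick"  # "Quick" or "Full"
    }
    Exclusions = @{
        Extensions = ""
        Paths      = ""
        Processes  = ""
    }
} | ConvertTo-Json -Depth 3

# Returns the extension state for one VM context (the object returned by
# Get-AzureVM -ServiceName/-Name), or "Missing" if it is not installed.
function Get-AntimalwareState {
    param([Parameter(Mandatory)] $VmContext)
    $ext = Get-AzureVMExtension -VM $VmContext.VM `
        -Publisher $publisher -ExtensionName $extensionName -Version $version `
        -ErrorAction SilentlyContinue
    if ($null -eq $ext) { return "Missing" }
    return $ext.State   # assumption: e.g. "Enable" or "Uninstall"
}

# Get-AzureVM without parameters lists every VM in the subscription.
$report = foreach ($summary in Get-AzureVM) {
    $vm    = Get-AzureVM -ServiceName $summary.ServiceName -Name $summary.Name
    $state = Get-AntimalwareState -VmContext $vm
    if ($state -eq "Missing") {
        # Same pipeline shape as the uninstall snippet: the VM context flows
        # through Set-AzureVMExtension into Update-AzureVM, which applies it.
        $vm | Set-AzureVMExtension -Publisher $publisher -ExtensionName $extensionName `
                -Version $version -PublicConfiguration $antimalwareConfig |
            Update-AzureVM | Out-Null
        $state = "Enabled now"
    }
    [pscustomobject]@{
        Service     = $summary.ServiceName
        VM          = $summary.Name
        Antimalware = $state
    }
}

$report | Format-Table -AutoSize
```

Run it once to get a baseline of which VMs are unprotected, then schedule it so that a VM created by script on Friday afternoon is not still 'green' only by luck on Monday. Setting the configuration explicitly also means the scan schedule and exclusion list are in source control rather than in whatever default the extension shipped with.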

To uninstall the Microsoft Anti-Malware extension, the Azure PowerShell script below removes the agent:

Uninstall Microsoft Anti-Malware Extension

$servicename = "AzureVMAntiMalware"   # same cloud service as above
$name = "MyAzureVM01"
# Flag the extension for removal and push the updated VM back to Azure
Get-AzureVM -ServiceName $servicename -Name $name | Set-AzureVMExtension -Publisher Microsoft.Azure.Security -ExtensionName IaaSAntimalware -Version 1.* -Uninstall | Update-AzureVM


In the next post we will look further at how to secure our Azure environment using System Center Configuration Manager 2012 R2 to keep our Azure VMs 'green'. We will cover the sections below:

  • Patch Management
  • Anti-Malware with Endpoint Protection
  • Firewall
  • Compliance Settings
  • Reporting to comply with enterprise requirements
