Protect data with network technologies that block intrusions and attacks
Protecting the security and confidentiality of network traffic, whether in the cloud or on-premises, is a critical part of any data protection strategy. Securing the network infrastructure helps prevent attacks, block malware, and protect your data from unauthorized access, interrupted access, or loss.
In the public cloud, the isolation of customer infrastructure is fundamental to maintaining security. Microsoft Azure, on which most Microsoft business cloud services are built, accomplishes this primarily through a distributed virtual firewall, partitioned local area networks (LANs), and physical separation of back-end servers from public-facing interfaces. Customers can deploy multiple logically isolated private networks, and each virtual network is isolated from the other virtual networks. For on-premises customers, Windows Server 2016 includes firewall, threat analytics, and numerous network security features.
Microsoft business cloud services that are built on Azure use Azure Active Directory for identity management, authentication, and access control. For on-premises customers, Windows Server 2016 uses Active Directory Domain Services (AD DS).
Azure Active Directory and AD DS help ensure that only authorized users can access your network environment, data, and applications, and provide Azure Multi-Factor Authentication for highly secure sign-in. With Multi-Factor Authentication, you can require users to verify their sign-in with a mobile application, phone call, or text message.
Microsoft uses several network security technologies to protect your cloud services and data, and block attacks.
- Firewalls help protect network perimeters, subnets, and local machines (including virtual machines). Perimeter firewalls filter packets coming into the network. If malicious traffic has managed to bypass network-level controls, operating system firewalls provide another layer of protection by allowing or denying packets coming into the local system.
- Intrusion detection systems/intrusion prevention systems detect and identify suspicious or undesirable activities that indicate intrusion, proactively drop packets that are determined to be undesirable, and disconnect unauthorized connections.
- Partitioned LANs enable you to separate traffic by segmenting your virtual networks and control how traffic passes between different IP subnets.
- Multi-tier topology enables you to allocate subnets and designate separate address spaces for different elements of your workload. These logical groupings and topologies mean you can define different access policies based on workload types.
- Traffic isolation helps ensure that your virtual machines (VMs) and communications remain private within a virtual network.
- Cross-premises connectivity enables you to establish connections between a virtual network and multiple on-premises sites, or other virtual networks in Azure, by using VPN gateways or third-party virtual appliances.
- Access Control Lists are rules that you can create at different levels of granularity, including network interfaces, individual VMs, or virtual subnets. You can then control access by allowing or denying communications between workloads within a virtual network, from systems on your on-premises networks, or direct Internet communications.
- Azure Security Center provides a centralized portal from which you can secure the resources you place in Azure and prevent, detect, and respond to threats. When you enable Azure Security Center for your subscription or Resource Group, it provides recommendations and alerts for network security issues. It uses behavioral analytics and machine learning for effective threat detection and helps you build an attack timeline for faster remediation.
For on-premises customers, Windows Server 2016 provides protection for networks with its built-in security features and additional security products.
- Datacenter Firewall is a network layer, 5-tuple (protocol, source and destination port numbers, and source and destination IP addresses), stateful, multitenant firewall that can be deployed and offered as a service so that tenant administrators can install and configure firewall policies to help protect their virtual networks.
- Microsoft Advanced Threat Analytics is an on-premises cyber-security product that detects advanced attacks using user and entity behavior analytics (UEBA).
- New DNS capabilities enable you to configure DNS policies, limit response rate to prevent use of your DNS servers in attacks, and use DNS-based Authentication of Named Entities (DANE) to help prevent “man-in-the-middle” attacks.
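The response rate limiting mentioned above is easiest to understand as per-client accounting on the server side. The following is an added example, not code from the page or from the Windows Server DNS service: a simplified model of how a rate limiter buckets identical responses by client subnet and question, stops answering once a bucket is exhausted, and sends every Nth over-limit response truncated so that a genuine resolver can fall back to TCP while a spoofed victim address is no longer flooded. The policy fields, bucket sizes and the sample query stream are constructed for this example and do not correspond to the product's actual parameter names or defaults.

```python
"""Simplified model of DNS Response Rate Limiting (RRL).

Added example, not code from the page or from the Windows Server DNS service.
It models the per-client-subnet accounting that RRL performs so that an
authoritative server cannot be used as a reflector in an amplification attack.
Parameter names and the sample traffic are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class RrlPolicy:
    responses_per_sec: int = 5   # identical responses permitted per bucket per second
    window_sec: int = 5          # unused credit may accumulate for this many seconds
    truncate_rate: int = 3       # every Nth over-limit response is truncated, not dropped
    prefix_len: int = 24         # IPv4 clients are bucketed per /24 (spoofers spread addresses)


@dataclass
class _Bucket:
    credits: float
    last_ts: float
    over_limit: int = 0


class ResponseRateLimiter:
    """Token bucket keyed by (client subnet, qname, qtype): identical answers to one subnet."""

    def __init__(self, policy: RrlPolicy):
        self.policy = policy
        self.buckets: dict = {}

    def _key(self, client_ip: str, qname: str, qtype: str) -> tuple:
        subnet = ip_network(f"{client_ip}/{self.policy.prefix_len}", strict=False)
        return (str(subnet), qname.lower().rstrip("."), qtype.upper())

    def decide(self, ts: float, client_ip: str, qname: str, qtype: str) -> str:
        """Return 'send', 'truncate' or 'drop' for one response generated at time ts."""
        p = self.policy
        key = self._key(client_ip, qname, qtype)
        bucket = self.buckets.get(key)
        if bucket is None:
            # A new bucket starts with one second's allowance.
            bucket = self.buckets[key] = _Bucket(credits=float(p.responses_per_sec), last_ts=ts)
        # Refill credits for the time elapsed, capped at a full window's worth.
        elapsed = max(0.0, ts - bucket.last_ts)
        bucket.credits = min(float(p.responses_per_sec * p.window_sec),
                             bucket.credits + elapsed * p.responses_per_sec)
        bucket.last_ts = ts
        if bucket.credits >= 1.0:
            bucket.credits -= 1.0
            return "send"
        bucket.over_limit += 1
        if p.truncate_rate and bucket.over_limit % p.truncate_rate == 0:
            # Small TC=1 reply: a real resolver retries over TCP; a spoofed victim gets no amplification.
            return "truncate"
        return "drop"


def simulate(policy: RrlPolicy, queries) -> dict:
    """Run (ts, client_ip, qname, qtype) tuples through one limiter; return outcome counts."""
    limiter = ResponseRateLimiter(policy)
    counts = {"send": 0, "truncate": 0, "drop": 0}
    for ts, client_ip, qname, qtype in queries:
        counts[limiter.decide(ts, client_ip, qname, qtype)] += 1
    return counts


# Constructed traffic: 20 spoofed ANY queries within one second claiming to come from
# 203.0.113.7, one ordinary lookup from another network, then one more query from the
# flooded subnet two seconds later, after credits have refilled.
SAMPLE_QUERIES = (
    [(0.0, "203.0.113.7", "example.test", "ANY")] * 20
    + [(0.0, "198.51.100.9", "example.test", "ANY"),
       (2.0, "203.0.113.9", "example.test", "ANY")]
)

if __name__ == "__main__":
    print(simulate(RrlPolicy(), SAMPLE_QUERIES))
```

With the constructed policy, the flood of 20 identical queries yields five full responses, five truncated ones and ten drops, while a client in a different /24 and a query two seconds later are both answered normally. Bucketing on the /24 rather than the single address is what keeps an attacker from evading the limit by rotating spoofed source addresses within a victim's subnet.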
Secure apps and data
Microsoft business cloud services and products implement numerous technologies to help protect your applications and data.
- Virtual Network provides the network fabric on which you place your VMs. You control the network topology and manage it just like your on-site infrastructure. Each virtual network is isolated from other virtual networks and you can create hybrid-networking solutions by connecting your Azure Virtual Networks and on-premises network using site-to-site VPNs or Microsoft Azure ExpressRoute.
- ExpressRoute lets you avoid security issues related to Internet-based site-to-site VPNs. Create private connections between Azure datacenters and your premises or within a colocation center with ExpressRoute. ExpressRoute connections are dedicated wide area network (WAN) links and are more reliable, faster, and more secure.
- Network security groups (NSGs) can be used to control traffic to one or more VM instances in an Azure Virtual Network. An NSG contains access control rules that allow or deny traffic based on traffic direction, protocol, source address and port, and destination address and port. You can change the rules of an NSG at any time, and changes are applied to all associated instances.
- Forced tunneling lets you redirect all Internet-bound traffic to your on-premises location for inspection and auditing by using a site-to-site VPN tunnel or ExpressRoute. Without forced tunneling, Internet-bound traffic from your VMs in Azure will traverse from the Azure network infrastructure directly out to the Internet, potentially bypassing inspection or auditing for that traffic.
- Network security virtual appliances from partners such as A10, Cisco, F5, Fortinet, NGINX, and others can be used to enhance network security. You can use network virtual appliances in your virtual networks and get the same functionality that you get when used on-premises, including firewalls, intrusion prevention systems, WAN optimization, and application delivery controllers (ADC/load balancing).
Network security for Microsoft Professional Services includes the segregation of the internal datacenter network from the external network. Access to Microsoft Professional Services data is controlled through stringent access-control mechanisms and processes. All data transfers are also conducted with security safeguards. For example, customer data sent externally to Microsoft is encrypted. This includes data transferred from customers through our support software and tools.
Dynamics 365 network security features help provide a secure connection over the Internet:
- Dynamics 365 provides security-hardened infrastructure that Microsoft controls and monitors 24 hours a day, seven days a week. Microsoft uses a variety of technologies to block unauthorized traffic to and within Microsoft datacenters.
- Connections that are established between customers and Microsoft datacenters are encrypted by using industry-standard Transport Layer Security (TLS). This establishes a secured browser-to-server connection, which helps provide data confidentiality and integrity between the desktop and datacenter. A redundant network provides failover capability and helps ensure network availability.
For Windows, Android, and iOS mobile devices, Intune uses Transport Layer Security/Secure Sockets Layer (TLS/SSL) to help secure communications between each device and the service. All portals use TLS/SSL to secure communication, and sessions have an inactivity timeout.
In a hybrid configuration, a System Center Configuration Manager (SCCM) site initiates all communication with Intune to push or pull data to the service; Intune does not initiate communications with SCCM. All communications use TLS/SSL. An Intune certificate is installed with the Intune Connector role, and the site uses this certificate to authenticate and communicate with the connector.
Office 365 uses defense-in-depth security principles to protect against internal and external risks. Office 365 services are intentionally built to support a very high load as well as to protect and mitigate against application-level DoS attacks. We have implemented a scaled-out architecture where services are distributed across multiple global datacenters, with regional isolation and throttling features in some of the workloads. Office 365 services follow industry cryptographic standards such as TLS and Advanced Encryption Standard. The use of TLS establishes a highly secure client-to-server connection to help protect the confidentiality and integrity of data between the desktop and the datacenter. All customer-facing servers negotiate secure sessions by using TLS with client machines.
Power BI features the Power BI Personal Gateway, which enables users to create credentials for multiple data sources and automatically use those credentials when accessing the sources. The gateway acts as a bridge, providing quick and secure data transfer between the Power BI service and on-premises data sources. When Power BI refreshes data from an on-site data source, the gateway ensures that your account has the right permissions to connect to and query data from the source.
Data transfer between Power BI and the gateway is secured through Azure Service Bus, which creates a secure channel between the service and your computer. Because the gateway provides this secure connection, there’s usually no need to open a port in your firewall.
Visual Studio Team Services (Team Services) is hosted in Azure datacenters and runs on the Azure platform. To ensure that activities within the service are legitimate, and to detect breaches or attempted breaches, Team Services takes advantage of Azure infrastructure and security mechanisms.
To mitigate and protect against various DoS threats, Microsoft has developed a highly scalable and dynamic threat detection and mitigation system to protect the underlying infrastructure from DoS attacks and to help prevent service interruptions for Azure customers. The Azure DoS mitigation system protects inbound, outbound, and region-to-region traffic.
Windows Server 2016 includes numerous network security features from previous versions of Windows Server, and its features are secured by default. Windows Server 2016 introduces new network security mechanisms, including the Datacenter Firewall. It is a network layer, 5-tuple (protocol, source and destination port numbers, and source and destination IP addresses), stateful, multitenant firewall. When deployed, and offered as a service by the service provider, tenant administrators can install and configure firewall policies to help protect their virtual networks from unwanted traffic originating from the Internet and from intranet networks.
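Both the network security groups described in the "Secure apps and data" section and the Datacenter Firewall described here evaluate the same kind of policy: a list of rules, each keyed on direction and the 5-tuple, processed in priority order with the first match deciding, and stateful so that replies to an allowed flow are accepted without a separate rule. The following is an added example, not code from Azure or from Windows Server, that models those semantics. The rule names, address ranges and flows are constructed; the explicit deny-all rules at the lowest precedence stand in for the platform's own default rules, which this model does not reproduce.

```python
"""Priority-ordered, stateful 5-tuple rule evaluation.

Added example, not code from Azure or Windows Server. It models the semantics
the page describes for network security groups and the Datacenter Firewall:
rules carry a direction, protocol, source/destination prefix and port ranges;
the lowest priority number wins; and replies to an allowed flow are accepted
statefully without a matching rule in the reverse direction.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number is evaluated first; first match wins
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*"
    source: str          # CIDR prefix or "*"
    source_ports: str    # "*", "443" or "1024-65535"
    destination: str
    dest_ports: str


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _prefix_match(prefix: str, ip: str) -> bool:
    return prefix == "*" or ip_address(ip) in ip_network(prefix, strict=False)


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


class StatefulFirewall:
    def __init__(self, rules):
        # Priority must be unique within a direction, or the evaluation order is ambiguous.
        if len({(r.direction, r.priority) for r in rules}) != len(rules):
            raise ValueError("duplicate priority within one direction")
        self.rules = sorted(rules, key=lambda r: r.priority)
        self._established = set()   # (direction, protocol, src_ip, src_port, dst_ip, dst_port)

    def evaluate(self, f: Flow):
        """Return (access, reason) for one packet; reason is the rule name or 'established'."""
        opposite = "Outbound" if f.direction == "Inbound" else "Inbound"
        reply_of = (opposite, f.protocol.lower(), f.dst_ip, f.dst_port, f.src_ip, f.src_port)
        if reply_of in self._established:
            return "Allow", "established"       # stateful: reply to an allowed flow
        for r in self.rules:
            if r.direction != f.direction:
                continue
            if r.protocol != "*" and r.protocol.lower() != f.protocol.lower():
                continue
            if not (_prefix_match(r.source, f.src_ip) and _port_match(r.source_ports, f.src_port)
                    and _prefix_match(r.destination, f.dst_ip) and _port_match(r.dest_ports, f.dst_port)):
                continue
            if r.access == "Allow":
                self._established.add((f.direction, f.protocol.lower(),
                                       f.src_ip, f.src_port, f.dst_ip, f.dst_port))
            return r.access, r.name
        return "Deny", "implicit-deny"


def build_sample_firewall() -> StatefulFirewall:
    """Constructed policy for a web tier in 10.0.1.0/24 managed from 10.0.0.0/24."""
    return StatefulFirewall([
        Rule("deny-https-from-blocked-range", 90, "Inbound", "Deny", "Tcp", "203.0.113.0/24", "*", "10.0.1.0/24", "443"),
        Rule("allow-https-in", 100, "Inbound", "Allow", "Tcp", "*", "*", "10.0.1.0/24", "443"),
        Rule("allow-ssh-from-mgmt", 110, "Inbound", "Allow", "Tcp", "10.0.0.0/24", "*", "10.0.1.0/24", "22"),
        Rule("deny-all-in", 4096, "Inbound", "Deny", "*", "*", "*", "*", "*"),
        Rule("allow-dns-out", 100, "Outbound", "Allow", "Udp", "10.0.1.0/24", "*", "10.0.0.0/24", "53"),
        Rule("deny-all-out", 4096, "Outbound", "Deny", "*", "*", "*", "*", "*"),
    ])


if __name__ == "__main__":
    fw = build_sample_firewall()
    for flow in (Flow("Inbound", "tcp", "198.51.100.20", 51000, "10.0.1.4", 443),
                 Flow("Inbound", "tcp", "203.0.113.5", 51000, "10.0.1.4", 443),
                 Flow("Outbound", "udp", "10.0.1.4", 53000, "10.0.0.10", 53),
                 Flow("Inbound", "udp", "10.0.0.10", 53, "10.0.1.4", 53000)):
        print(flow, "->", fw.evaluate(flow))
```

Two behaviours are worth checking against the sample policy. The deny rule at priority 90 blocks HTTPS from 203.0.113.0/24 even though the broader allow at priority 100 would match the same packet, which is why deny rules meant as exceptions need a lower number than the allow they carve out of. And the DNS reply from 10.0.0.10 is admitted only because the outbound query was allowed first; an unsolicited packet from the same server to a different port falls through to the deny-all rule.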
Windows Server 2016 also provides DNS-based Authentication of Named Entities (DANE) to help prevent “man-in-the-middle” attacks, and IP Address Management (IPAM) enhancements to help you monitor, audit, and manage DHCP and DNS servers. Windows Defender is installed and runs by default.