Auditing Management Certificates in Azure

The cmdlets Get-AzurePublishSettingsFile and Import-AzurePublishSettingsFile set up and configure management certificates in Azure and on the local machine, allowing easy authentication to classic resources in Azure.


I have seen several potential pitfalls with this approach.

  • Removing a user as co-admin on a subscription does not remove or invalidate their management certificates. Unless your Azure admins are exceptionally attentive, this can leave users with full access to your classic resources even after they have been removed as subscription admins.
  • Management certificates cannot be linked to specific users. This makes removing a specific user's management certificates very tricky.
  • The anonymity of these certificates makes auditing user actions very difficult.

For all these reasons I see the use of these certificates as a very big security risk, and it is worth noting that the use of management certificates and publish settings has been deprecated for ARM resources.

In all the Azure environments I have worked in, I have enacted a policy to disallow the use of management certificates completely and to force all users and applications to authenticate to Azure using other methods (Azure Active Directory, service principals). The following scripts show how we can automate the auditing of these certificates and potentially automate the removal of unauthorised certificates.

There is currently no PowerShell cmdlet to list management certificates in Azure, so we have to fall back on the Service Management API.

Obviously we don't want to authenticate to the Service Management REST API using a management certificate (because we want to deprecate the use of those!), so instead we will use an authentication header. The following script is taken from this TechNet article and shows how to authenticate to the REST API using a username and password.

Once we have the authentication token we use the Service Management REST API proper to list, and then optionally delete, unauthorised management certificates. The following script shows the three main methods and example usage.
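The original script is not reproduced on this page. The following is an added PowerShell example, not the post's own code, that wraps the three operations (list, delete, audit against an allowlist of known thumbprints) over the Service Management REST API; it assumes a bearer token obtained as in the TechNet script is already in $Token, and the endpoint paths, response element names and x-ms-version value in the comments are assumptions from the API's documentation.

```powershell
# Added example (not the author's script). Assumes $Token holds an Azure AD bearer token
# issued for the resource https://management.core.windows.net/ (see the TechNet script above).
$ApiBase = 'https://management.core.windows.net'
$Headers = @{ 'x-ms-version' = '2012-03-01'; 'Authorization' = "Bearer $Token" }

function Get-ManagementCertificate {
    param([Parameter(Mandatory)][string]$SubscriptionId)
    # List Management Certificates: GET /<subscription-id>/certificates returns XML
    $resp = Invoke-RestMethod -Method Get -Uri "$ApiBase/$SubscriptionId/certificates" -Headers $Headers
    foreach ($c in $resp.SubscriptionCertificates.SubscriptionCertificate) {
        [pscustomobject]@{
            Thumbprint = $c.SubscriptionCertificateThumbprint
            Created    = [datetime]$c.Created
        }
    }
}

function Remove-ManagementCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SubscriptionId,
          [Parameter(Mandatory)][string]$Thumbprint)
    # Delete Management Certificate: DELETE /<subscription-id>/certificates/<thumbprint>
    if ($PSCmdlet.ShouldProcess("$SubscriptionId/$Thumbprint", 'Delete management certificate')) {
        Invoke-RestMethod -Method Delete -Uri "$ApiBase/$SubscriptionId/certificates/$Thumbprint" -Headers $Headers | Out-Null
    }
}

function Invoke-ManagementCertificateAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SubscriptionId,
          [string[]]$KnownThumbprints = @())   # previously authorised certificates to keep
    foreach ($cert in Get-ManagementCertificate -SubscriptionId $SubscriptionId) {
        # -contains is case-insensitive, so thumbprint casing does not matter
        if ($KnownThumbprints -contains $cert.Thumbprint) {
            Write-Verbose "Keeping known certificate $($cert.Thumbprint)"
            continue
        }
        Write-Warning "Unauthorised management certificate $($cert.Thumbprint) (created $($cert.Created))"
        Remove-ManagementCertificate -SubscriptionId $SubscriptionId -Thumbprint $cert.Thumbprint -WhatIf:$WhatIfPreference
    }
}

# Example usage with placeholder values: dry run first with -WhatIf, then re-run without it.
Invoke-ManagementCertificateAudit -SubscriptionId '<subscription-id>' `
    -KnownThumbprints @('<known-thumbprint>') -WhatIf -Verbose
```

Run it with -WhatIf on a schedule to get an inventory of every certificate that is not on the allowlist before enabling deletion.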

There you have it. There is also the option to keep previously authorised known management certificates whilst deleting all others.
