
Disable password authentication#

Security · Virtual Machine Scale Sets · Rule · 2022_09 · Important

Use SSH keys instead of common credentials to secure virtual machine scale sets against malicious activities.

Description#

Linux virtual machine scale sets should have password authentication disabled. Removing password logins eliminates the attack surface for password-based attacks such as brute forcing and credential stuffing against the admin account.

A common tactic observed being used by adversaries against customers running Linux Virtual Machines (VMs) in Azure is password-based attacks (brute-force and password-spray attempts against reachable SSH endpoints).

Recommendation#

Linux virtual machine scale sets should have password authentication disabled and use SSH key-based authentication instead. Provision the SSH public key for the admin user in the same deployment that disables passwords; otherwise the instances become unreachable over SSH.

Examples#

Configure with Azure template#

To deploy a virtual machine scale set that passes this rule:

  • Set properties.virtualMachineProfile.osProfile.linuxConfiguration.disablePasswordAuthentication to true. Also provision at least one SSH public key under osProfile.ssh.publicKeys; the example below shows only the path and omits the key material for brevity.

For example:

Azure Template snippet
{
    "type": "Microsoft.Compute/virtualMachineScaleSets",
    "apiVersion": "2021-11-01",
    "name": "vmss-01",
    "location": "[resourceGroup().location]",
    "sku": {
      "name": "b2ms",
      "tier": "Standard",
      "capacity": 1
    },
    "properties": {
      "overprovision": true,
      "upgradePolicy": {
        "mode": "Automatic"
      },
      "singlePlacementGroup": true,
      "platformFaultDomainCount": 3,
      "virtualMachineProfile": {
        "storageProfile": {
          "osDisk": {
            "caching": "ReadWrite",
            "createOption": "FromImage"
          },
          "imageReference": {
            "publisher": "microsoft-aks",
            "offer": "aks",
            "sku": "aks-ubuntu-1804-202208",
            "version": "2022.08.29"
          }
        },
        "osProfile": {
          "adminUsername": "azureuser",
          "computerNamePrefix": "vmss-01",
          "linuxConfiguration": {
            "disablePasswordAuthentication": true
          },
          "provisionVMAgent": true,
          "ssh": {
            "publicKeys": [
              {
                "path": "/home/azureuser/.ssh/authorized_keys"
              }
            ]
          }
        },
        "networkProfile": {
          "networkInterfaceConfigurations": [
            {
              "name": "vmss-001",
              "properties": {
                "primary": true,
                "enableAcceleratedNetworking": true,
                "networkSecurityGroup": {
                  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001"
                },
                "ipConfigurations": [
                  {
                    "name": "ipconfig1",
                    "properties": {
                      "primary": true,
                      "subnet": {
                        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001"
                      },
                      "privateIPAddressVersion": "IPv4",
                      "loadBalancerBackendAddressPools": [
                        {
                          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes"
                        }
                      ]
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    }
  }

Configure with Bicep#

To deploy a virtual machine scale set that passes this rule:

  • Set properties.virtualMachineProfile.osProfile.linuxConfiguration.disablePasswordAuthentication to true. Also provision at least one SSH public key under osProfile.ssh.publicKeys; the example below shows only the path and omits the key material for brevity.

For example:

Azure Bicep snippet
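// Example Linux VM scale set that passes the "Disable password authentication" rule:
// password logins are rejected and SSH public-key authentication is used instead.
resource vmScaleSet 'Microsoft.Compute/virtualMachineScaleSets@2021-11-01' = {
  name: 'vmss-01'
  location: resourceGroup().location
  sku: {
    name: 'b2ms'
    tier: 'Standard'
    capacity: 1
  }
  properties: {
    overprovision: true
    upgradePolicy: {
      mode: 'Automatic'
    }
    singlePlacementGroup: true
    platformFaultDomainCount: 3
    virtualMachineProfile: {
      storageProfile: {
        osDisk: {
          caching: 'ReadWrite'
          createOption: 'FromImage'
        }
        // Illustrative image reference only; use a currently supported image in real deployments.
        imageReference: {
          publisher: 'microsoft-aks'
          offer: 'aks'
          sku: 'aks-ubuntu-1804-202208'
          version: '2022.08.29'
        }
      }
      osProfile: {
        adminUsername: 'azureuser'
        computerNamePrefix: 'vmss-01'
        linuxConfiguration: {
          // The property this rule checks. With this set to true sshd rejects password
          // logins, so brute-force / credential-stuffing against the admin user cannot succeed.
          disablePasswordAuthentication: true
        }
        provisionVMAgent: true
        ssh: {
          publicKeys: [
            {
              // NOTE(review): only the authorized_keys path is shown; the key material
              // (keyData) is omitted for brevity. A real deployment must supply it,
              // otherwise nobody can log in once password authentication is disabled.
              path: '/home/azureuser/.ssh/authorized_keys'
            }
          ]
        }
      }
      networkProfile: {
        networkInterfaceConfigurations: [
          {
            name: 'vmss-001'
            properties: {
              primary: true
              enableAcceleratedNetworking: true
              // Placeholder subscription / resource IDs; substitute your own.
              networkSecurityGroup: {
                id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/nsg-001'
              }
              ipConfigurations: [
                {
                  name: 'ipconfig1'
                  properties: {
                    primary: true
                    subnet: {
                      id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-001/subnets/subnet-001'
                    }
                    privateIPAddressVersion: 'IPv4'
                    loadBalancerBackendAddressPools: [
                      {
                        id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/loadBalancers/kubernetes/backendAddressPools/kubernetes'
                      }
                    ]
                  }
                }
              ]
            }
          }
        ]
      }
    }
  }
}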
