AyushPuri-7728 asked olgaoos answered

Deployed tpot on azure VM

I just wanted to confirm this small thing: we deployed tpot on an Azure cloud VM. tpot is a honeypot; it attracts attackers to attack that VM. If there are large amounts of attacks, will there be any issue with your policy, because we are planning to subscribe to the pay-as-you-go plan? And one more thing: my VM should not be blocked or deleted?

azure-virtual-machines

1 Answer

olgaoos answered

Yes, you could do penetration tests of your services hosted in Microsoft Cloud if these tests do not cause harm to any other Microsoft customers. All penetration tests must follow the Microsoft Cloud Penetration Testing Rules of Engagement.

The following activities are prohibited:

- Scanning or testing assets belonging to any other Microsoft Cloud customers.
- Gaining access to any data that is not wholly your own.
- Performing any kind of denial of service testing.
- Performing network intensive fuzzing against any asset except your Azure Virtual Machine.
- Performing automated testing of services that generates significant amounts of traffic.
- Deliberately accessing any other customer’s data.
- Moving beyond “proof of concept” repro steps for infrastructure execution issues (i.e. proving that you have sysadmin access with SQLi is acceptable, running xp_cmdshell is not).
- Using our services in a way that violates the Acceptable Use Policy, as set forth in the Microsoft Online Service Terms.
- Attempting phishing or other social engineering attacks against our employees.

The following activities are encouraged:

- Create a small number of test accounts and/or trial tenants for demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these accounts to access the data of another customer or account.
- Fuzz, port scan, or run vulnerability assessment tools against your own Azure Virtual Machines.
- Load testing your application by generating traffic which is expected to be seen during the normal course of business. This includes testing surge capacity.
- Testing security monitoring and detections (e.g. generating anomalous security logs, dropping EICAR, etc.).
- Attempt to break out of a shared service container such as Azure Websites or Azure Functions. However, should you succeed you must both immediately report it to Microsoft and cease digging deeper. Deliberately accessing another customer’s data is a violation of the terms.
- Applying conditional access or mobile application management (MAM) policies within Microsoft Intune to test the enforcement of the restrictions enforced by those policies.

You could find more detailed information by looking into our official resources:

Penetration Testing Rules of Engagement: https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement
Penetration testing: https://docs.microsoft.com/en-us/azure/security/fundamentals/pen-testing

I hope the above is useful to you.
