The industry is staring at a long lockdown due to Covid-19, in which it has to accept work from home.
This goes for developers too!
While it is easy to say that developers can write code from home and share it with team members through version control services like Git, which were designed for exactly that kind of sharing, this creates another set of problems for enterprises.
Usually, when developers work from the office, enterprises give them a desktop or a laptop to work on. These computers are meant to stay in the office, so that code cannot leave the premises. Features like USB ports and CD drives are disabled on these machines so that code cannot be copied to external devices. All of this is done to prevent pilferage of the code, which is intellectual property (IP) of the organization that develops it.
Not every organization can provide a computer to each developer at home. The work-from-home option for developers is forcing enterprises to allow developers to use their personal computers. This may give developers uncontrolled access to code held in a cloud version control service, like the one offered by Azure DevOps.
Once the code is on the developer's machine, there are no restrictions on it. A few organizations have rejected Azure DevOps in the past because of this issue. When we think about implementing DevSecOps for the organization, it becomes necessary to also think seriously about the security of the code (IP) in such situations.
In this tutorial, I am going to show how Azure services and Azure DevOps can be combined so that developers can edit the code without it ever being copied to the physical computer they connect from. It involves implementing Conditional Access on Azure DevOps to prevent access from any computer other than controlled VMs in Azure.
Our goals are as follows:
1. Azure DevOps should not be accessible from computers other than those identified as the ones belonging to the organization
2. Those identified computers should be accessible using RDP, but with restrictions: copy-paste over the RDP session should not be possible
Our plan of implementing a solution to achieve these goals is as follows:
1. Add a VM in Azure that has Visual Studio installed on it. Put that in a subnet of a Virtual Network (VNet) in Azure.
2. Create a NAT Gateway with a static public IP address that provides internet access to the above subnet, so that all outbound traffic from the VM leaves Azure from that one address.
3. Create a Conditional Access policy for Azure DevOps that allows access only from the static outbound IP address of the NAT Gateway.
4. Apply a Group Policy on the VM to disallow copy-paste from the VM to any other computer.
Figure: Restrict Access to Azure DevOps – Solution Scheme
I am going to walk you through the steps to implement that plan.
Security Restrictions for Remote Working using Azure DevOps – Prerequisites
As prerequisites for this walkthrough, we need the following:
1. An Azure account with at least Azure Active Directory Premium P1 enabled (Conditional Access is a Premium feature).
2. An Azure DevOps organization connected to the Azure Active Directory tenant of the account mentioned above.
3. Azure DevOps should be present in the list of Enterprise Applications of the Azure Active Directory of our account. If Azure DevOps is not in that list, go to Azure DevOps > Organization Settings > Azure Active Directory blade and connect to the Azure Active Directory of our account using the Connect Directory button.
Figure: Connect Azure DevOps to Azure Active Directory
Azure DevOps Restrictions Implementation
Let’s begin our walkthrough by creating required resources in Azure.
1. We will start by creating the NAT Gateway. Click “Create a Resource” in the Azure Portal. Search for “NAT Gateway” and click it when shown in the search results.
2. Click the Create button on the page that opens.
Figure: Create a NAT Gateway Resource in Azure
3. In the wizard that starts, provide the resource group name (create a new resource group if it does not exist), NAT Gateway name, region and retain the idle timeout as it is.
Figure: Details of NAT Gateway
4. In the next screen of the wizard, create a public IP address that will be used as the outbound IP of the NAT Gateway. This is the IP address we will later use in the Conditional Access policy for Azure DevOps. The same screen offers a Public IP Prefix option, which we can safely ignore as it is not required in our scenario.
Figure: Provide an Outbound Public IP Address to NAT Gateway
5. In the next screen of the wizard, we will create a VNet and a Subnet in it. Provide a name for the VNet. Accept the address range for the VNet and the Subnet.
Figure: VNet and Subnet associated with NAT Gateway
6. Finally Review and Create the NAT Gateway.
7. In the Azure Portal, create a new resource. Select a VM based on a Microsoft Windows 10 image, or on a Windows Server image if that is a necessity. Remember that, as per step 1 of the plan, this VM needs Visual Studio (or whatever tooling the developers use) installed; the Azure Marketplace offers images with Visual Studio preinstalled.
8. For this VM, select the VNet and the subnet created by the NAT Gateway wizard. Ensure that the VM has a public IP address so that it can be reached over RDP. Do not leave RDP (TCP 3389) open to the whole internet: restrict the inbound rule in the VM's Network Security Group to the developers' home addresses, or use Azure Bastion or just-in-time VM access instead of a directly exposed public IP. Note that because the subnet has a NAT Gateway, outbound connections from the VM use the NAT Gateway's address and not the VM's own public IP, which is what makes the next steps work.
9. We will now set up the Azure Active Directory of our account to enable Conditional Access to Azure DevOps. Please note that Conditional Access is available only when you have purchased the Premium level of Azure Active Directory. The condition we are going to set by creating a policy is:
a. If the user tries to access our Azure DevOps account from anywhere in the world, block access
b. Exception to the above rule: if the user tries to access it from our office location, do not block access.
10. Let's first create the office location. Here the "office" is the Azure subnet whose VMs send all outbound traffic through the NAT Gateway, so the location is represented by the NAT Gateway's outbound IP. From the Azure Active Directory blade, select the Security tab and then the Conditional Access tab. On this tab select the Named Locations blade and click the "+ New Location" button. Give a name to the location, for example "Pune Office". In IP Ranges, enter the outbound IP address of the NAT Gateway with /32 to indicate that the range is this single address and not a network. Leave the "Mark as trusted location" checkbox unchecked; a shared egress address should not receive the exemptions (such as from MFA or risk evaluation) that a trusted location gets.
Figure: Create Named Location
11. After creating the Named Location, we will now create the policy that blocks access, with the exception condition. Open the blade Azure Active Directory > Enterprise Applications > Azure DevOps > Conditional Access. If the "Conditional Access" blade is disabled (greyed out), ensure that you have enabled the Premium version of Azure Active Directory, as mentioned in the prerequisites section of the article.
12. Click the “+New Policy” button to create a new conditional access policy.
13. Give a name to the policy like “Restricted Access to Azure DevOps”.
14. On the "Users and groups" blade select "All users". Consider excluding a break-glass administrator account, so that a mistake in the policy cannot lock the whole organization out of Azure DevOps.
15. On the Conditions blade, select the Locations blade. Set the "Configure" selector to "Yes". Under the Include tab, choose "Any location". Under the Exclude tab, choose "Selected locations" and then select the named location we created earlier, in my example "Pune Office".
Figure: Add Conditional Access
16. Under the "Access controls" section, on the "Grant" blade select "Block access". This makes the default behaviour of the policy to block access, with an exception for the named location of our office VMs.
17. Finally set "Enable policy" to "On" and click the "Create" button to create this policy. If you want to see who would be blocked before enforcing it, create it in "Report-only" mode first and check the Conditional Access results in the Azure AD sign-in logs, then switch it to "On".
18. If the tenant is a recent one, Security Defaults may be applied to it, and Azure AD does not allow Conditional Access policies while Security Defaults are on. To overcome this, open the Properties blade of our Azure Active Directory and click the link "Manage Security Defaults". On the panel that opens, select "No" for the option "Enable Security Defaults", check the checkbox to confirm that "My organization is using Conditional Access", and then click the "Save" button.
Figure: Disable Default Security
19. The last step to enable this Conditional Access policy is to have Azure DevOps honour it. To do that, open the Organization Settings > Policies page of Azure DevOps. On that page, enable the policy "Enable Azure Active Directory Conditional Access Policy Validation". With this enabled, Azure DevOps itself checks the caller's IP address against the named locations in the policy. Be aware that Azure DevOps validates only the IP-based (named location) part of Conditional Access policies; other conditions, such as device state or MFA, are enforced by Azure AD at sign-in and not re-checked by Azure DevOps.
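The Azure side of the walkthrough (steps 1 to 18) as a single script, added here as an example and not part of the original article: it provisions the NAT Gateway, the VNet and subnet and the developer VM with Az PowerShell, then creates the named location and the blocking policy through the Microsoft Graph PowerShell SDK. Resource names, the region, the address ranges, the home IP allowed to reach RDP, the VM image SKU and the break-glass account are all assumptions to be replaced; the Azure DevOps application ID is the well-known one for Azure DevOps, but confirm it against the Enterprise Applications entry in your tenant. Step 19 (the Azure DevOps organization policy) remains a portal step.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Az.Network, Az.Compute, Microsoft.Graph.Identity.SignIns
# Added example (not the article's own code). All names below are assumptions.
param(
    [string]$ResourceGroup   = 'rg-devops-restricted',
    [string]$Location        = 'centralindia',
    [string]$AdminUser       = 'devadmin',
    [string]$HomeIp          = '203.0.113.10',   # only address allowed to reach RDP (documentation range, assumed)
    [string]$BreakGlassUserId = '',              # object ID of an emergency admin to exclude from the policy (assumed)
    [string]$PolicyState     = 'enabledForReportingButNotEnforced'  # switch to 'enabled' after reviewing sign-in logs
)
$ErrorActionPreference = 'Stop'
Connect-AzAccount | Out-Null
New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null

# Step 3-6: NAT Gateway with one static Standard-SKU public IP as its only outbound address.
$natIp = New-AzPublicIpAddress -ResourceGroupName $ResourceGroup -Name 'pip-nat-devops' `
    -Location $Location -Sku Standard -AllocationMethod Static
$nat = New-AzNatGateway -ResourceGroupName $ResourceGroup -Name 'nat-devops' -Location $Location `
    -Sku Standard -IdleTimeoutInMinutes 4 -PublicIpAddress $natIp

# Step 5: VNet whose developer subnet egresses through the NAT Gateway.
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-dev' -AddressPrefix '10.10.1.0/24' -NatGateway $nat
$vnet = New-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name 'vnet-devops' -Location $Location `
    -AddressPrefix '10.10.0.0/16' -Subnet $subnet

# Step 7-8: developer VM. RDP is opened to $HomeIp only, never to the whole internet.
# Outbound traffic still leaves via the NAT Gateway, which takes precedence over the VM's own public IP.
$rdpRule = New-AzNetworkSecurityRuleConfig -Name 'allow-rdp-from-home' -Protocol Tcp -Direction Inbound `
    -Priority 100 -SourceAddressPrefix "$HomeIp/32" -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name 'nsg-dev' -Location $Location -SecurityRules $rdpRule
$vmIp = New-AzPublicIpAddress -ResourceGroupName $ResourceGroup -Name 'pip-vm-dev' -Location $Location -Sku Standard -AllocationMethod Static
$nic = New-AzNetworkInterface -ResourceGroupName $ResourceGroup -Name 'nic-vm-dev' -Location $Location `
    -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $vmIp.Id -NetworkSecurityGroupId $nsg.Id
$cred = Get-Credential -UserName $AdminUser -Message 'Local admin password for the developer VM'
# Image SKU is an assumption; list current Visual Studio images with Get-AzVMImageSku -PublisherName MicrosoftVisualStudio.
$vmConfig = New-AzVMConfig -VMName 'vm-dev-01' -VMSize 'Standard_D2s_v3' |
    Set-AzVMOperatingSystem -Windows -ComputerName 'vm-dev-01' -Credential $cred |
    Set-AzVMSourceImage -PublisherName 'MicrosoftVisualStudio' -Offer 'visualstudio2019latest' `
        -Skus 'vs-2019-comm-latest-ws2019' -Version 'latest' |
    Add-AzVMNetworkInterface -Id $nic.Id
New-AzVM -ResourceGroupName $ResourceGroup -Location $Location -VM $vmConfig | Out-Null

# Step 10: named location = the NAT Gateway's outbound address as a /32, not marked trusted.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' | Out-Null
$natAddress = (Get-AzPublicIpAddress -ResourceGroupName $ResourceGroup -Name 'pip-nat-devops').IpAddress
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Pune Office (Azure NAT Gateway)'
    isTrusted     = $false
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = "$natAddress/32" })
}

# Step 18: Conditional Access cannot coexist with Security Defaults.
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false

# Step 11-17: block Azure DevOps from every location except the named one.
$users = @{ includeUsers = @('All') }
if ($BreakGlassUserId) { $users.excludeUsers = @($BreakGlassUserId) }
$azureDevOpsAppId = '499b84ac-1321-427f-aa17-267ca6975798'   # well-known Azure DevOps app ID; verify in your tenant
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Restricted Access to Azure DevOps'
    state         = $PolicyState
    conditions    = @{
        users        = $users
        applications = @{ includeApplications = @($azureDevOpsAppId) }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($office.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
} | Out-Null
Write-Host "NAT egress $natAddress allowed; policy created in state '$PolicyState'."
```

The policy is created in report-only state by default so that the sign-in logs can confirm that only traffic from the NAT Gateway address passes before anything is enforced; rerun with `-PolicyState enabled` (or flip it in the portal) once that is confirmed. Keep the break-glass exclusion: a policy that blocks "All users" from an application with a wrong named location is otherwise painful to undo.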
Figure: Enable AAD Conditional Access for Azure DevOps Organization
20. By creating this Conditional Access policy, we have ensured that our organization's Azure DevOps can be accessed only from the Azure VMs in a specific subnet of a virtual network that belongs to the organization. What it has still not taken care of is that, once the VM is opened over RDP from a home computer, the developer can copy-paste the code from the VM to the uncontrolled host machine at home. To take care of this, we need to set a Group Policy on the VM that disallows such copy-paste to other machines.
Disallowing Copy-Paste on VM accessed via RDP
21. Sign in to the created VM over RDP. From a command prompt with administrator privileges, run "gpedit.msc" to open the Local Group Policy Editor.
22. Drill down into Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection. On this page, select the policy "Do not allow clipboard redirection" and enable it.
Figure: Apply Clipboard Redirection Group Policy
23. Repeat the process for the policy "Do not allow drive redirection", which closes the other obvious copy channel (a home drive mapped into the RDP session).
24. Restart the VM (or run "gpupdate /force" and reconnect) so that the policies take effect for new RDP sessions.
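The same hardening as steps 21 to 24, added here as an example and not code from the article, done by writing the registry values that those Local Group Policy settings map to, so it can be scripted across every developer VM (for instance through the Azure Custom Script extension or `az vm run-command`) and re-checked for drift instead of clicked through gpedit.msc each time. It also disables COM, LPT and Plug and Play redirection, which the article does not mention, because each of those is another way to move data out of the session. Value names under the policy key are the documented Terminal Services policy values; the assumption is that it is run in an elevated PowerShell session on the VM.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's own code): disable RDP device redirection via the
# registry values behind the "Device and Resource Redirection" Group Policy settings.
$ErrorActionPreference = 'Stop'
$tsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Each value name corresponds to one policy in gpedit.msc; 1 means "Enabled".
$required = [ordered]@{
    fDisableClip     = 1   # Do not allow clipboard redirection          (article step 22)
    fDisableCdm      = 1   # Do not allow drive redirection              (article step 23)
    fDisableCcm      = 1   # Do not allow COM port redirection           (added)
    fDisableLPT      = 1   # Do not allow LPT port redirection           (added)
    fDisablePNPRedir = 1   # Do not allow supported Plug and Play device redirection (added)
}

function Set-RdpRedirectionPolicy {
    # Creates the policy key if absent and forces every value to the hardened setting.
    if (-not (Test-Path $tsPolicyKey)) { New-Item -Path $tsPolicyKey -Force | Out-Null }
    foreach ($name in $required.Keys) {
        New-ItemProperty -Path $tsPolicyKey -Name $name -Value $required[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-RdpRedirectionPolicy {
    # Returns the names of values that are missing or differ from the hardened setting.
    $drift = foreach ($name in $required.Keys) {
        $actual = (Get-ItemProperty -Path $tsPolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($actual -ne $required[$name]) { $name }
    }
    return @($drift)
}

Set-RdpRedirectionPolicy
$drift = Test-RdpRedirectionPolicy
if ($drift.Count -eq 0) {
    Write-Host 'RDP clipboard, drive, COM, LPT and PnP redirection are disabled by policy.'
    # Redirection is negotiated when a session is created, so existing sessions keep
    # what they negotiated until they reconnect. The article restarts the VM; that works too.
    # Restart-Computer -Force
} else {
    Write-Error "Policy drift detected for: $($drift -join ', ')"
}
```

Run `Test-RdpRedirectionPolicy` on its own from a scheduled task or your configuration-management tool to catch the values being changed back. Remember that these are local policies: any local administrator on the VM can revert them, so developers should log in with standard user accounts, and a domain or Intune policy is the stronger option where the VMs are managed centrally.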
We can test our configuration now. If we browse to our organization's Azure DevOps from a home computer, Azure AD authenticates the user but then shows a message that you do not meet the criteria to access this resource.
Figure: Test Access Restriction
If we access the Azure DevOps portal of the organization from the VM that we created earlier, it allows us to use the pages of the portal. If we try to copy-paste any code from the VM to the host machine, it does not allow us to do that.
What we have achieved in this walkthrough is to protect the code, which is intellectual property of the organization, from being pilfered while still using Azure DevOps. We enabled a Conditional Access policy for our organization's Azure DevOps that allows it to be accessed only from certain VMs in a subnet of a virtual network of the organization, and we disabled clipboard and drive redirection on those VMs.
This way, organizations can let developers work from home using their own computers without giving those computers direct access to the code, thereby protecting their IP. Two limits are worth keeping in mind: the NAT Gateway address is shared by every VM in the subnet, so anything placed in that subnet gains the same access to Azure DevOps, and the RDP restrictions stop clipboard and drive transfers but not a screenshot or a photo of the screen, so the controls reduce casual leakage rather than defeat a determined insider.
This article was technically reviewed by Gouri Sohoni and Vikram Pendse.
This article has been editorially reviewed by Suprotim Agarwal.