Customize the extension allowlist for Azure Arc-enabled Windows Servers – Wim Matthyssen



In this blog post, you’ll learn how to customize the extension allowlist on the Azure Connected Machine agent for Azure Arc-enabled Windows Servers.

If you’re already using Azure Arc, you probably know that VM extensions for Azure Arc-enabled servers are optional add-ons (small applications) that enable features like monitoring, security, patch management, and custom script execution, just as they can be used with Azure VMs.

By default, if no allowlist or blocklist is configured on the Azure Connected Machine agent of an Arc-enabled server, all extensions are allowed, which is not ideal from a security standpoint.

💡 The default setting is [ ], which means “Empty, all extensions allowed”.

💡 Also, keep in mind that not all VM extensions are supported on every Windows Server operating system (OS). To check Windows extension availability per Windows Server OS, visit the following link.

Configuring an allowlist can enhance security by controlling which extensions are permitted, reducing the risk of unauthorized deployments.

Allowlists are restrictive, meaning only the specific extensions included in the list can be installed. In contrast, blocklists are permissive, allowing any extension to be installed except for those explicitly listed.

In my opinion, allowlists are a better choice than blocklists because they automatically prevent any new, unapproved extensions from being introduced in the future. The most secure approach is to explicitly specify the extensions you want to allow, ensuring that anything not on the allowlist is automatically blocked.

Only allowing the extensions you need can also be useful when connecting servers to Azure for a specific purpose, such as only for monitoring, while preventing other management capabilities from being used on the server.

💡 Allowlists and blocklists are set up locally on a per-server basis, ensuring that no one, not even users with Owner or Global Administrator permissions in Azure, can bypass your security rules by installing unauthorized extensions.

In this blog post, you’ll find step-by-step instructions on customizing the extension allowlist on the Azure Connected Machine agent for Azure Arc-enabled Windows Servers, helping you securely manage your Azure Arc environment.


Customize the extension allowlist on a Windows server

First, connect to the Arc-enabled Windows Server via RDP, ideally through a Jump Server, and open Windows PowerShell in administrator mode.

Then type the following command to list all configuration properties and their current values:

You can then check if there is already an allowlist or blocklist applied, or if the default setting of allowing all extensions ([ ]) is still in place for this server.

Then, as I prefer to do, you can configure an allowlist on this server. To allow only specific extensions, such as the Windows Admin Center (preview) extension, you can use the following command:

azcmagent config set extensions.allowlist "Microsoft.AdminCenter/AdminCenter"

💡 You can find a full list of available extensions for Windows via this link.

Add or remove an extension from a configured allowlist

If you later want to add an extra extension to the configured allowlist, you can do so by using the “--add” flag.

For example, if you later want to allow the Microsoft Defender for Cloud extension as well, you can run the following:

azcmagent config set extensions.allowlist "Microsoft.Azure.AzureDefenderForServers/MDE.Windows" --add

If, on the other hand, you want to remove an extension from the allowlist at a later time, you can do so by using the “--remove” flag.

For example, if you later want to remove the Windows Admin Center (preview) extension, you can run the following:

azcmagent config set extensions.allowlist "Microsoft.AdminCenter/AdminCenter" --remove

💡 When troubleshooting issues while running a command, it can be helpful to display more detailed logging information during execution. Simply add the “--verbose” flag at the end of the command.

Allow multiple extensions at once

Of course, it’s better to avoid configuring each extension individually by allowing multiple extensions at once.

For example, if you want to allow the Windows Admin Center, the Azure Monitor Agent, Microsoft Defender for Cloud, the Windows OS Update, and the Windows Patch extension on your Windows server, you can use the following command:

azcmagent config set extensions.allowlist "Microsoft.AdminCenter/AdminCenter,Microsoft.Azure.Monitor/AzureMonitorWindowsAgent,Microsoft.Azure.AzureDefenderForServers/MDE.Windows,Microsoft.SoftwareUpdateManagement/WindowsOsUpdateExtension,Microsoft.CPlat.Core/WindowsPatchExtension"

Allowlist for Tier 0 servers

To ensure security, only essential management functions and authorized users should have access to Tier 0 Arc-enabled Windows servers, such as Domain Controllers, Entra ID Connect servers, and Certificate Authority servers.

For Tier 0 assets, it’s crucial to disable any unused functionality and allow only the necessary extensions in the agent to prevent both intentional and accidental changes to the server.

As a best practice, you should disable all unnecessary management features and set an extension allowlist, or completely disable the extension manager if you decide not to use any extensions for security reasons.

For most customers, I configure the allowlist for their Tier 0 servers as follows:

azcmagent config set incomingconnections.enabled false

azcmagent config set guestconfiguration.enabled false

azcmagent config set extensions.allowlist "Microsoft.Azure.Monitor/AzureMonitorWindowsAgent,Microsoft.Azure.AzureDefenderForServers/MDE.Windows"
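The following PowerShell script is an added example (not code from the original post): it applies the Tier 0 baseline above, together with the multi-extension allowlist syntax shown earlier, and then reads every setting back with azcmagent config get to confirm the baseline is actually in effect before the server is treated as hardened. It assumes azcmagent.exe is installed in its default location, that the session is elevated, and that azcmagent config get prints the property value as plain text (list values are normalized by splitting on commas, whitespace and brackets, which is an assumption about the output format).

```powershell
# Added example, not part of the original post or the Azure Connected Machine agent.
# Assumptions: default install path, elevated session, and "azcmagent config get"
# printing the value as plain text (lists are normalized before comparison).
$AzcmAgent = Join-Path $env:ProgramW6432 'AzureConnectedMachineAgent\azcmagent.exe'

# Tier 0 baseline from the post: no incoming connections, no guest configuration,
# and only the Azure Monitor agent and Defender for Endpoint allowed as extensions.
$Tier0Baseline = @{
    'incomingconnections.enabled' = 'false'
    'guestconfiguration.enabled'  = 'false'
    'extensions.allowlist'        = 'Microsoft.Azure.Monitor/AzureMonitorWindowsAgent,Microsoft.Azure.AzureDefenderForServers/MDE.Windows'
}

function Get-ArcConfigValue {
    param([Parameter(Mandatory)][string]$Property)
    # Read one local agent setting; a non-zero exit code means the read failed.
    $output = & $AzcmAgent config get $Property 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "azcmagent config get $Property failed (exit code $LASTEXITCODE): $output"
    }
    return ($output | Out-String)
}

function ConvertTo-NormalizedSet {
    param([string]$Text)
    # Turn "a,b", "[a b]" or one-item-per-line output into a sorted, de-duplicated
    # set so ordering or formatting differences do not show up as drift.
    $items = $Text -split '[,\s\[\]]+' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
    return @($items | Sort-Object -Unique)
}

function Set-ArcConfigBaseline {
    param([Parameter(Mandatory)][hashtable]$Baseline)
    # Apply each setting and stop at the first one azcmagent rejects.
    foreach ($property in $Baseline.Keys) {
        & $AzcmAgent config set $property $Baseline[$property]
        if ($LASTEXITCODE -ne 0) {
            throw "azcmagent config set $property failed (exit code $LASTEXITCODE)"
        }
    }
}

function Test-ArcConfigBaseline {
    param([Parameter(Mandatory)][hashtable]$Baseline)
    # Compare every baseline property with the live value; return only the drifted ones.
    $drift = @()
    foreach ($property in $Baseline.Keys) {
        $expected = (ConvertTo-NormalizedSet $Baseline[$property]) -join ','
        $actual   = (ConvertTo-NormalizedSet (Get-ArcConfigValue $property)) -join ','
        if ($expected -ne $actual) {
            $drift += [pscustomobject]@{ Property = $property; Expected = $expected; Actual = $actual }
        }
    }
    return $drift
}

# Enforce the baseline, then prove it took effect before trusting the server as Tier 0.
Set-ArcConfigBaseline -Baseline $Tier0Baseline
$drift = Test-ArcConfigBaseline -Baseline $Tier0Baseline
if ($drift) {
    $drift | Format-Table -AutoSize
    throw 'Tier 0 agent baseline is not in effect on this server.'
}
Write-Host 'Tier 0 agent baseline verified.'
```

Test-ArcConfigBaseline can also be run on its own from a scheduled task or a configuration-management check, so that a later change to the local agent settings shows up as drift rather than going unnoticed.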

💡 It’s also a good idea to use a dedicated Azure subscription for your Tier 0 assets. This way, you can better monitor and limit the number of administrators who have access to these resources.

Allowlist for Windows Server 2012 Extended Security Updates

The recommended configuration for using Azure Arc to deliver Windows Server 2012 (W2K12) Extended Security Updates (ESU) without intending to use any other extensions is to set a special allowlist value of “Allow/None.”

You can configure this by running the following command on those W2K12 or W2K12 R2 servers:

azcmagent config set extensions.allowlist "Allow/None"

Customizing the Arc Onboarding script with an allowlist

For automated deployments at scale, the allowlist can be seamlessly integrated into the Azure Arc onboarding PowerShell script (OnboardingScript.ps1), which you can manually generate from the Azure Arc menu.

This integration enables you to streamline and automate the onboarding process across multiple machines or environments, ensuring that the allowlist is consistently applied to all machines during the deployment.

Below is an example of how this can be implemented by adding an extra line of code which adds an allowlist to the OnboardingScript.ps1:

& "$env:ProgramW6432\AzureConnectedMachineAgent\azcmagent.exe" config set extensions.allowlist "Microsoft.AdminCenter/AdminCenter,Microsoft.Azure.Monitor/AzureMonitorWindowsAgent,Microsoft.Azure.AzureDefenderForServers/MDE.Windows,Microsoft.SoftwareUpdateManagement/WindowsOsUpdateExtension,Microsoft.CPlat.Core/WindowsPatchExtension";
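The snippet below is an added example, not the Azure-generated OnboardingScript.ps1 itself or code from the original post. It shows how the extra allowlist line can be placed after the generated script's existing connect step with exit-code handling, so that a failed or partially applied allowlist fails the onboarding run (and is visible to the deployment tooling) instead of silently leaving the server with all extensions allowed. It assumes the generated script's connect command has already run at the point where this code is inserted and that azcmagent config get prints the allowlist as plain text containing the extension identifiers.

```powershell
# Added example, not part of the original post or of the Azure-generated onboarding script.
# Insert after the generated script's "azcmagent.exe connect ..." line.
# Assumption: "azcmagent config get extensions.allowlist" prints the identifiers as text.
$AzcmAgent = "$env:ProgramW6432\AzureConnectedMachineAgent\azcmagent.exe"
$Allowlist = @(
    'Microsoft.AdminCenter/AdminCenter',
    'Microsoft.Azure.Monitor/AzureMonitorWindowsAgent',
    'Microsoft.Azure.AzureDefenderForServers/MDE.Windows',
    'Microsoft.SoftwareUpdateManagement/WindowsOsUpdateExtension',
    'Microsoft.CPlat.Core/WindowsPatchExtension'
)

function Set-ArcOnboardingAllowlist {
    param([Parameter(Mandatory)][string[]]$Extensions)
    # The agent takes the allowlist as one comma-separated argument.
    & $AzcmAgent config set extensions.allowlist ($Extensions -join ',')
    if ($LASTEXITCODE -ne 0) {
        throw "Setting the extension allowlist failed (exit code $LASTEXITCODE)"
    }

    # Read the setting back and require every expected identifier to be present;
    # a missing entry means the server is not in the intended state.
    $current = (& $AzcmAgent config get extensions.allowlist 2>&1 | Out-String)
    $missing = $Extensions | Where-Object { $current -notmatch [regex]::Escape($_) }
    if ($missing) {
        throw "Allowlist verification failed; missing: $($missing -join ', ')"
    }
    Write-Host "Extension allowlist applied and verified: $($Extensions -join ', ')"
}

try {
    Set-ArcOnboardingAllowlist -Extensions $Allowlist
}
catch {
    # Surface the failure to whatever runs the onboarding script (e.g. a deployment
    # tool collecting exit codes) instead of ending with an unrestricted agent.
    Write-Error $_
    exit 1
}
```

Because the allowlist is set in the same run that connects the machine, there is no window in which the server is registered in Azure with the default (all extensions allowed) setting.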

Reset an extension allowlist to its default setting

If you have configured an allowlist but, for any specific reason, no longer need it, you can clear the extension allowlist and restore the default setting of allowing all extensions by running the following command:

azcmagent config clear "extensions.allowlist"

Disable the Extension Manager

If you don’t need to use extensions with Azure Arc, you can completely disable the extension manager by running the following command:

azcmagent config set extensions.enabled false

💡 Keep in mind that disabling the extension manager won’t remove any extensions already installed on your server, so you’ll still need to remove them.

Conclusion

From a security and management perspective, it’s best to configure an allowlist for the Azure Connected Machine agent on any of your Arc-enabled Windows servers.

This approach enhances security by controlling which extensions are permitted, reducing the risk of unauthorized or accidental deployments or tasks performed by either authorized or malicious users.

I hope the steps and various allowlist configurations, explained in this blog post, help you keep your Arc deployments secure and well-managed.

If you have any questions or suggestions about this blog post, feel free to reach out to me on X (@wmatthyssen) or leave a comment. I’ll be happy to assist!

