April 27, 2024

SamTech 365

PowerPlatform, Power Apps, Power Automate, PVA, SharePoint, C#, .Net, SQL, Azure News, Tips ….etc

How to Secure and Govern your PowerPages Sites with Ease

This session was presented by Dipti Jaiswal & Vamsee Dilli

Power Pages Administration & Governance

This area allows you to monitor and govern your websites.

Monitoring

In terms of monitoring, we have the following capabilities:

Inventory: this gives you your website inventory; as a Power Pages admin, you can check how many sites are available, how many are public, etc.

Security: this gives you the security dashboard, with things like:

  • Authentication provider
  • Whether anonymous access is enabled, etc.

Analytics: this gives you the traffic insights for your sites.

Governance

Once you have had a look at the monitoring features and have an overview of your environment, it is time to put some rules in place and ensure Power Pages

e.g. Blocking anonymous access

Under Resources > Power Pages Sites, you can choose to deactivate anonymous access.

Implementing the change at this level overrides whatever your site makers have put in place.

Bulk actions in managed environments

This functionality is still in preview, and it starts with an overview and lists of

Power Page Security

Security is not just an IT responsibility; it is becoming more of a shared business responsibility.

The default Pages-Security features:

Secure

  • Authentication
  • Authorization
  • Security Settings
  • Prevent injection & cross-site scripting

Control

  • Website Visibility
  • Security Meter
  • Go Live-Checklist

Monitor

  • Integrate with Application insights
  • Enable Diagnostic logging

We need to highlight the following built-in security aspects of Power Pages:

  • Power Pages runs on Azure PaaS
  • Power Pages enforces HTTPS for data encryption (in transit & at rest)
  • Application security:
    • Server-side validation (to avoid injection attacks)
    • Security – Authentication, Authorisation, Managed WAF & Security Settings
    • Governance – Observe, Control, Secure & Audit

The 4 key dimensions of Power Pages security

Security for Makers

  • Do not use local authentication; instead, configure Azure AD B2C identities.
  • Azure AD is enabled by default for your organisational users.
  • Low-code auth provider setup, or bring your own auth provider (Facebook, Google, Twitter, LinkedIn, etc.)
  • Pages also supports advanced authentication features.

Authorisations

Power Pages provides secure authorisation via role-based access controls.

You can define web roles, page permissions and table permissions.

Makers have an abundance of security settings, which can be configured through the Power Pages Management app.

For example, Power Pages sites cannot be embedded in iframes by default; if you have a scenario where you absolutely have to do that, you can configure the X-Frame-Options header.


Some HTML tricks to protect against injection attacks

  • When working with Liquid, always use the escape filter: {{ '<p>test</p>' | escape }}.
  • Always apply htmlEncode(SAMPLEDATA) before you read the data and use it in the HTML DOM.
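The encoding rule above in working form, as an added example that is not part of the session slides: a minimal htmlEncode helper (an assumed helper you add to your site's JavaScript, not a Power Pages built-in) beside the unsafe and safe ways of building markup from visitor data. It produces the same result for the page's `<p>test</p>` sample that the Liquid escape filter does.

```javascript
// Added example: encode user-controlled data before it reaches the HTML DOM.
// htmlEncode is an assumed helper name taken from the notes above, not a built-in.

// The five characters that can change HTML structure, mapped to entities.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Unsafe (for comparison only): raw data is concatenated into markup, so any
// tags a visitor typed into a form field become part of the page structure.
function renderUnsafe(displayName) {
  return `<p>Welcome, ${displayName}</p>`;
}

// Safe: the same markup with the data encoded first; the browser displays the
// text literally instead of interpreting it as tags. When you already hold a
// DOM element, setting element.textContent achieves the same thing.
function renderSafe(displayName) {
  return `<p>Welcome, ${htmlEncode(displayName)}</p>`;
}

// Constructed sample input: the same markup the Liquid example above escapes.
const SAMPLE_DATA = "<p>test</p>";

console.log(renderUnsafe(SAMPLE_DATA)); // tags survive into the DOM
console.log(renderSafe(SAMPLE_DATA));   // tags rendered as visible text
```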

Control site visibility

  • All new sites are created as private by default.
  • Taking sites "public" is an explicit maker action.
  • Service Admins or System Admins (controlled by a governance setting).
  • Makers can invite other makers to collaborate on the website.
  • Sites in developer environments are always private.


Security meter [New]: this shows how secure your Power Pages site is. Use it to

Site Checker: this is a self-service diagnostic tool for makers, quite similar to the Power Apps checker.

Go Live Checklist: this is a handy to-do list which reminds you of the tasks you need to perform before going live.

Monitoring for makers:

Power Pages can be easily integrated with Azure Application Insights, or other tools such as Google Analytics.

The integration is done via the Management app, which allows capturing some telemetry.

Security for Admins

Observe: the new security centre gives an overview of all your sites.

Control:

Admins can exercise control via:

1- Website creation: you can choose who can create new sites in your tenant.

2- Making a site public: as an admin you can also limit who can make a site public, which gives you a higher level of control.

3- Restrict anonymous access to your websites.

4- [Planned] Restrict the available auth providers: this feature is planned for next year; admins will be able to select which authentication providers are available.

Secure:

  • Turnkey WAF capability
  • Protect against OWASP Top 10
  • You can also bring any other WAF provider
  • [Planned] Enhanced WAF Rulesets, Geo Filtering, IP Blocklisting and Rate Limiting
  • [Planned] Security policies and recommendations

Monitor & Audit:

Enable website access logs:

  1. Complete access logs for your website in IIS (W3C) format.
  2. Available in the M365 Audit and Compliance center.
  3. Use them to monitor who is accessing, what is being accessed and where it is being accessed from.
  4. Use the built-in SIEM integration in M365 to automate your website monitoring and strengthen security.
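What step 3 looks like once the logs are exported, as an added example that is not from the session or from Microsoft: a small parser for the W3C extended log format (fields come from the `#Fields:` directive) and a per-client summary of who accessed what, from where, and how many requests were refused. The log lines are constructed sample data, not a real Power Pages export.

```javascript
// Added example: parse W3C (IIS-style) access log text and summarise it per client.
// SAMPLE_LOG is constructed for illustration; field names follow the W3C directive.
const SAMPLE_LOG = `#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-04-27 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2024-04-27 10:00:01 203.0.113.5 GET /home 200 Mozilla/5.0+(Windows)
2024-04-27 10:00:02 203.0.113.5 GET /contact 200 Mozilla/5.0+(Windows)
2024-04-27 10:00:03 198.51.100.7 GET /admin 403 curl/8.0
2024-04-27 10:00:04 198.51.100.7 GET /admin 403 curl/8.0
2024-04-27 10:00:05 198.51.100.7 GET /admin 403 curl/8.0
2024-04-27 10:00:06 192.0.2.9 POST /signin 302 Mozilla/5.0+(Macintosh)`;

// Turn the text into records keyed by the names in the #Fields directive.
function parseW3cLog(text) {
  let fields = null;
  const records = [];
  for (const line of text.split("\n")) {
    if (line.startsWith("#Fields:")) {
      fields = line.slice("#Fields:".length).trim().split(/\s+/);
      continue;
    }
    if (line.startsWith("#") || line.trim() === "" || fields === null) continue;
    const values = line.split(/\s+/);
    if (values.length !== fields.length) continue; // skip malformed lines
    const record = {};
    fields.forEach((name, i) => { record[name] = values[i]; });
    records.push(record);
  }
  return records;
}

// Per-client view: request count, distinct paths, and denied (401/403) requests.
function summariseByClient(records) {
  const summary = {};
  for (const r of records) {
    const ip = r["c-ip"];
    if (!summary[ip]) summary[ip] = { requests: 0, paths: new Set(), denied: 0 };
    summary[ip].requests += 1;
    summary[ip].paths.add(r["cs-uri-stem"]);
    if (r["sc-status"] === "401" || r["sc-status"] === "403") summary[ip].denied += 1;
  }
  return summary;
}

// Clients whose denied requests reach the threshold deserve a closer look.
function suspiciousClients(summary, threshold = 3) {
  return Object.keys(summary).filter((ip) => summary[ip].denied >= threshold);
}

console.log(suspiciousClients(summariseByClient(parseW3cLog(SAMPLE_LOG))));
```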