
Differences between Azure Guest OS and Default Windows Server

Updated: November 13, 2014

The following page lists the differences between default installations of Windows Server and the Microsoft Azure Guest Operating System (OS) used with Azure Cloud Services. For more information on the Guest OS, see Manage Upgrades to the Azure Guest Operating System (Guest OS). The Guest OS only applies to Azure Cloud Services. It does not apply to Azure Virtual Machines (IaaS).

Upcoming Changes

  • None at this time

Past Changes

  • Additional Audit and Local Group Policy Security Settings – Introduced June 2013

  • TLS/SSL Cipher Suite Enhancements – Introduced August 2014

Additional FAQ information will be provided on the Guest OS Security FAQ page.

You must be running the August Guest OS or later to have these changes.

As part of Microsoft’s commitment to protecting customer data from government snooping, Azure is implementing stronger cryptography to protect communications, including Perfect Forward Secrecy (PFS). The following Transport Layer Security (TLS)/Secure Sockets Layer (SSL) Cipher Suite enhancements are implemented in the August 2014 updates of the Azure Guest OS. These changes are available in versions 4.11, 3.18, 2.30, and 1.38 (if released) of the Azure Guest OS.

The Cipher Suite Order setting determines which cipher suites TLS/SSL uses.

This setting prioritizes use of the following TLS/SSL cipher suites in the order specified, with the most secure options being first on the list.

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
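
The following Python example is added here and is not part of the original Microsoft page. It parses the suite names in the list above and checks that every forward-secret (ECDHE) suite is ranked ahead of the plain RSA key-exchange suites and that RC4, 3DES and MD5 suites come last. The `LEGACY` labels and the function names `parse` and `audit` are assumptions of this example.

```python
import re

# Cipher suite order exactly as listed on this page (August 2014 Guest OS).
PAGE_ORDER = """
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
""".split()

# Name layout: TLS_[<key exchange>_]<auth>_WITH_<cipher>_<mac>[_P<curve bits>]
NAME = re.compile(
    r"^TLS_(?:(?P<kx>ECDHE|DHE)_)?(?P<auth>RSA|ECDSA)_WITH_"
    r"(?P<cipher>.+?)_(?P<mac>SHA384|SHA256|SHA|MD5)(?:_P(?P<curve>\d+))?$")
LEGACY = ("RC4", "3DES", "MD5")  # this example's own "weak algorithm" labels

def parse(name):
    m = NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    # Ephemeral (EC)DHE key exchange is what gives forward secrecy.
    return dict(m.groupdict(), name=name, pfs=m["kx"] is not None,
                legacy=[a for a in LEGACY if a in name])

def audit(order):
    """Return ordering findings for a preference-ordered list of suite names."""
    findings, first_non_pfs, first_legacy = [], None, None
    for s in map(parse, order):
        if s["pfs"] and first_non_pfs:
            findings.append(f"{s['name']} ranked below non-PFS {first_non_pfs}")
        if not s["pfs"] and first_non_pfs is None:
            first_non_pfs = s["name"]
        if s["legacy"]:
            first_legacy = first_legacy or s["name"]
        elif first_legacy:
            findings.append(f"{s['name']} ranked below legacy {first_legacy}")
    return findings

if __name__ == "__main__":
    for s in map(parse, PAGE_ORDER):
        print(f"{s['name']:45} pfs={s['pfs']!s:5} legacy={','.join(s['legacy']) or '-'}")
    print("ordering findings:", audit(PAGE_ORDER) or "none")
```

Passing a server's own configured order to `audit` in place of `PAGE_ORDER` reports any suite that is ranked out of this pattern.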

This change disables weaker TLS/SSL protocols (for example, SSL 2.0) in addition to those that are already disabled. The change also ensures that the stronger protocols are enabled in all Azure Guest OS families (SSL 3.0, TLS 1.0, 1.1 and 1.2).

© 2014 Microsoft