Framework/Configurations/SVT/Services/VirtualMachine.json
|
{
"FeatureName": "VirtualMachine", "Reference": "aka.ms/azsdktcp/virtualmachine", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_VirtualMachine_Deploy_Latest_OS_Version", "Description": "Virtual Machine should have latest OS version installed", "Id": "VirtualMachine110", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckOSVersion", "Rationale": "It is always a best practise to updagrade your VM to latest possible OS version. This would protect your application from the known security vulnerabilities of older OS versions, fixed the OS provider.", "Recommendation": "Run command 'Update-AzureRmVM -ResourceGroupName {resourceGroupName} -VM (Get-AzureRmVM -ResourceGroupName {resourceGroupName} -Name {vmName})' . Run 'Get-Help Update-AzureRmVM -full' for more help.", "Tags": [ "SDL", "TCP", "Automated", "Deploy", "Windows", "Linux" ], "Enabled": true }, { "ControlID": "Azure_VirtualMachine_Config_OS_Auto_Update_Windows", "Description": "OS automatic updates must be enabled on Windows Virtual Machine", "Id": "VirtualMachine120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckOSAutoUpdateStatus", "Rationale": "VMs where automatic updates are disabled are likely to miss important security patches due to human error. This may lead to compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software.", "Recommendation": "Run command 'Set-AzureRmVMOperatingSystem' with the EnableAutoUpdate flag. Run 'Get-Help Set-AzureRmVMOperatingSystem -full' for more help or Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/set-azurermvmoperatingsystem", "Tags": [ "SDL", "TCP", "Automated", "Config", "Windows" ], "Enabled": true }, { "ControlID": "Azure_VirtualMachine_SI_Enable_Antimalware_Windows", "Description": "Antimalware must be enabled with real time protection on Windows Virtual Machine", "Id": "VirtualMachine130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAntimalwareStatus", "Rationale": "Microsoft Antimalware provide real-time protection, scheduled scanning, malware remediation, signature updates, engine updates, samples reporting, exclusion event collection etc.", "Recommendation": "To install antimalware, Go to Azure Portal --> VM Properties --> Extensions --> Add 'Microsoft Antimalware' --> Enable Real-Time Protection and Scheduled Scan --> Click Ok. If antimalware is already present on VM, validate and resolve endpoint protection recommendations in ASC. Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection, https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware", "Tags": [ "SDL", "TCP", "Automated", "Config", "Windows", "SOX", "SI" ], "Enabled": true }, { "ControlID": "Azure_VirtualMachine_Config_Enable_NSG", "Description": "NSG must be configured for Virtual Machine", "Id": "VirtualMachine140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckNSGConfig", "Rationale": "A network security group (NSG) provide security rules to tightly control the network traffic in VM", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/endpoints-in-resource-manager, https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-create-nsg-arm-ps", "Tags": [ "SDL", "TCP", "Automated", "Config", "Windows", "Linux" ], "Enabled": true }, { "ControlID": "Azure_VirtualMachine_NetSec_Justify_PublicIPs", "Description": "Public IPs on a Virtual Machine should carefully reviewed", "Id": "VirtualMachine150", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPublicIP", "Rationale": "Public IPs provide direct access over the internet exposing the VM to attacks over the public network hence each public IP on VM must be reviewed carefully", "Recommendation": "Go to Azure Portal --> VM Settings --> Networking --> Network Interfaces --> <Select NIC> --> IP Configurations --> <Select IP Configs with Public IP> --> Click 'Disabled' --> Save. Refer: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-public-ip-address ", "Tags": [ "SDL", "TCP", "Automated", "NetSec", "Windows", "Linux" ], "Enabled": true, "DataObjectProperties": [ "PublicIpAllocationMethod", "IpConfiguration", "Id", "DnsSettings" ] }, { "ControlID": "Azure_VirtualMachine_DP_Enable_Disk_Encryption_Windows", "Description": "Disk encryption must be enabled on both OS and data disks for Windows Virtual Machine", "Id": "VirtualMachine160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckDiskEncryption", "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements. In the case of VMs, both OS and data disks may contain sensitive information that needs to be protected at rest. Hence disk encryption must be enabled for both.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json", "Tags": [ "SDL", "TCP", "Automated", "DP", "Windows" ], "Enabled": true }, { "ControlID": "Azure_VirtualMachine_Audit_Vulnerabilities", "Description": "Virtual Machine must be in a healthy state in Azure Security Center", "Id": "VirtualMachine171", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckASCVMSecurityBaselineStatus", "Rationale": "Azure Security Center raises alerts (which are typically indicative of resources that are not compliant with some baseline security protection). It is important that these alerts/actions are resolved promptly in order to eliminate the exposure to attacks.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-remediate-os-vulnerabilities", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Windows" ], "Enabled": true }, { "ControlID": "Azure_VirtualMachine_SI_Missing_OS_Patches", "Description": "Virtual Machine must have all the required OS patches installed.", "Id": "VirtualMachine172", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckASCVMMissingPatchingStatus", "Rationale": "Unpatched VMs are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems and related software.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-apply-system-updates", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Windows", "SOX", "SI" ], "Enabled": true }, { "ControlID": "Azure_VirtualMachine_Audit_ASC_Recommendations", "Description": "Virtual Machine must implement all the flagged ASC recommendations.", "Id": "VirtualMachine173", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckASCVMRecommendations", "Rationale":"Azure Security Center raises alerts (which are typically indicative of resources that are not compliant with some baseline security protection). It is important that these alerts/actions are resolved promptly in order to eliminate the exposure to attacks.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/security-center/security-center-virtual-machine-recommendations", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Windows", "Linux" ], "Enabled": true }, { "ControlID": "Azure_VirtualMachine_Audit_Enable_Diagnostics", "Description": "Diagnostics (IaaSDiagnostics extension on Windows; LinuxDiagnostic extension on Linux) must be enabled on Virtual Machine", "Id": "VirtualMachine180", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckVMDiagnostics", "Rationale": "Diagnostics logs are needed for creating activity trail while investigating an incident or a compromise.", "Recommendation": "Go to Azure Portal --> VM Properties --> Diagnostics settings --> Enable guest-level-monitoring. Refer: https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/azure-diagnostics", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Windows", "Linux" ], "Enabled": true }, { "ControlID": "Azure_VirtualMachine_NetSec_Dont_Open_Management_Ports", "Description": "Do not leave management ports open on Virtual Machines", "Id": "VirtualMachine190", "ControlSeverity": "Critical", "Automated": "Yes", "MethodName": "CheckOpenPorts", "Rationale": "Open remote management connections expose a VM/compute node to a high level of risk from internet-based attacks that attempt to brute force credentials to gain access to the machine.", "Recommendation": "Go to Azure Portal --> VM Settings --> Networking --> Inbound security rules --> Select security rule which allows management ports (e.g. RDP-3389, WINRM-5985, SSH-22) --> Click 'Deny' under Action --> Click Save.", "Tags": [ "SDL", "TCP", "Automated", "NetSec", "Windows", "Linux", "OwnerAccess" ], "Enabled": true } ] } |