module/ConfigurationProvider/ControlConfigurations/Services/AVDHostPool.json

{
  "FeatureName": "AVDHostPool",
  "Reference": "",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_AVD_SI_Configure_HostPool_SecureBoot",
      "Description": "AVD Host pool VMs must be configured with Secure boot and vTPM",
      "Id": "AVDHostPool100",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckSecurityType",
      "DisplayName": "AVD Host pool VMs must be configured with Secure boot and vTPM",
      "Category": "Security type of Virtual Machine should be of type Trusted Launch with Secure boot and vTPM enabled",
      "ControlRequirements": "Security type of Virtual Machine should be of type Trusted Launch with Secure boot and vTPM enabled.",
      "Rationale": "Trusted launch protects against advanced and persistent attack techniques. It is composed of Secure boot, vTPM and integrity monitoring technologies that can be enabled to securely deploy virtual machines with verified boot loaders, OS kernels, and drivers, and it helps to protect keys, certificates, and secrets in the virtual machine.",
      "Recommendation": "To remediate: Go to Azure Portal --> Search Virtual Machine --> 'settings' --> 'Configuration' --> Go to Security Type --> Mark the checkbox for 'Enable Secure boot' and 'Enable vTPM'. --> select 'Save'. NOTE: Remediation is only possible if the security type is 'Trusted Launch'; otherwise create a new VM.",
      "Tags": [
        "SDL",
        "Automated",
        "SI",
        "AVDHostPool",
        "Baseline"
      ],
      "Enabled": true,
      "ControlSettings": {
        "AllowedSecurityType": [
          "TrustedLaunch"
        ]
      },
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "MSD",
        "TBv10",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:AVD_SecureLaunch"
      ]
    },
    {
      "ControlID": "Azure_AVD_Audit_Enable_HostPool_Diagnostic_Settings",
      "Description": "Diagnostics logs must be enabled for AVD Host pool VMs",
      "Id": "AVDHostPool110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "DisplayName": "Diagnostics logs must be enabled for AVD Host pool VMs",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.",
      "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings.",
      "Tags": [
        "Automated",
        "Audit",
        "AVDHostPool",
        "Baseline"
      ],
      "ControlSettings": {
        "DiagnosticForeverRetentionValue": "0",
        "DiagnosticMinRetentionPeriod": "365",
        "DiagnosticLogs": [
          "Checkpoint",
          "Error",
          "Management"
        ]
      },
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "DiagnosticSettings"
        ]
      },
      "Enabled": true,
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "MSD",
        "TBv10",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:AVD_DiagnosticsLogs"
      ]
    },
    {
      "ControlID": "Azure_AVD_NetSec_Restrict_Public_IPs",
      "Description": "Public IPs must not be open on AVD Host pool VMs",
      "Id": "AVDHostPool120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPublicIPAddresses",
      "DisplayName": "Public IPs must not be open on AVD Host pool VMs",
      "ControlRequirements": "Restrict network traffic flows",
      "Category": "Deploy controls to restrict network traffic",
      "Rationale": "Public IPs provide direct access over the internet exposing the VM to attacks over the public network. Hence AVD Host pool VMs must not be accessible to any public IPs.",
      "Recommendation": "To delete the Public IPs: Go to Azure Portal --> VM --> VM Settings --> Networking --> Network Interfaces --> <Select NIC> --> IP Configurations --> <Select IP Configs with Public IP> --> Click 'Disabled' --> Save. Refer: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-public-ip-address",
      "Tags": [
        "Automated",
        "NetSec",
        "AVDHostPool",
        "Baseline"
      ],
      "Enabled": true,
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "MSD",
        "TBv10",
        "CAIPreview",
        "EDPreview",
        "SMTPreview",
        "SN:AVD_RestrictPublicIPs"
      ]
    },
    {
      "ControlID": "Azure_AVD_NetSec_Dont_Allow_Public_Network_Access",
      "Description": "Public network access must be disabled on AVD Host pool VMs",
      "Id": "AVDHostPool130",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPublicNetworkAccess",
      "DisplayName": "Public network access must be disabled on AVD Host pool VMs",
      "ControlRequirements": "Restrict network traffic flows",
      "Category": "Deploy controls to restrict network traffic",
      "Rationale": "AVD Host pool firewall must be enabled so that the AVD Host pool VMs are not accessible by default to any public IPs.",
      "Recommendation": "To remediate, disable public network access on your AVD Host pool. Go to Azure Portal --> your AVD Host pool --> Settings --> Networking --> Public access --> Public network access --> Select 'Disable public access and use private access' --> Save",
      "Tags": [
        "Automated",
        "NetSec",
        "AVDHostPool",
        "Baseline"
      ],
      "Enabled": true,
      "CustomTags": [
        "Weekly"
      ]
    }
  ]
}