module/ConfigurationProvider/ControlConfigurations/Services/ClassicVirtualMachine.json

{
  "FeatureName": "ClassicVirtualMachine",
  "Reference": "aka.ms/azsktcp/classicvirtualmachine",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_ClassicVirtualMachine_SI_Install_System_Updates_MCSB",
      "Description": "[MCSB] System updates must be installed on your classic virtual machines",
      "Id": "ClassicVirtualMachine100",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] System updates must be installed on your classic virtual machines",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Machines with missing updates are easy targets for compromise from various malware/trojan attacks that exploit known vulnerabilities in operating systems.",
      "Recommendation": "Click an identified outstanding update. In the Missing system updates pane, click the support link (where one exists) and follow the instructions.",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "ClassicVirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "4ab6e3c5-74dd-8b35-9ab9-f61b30875b27"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_ClassicVirtualMachine_SI_Resolve_EndPointProtection_Issues_MCSB",
      "Description": "[MCSB] Endpoint protection health issues must be resolved on your classic VMs",
      "Id": "ClassicVirtualMachine110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Endpoint protection health issues must be resolved on your classic VMs",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Resolve endpoint protection health issues on your virtual machines to protect them from the latest threats and vulnerabilities.",
      "Recommendation": "Please refer to: https://learn.microsoft.com/en-us/azure/defender-for-cloud/endpoint-protection-recommendations-technical",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "ClassicVirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "37a3689a-818e-4a0e-82ac-b1392b9bb000"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_ClassicVirtualMachine_SI_Monitor_Endpoint_MCSB",
      "Description": "[MCSB] Monitor missing Endpoint Protection for classic VMs in Microsoft Defender for Cloud",
      "Id": "ClassicVirtualMachine120",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Monitor missing Endpoint Protection for classic VMs in Microsoft Defender for Cloud",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Servers without an installed Endpoint Protection agent are surfaced by Azure Security Center as recommendations.",
      "Recommendation": "To enable Endpoint Protection on a VM, go to Azure Portal --> Microsoft Defender for Cloud --> Click Security posture --> Select the environment and click View recommendations --> Click on the policy --> Select the VMs that need endpoint protection --> Click Install on VMs",
      "Tags": [
        "Automated",
        "SI",
        "Baseline",
        "ClassicVirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "3bcd234d-c9c7-c2a2-89e0-c01f419c1a8a",
          "83f577bd-a1b6-b7e1-0891-12ca19d1e6df"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_ClassicVirtualMachine_SI_Update_Adaptive_Control_Policy_Rules_MCSB",
      "Description": "[MCSB] Allowlist rules for classic VMs in adaptive application control policy must be updated",
      "Id": "ClassicVirtualMachine130",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Allowlist rules for classic VMs in adaptive application control policy must be updated",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications.",
      "Recommendation": "To enable allowlist rules for VMs in Microsoft Defender for Cloud please refer: https://learn.microsoft.com/en-us/azure/defender-for-cloud/adaptive-application-controls#enable-application-controls-on-a-group-of-machines",
      "Tags": [
        "Automated",
        "SI",
        "Baseline",
        "ClassicVirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "1234abcd-1b53-4fd4-9835-2c2fa3935313"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          },
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "NotApplicable",
            "AssessmentStatusCausePatterns": "DatabricksIrrelevantRecommendation(.)*|ServersStandardTierOnly(.)*|MissingDataOrUnsupported(.)*"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_ClassicVirtualMachine_NetSec_Restrict_Network_Ports_NSG_MCSB",
      "Description": "[MCSB] All network ports must be restricted on network security groups associated with your classic virtual machine",
      "Id": "ClassicVirtualMachine140",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] All network ports must be restricted on network security groups associated with your classic virtual machine",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "ControlScanSource": "MDC",
      "Rationale": "Open network ports expose a virtual machine to a high level of risk from internet-based attacks that attempt to brute force credentials to gain admin access to the machine.",
      "Recommendation": "To restrict access to your virtual machines, edit the inbound rules from the Azure Portal: Go to Azure Portal --> Virtual machines service --> Select the virtual machine --> 'Networking' blade --> click the Network Security Group with overly permissive rules ('Any->Any') --> click on each of the rules that are overly permissive --> apply less permissive source IP ranges --> click 'Save'. If some or all of these virtual machines do not need to be accessed directly from the Internet, you can also consider removing the public IP associated with them.",
      "AssessmentProperties": {
        "AssessmentNames": [
          "3b20e985-f71f-483b-b078-f30d73936d43"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Tags": [
        "Automated",
        "NetSec",
        "ClassicVirtualMachine",
        "Baseline"
      ],
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_ClassicVirtualMachine_SI_Remediate_Security_Vulnerabilities_MCSB",
      "Description": "[MCSB] Vulnerabilities in security configuration on your classic VMs must be remediated",
      "Id": "ClassicVirtualMachine150",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Vulnerabilities in security configuration on your classic VMs must be remediated",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "ControlScanSource": "MDC",
      "Rationale": "Known OS/framework vulnerabilities in a system can be easy targets for attackers. An attacker can start by exploiting such a vulnerability and can eventually compromise the security of the entire network. A vulnerability assessment solution can help detect and warn about vulnerabilities in the system and facilitate addressing them in a timely manner.",
      "Recommendation": "Go to Security Center --> Compute & apps --> VMs and Servers --> Click on the VM name --> Click on the VM vulnerability remediation recommendation --> Click on Take Action --> Remediate the list of vulnerabilities.",
      "AssessmentProperties": {
        "AssessmentNames": [
          "181ac480-f7c4-544b-9865-11b8ffe87f47"
        ]
      },
      "Tags": [
        "Automated",
        "SI",
        "ClassicVirtualMachine",
        "Baseline"
      ],
      "AssessmentStatusMappings": [
        {
          "AssessmentStatusCode": "NotApplicable",
          "EffectiveVerificationResult": "Failed",
          "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
          "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
        }
      ],
      "Enabled": false,
      "CustomTags": [
        "MCSB",
        "Daily"
      ]
    },
    {
      "ControlID": "Azure_ClassicVirtualMachine_SI_Install_EndpointProtection_MCSB",
      "Description": "[MCSB] Endpoint protection must be installed on your classic VMs",
      "Id": "ClassicVirtualMachine160",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Endpoint protection must be installed on your classic VMs",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Azure virtual machines without endpoint protection are exposed to viruses, spyware, and other malicious software. Endpoint protection such as Antimalware for Azure provides real-time protection that helps identify and remove such threats.",
      "Recommendation": "Please refer to: https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-protection-configure",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "ClassicVirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "4fb67663-9ab9-475d-b026-8c544cced439"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_ClassicVirtualMachine_SI_Enable_Adaptive_Application_Controls_MCSB",
      "Description": "[MCSB] Adaptive application controls for defining safe applications must be enabled on your classic VMs",
      "Id": "ClassicVirtualMachine170",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Adaptive application controls for defining safe applications must be enabled on your classic VMs",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications.",
      "Recommendation": "Please refer to: https://learn.microsoft.com/en-us/azure/defender-for-cloud/adaptive-application-controls",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "ClassicVirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "35f45c95-27cf-4e52-891f-8390d1de5828"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          },
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "NotApplicable",
            "AssessmentStatusCausePatterns": "(.)*MissingDataOrUnsupported"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_ClassicVirtualMachine_SI_Migrate_To_Azure_Resource_Manager_Resources_MCSB",
      "Description": "[MCSB] Classic virtual machines must be migrated to new Azure Resource Manager resources",
      "Id": "ClassicVirtualMachine180",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Classic virtual machines must be migrated to new Azure Resource Manager resources",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Use the new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication, and support for tags and resource groups for easier security management.",
      "Recommendation": "Please refer to: https://learn.microsoft.com/en-us/azure/virtual-machines/migration-classic-resource-manager-cli",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "ClassicVirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "12018f4f-3d10-999b-e4c4-86ec25be08a1"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_ClassicVirtualMachine_SI_Install_Log_Analytics_Agent_MCSB",
      "Description": "[MCSB] Log Analytics agent must be installed on your classic virtual machine for Azure Security Center monitoring.",
      "Id": "ClassicVirtualMachine190",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Log Analytics agent must be installed on your classic virtual machine for Azure Security Center monitoring.",
      "Category": "Monitoring must be enabled",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Installing the Log Analytics agent allows Azure Monitor to collect data from your Azure VMs which can be used for detailed analysis and correlation of events.",
      "Recommendation": "Please refer to: https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agent-windows?tabs=setup-wizard",
      "Tags": [
        "Automated",
        "Baseline",
        "SI",
        "ClassicVirtualMachine"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "d1db3318-01ff-16de-29eb-28b344515626"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          },
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "NotApplicable",
            "AssessmentStatusCausePatterns": "(.)*UneligibleResourceRecommendation"
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    }
  ]
}